6-1 Discussion: Risk Assessment

Previous Next 

Chapter 10 of the course textbook discusses the importance of conducting risk assessments (RAs). Darril Gibson defines an RA as a point-in-time report used to compare current risks against the controls that are already in place. Although it is beneficial to conduct an RA often, there are challenges to conducting quantitative RAs. For this week’s discussion, you will consider the benefits and challenges of risk assessments with your peers.

In your initial post:

Using the internet, find an example of an adverse IT event that was likely a result of failed risk assessment and planning processes.

As you write your post, consider the following:

Would a qualitative or quantitative RA have been more effective in preventing the risk? Why?

What controls would have been best to implement? Why?

In what ways did senior management’s attitude toward risk influence how the RA was conducted?

How should the company change its RA in the future to prevent this risk from occuring again?

In your responses to your peers:

Further expand on the claims of the original poster, and those who already responded.

Then explain why it is difficult to conduct a quantitative risk assessment (RA) for an IT infrastructure. 

POST 1

One adverse IT event that I could remember and found on the web was the crash of the Obamacare website the day of launch. I believe a quantitative RA would have been more effective for this solution and preventing the risk of the website crashing. The reason why I chose this assessment is because quantitative RA’s provide a more detailed perspective into risk, severity level, and impact of the risk. One control that would have had a good impact would have been to assess the situation or plan for a huge serge of traffic. The company should of had the scalability to allow the users to keep coming.  The reports after the disaster were that the management were to busy making policies and making poor technical decisions instead of spending the time on the website. The company should of worried more about technical issues, website design, and website functionality instead of policies behind the scenes.   references:https://www.mcall.com/news/watchdog/mc-obamacare-website-failure-watchdog-20160224-column.html

POST 2

When asked to search about an IT event I immediately had one in mind as I recently discussed this event, the recent T-Mobile breach. I think this issue really brought forth a lot of issues. This attack was conducted over the course of a week. He had infiltrated the servers early in the attack and began selling information on the dark web as he collected it over time, he eventually gained credentials to further dig into the database and access other sensitive information.When asked of whether qualitative or quantitative RA would have been more effective, qualitative research would have been much more important here. Attacks are conducted all the time on various businesses but can be unsuccessful. Hackers are becoming smarter in their attacks and learning new methods of gaining access to these databases that result in higher quality attacks. Properly researching these areas of vulnerabilities would be the best to conduct.With the attack taking place over a week and the tools available to an Information Security team, there were plenty of opportunities they could have alerted to the intruder and had the attack stopped. From this attack, the question is asked, how secure is their information?This isn’t the first time that T-Mobile has been attacked as such. It’s hard to answer the question of changing its RA when it is an issue that has happened before. This is a demonstration of watching a company not take the proper steps of risk recovery. Now the risks of the customers is in question as they don’t know who’s data has been compromised. Even if they were to switch carrier, the information is out there and can linger with them for years to come.