The purpose of this paper is to discuss how a security assessment can be used to mitigate fraud and risk to a given organization. This paper will discuss the steps of an effective security risk assessment, which include defining a risk scope, selecting risk treatments (acceptance, avoidance, transfer, mitigation, or a combination approach), and, most importantly, monitoring and reviewing risk through controls.
Merriam-Webster defines fraud as the “intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right.” Some type of fraud scheme or business exploit is in the news headlines every day. Anything from employees stealing money out of a cash register to multibillion dollar pyramid schemes is seemingly becoming a common segment on the news, right next to this week’s weather forecast. Every type of fraud shares one thing in common: the exploitation of a vulnerability. This exploitation of a vulnerability can be reduced, if not eliminated, with the use of a proper security assessment. The entire objective of a security risk assessment is to recognize the areas that are the most susceptible to fraud and to build a remediation process to prevent fraud from occurring (Wells, 2011). As effective as a risk assessment is in identifying and preventing fraud or scams, shockingly, most businesses do not conduct security risk assessments at all!
The reality of risk assessments is that nearly 70% of North American companies have not completed evaluations and assessments of their IT governance process. 36% of companies said they didn’t intend to bother performing any type of assessment and would simply assume the risk (Harris, 2011). Part of the reason for this lackluster performance in the business world is that executive buy-in on the subject is fairly weak. In 29% of North American companies, “line of business executives” such as chief information officers have little to no involvement with the IT risk assessment process (Harris, 2011). When there is little push from the top down, most business units and organizations lack the motivation, or don’t see the need, to prioritize performing a timely risk assessment of their operational processes. A security assessment can be a powerful preventative tool to fight fraud for any type of business. What makes this tool so effective is its comprehensive steps to identify and categorize a particular vulnerability and to set a sustainable process to audit and monitor it.
A security assessment is broken up into six major processes. The first process of an assessment is to set the scope of what is going to be covered in the assessment. Similar to project management, the scope or objective of what is to be covered is the most vital part of the risk assessment. Here the projects, internal operations, departments, standards to be used, and people to be interviewed are identified to keep a team on track and focused on the particular area of the company to be assessed (It risk assessment, 2011). In this stage of an assessment, the sponsor of the assessment needs to be identified. A high level of leadership is needed here to be held accountable and to produce buy-in from employees, ensuring the process goes as smoothly and effectively as possible (Wells, 2011). Another key element in determining the scope is understanding the business environment. The best way to do this is by interviewing the employees. Interviews can be a tricky situation.
When it comes to employees having to talk about deep internal flaws or possibly report their coworkers, the situation can become uncomfortable fast, and the employees with the most valuable information may keep it to themselves if the interview process isn’t performed correctly. For each interviewee, the assessor should gauge the willingness of the interviewee to be open and honest and select the best approach to obtaining information (Wells, 2011). In order to successfully conduct interviews of the employees, an interviewer could, according to Joseph T. Wells:
1. Conduct focus groups- This allows employees to interact and build on each other’s concerns. This only works if the culture of the company is highly collaborative and employees feel comfortable with one another.
2. Surveys- These are the most anonymous and will allow the more closed-off employees to share opinions and unpleasant facts through a more private medium.
3. Other feedback forums- Suggestion boxes offer an open-ended medium for employees to express their concerns.
The next step within the security risk assessment process is to identify all assets, meaning people, software, documentation, data, physical dwellings, and the current control procedures that fall within the defined scope. Once the assessment team has all the assets in hand, they can proceed to categorize the risk of each company asset (risk modeling will be discussed later in this paper). This categorization of risk will allow the team to quantify the damage to the company should a particular asset be compromised (It risk assessment, 2011). The next major step in the risk analysis is generally the hardest, since it may not be the most overt and is constantly changing: identifying all the threats and vulnerabilities within an asset and the current control procedures protecting it. These threats can consist of anything from an employee physically stealing cash out of a register to acts of nature, power failures, or sabotage (It risk assessment, 2011).
Vulnerabilities are defined as weaknesses that a threat can and will exploit to attack an asset and either steal or damage its contents (Wells, 2011). Given ample time and motivation, criminals will try to exploit whatever vulnerabilities they can to reach their target objective. The fifth step in the risk assessment process is to identify the current controls in place. Most controls are essentially safeguards that protect an asset by reducing its exposure to the outside world. These controls are then reviewed to find any gaps, loopholes, or unaddressed vulnerabilities that the original creator of the controls may not have taken into consideration at the time (It risk assessment, 2011).
Lastly, the security assessment team needs to analyze all the data to determine and weigh the risks. From those risks, a practical and cost-effective safeguard/remediation process needs to be developed to mitigate risk. Finally, the remediation steps need to be measured by some type of internal metrics system to ensure they are effective and are being used by the employees; additionally, periodic audits will ensure that none of the processes put in place have been tampered with, and adjustments to the processes can be made accordingly (It risk assessment, 2011). All in all, a proper risk assessment can save a company time, money, and unnecessary brand damage by proactively identifying and remediating vulnerabilities within its normal operations, thereby reducing the risk of employee fraud.
Risk categorization, commonly referred to as risk modeling, is one of the most complex and cumbersome parts of a risk assessment. Risk modeling allows a team to prioritize and make sense of the massive amount of risk data that it uncovers. A company simply can’t classify every asset or vulnerability as high risk/high impact. The higher the severity, the more processes and resources it takes to protect an asset, consuming large amounts of time, money, and productivity. The key here is balance. In any risk assessment there has to be an acceptable level of risk; without this key part, a risk assessment becomes ineffective because too much is managed all at once (Wells, 2011). Risk assessors have been able to quickly and efficiently come up with a clever model that allows a team to view the probability of a risk and then estimate the severity of its impact.
Figure 2.0 Risk Assessment Matrix (Edwards, 2010)
The right side of Figure 2.0 illustrates the likelihood that an event may occur for a given risk. There are five distinct categories that allow a granular level of probability; however, the featured model shows only three probabilities for a cleaner illustration (Edwards, 2010). The likelihood categories according to Ginny Edwards are:
1. Definite- An 80% or greater chance of occurring.
2. Likely- A 60-80% chance of happening.
3. Occasional- A 50/50 chance of occurring.
4. Seldom- A low, 10-50% chance of happening.
5. Unlikely- A less than 10% chance of taking place.
The bottom of a risk assessment matrix contains the consequences, in order of severity, should an event occur. Once again according to Ginny Edwards, the impacts of an exploit or fraudulent activity are as follows:
1. Insignificant- Trivial to extremely low impact.
2. Marginal- The risk will result in some damage or monetary loss, but largely insignificant.
3. Moderate- The risk isn’t a great threat, but will create a noticeable amount of harm.
4. Critical- Risks that have large consequences which lead to a large amount of loss.
5. Catastrophic- Major impacts that cause a significant amount of damage to a brand, monetary loss, or customer loss. Risks in this category are marked as high priority.
Once a risk has been categorized, the proper response methods are assigned to help mitigate the risk. This is where the acceptable level of risk comes into play. There are five main ways to respond to a risk/vulnerability. The first way to respond is to ignore the risk altogether. This method could be used for threats that are seldom to unlikely to occur and have an insignificant to marginal impact on the company. Here it would be wise to perform a cost-benefit analysis to ensure the risk has been categorized properly (Wells, 2011). The next response to risk is to transfer the risk to another company or vendor for remediation. This other entity could specialize in a particular type of risk remediation, or could be made financially responsible for any damages that may occur. This would be well suited to threats that are occasional in likelihood and critical to catastrophic in their impact (Wells, 2011). The third action to take against a risk is to mitigate it. This is essentially closing the gaps and loopholes for a vulnerability. This can be used for any type of risk, likelihood, and consequence.
This may be the most time-consuming and resource-intensive of all the risk responses, but if prioritized properly, anything significant can and will be remediated within a reasonable amount of time and cost (Wells, 2011). For smaller impacts and risks that are less likely to occur, a company could simply assume the risk and accept any consequences that may occur should it be exploited. Last but not least, a company could take a combination approach to apply the best solution to the problem (Wells, 2011). If the proper risk modeling has been completed, then a risk assessment team should not have any problems classifying, resourcing, and remediating any major and critical threats to a company. The consequences of a weak or nonexistent security risk assessment could very well mean the difference between running a solid, fraud-free organization and appearing on the nine o’clock news, suffering irreversible brand damage, and potentially closing the doors. Understanding why employees commit fraud, how to conduct a proper risk assessment, and how to classify a risk will ensure continually lower-risk operations for years to come.
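The risk matrix described above (the five likelihood categories and five consequence categories attributed to Edwards, and the response options attributed to Wells) can be turned into a small scoring tool that ranks a risk register and proposes a treatment for each entry. The following is an added example and is not code from the paper or from either author. Its assumptions are labelled in the comments: the 1-5 numeric levels, the score as likelihood level times impact level, the lower bound of 50% for the "Occasional" band (the paper only says "50/50"), the rule table that maps a matrix cell to ignore/transfer/mitigate/accept, and the sample register entries, which are constructed for illustration.

```python
"""Risk matrix scoring for a fraud risk register.

Added example based on the likelihood and consequence categories the paper
attributes to Edwards (2010) and the response options it attributes to
Wells (2011).  Numeric levels, the score formula, the treatment rules and
the sample register are assumptions made for this example, not the paper's.
"""

# Likelihood bands: (name, level, lowest probability that falls in the band).
# Levels 1-5 are an assumption; the band edges follow the paper, except
# that "Occasional" is taken to start at 0.50 because the paper only says "50/50".
LIKELIHOOD_BANDS = [
    ("Definite", 5, 0.80),
    ("Likely", 4, 0.60),
    ("Occasional", 3, 0.50),
    ("Seldom", 2, 0.10),
    ("Unlikely", 1, 0.00),
]

# Consequence levels 1-5 in the paper's order (numeric levels are an assumption).
IMPACT_LEVELS = {
    "Insignificant": 1,
    "Marginal": 2,
    "Moderate": 3,
    "Critical": 4,
    "Catastrophic": 5,
}


def likelihood_category(probability: float) -> tuple:
    """Map an estimated probability (0.0-1.0) to its (band name, level)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0.0 and 1.0")
    for name, level, lower_bound in LIKELIHOOD_BANDS:
        if probability >= lower_bound:
            return name, level
    return "Unlikely", 1  # unreachable because the last lower bound is 0.0


def risk_score(probability: float, impact: str) -> int:
    """Score = likelihood level * impact level (assumed formula, range 1-25)."""
    _, level = likelihood_category(probability)
    return level * IMPACT_LEVELS[impact]


def suggest_response(probability: float, impact: str) -> str:
    """Propose a treatment for one matrix cell.

    Rule table (an assumption that encodes the paper's guidance):
      - seldom/unlikely AND insignificant/marginal  -> "ignore"
        (the paper advises confirming this cell with a cost-benefit analysis)
      - occasional AND critical/catastrophic        -> "transfer"
      - any critical/catastrophic, or likely/definite
        with at least a moderate impact             -> "mitigate"
      - everything else                             -> "accept"
    """
    _, level = likelihood_category(probability)
    impact_level = IMPACT_LEVELS[impact]
    if level <= 2 and impact_level <= 2:
        return "ignore"
    if level == 3 and impact_level >= 4:
        return "transfer"
    if impact_level >= 4 or (level >= 4 and impact_level >= 3):
        return "mitigate"
    return "accept"


def rank_register(register: list) -> list:
    """Score every (name, probability, impact) entry and sort highest risk first."""
    ranked = []
    for name, probability, impact in register:
        band, _ = likelihood_category(probability)
        ranked.append({
            "name": name,
            "likelihood": band,
            "impact": impact,
            "score": risk_score(probability, impact),
            "response": suggest_response(probability, impact),
        })
    return sorted(ranked, key=lambda row: row["score"], reverse=True)


# Constructed sample register: (risk, estimated probability, consequence).
SAMPLE_REGISTER = [
    ("Cash skimmed from a store register", 0.55, "Marginal"),
    ("Fictitious vendor invoices approved", 0.30, "Critical"),
    ("Data center power failure", 0.05, "Catastrophic"),
    ("Unauthorized access to the payroll system", 0.65, "Critical"),
    ("Customer data leaked by a third-party processor", 0.50, "Catastrophic"),
    ("Petty cash miscount", 0.15, "Insignificant"),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        print(f"{row['score']:>2}  {row['likelihood']:<10} {row['impact']:<13} "
              f"{row['response']:<8} {row['name']}")
```

Run as a script, the register prints highest score first, so the payroll access (Likely, Critical) and the third-party data leak (Occasional, Catastrophic) sit at the top while the petty cash miscount falls into the ignore cell. The point of the rule table is the one the paper makes: the response follows from where the risk lands in the matrix, and only the cells that genuinely warrant it should consume mitigation resources.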
Harris, R. (2011). IT audit survey exposes weak risk assessment. CIO.com. Retrieved from http://www.cio.com/article/691178/IT_Audit_Survey_Exposes_Weak_Risk_Assessment
Healthcare Management Systems. (2011, August 5). Retrieved from http://www.hcmsnapa.com/wp-content/uploads/2010/10/fraud_triangle1.png
It risk assessment. (2011, August 5). Retrieved from
Merriam-Webster. (2011). Fraud. Retrieved from http://www.merriam-webster.com/dictionary/fraud
Wells, J. T. (2011). Principles of fraud examination (3rd ed.). Hoboken, New Jersey: Wiley.