The major goal of the paper at hand is to compose a risk management plan based on the facts presented in the case study, which is devoted to the security breach of customer data experienced by Flayton Electronics. The study will identify the size of the project (relying on the facts and inferences that can be extracted from the case study), select appropriate tools and techniques for risk management, and complete the corresponding section (Risk Tools and Techniques) in the provided Risk Management plan for both quantitative and qualitative aspects of this project. The Risk Reviews and Reporting section of the plan will be developed according to the determined project size. The Probability and Impact section will be completed with justification of values. In the final part of the paper, the Risk Thresholds section will be defined and justified.
Scope and Objectives
The project Data Security Breach is intended to ensure that the organization will be able to manage future security risks by applying risk mitigation methods and executing timely, effective, and appropriate steps to avoid a repetition of the data breach that has already taken place in the company. This will maximize the likelihood of achieving the goals of the project. Suitable measures are required not only for the security of the organization but also for customer protection (Sen & Borle, 2015). The project is going to address numerous challenges that the company’s IT systems cannot currently manage: identify which data-stealing devices were used, what weaknesses and flaws the IT systems feature, what strategies are implemented for fixing them, how the company informs its customers, and what can be done to win back their loyalty.
Thus, the major scope of the present paper is to create a holistic picture of the existing risks that can be deduced from the case. It will encompass business integrity and stability prospects as well as the consequences of the events for all the parties affected. It will also identify factors that pose threats to the future success of the business and estimate what can be done to eliminate or minimize them (Biener, Eling, & Wirfs, 2015).
As far as objectives are concerned, they include:
- to determine and manage security risks that may arise in the upcoming years (both internal and external);
- to address illegal account usage, disabled firewalls, flaws in the PCI submission, IT weaknesses, reporting problems, and other issues in a timely and efficient manner;
- to sustain risk levels at a point of remaining satisfactory or acceptable (which can be defined as the level of losses that are manageable in any economic circumstances);
- to outline criteria for future identification of security risks;
- to translate a redefined strategy into practice.
The implementation of the project will involve all the stakeholders. All the information related to risks will be communicated to them in due time and detail to ensure that corrections can be introduced to the plan. This way, they will be able to concentrate on the areas that are at the highest risk. The plan is proposed to be running for 6 months in order to ensure that all the above-mentioned problems are addressed. The budget of the project is $100,000.
The project is considered to be medium in accordance with the provided project sizing tool. This can be justified by the scores obtained as a result of the assessment:
- strategic importance of the project – 8 (major contribution to business objectives);
- commercial/contractual complexity – 4 (novel commercial practices, new to at least one party);
- external constraints and dependencies – 4 (some external influence on elements of the project);
- requirement stability – 2 (clear fully-defined agreed objectives);
- technical complexity – 4 (enhancement of existing product/service);
- market sector regulatory characteristics – 4 (standard regulatory framework);
- project value – 2 (small project value – <$250k);
- project duration – 4 (duration 3-12 months);
- project resources – 4 (medium in-house project team);
- post-project liabilities – 4 (acceptable exposure).
The overall project score is 40, which makes it medium in size. Nevertheless, its strategic importance is rather high due to the exposure of customer information. The project outcomes will determine whether it will be possible for the company to win back customer loyalty. All other factors do not exceed the accepted complexity level and are supposed to be manageable.
Risk Tools and Techniques
The following risk tools and techniques have been chosen for both the qualitative and the quantitative aspects of the project:
- Initiation. The Risk Management Plan, elaborated at the start of the project and regularly reviewed by the project manager, will serve as the initiation document. This is crucial since the team cannot operate without a clear-cut picture of the problems and of the steps to resolve them; otherwise, the process will be chaotic.
- Identification of risks and opportunities. The following techniques are to be implemented:
  - Collective analysis of all assumptions, purposes, and obstacles that the project may face. Even though there is a risk management plan at hand, all the issues must be discussed to ensure that all team members understand them correctly (Allodi & Massacci, 2017).
  - Quantitative risk probability testing. Conditional probability is necessary to find out how the outcome depends on the actions performed and on the risks that may appear in the process (Buh, Kovačič, & Indihar Štemberger, 2015).
  - Analysis of the project's implicit and explicit assumptions and constraints. This will reveal mistakes before the project is translated into practice.
  - Review of a standard risk checklist. Excessive concentration on the existing problem may lead to overlooking other gaps that the project does not address; this standard procedure will elicit them (Denolf, Trienekens, Wognum, van der Vorst, & Omta, 2015).
  - Ad hoc identification of risks by the project team at any time during the project. Even if the initial risks are removed, new ones may appear at a particular stage of the project implementation. That is why the assessment must be continuous.
- Assessment. Assessment is necessary to determine which risks are critical and should be included in the priority list. It will be performed in the following way:
  - Double P-Matrix to prioritize risks for action, using the standard Risk Scoring calculations based on Probability (P) and Impact (I). This is the most demonstrative way to assess each of the identified risks since it allows comparing not only the probability of occurrence of each risk but also how detrimental it will be for the system if the risk is not eliminated (Tan, Shen, Langston, Lu, & Yam, 2014).
  - Top Risk List for priority management attention. Since senior managers are responsible for the success of the project, it will be useful for them to know which operations and work processes need to be reorganized first.
  - Risk Register update to include assessment data. This way it will be easier for the whole team to see the assessment results for each department.
- Response Planning will include:
  - Response Strategy Selection as appropriate for each identified risk. Strategic planning is highly important to avoid chaotic or contradictory actions.
  - Risk Register update to include response data. Similar to the assessment list, this register will demonstrate which parts of the plan have already been completed.
- Reporting. The company will provide ad hoc reports to all the stakeholders involved in the project implementation. However, the final results should be delivered to customers, too, as they are the ones who suffered from the security violation.
- Review. The project results will be reviewed at each stage to see the progress. Risk review meetings are required to agree on responses to newly appeared risks.
- Post-Project Review. The company will perform the final review on completion of the project to outline the lessons learned in the process.
Risk Review and Reporting
Risk exposure on the present project will be reviewed during the whole process of its implementation. Regular reviews are needed to identify new risks and assess their importance, track the progress, and agree on actions when required. Since the project is medium in size and will run only for half a year, minor reviews will take place twice a month to see whether some changes in tools or techniques should be introduced. In this case, the project plan will be updated and reissued to document the revised process. All the stakeholders will be provided with a copy of the risk register to see the results of each review and understand their new responsibilities if there are changes.
When the project is complete, the Project Lessons Learned Report will be released to outline all the risks and obstacles that appeared during the project life for similar projects to take into account.
Probabilities and Impacts
| Scale | Probability | +/- impact: time | +/- impact: cost | +/- impact: project functionality |
|---|---|---|---|---|
| VHI | >90% | >15 days | >$50K | Very significant impact on overall functionality |
| HI | 71-90% | 10-14 days | $31-50K | Significant impact on overall functionality |
| MED | 51-70% | 8-9 days | $21-30K | Some impact in key functional areas |
| LO | 31-50% | 3-7 days | $5-20K | Minor impact on overall functionality |
| VLO | 11-30% | <3 days | <$5K | Minor impact on secondary functions |
| NIL | <10% | No change | No change | No change in functionality |
As far as time is concerned, the project life is not long, which means that the management of each newly appeared risk cannot take more than 15 days. Otherwise, the whole schedule will have to be revised and additional financial losses will follow. Since the overall budget of the project is $100K, its ultimate functionality is undermined by any risk that brings about the loss of more than half of the total sum; in that case, the continuation of the project will be at stake. If $31-50K is lost, the company will hardly be capable of addressing all the security risks that currently influence the effectiveness of its performance. However, it will still be possible to deal with the major data breach problems (without guaranteeing that they will not reappear in the future). Only if an unexpected risk costs the company less than $5K (and lasts less than three days) can it be considered insignificant, although some distortions of the project's secondary functions might take place.
The initial categories of risk include (Feri, Giannetti, & Jentzsch, 2016):
| RBS level 0 | RBS level 1 | RBS level 2 | Example of risk |
|---|---|---|---|
| 0. Project Risk | Technical-related concerns | | |
| | Management Risks | | |
| | Commercial Risks | | |
| | External Risks | | |
For the given project, technological risks will be primary since the security violation occurred due to the weak technological protection of the system and its vulnerability to cyber attacks. Managerial risks are mainly connected with flaws in the OS and the marred reputation of the company, since its manager did not manage to provide the services outlined in the contract. The company not only undermined the reliability of its security policies but also put at risk the private information provided by its customers. Moreover, from the legal perspective, the organization might suffer consequences if some of its clients decide to start legal proceedings against it (Romanosky, Hoffman, & Acquisti, 2014). The direct responsibility of Flayton Electronics was to ensure that no information would ever be disclosed. Since the company did not manage to fulfil this condition, it should be ready that competitive disadvantage and the loss of customer loyalty may follow if all the enumerated problems are not eliminated by the present project.
Allodi, L., & Massacci, F. (2017). Security events and vulnerability data for cybersecurity risk estimation. Risk Analysis, 37(8), 1606-1627.
Biener, C., Eling, M., & Wirfs, J. H. (2015). Insurability of cyber risk: An empirical analysis. The Geneva Papers on Risk and Insurance Issues and Practice, 40(1), 131-158.
Buh, B., Kovačič, A., & Indihar Štemberger, M. (2015). Critical success factors for different stages of business process management adoption–A case study. Economic Research-Ekonomska Istraživanja, 28(1), 243-257.
Denolf, J. M., Trienekens, J. H., Wognum, P. N., van der Vorst, J. G., & Omta, S. O. (2015). Towards a framework of critical success factors for implementing supply chain information systems. Computers in Industry, 68(1), 16-26.
Feri, F., Giannetti, C., & Jentzsch, N. (2016). Disclosure of personal information under risk of privacy shocks. Journal of Economic Behavior & Organization, 123(2), 138-148.
Romanosky, S., Hoffman, D., & Acquisti, A. (2014). Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1), 74-104.
Sen, R., & Borle, S. (2015). Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems, 32(2), 314-341.
Tan, Y., Shen, L., Langston, C., Lu, W., & Yam, M. (2014). Critical success factors for building maintenance business: A Hong Kong case study. Facilities, 32(5/6), 208-225.