25+ documents containing “Managing Risk”.
Assignment: Risk Management Paper
- Write a word paper discussing the role and nature of organizational risk management in justice and security organizations and why it is important. Address the following in your assessment:
o Planning for risk and identifying resources.
o How justice and security organizations manage risk.
o Costs associated with managing risk.
o Consequences of failing to manage risk.
o Benefits a properly performed risk analysis has for management and key stakeholders (include these sections in headings)
- Format your paper according to APA standards.
Include an Introduction and Conclusion. Run paper through plagiarism checker.
5 Pages, Times New Roman-Font 12, 1.5 Spacing
Managing Risk in Project Management
Must include the following:
-Define and explain your topic's relevance to the profession of project management in relationship to effective project management.
-Identify specific issues why this component of project management is important to a project.
-Roles and responsibilities of the project manager and team members.
-Apply this to a case study from a project from the news or a business you are familiar with.
-Specific characteristics of this project component and what project management tools are used to support its implementation during a project and how other project processes are dependent on the successful application of your topic.
-Include how you would develop the skills and tools required for a project team to be effective in mastering your topic.
The paper needs to address a very narrow, very specific question or issue which is relevant to the Risk Management and Insurance Industry. The inspiration for the paper can be the workplace, a current event, a family situation, financial planning, estate planning, risk management of the family or business, etc.
Paper should be in APA format. The following are some APA basics; all papers must have the following:
The entire document is double spaced (including the reference page)
There are no extra spaces between paragraphs
The font is either Times New Roman, 12 point, or Arial, 12 point
Margins are 1 (one) inch all around
If the paper has citations, they should look like this: (author's last name, year of publication: Sullivan, 2005). If you have a citation in the body of the paper, there MUST be a reference listed on the reference page. If there is a reference on the reference page, there MUST be a citation in the body of the paper that ties to that reference.
More About References:
All references are listed alphabetically, by last name of author or, if there is no author, by the first word in the title of the article
Last names of the authors are always used, never first or second names. If there are first or middle names available, just use the initials
If there is no date, then put (n.d.) after the author's last name and initials. If there is no author, then put the name of the article, followed by (n.a.)
All references are double spaced
The second, third, etc. lines of a reference are indented inch
Basic Guidelines for this paper are:
Each paper must:
Clearly state the question/issue
Provide an answer or explanation or position or recommendation
Be sure to make reference to the source(s) from which the explanation was obtained
Areas to Be Considered for the Paper Could Be:
Interview the (risk) manager of a business to find out what kind of risk management activities the business undertakes
Interview an independent contractor about the risk exposures faced when constructing a new house
Report on a lesser-known "niche" coverage, e.g., animal mortality, snowmobile, boater or travel insurance
Health Care reform
Personal Financial Analysis
Risk at your own business
Medicaid support for Family Planning in the Managed Care Era
Health Care and Risk Management
Risk Management and a Music Festival
An analysis of a risk management issue in nursing in neonatal units or other care units
Discuss the impact of the events of 9/11 on the risk management plans
The risks involved in managing a small enterprise
Possible Topic Sources:
Insurance Journal Lots of insurance news stories
Risk and Insurance Dot Com Current news and stories
Chubb Companies Good-sized library of case type articles
Business Insurance Current News and Events
National Underwriter Current News and Events
Property and Casualty Dot Com Current News and Events, Jobs, and more
Lloyds of London History, News and More
Risk World News and Views
Insurance Services Organization A Premier Source of Informati
This independent project asks you to act as a professional project risk consultant. Because of your experience, a company undergoing a risky project hires you to perform a risk analysis, report to them the top three risks, and recommend risk management activities. The primary activities of this exercise include:
1. Researching a project in the news that has sufficient risk for you to research and report and presenting the case study to the instructor to confirm fit-for-class-project
2. Researching THREE RESOURCES that provide risk management theory and REFERENCING THEM IN YOUR ANALYSIS AND REPORT
3. Authoring a report including the following outline and considering the following requirements
The ability to successfully manage risk/uncertainty in all instances is extremely challenging. The experience and result of this exercise should help you better understand what goes into uncovering and managing risks. This exercise will also provide you a foundation of uncovering risks in your life as well as preparing plans to manage them.
Report Outline
1. Executive Summary
Purpose of the Risk Analysis; Why?
2. Process Used to Uncover and Prioritize Risks
3. Three Major Risks and Potential Impact to the Project
4. Suggested Ways to Manage the Three Risks (and others!)
How should the Company Manage other Uncovered Risks?
5. Conclusion/Next Actions
6. References
Report Requirements
1. Sections that Follow the Outline
2. Two to Three Pages Not Including References
3. 12 PT, Double-spaced, Arial
4. Page Number on all Except Page 1
5. Follow standard references format
6. Include Case Study Copy w/ Report
Choose ONLY One question to write from following Two questions.
Question one,
Risk assessments inform decision making about effective actions for managing risk, i.e. avoiding, removing, reducing, improving and generally controlling risks. (Waring and Glendon 2007)
Based on your analysis of risk, evaluate the central risk contingencies faced by Tetra Tech, paying particular attention to the salience and likely impact of these risks.
Question two
Based on your case study analysis, what do you consider to be the key strengths and weaknesses in Tetra Tech's approach to risk management? What recommendations would you make to Don Rogers that would help enhance Tetra Tech's risk management strategy?
Firstly, please specify which question you are writing for. Both questions and your written essay are based on a 14-page case study called TETRA TECH EC AND RISK MANAGEMENT, which will be sent to you by fax or email by 10am 05/Dec/08 EST. Or when you find a writer, have that writer contact me via email first [email protected], and then I'll send that material to that writer directly.
Assessment will be marked according to five criteria,
Quality of Presentation
Understanding and use of Theory
Quality of Analysis
Structure and Argument
Conclusions
Any questions email me [email protected]
There are faxes for this order.
"Project Initiation": Please respond to the following:
One of the most important aspects of managing risk for a project is to accurately define the size of the project. Determine the criteria that must be considered to perform the project sizing and create one additional factor with rationale.
Suppose the size of the project was not determined correctly and a large, complex project was defined as a medium project instead. Predict the outcome of the risk management process within this organization. Include examples (i.e., the incorrect schedule of the risk management review, incorrect schedule of quantitative assessments) to support your prediction.
"Stakeholder Analysis": Please respond to the following:
Using the "Stakeholder Analysis Template" (Appendix B2 in the Hillson and Simon text) for a company that you currently work for or you are familiar with, determine the key stakeholders and categorize them by their attitude, power, and interest dimensions. Justify the categorization for each stakeholder and post the completed appendix for the class to see.
Analyze how stakeholder analysis affects the overall project risk management within an organization. Include an example to support your response.
PLEASE NOTE: The response to each question should not be less than 100 words. Do not retype the questions, and leave a clear indication and a space showing where the response to another question begins.
Assignment Instructions
This assignment is a take-home essay assignment of one question for which the student is expected to develop a 3-4 page essay that fully responds to the question.
Question: Examine the role of risk management within the homeland security enterprise.
The basic equation for risk is defined as R = f(C*V*T), where R is the level of risk, C is the consequences (public health, our economy, government action, public confidence in our institutions) of an attack, V is an assessment of the vulnerability of a potential target (how hard or easy it would be for it to be hit by terrorists) and T is the threat or the likelihood that a specific target will suffer an attack or disaster from a specific weapon. The Department of Homeland Security has stated that it will apply risk management principles to homeland security operations and has stated that "Ultimately, homeland security is about effectively managing risks to the Nation's security" (DHS 2010, 2). Drawing upon your class readings and additional research, examine how risk management is used by the homeland security enterprise and how that use benefits such aspects as resource allocation, strategic planning, grant award, or any of the multitude of other homeland security issues or operations.
Reference:
U.S. Department of Homeland Security. 2010. Quadrennial homeland security review report: A strategic framework for a secure homeland. Washington, DC: Government Printing Office. http://www.dhs.gov/xlibrary/assets/qhsr_report.pdf. (accessed August 10, 2012).
Scoring Rubric:
A copy of the complete scoring rubric for this assignment is attached. The following is a synopsis of that rubric.
Area of Evaluation
Maximum Points
Focus/Thesis 20
Content/Subject Knowledge 20
Critical Thinking Skills 20
Organization of Ideas/Format 20
Writing Conventions 20
Technical Requirements:
Length: 3-4 pages, double spaced, 1" margins, 12 pitch type in Times New Roman font.
Sources: All sources for this assignment must come from the assigned reading within the course. You are not limited to the pages assigned from each document, but are limited to those documents only to defend and support your arguments/claims.
Citations/References: You must use the Turabian Reference List (Parenthetical) style for this assignment.
Submission: All work is to be submitted as an attachment to the assignment link by midnight on the Sunday ending Week Six, the due date. All work should be prepared in Microsoft Word format and submitted as an attachment.
produce a risk analysis for a one-day charity event (football match) to raise funds
(diagrams and tables can be used as well)
Using Gray and Larson's (PROJECT MANAGEMENT: the managerial process, 4e)
generic project life cycle and accompanying activities, a WBS that leads to a comprehensive project plan with estimates of tasks and costs, a risk assessment and mitigation
Risk Identification: There are an infinite number of ways to identify risks, but they can be classified as qualitative or quantitative methods.
The process normally starts with some form of qualitative assessment such as:
referring to past projects
using prescribed checklists
through group brainstorming
using the Ishikawa fishbone analysis
Once we have a list of possible risks, we can adopt more quantitative methods to work out:
what is the likelihood of a risk event happening
when a risk event does happen, would we even know that it has occurred
how big or severe is its impact
what is/are the remedy/remedies for it
what is the cost-benefit of each remedy
who should we appoint to oversee its management
Risk Classification: If properly done, this list can get really quite long with a host of possible solutions, therefore it makes logical and practical sense to classify the risks into distinct groups which can benefit from a common risk mitigation strategy and for greater accountability, to enable the appointment of risk managers to handle each class of risks.
Risk Mitigation: Needless to say, a risk management strategy needs not just to be appropriate; it should cause the least disruption to the project and should avoid upsetting other stakeholders. The timing of taking a risk action is also important. It needs to be swift and effective, and without breaking the bank.
Risk Log: This is often overlooked by project managers when in fact it is very important to keep a risk register of possible risks identified and actual risk events together with the mitigation taken. In line with best practice, this log should be analysed at the post project audit meeting and key events entered into the lessons learnt database.
Finally, since projects tend to be unique, it is highly probable that every project or undertaking will involve the risk of not having things turn out as planned. The aim of the project risk manager or the project manager (if he is directly responsible for risk management) is to use his team and his own experience or expertise to try and identify as many of the risks as possible and to prepare a plan for mitigation should and when the risk events occur.
Exam Project: Many students do rather a 'bad job' with risk. They usually are quite good at identifying the risks, and sometimes will go as far as classifying them. Then they seem to run out of steam, and their mitigation strategy tends to be extremely weak and not well thought through. They also fail to use the standard risk formats. You should structure your risk section more carefully in the light of my comments.
Essay type:
Case study - Project management, budget management and cost management. Chain of retail stores.
Students can use case study in their own organisation. I prefer a chain of retail stores that operates internationally.
Part 1. Managing Project
Apply the project management techniques to a past, present or future project in your organisation. Comment on the appropriateness of the application of each of the five phases in the successful management of the project. Suggest ways in which the project management process could be improved. 1,800 words. 10 references to be used.
References:
1. Badiru, A. (2009). Science, technology and engineering project methodology. STEP project management: Guide for science, technology and project management (pp. 1-42).
2. Field, M. & Keller, L. (1998). 4 common types of project team. Project management (pp. 242-245).
3. Frame, J. (1994). Managing risk. The new project management: Tools for an age of rapid change, corporate re-engineering, and other business realities (pp. 80-89).
4. Portny, S. (2010). Establishing whom you need, how much and when. Project management for dummies (3rd ed., pp. 129-150).
5. Baker, S. & K. (1998). The network diagram: A map of your project. The complete idiot's guide to project management (pp. 85-100).
6. Thomsett, M. C. (2010). Establishing a schedule. The little black book of project management (pp. 94-108).
7. Biafore, B. (2007). Introduction. Microsoft project 2007: The missing manual (1st ed.).
8. Cleland, D. I. (1994). Project control. Project management: Strategic design and implementation (pp. 285-298).
9. Cleland, D. I. (1994). Project Termination. Project management: Strategic design and implementation (pp. 285-298).
10. Staw, B. M. & Ross, J. (1997). Knowing when to pull the plug. Project management: A Harvard Business Review Paperback, No. 90053 (pp. 57-63).
Part 2. Managing Budget
Discuss the major behavioural issues associated with budgeting in this project. Critically evaluate what you would do to avoid any negative effects (e.g. motivation, participation, rewards conflicts, etc..). 700 words. Five references to be used.
References:
1. Drucker, P. F. (2001). Be data literate - know what to know. In S. M. Young (Ed). Readings in management accounting (pp.2-3).
2. Parker, D., Ferris, K. R. & Oatley, D. T. (1989). The impact of accounting information on managerial behaviour and performance. Accounting for the human factor (pp.65-88).
3. Steele, R. & Albright, C. (2004, Spring). Games managers play at budget time, MIT Sloan Management Review (pp. 61-64).
4. Weygandt, J., Kimmel, P. & Kieso, D. (2008). Budgetary control and responsible accounting. Managerial Accounting: Tools for business decision making (4th ed., pp. 414-439).
5. Etherington, L. & Tjosvold, D. (1998). Managing budget conflicts: Contribution of goal interdependence and interaction. Revue Canadienne des Sciences de l'Administration: Jun, 15(2) (pp. 142-151).
6. Anandarajah, A., Aseervatham, A., & Reid, H. (2005). Prepare and manage budgets and financial plans (3rd ed. pp. 266-275).
7. Hart, J. , Wilson, C. & Keers, B. (2000). Budgeting principles (2nd ed., pp. 4-6).
8. Neely, A., Bourne, M., & Adams, C. (2003). Better budgeting or beyond budgeting. Measuring Business excellence, 7(3), pp. 22-28.
Part 3. Managing Cost
Locate or draw a cost report or variance report, either for this project or for another, or identify future expected costs. Identify the various cost categories (eg. fixed, variable, direct, indirect and overhead) and comment on how effective these are in managing the costs that relate to this specific project. Discuss how these could be improved to enhance the management of costs associated with this project. Include in your comments the relationship between ensuring quality outcomes for the project and the importance of controlling costs. 700 words. Five references to be used.
References;
1. Anthony, R., Dearden, J. & Govindarajan, V. (1992). Relation to planning and control. Management control systems (pp. 17-22, 967-970). Sydney: Irwin.
2. Toan, A. (1968). Uses of current information. Using information to manage (pp.4-11).
3. Goldman, T. (1969). Introduction and overview. Cost effectiveness analysis (pp. 1-5).
4. Shim, E. & Sudit, E. (2001). How manufacturers price products. In S. M. Young (Ed.), Readings in management accounting (pp. 126-128).
5. Nimocks, S., Rosiello, R. L. & Wright, O. (2005). Managing overhead costs. The McKinsey Quarterly, (2), pp. 106-117.
6. Anandarajah, A., Aseervatham, A., & Reid, H. (2005). Prepare and manage budgets and financial plans (3rd ed., pp. 328-332).
7. Welsh, G., Hilton, R. & Gordon, P. (1988). Performance evaluation and management control. Budgeting: Profit planning and control (5th ed., pp. 542-554).
Resources for your aid in writing this paper:
Michael L. Smith
C. Arthur Williams Published An International Comparison of Workers' Compensation
Peter C. Young
This paper can include a multitude of topics: See below
A. Certainty, Uncertainty and Risk
B. Pure and Speculative Risks
C. Managing Risk
D. The Nature of Risk Management Activities
E. Risk Assessment, Sources of Risk, Risk Measurement
F. Risk Analysis: Exposures of Financial Assets, Types of Financial Assets,
G. Risk Analysis: Exposures to Legal Liability
H. Risk Analysis: Exposures to Work-related Injury, Workers' Compensation and Claims
Please be sure to include as many as possible, while pulling the paper together to form a Risk Management and Insurance overall view.
Thanks
Request Excellienco
Preparation: Differences between Disaster Management and Terrorist Incidents
A great deal has been written about the lack of intelligence concerning the 9/11 terrorist attack on the United States. There appears to be a thought that the United States was woefully unprepared. With your understanding of the basics of disaster management (risk assessment, disaster preparation, mitigation, response, and recovery), you should be able to detect any difference between preparing for a terrorist induced disaster and a natural/technological disaster.
For this case assignment, you are to answer the following questions:
1. Compare the requirements for risk assessment in disaster situations to similar terrorist situations. Determine if they are similar or disparate.
2. Did the United States have a strong combating terrorism program prior to 9/11? Explain and support your claims with quotations.
3. Could the United States have accomplished any risk assessment in regards to the Al Qaeda capabilities prior to 9/11?
4. Was 9/11 preventable? Why? Explain and support your claims with quotations.
Paper will be graded with the following in mind:
* Your ability to differentiate between preparing for manmade versus natural (intentional) disasters; i.e., terrorism.
* Your ability to apply your understanding of the background leading up to the 9/11 attack, the level of combating terrorism prior to that, and information that has come to light since.
* Your ability to express the differences in counterterrorism and anti-terrorism measures prior to 9/11.
Case Assignment Expectations
Length: Case assignments should be at least 2-3 pages.
References: At least two references should be included from academic sources (e.g. peer-reviewed journal articles). Required readings are included. Quoted material should not exceed 10% of the total paper (since the focus of these assignments is critical thinking). Use your own words and build on the ideas of others. When material is copied verbatim from external sources, it MUST be enclosed in quotes. The references should be cited within the text and also listed at the end of the assignment in the References section (preferably in APA format).
Organization: Subheadings should be used to organize your paper according to question
Grammar and Spelling: While no points are deducted, assignments are expected to adhere to standard guidelines of grammar, spelling, punctuation, and sentence syntax. Points may be deducted if grammar and spelling impact clarity.
The following items will be assessed in particular:
* Achievement of learning objectives for case assignment
* Relevance (e.g. all content is connected to the question)
* Precision (e.g. specific question is addressed. Statements, facts, and statistics are specific and accurate).
* Depth of discussion (e.g. present and integrate points that lead to deeper issues)
* Breadth (e.g. multiple perspectives and references, multiple issues/factors considered)
* Evidence (e.g. points are well-supported with facts, statistics and references)
* Logic (e.g. presented discussion makes sense, conclusions are logically supported by premises, statements, or factual information)
* Clarity (e.g. writing is concise, understandable, and contains sufficient detail or examples)
* Objectivity (e.g. avoid use of first person and subjective bias)
This paper will NOT be sent to a university. It will be sent to a team in my company to review it and decide whether I will be nominated to go study for my MBA or not. I am competing with so many co-workers. Each employee will write a paper to sell himself so that my company can decide who will go study abroad.
So I want you to write me 2 pages where I can sell myself and be chosen to go study for my MBA abroad. I actually wrote 1 page. I'll share it with you. I want you to revise it and add another page.
I want you also to mention that I am very academic and ambitious. I would like to continue my education. I want to finish my MBA, which is my dream. During my MBA, I will also work on my CFA exams (Chartered Financial Analyst).
_______
Below is what I wrote, but it doesn't mean you use it exactly the same. Revise it.
My name is Terry. In August 2007, I pursued my bachelor's degree in Finance and Supply Chain Management from the University of Houston. I joined the Dow Chemicals organization in November 2011.
Prior to joining Dow Company, I worked for a real estate company in the investment division. Being interested and so passionate about investments, I gained a wealth of experience during my part-time job before and during my college period.
After joining Dow Company, I have been working in the Treasury organization of Sadara, Saudi Aramco's joint venture with Dow Chemicals Company. I report to the Treasurer, Steve. Working in this start-up has been a great learning experience. Both Sadara and I have grown much in the last year. I have been exposed to a broad range of finance issues and functions including cash management, investments, loan management, risk and credit management and payment processing. I have also worked on documentation and compliance.
I was also privileged to be one of the few non-Finance people to attend the recently-held Finance Boot Camp. I discovered that Dow's Finance organization offers many challenges and many learning opportunities. My goal is to be able to avail myself of some of these opportunities.
More information about me: I graduated with a high GPA of 3.56 and I was honored 5 times during my bachelor's degree.
Cash Management Practices
Cash management involves knowing how much money is coming into and going out of an organization and ensuring that cash will always be available for organizational needs. In a government organization, when tax revenue and budgets are so carefully balanced, effective cash management is of paramount importance. Certain cash management strategies such as delaying payments to vendors and centralizing payments are used to help ensure that cash is available for organizational needs. In this assignment, you will explore various cash management strategies. Then, you will evaluate the effectiveness of the cash management practices used in a specific public organization, and make any necessary recommendations to improve them.
To prepare for this assignment:
Focus on cash management practices and strategies.
Reflect on how cash management strategies are a crucial component of finance and budgeting in government organizations.
Select a public organization, one with which you are familiar or of which someone you know is a part, for use in this assignment.
Reflect on the cash management practices and strategies you read about and relate them to the organization you selected. Speak to the person(s) you know in the organization, if it is not your own, about how the various cash management strategies are used in the organization.
With these thoughts in mind:
Write a brief description of the cash management practices and strategies used in the organization you selected. Then, evaluate the practices and strategies. In your evaluation, explain which practices and strategies are working and which are not. Finally, include any recommendations you might make in order to improve them.
Be sure to support your response with specific references to the resources.
- Web Sites
Washington State's Office of Financial Management, Risk Management Division: Risk Management Basics Manual
http://www.ofm.wa.gov/rmd/publications/rmbmanual.pdf
Optional Resources
United States Department of the Treasury, Financial Management Service, Cash Management Made Easy Guidebook
http://fms.treas.gov/crm/cashmanagementmadeeasy.html
For this assignment, you should read chapters 1, 2 and 7 in Essentials of Risk Management.
This paper will focus on operational risk management. After reading chapters 1, 2 and 7 in Essentials of Risk Management, you should have a basic understanding of what is involved in managing risks within a corporation. I would like you to focus on the operational considerations that were mentioned in chapter 7 (a list can be found on page 155). Most of these considerations involve the employees in some way. I would like you to find an example of a company that failed to use risk management properly and explain how it could have helped them to avoid their problems.
The best way to begin this paper is to think of companies that you have heard of in the headlines in a negative way, or companies that have gone out of business in the last several years. Once you decide on a company, you should be able provide an explanation of the problem as well as your thoughts on how this could have been avoided using risk management. Another alternative is to use a company that you currently or previously worked for. If you choose the latter, please make sure that you can provide the required details.
For this assignment, I would again like to have Writer # rrs63. They have done a wonderful job so far.
Some instructor notes: Unit 9 - Risk Management - Risk Management is at the heart and soul of Asset Protection. It is the most used method of recognizing, appraising and anticipating critical loss. Risk Management, also known as risk analysis, comprises techniques, or disciplines, that analyze loss, loss potential, threats, or hazards. Risk Management is diagnostic and is part of an overall loss control strategy to minimize risks. In order for Risk Management to be successful, it must be able to identify, tabulate, evaluate and develop solutions for all conceivable hazards, or risks. This formal discipline evaluates risks and establishes a series of processes that allows management to see clearly where their vulnerabilities are, what is at risk, and what can be done about it. Students should read pages 241 through 267; Management and Emergency Management is discussed on pages 275 through 308. While the book provides only an overview, it does provide valuable information. In the 1990's, most experts in the field of security predicted emergencies and disasters of greater severity. Since September 11, 2001, their predictions have been realized. Learning to deal effectively with a crisis is no longer an elective. Since emergencies do not come along every day, many managers do not have a great deal of practical experience in dealing effectively with a crisis. Because of the infrequency of this type of major event, it is important to train and plan in advance. When these dynamic events occur, there is great opportunity to protect assets or lose them. Being prepared is the key, liaison with emergency responders is critical, and media relations could mean the difference between perceived success and failure. A well thought out emergency response plan that is built around the incident command system can save lives, reduce property loss, and reduce an organization's potential liability.
In most situations, a security director will make quick decisions with little input from others in minor situations. In large-scale emergencies or crises, the security director will not be alone and will have to understand his/her role in crisis management. In fact, many federal, state and/or local responders may arrive with greater authority and capability than the security director. The best approach to these situations is to develop an emergency response plan in advance, working in concert with other responders. Please prepare a 3 page report on how emergency response planning, the incident command system and effective media relations can protect people and property.
I will scan the book pages again if you need for the reading assignment to facilitate your writing the paper. As always, thank you!
1. Deere & Company exports tractors to Spain, but the strong dollar against the Euro hurts sales of Deere Tractors in Spain. In the Spanish market, Deere faces competition from German and Italian tractor makers, such as Fendt and Claas, whose operating currencies are the Euro. What kind of measures would you recommend so that Deere can maintain its market share in Spain? 200 words or more one reference
2. If you work for a publicly traded company, download the company's annual report. If you don't work for a publicly traded company, download the annual report of one of your favorite products (e.g. Apple or Dell). Search through the report and look for the section regarding "Managing risk" (it may be under a different name, but it is in there). Describe how this company manages economic, or some other type of, risk. 200 words or more, one reference
Please ask Cathii first if she is comfortable completing research in this area. If she is not please pass the assignment to a professional who works in the field of Corporate Risk Management.
Corporate Risk Management Comparing Strategies
Analyse, compare and contrast the fundamental risk management strategies.
Notes:
As a risk management professional you will undoubtedly be faced with a risky situation. Whatever course of action you decide to take, you will inevitably be doing one or more of the following:
Identifying the risks that you face
Quantifying the risks that you face
Preventing risks
Creating risks
Buying and selling risks
Diversifying risks
Concentrating risks
Hedging risks
Leveraging risk
Insuring the risk
These are the fundamental strategies for managing risks. Any action that affects your risk exposure involves one or more of these strategies. With knowledge and understanding of the availability and purpose of such strategies, it is likely that your approach to a risk problem will be more efficient in terms of time and cost reduction and may also prevent you from overlooking an important risk or an effective action to deal with it.
request Whitelaw
Preparation: Differences between Disaster Management and Terrorist Incidents
A great deal has been written about the lack of intelligence concerning the 9/11 terrorist attack on the United States. There appears to be a thought that the United States was woefully unprepared. With your understanding of the basics of disaster management (risk assessment, disaster preparation, mitigation, response, and recovery), you should be able to detect any difference between preparing for a terrorist-induced disaster and a natural/technological disaster.
For this case assignment, you are to answer the following questions:
Compare the requirements for risk assessment in disaster situations to similar terrorist situations. Determine if they are similar or disparate.
Did the United States have a strong combating terrorism program prior to 9/11? Explain and support your claims with quotations.
Could the United States have accomplished any risk assessment in regards to the Al Qaeda capabilities prior to 9/11?
Was 9/11 preventable? Why? Explain and support your claims with quotations.
Paper will be graded with the following in mind:
Your ability to differentiate between preparing for man-made (intentional) disasters, i.e., terrorism, versus natural disasters.
Your ability to apply your understanding of the background leading up to the 9/11 attack, the level of combating terrorism prior to that, and information that has come to light since.
Your ability to express the differences in counterterrorism and anti-terrorism measures prior to 9/11.
Case Assignment Expectations
Length: Case assignments should be at least 2-3 pages.
References: At least two references should be included from academic sources (e.g. peer-reviewed journal articles). Required readings are included. Quoted material should not exceed 10% of the total paper (since the focus of these assignments is critical thinking). Use your own words and build on the ideas of others. When material is copied verbatim from external sources, it MUST be enclosed in quotes. The references should be cited within the text and also listed at the end of the assignment in the References section (preferably in APA format).
Organization: Subheadings should be used to organize your paper according to question.
Grammar and Spelling: While no points are deducted, assignments are expected to adhere to standard guidelines of grammar, spelling, punctuation, and sentence syntax. Points may be deducted if grammar and spelling impact clarity.
The following items will be assessed in particular:
Achievement of learning objectives for case assignment
Relevance (e.g. all content is connected to the question)
Precision (e.g. specific question is addressed. Statements, facts, and statistics are specific and accurate).
Depth of discussion (e.g. present and integrate points that lead to deeper issues)
Breadth (e.g. multiple perspectives and references, multiple issues/factors considered)
Evidence (e.g. points are well-supported with facts, statistics and references)
Logic (e.g. presented discussion makes sense, conclusions are logically supported by premises, statements, or factual information)
Clarity (e.g. writing is concise, understandable, and contains sufficient detail or examples)
Objectivity (e.g. avoid use of first person and subjective bias)
I am doing research for a master's degree dissertation. I have selected a topic which is related to my course; I am studying Information Systems Management, and my topic is Risk management in software development projects. I have done most of my research, but unfortunately I have got into a critical situation, especially in my chapter on findings and discussions. In this chapter I have to discuss two case studies and interviews. I have recently done the two case studies, which are 1 London Ambulance Service (LAS) and 2 Flight Control System (FCS). My problem is I couldn't work with the interviews. I have made interviews with ten people who have enough experience in this field and I have collected their answers; some of them were face to face and others were by phone or email (Skype). I will give a general idea about my research:
Software development projects face various risks throughout the life cycle of the projects. Therefore, it is important for the management to be efficient and effective in identifying and mitigating these risks at various stages if they want to achieve higher success rates. The most important strategy in software development risk management is to reduce and minimize incidences. Thus, the strategy should be comprehensive in mapping all possible problems, measuring the risk magnitudes, prioritizing the identified risks and mitigating them at minimum cost. Over the decades, there have been many cases of expensive software projects flopping due to an inappropriate risk management process.
My order is :
I have read some resources on interviews, but really I am very confused because I couldn't understand them very well, or let me say I couldn't work out how I can employ them in my research. I will put them below; read them and try to make sentences with them, such as analysis, discussions, definitions, benefits, etc.
You can use any Statistical Analysis you see as appropriate.
__________________________________________________________________________________________
List of interviewed people

NO  Name               Position                         Manner of interview
1   Ahmed Alsaleh      Business Manager                 Face to face
2   Amr Jad            Researcher in Risk Management    Face to face
3   Fahad Altfery      Senior IS Department             Phone
4   Ibrahim Alquhtani  Project Team Leader              Phone
5   Haitham Almayyan   Senior and work over engineer    Skype
6   Hussein Zedan      Technical Director of STRL       Face to face
7   Khalid Alali       Solutions Architect              Phone
8   Mansour Alammari   Project Risk Specialist          Skype
9   Nasser Almalki     Business Analyst                 Phone
10  Sultan Hamad       Senior IT Project Manager        Phone
Q1: Have you worked with any software project? And if so, at which stage did you work on it?
A.A: Yes, I have developed a system for renting cars in Saudi Arabia.
A.J: Yes, I have worked in a software project; I worked in the planning stage for the user interface.
F.A: Yes, if you work with any software especially developing websites you will face many problems, but you should be patient to solve them.
I.A: Definitely, my career has always centered on developing various applications and programs to our clients. As a Project Team Leader, I am always involved from start to finish with the software projects I am assigned to lead.
H.A: Yes I have, I worked with a drilling operational risk assignment, and it was a generic software program.
H.Z: Yes, I have, from the beginning to the end.
K.A: The majority of my work involves ensuring that designs and plans are properly executed during all phases of software projects; thus, I am always involved in all stages of the SDLC.
M.A: I have always been involved with software projects from beginning all the way to the end-of-life of the applications my company developed. However, my part in all aspects of software projects is concentrated on the risk side.
N.A: Being involved in software projects is my "bread and butter," and I am always at the forefront throughout all stages of the project since I have to always ensure that documented business processes are properly developed into the correct applications.
S.H: Yes, I have worked with various software projects for over a decade now. I have worked on all stages of software projects as a developer, analyst and now I mostly handle the management side thereof.
Q2: Have you faced any problems or risks during this project? And if so, which kinds of risks, and how could you solve them?
A.A: Yes, we faced some problems in that project: the previous system for the company was a manual system, and they had a huge amount of data to transfer into the new system. We solved this problem by hiring new staff to help us transfer the old data into the new system.
A.J: Well, the main problem I faced was about time. When I had a task to achieve within two weeks, for example, sometimes we can do it at the specific time, so we have to make a shift, whether before or after the two weeks, to make an extension to solve this kind of problem.
F.A: Yes, if you work with any software especially developing websites you will face many problems, but you should be patient to solve them.
I.A: Human resources especially project team members have always been both a challenge and a risk for me. They either go absent during critical stages of the project or simply quit because they got better offers from other software development companies.
H.A: Some of them, and they had been resolved by sacrificing some targets; the risk assessment was for justifying the extra cost and involving the high management with the decisions prior to starting the work.
H.Z: Yes, a lot of problems, such as customers changing their minds; another problem was the end-user, so we have to bring people to stay with us to tell us the requirements, so we need to understand the stakeholders very well.
K.A: Scope creep has always been the challenge and risk to the software projects I have handled. This is due largely to the major stakeholders wanting changes, usually halfway through the development stage.
M.A: Challenges and risks to software projects abound. As the one in charge of the overall risk aspects of projects, I have learnt that technological and human-caused risks are always manageable, but naturally occurring risks are quite difficult because you cannot really fight Mother Nature.
N.A: The biggest challenge and risk I have encountered so far is when the identified business processes did not coincide with the applications being developed. The reason being was that the business process owners did not provide in detail their needs and requirements.
S.H: Projects always come with their inherent and unexpected problems and risks. The challenges and risks that pose the greatest threat to projects have always been human caused either through ignorance, apathy or malicious intent.
Q3: Are there challenges in the software development process, and if so, where can we identify those challenges?
A.A: Any software project must have challenges, but the question is how we can reduce those challenges so it is easy at running time. For example, we can face a challenge when we work with critical systems, or let me say when we work with an e-bank system, because these systems usually need a high degree of security. Another point is that we face a challenge when we want to collect data from stakeholders; they sometimes don't help us to obtain the full picture for developing the new system.
A.J: I think the main challenge that can be faced by any analyst or any team working within the life cycle will be about time; that is included because you cannot estimate or forecast any expected risk, and that is the main challenge: to still find out something to solve it.
F.A: I think the challenge will focus on how you can provide success in your project without losing time, effort and money.
I.A: My worst nightmare came true when several of my projects saw the majority of my developers absent or quitting on me. I was challenged with the task of finding replacements pronto; otherwise, we would have been penalized for the delay.
H.A: Yes, any software has some challenges, but those challenges are different from one system to another, and the degree of challenge will increase if we work with a critical system.
H.Z: The big challenge, to be honest, is the gap between the concept and the requirement, such as what the users want and the articulation of what users want, because the users are not engineers or do not have enough knowledge in computer science. So the main challenge in a software project is how we can understand the users to provide good services for them.
K.A: Despite the best laid and developed project plan, during the development stage there will be items that are out of scope and yet are critical to the overall completion of the software project. The challenge then is going back to the plan and trying to incorporate the scope creep based on the approved Change Control Procedures.
M.A: When Mother Nature sends in the snowstorms, floods, hurricanes, tornadoes and other natural calamities, there isn't much one can do. Thus, the challenge is in catching up with the work after fortuitous events.
N.A: Ensuring proper alignment of business processes and the applications being developed has always been the greatest challenge I face with every software project.
S.H: All types of people, or major and minor stakeholders, bring about the greatest challenges, especially when unforeseen changes are introduced by major stakeholders during the development stage.
Q4: From your point of view, what is a risk in software development projects?
A.A: Actually, risk might come with everything in our life, but for software projects, if the software didn't work very well, or if it didn't achieve all or some functions, then the software at that moment has a degree of risk.
A.J: I have got your question; it depends on the system and the team as well, because everyone in the team has a different personality and different skills; also it depends on the empowerment for software projects.
F.A: You know, every software must pass through the life cycle for development, and if the software didn't pass any stage, that leads us to conclude the software has risk.
I.A: Not having the total buy-in and support of management is my view of risk in software projects.
H.A: In my opinion, as operational, the challenge is in the proper accumulation of all the data from the database, but the software will only show the results based on our inputs.
H.Z: When we want to develop any system we should concentrate on the system, but if we want to develop risk management for any system we should concentrate on the environment.
K.A: Not being able to come up with the correct and complete system for the client is the biggest risk I consider in software development projects.
M.A: Too many to mention and the categories abound too. But they generally fall under the category of human, technological and natural risks.
N.A: Software development project risk is something that a project team or its members could mitigate to a certain degree, while some will still have residual risks.
S.H: Risk in software development is not being able to foresee or forecast what could be the possible and probable problems the project may encounter.
Q5: Are there any specific factors or threats that are known to put software projects at risk, and if there are, what are those factors?
A.A: I think the most important factor is if the staff didn't understand the new system or if they were unhappy with receiving the new system.
A.J: Well, I think I will come back to you, or return to you, and remind you about time; it is the main factor, and sometimes, if you have a big project, the money and the budget as well.
F.A: Yes, there are some factors such as good knowledge and experience for the team, strong management, and trying to put complex systems in high priority to achieve them.
I.A: I have always found that when people, especially the programmers, do not show up, then the project went into a Domino Effect and work that was supposed to be done affected other parts of the project.
H.A: Actually, risk can come with everything; it doesn't have an alarm to tell us, so that means we should be ready to receive the risk and solve it as soon as possible.
H.Z: The main factor known to put software projects at risk is if the stakeholder came to you during development of the system and asked you to add something extra, because in this case the system might take a long time or need new planning.
K.A: Poor development work or sub-standard coding is the biggest factor that I have seen put software projects at risk.
M.A: I had several projects that went into a standstill for up to a week because of severe snowstorms. We could not do anything about it but simply wait out the event.
N.A: Misunderstanding between the business process owners and the coders especially during actual coding became a showstopper in a few of my projects.
S.H: Human factors have always posed the greatest threats to software projects especially when those directly involved in the project do malicious acts.
Q6: What risks in software projects have proved to be so difficult to improve at the development stage?
A.A: Well, when we want to develop new software there are some elements that might affect this development, such as budget, enough team members, business strategy and time.
A.J: Well, it also needs to discover the risk before it happens; you can reduce risk. Sometimes you can discover the risk and sometimes you cannot discover and reduce it, because sometimes the risk may happen in uncertain opportunities.
F.A: In my opinion, I think the reengineering process is a very difficult stage, because it takes a long time; we need to understand the existing system very well.
I.A: Programmers are not perfect since they are only human; thus, they can make mistakes, and if left unchecked, one mistake may lead to several problems.
H.A: Nothing, but if there is any modification it should be done by the operator to show all the risks and options clearly to the customer.
H.Z: Interaction and communication; large systems become harder. Why? Because the risk management module is not compositional. So, for example, if I have developed a multinational software project, you must be careful with this project or you will lose it, because of the people involved and the culture involved and the religion involved as well.
K.A: "Garbage in, garbage out" has always been a truism during the development stage. When the developers do not pay attention to detail and input wrong code, then one thing will lead to another. Eventually, we had to go back and check each and every entry.
M.A: Sub-standard programming is a risk that is difficult to improve during the project development stage. That is why it is always important to get top-notch developers, especially for high-level projects.
N.A: Developers not being able to understand how to interpret business processes into development work proved to be the risk that was hard to improve during the development stage.
S.H: I would say when there is a lot of wrong coding and this is caught only during the testing and debugging stage. When the mistakes are numerous, redoing the whole application sometimes is the best course of action.
Q7: Are there categories of risks in software projects, and if there are, what are those categories?
A.A: I think there are three levels of risks in software projects: a low level which can be solved, such as missing small requirements; a medium level which needs time to solve all the risks in this level, such as not enough staff to achieve all functions at a specific time; and the last level, which is the high and critical level, and it might lead the software project to failure. Moreover, it will be so difficult to solve the problems in this level, such as poor planning and poor structure or poor management as well.
A.J: It also depends on the type of risk. Maybe some risks are related to the software, some risks are related to hardware, some risks are related to business, and some of them are related to management and administration; it depends on the type of risk. Then you will make categories when the risk comes down from top to bottom.
F.A: Yes, all categories of risk management in software projects deal with different types of implementation of new software, upgrades and management.
I.A: Schedule and budget risks mean not meeting project deadlines or overextending timelines for the former while latter is not only being over the budget but also expending budgets ahead of schedule or when it is not due. Operations risks cover the day-to-day events of projects. These may be lack of equipment, unscheduled absence of personnel, delayed arrival of materials delivery and even stoppage of work for various reasons. Technical risks have something to do with how the actual software is being developed, the outputs including the supporting resources required for testing and integration such as the network, hardware and data. Environmental risk covers the social, political, economic and business climate affecting the project.
H.A: The categories are the risk of doing the job, percentage of happening, and existence of on-hand available sources and resources.
H.Z: There are many categories; one is anticipated and another is unanticipated, so you need to put the system in a safe stage.
K.A: We follow the seven-stage SDLC and as such we categorize risks based on each stage of the SDLC. The risk categories are (1) planning risks, (2) requirements definition risks, (3) systems design risks, (4) implementation risks, (5) integration and testing risks, (6) acceptance, installation and deployment risks, and (7) maintenance risks.
M.A: Not only software projects but all our projects have three categories of risks: human-caused, natural-caused and technology-based risks; these are all quite self-explanatory.
N.A: The company I work for has three categories of risks for software projects. Business risks are those that would cause termination, financial loss and legal problems with the projects. Operational risks are daily but manageable project risks. Technical risks are those involving technology, systems and processes embedded in software projects.
S.H: Our company categorizes not just software project risks but all project risks under strategic, operational, and tactical risks. Strategic are the high-level risks that will completely shut down a project. Tactical risks are mid-level ones that are still salvageable when they hit projects. Operational risks are the day-to-day problems and challenges faced with projects.
Q8: How are risks analysed in software projects?
A.A: Firstly, we should establish, or let me say collect, the right data, and then we should identify all risks; after that we are ready to analyse these risks and evaluate them; lastly we should treat all risks.
A.J: Before you are going to analyse the risk, you have to identify the risk, so the analysis is a process of identification and evaluation. That means you have to identify the risk itself, then you can evaluate at which level this risk is, maybe high level or low level.
F.A: Yes, it is a good question. Analysing any software to identify the risks depends on the difficulty type of the system, so you have to select all risks in the system, then you have to understand them very well; after that you need to find out an appropriate way or method to reduce those risks.
I.A: Whenever we start planning any project, we complete the Risk Register by placing regular project risks in various parts of the project phases. Once the regular risks are allocated, the project team along with the project manager convenes a three-day risk scenario building wherein we brainstorm what other possible or different risk that we might face in the project.
H.A: By numbers, percentages and colours to measure the degree of existing risk.
H.Z: Yeah, there are some techniques for analysing risk management, such as forces analysis, which might be a good one, and the evaluation of the forces.
K.A: My company goes by the SEI-CMU CMMI way of analyzing software project risks. We first prepare ourselves for risk management; thereafter we identify and analyze possible and probable project risks. From there, we develop the risk treatment plan and apply mitigation solutions to the identified risks.
M.A: Fortunately, our company has developed a comprehensive database of project risks. Once we take on a particular project, we simply allocate the likely risks for every stage of the software projects and after doing this, mitigation measures are incorporated. For whatever residual risks there are, these are closely monitored throughout the project so they will not become major risks.
N.A: The way we analyze risks is first by determining what risks would affect various stages of the software project. For each risk, there is a corresponding mitigation measure, and these measures are approved by top management prior to implementation.
S.H: Following the risk management methodology in the Project Management Institute's (PMI) Project Management Body of Knowledge (PMBOK) is how we analyze not only software project risks but all our other IT projects as well.
Q9: Are there standard software project risk management approaches that may be acceptable at a global level? And if so, what are those approaches?
A.A: Risk management should reduce all risks which might be faced during the project life cycle by creating good solutions.
A.J: The structure for standard software project risk management approaches starts from identification of the risk until risk control or monitoring.
F.A: Well, we cannot prevent every risk in the world, but our responsibility is how we can reduce the risk and how we can know the risk before it happens.
I.A: There is no one risk approach that we use; instead, for every given project we determine the best fit. For instance, there are American risk management approaches and these are suitable for American clients. But since we also have European clients, we try to use risk management approaches from that continent, since more often it is a client requirement.
H.A: It is internally approved for our company, and the approach, as mentioned above, is to make the decision clear for the operator with the customer, along with high management acceptance.
H.Z: Risk management should lead and manage a software project to be successful; you can also read textbooks to get more information.
K.A: The Software Engineering Institute - Carnegie Mellon University has several risk management approaches and we have adapted these and found them quite suitable to almost all of our software projects.
M.A: There are several software project risk management approaches available out there, but since the company I work for is an information technology and project management firm, we did not adopt a specific risk management approach to our software development projects. Instead, we utilize the International Organization for Standardization (ISO) 27000 series and specifically ISO/IEC 27005 Information Security Risk Management. Since it is an ISO document, it is a global standard and contains best practices not only in information technology and project management risk but in other endeavors as well, such as business and strategic planning. Complementing ISO/IEC 27005 are ISO/IEC 27001 Information Security Management System Requirements and ISO/IEC 27002 Code of Practice for Information Security Management. When most people first hear the term information security, the first thing that comes to mind is computers and related information technology. This is not true, because information security covers both digital and physical security and the corresponding risk identification procedures thereof. Thus, using the ISO 27000 series provides any of our projects with detailed insights on how to properly manage any project risks, including software development projects.
N.A: Several methodologies or approaches of international fame and standard are available and we always try to use one that best meets the needs and requirements of each project.
S.H: The Project Management Institute's (PMI) Project Management Body of Knowledge (PMBOK) Risk Management Process Group basically covers the approaches we use for risk management. It is a global standard and has been adopted by major industries worldwide.
Q10: What are the real roles of risk management in reducing failure in software development projects?
A.A: The important role of risk management is to highlight all barriers that might delay the project from being achieved at a specific time. It should provide good communication between all channels in the project.
A.J: Well, it depends on the team, and the skills of the team as well: their capacity to manage those projects to be successful without high risk.
F.A: Through using good plans, and in addition it needs someone who has experience dealing especially with large systems, because they have more risks.
I.A: To make the software development projects proceed without delay or failure.
H.A: The roles should be clear and give enough evaluation for developing projects.
H.Z: It is far better to develop the right system than to develop the system right; that is what I would say.
K.A: To keep the project going without the threats and vulnerabilities affecting any part thereof and causing uncontrollable problems.
M.A: Risk management is not just a part of software development projects but covers all aspects of projects from beginning to end. There are risks in various aspects of the projects, and without applying risk management methodologies in each of these, the project is doomed to fail. An example would be the Change Management aspects of software projects, where risk management is applied by ensuring that any changes are approved and duly validated; otherwise it will have a Domino Effect on the succeeding stages of the project. In Configuration Management, the role of risk management is to validate that how things are to be done is done and that it has the desired results forecasted.
N.A: Risk management is an integral part of every project in order to meet the demands of the clients and gain their satisfaction upon completion.
S.H: The real role for risk management in software development projects is to ensure all possible and probable risks are managed in order for these not to unduly affect the overall outcome of the project.
Q11: From your point of view, what are the real reasons for failure in software development projects?
A.A: Yes, yes, there are some reasons which might lead any software project to be unsuccessful, such as missed deadlines, poor design of the user interface, or no fit between the new system and the training course; all these reasons will lead any project to failure.
A.J: Well, we can say usually projects fail when there is not enough time to cover all important issues in the project, to identify the risk or to develop the system at the same time or run time, and as well the money: sometimes it will not be enough to provide all requirements.
F.A: There are some reasons for failure, for example poor communication skills in leadership, and some companies receive many projects at the same time, so those projects may delay the companies in delivering the projects at a specific time.
I.A: Lack of enough human resources to have project continuity and complete the project on time.
H.A: In my opinion, the real reason for the failure in software development is poor communication between project team and system owners.
H.Z: The main reason for the failure in software development project misses understand the requirements fro developing as I said last time we should develop the right system and get the right requirements.
K.A: When developers make a lot of mistakes in the coding and these mistakes have to be corrected thereby causing delays and in some projects total failure.
M.A: Poor planning and poor change management have been some of the real reasons I have seen failed projects.
N.A: Software developments projects do not mean simply developing business applications to automate business processes or streamline business operations. One of the end stages of software projects is the utilization of the applications by end-users and business process owners. Unfortunately though, one of the real reasons for failure in software projects is people's resistance to change. This particular evident during the requirements and needs analysis stage where we do a gap analysis of what-is and what-the-end-stage will be. We often encounter end-users who are uncomfortable providing data on the business processes they handle because the very thing on their minds is that when these business processes are automated, they can be retrenched. Others will simply be absent or call in sick during the data gathering stage and this entails delay on the project timeline. During the testing stage, some of the end-users and business process owners would negatively critique the application even though the input, process and output of which are exactly what the business process called for. It sometimes gets frustrating because I feel that just because the client company is being enabled by technology, these people look at technology as the villain out to get them out of their jobs.
S.H: Failure of key stakeholders to abide what was agreed upon in the Project Management Plan.
Q12: Lastly, how dose the future of software projects and software project risk management look like ?
A.A: These days marketplace has a good software projects, and many companies around the world usually provide high quality of modern software. On the other hand, risk management is always tried to reduce the risk in new software projects, that means there is related relationship between risk management and software projects. In general, risk management will be popular topic in next years, because the industry of new software is increasing day by day.
A.J: I think it is very important because every thing in the life or in the world is related to the risk and the risk management is still growing up and it will be global subject in the future.
F.A: Of course, available software projects are completely different if we compared them in previous software, because the software has become to help organisations to achieve their goals, and if those organisations have changed their strategies for sure the software will change to be adapted with new strategies. Also risk management has come to aid the teamwork of software projects for solving all problems which might software has.
I.A: I see risk management taking more active parts not only in stages of the software project but also in subsets thereof because there will be more detailed risk management approaches in the future.
H.A: Reliable and professional software will make life much easier, and even more so if it is connected to the database to extract the data (minimize the time and take the same actions quicker).
H.Z: I think people are beginning now to learn risk management for software projects, and it is going to be an important part of our education how you manage risk. I would like to say two things: first, we should develop the right system rather than just develop the system right, and second, test early and test often; we should keep testing after delivering the system.
K.A: There will be more developed automated risk management systems based on artificial intelligence and these will make future software projects better managed in terms of the risk aspect.
M.A: Risk management will be part of the overall information security governance of every project.
N.A: A software project without software project risk management is asking for major trouble to happen. The latter supports the optimum operation of the project and without it, threats and vulnerabilities will have a field day. In the future, there will be better automated risk management applications that can simply integrate with software project management systems, thus making the risk management methodology more effective and efficient.
S.H: Risk management will further be improved and will eventually help improve future software development projects.
Hi Writers,
Please download the instructions also, when you write the assignments can you separate the Employee Monitoring Discussion and Employee Monitoring Off-hours for me please.
Please download the instruction.
Employee Monitoring Discussion
Based on your reading of the article, "Managing Risk From Within: Monitoring Employees the Right Way," discuss employee monitoring. What are some practical guidelines organizations should follow when monitoring employee behavior? Explain why companies need to monitor, and how they should monitor. Identify any laws that might have an effect on employee monitoring. Do employees really have any rights to privacy in the workplace?
References
Latto, A. (2007). Managing risk from within: Monitoring employees the right way. Risk Management, 54(4), 30-34. Retrieved from http://search.proquest.com/docview/226993948?accountid=27965
Employee Monitoring Off-hours
Based on your reading of the article, "Mitigating the Risks of Messaging," discuss employee monitoring outside of the workplace. Can organizations really monitor employees' activity on their own time? Can an organization dictate a code of conduct off-hours? Are there any guidelines that organizations must follow when monitoring employees' activity off-hours?
References
Grey, M. (2006). Mitigating the Risks of Messaging. Information Management Journal, 40(6), 68-71.
Readings
Complete the following:
- Read Grey's 2006 article, "Mitigating the Risks of Messaging," from Information Management Journal, volume 40, issue 6, page 68. This article discusses the need for organizations to monitor instant messaging (IM) communications.
- Read Latto's 2007 article, "Managing Risk From Within: Monitoring Employees the Right Way," from Risk Management, volume 54, issue 4, page 30. This paper describes the delicate process of monitoring employee communications.
Prepare a paper in which you analyze the global financing and exchange rate topic: roles of international financial institutions (e.g. IMF, World Bank, ADB, etc).
In this paper, please describe the roles of international financial institutions, how they are used in global financing operations, and their importance in managing risks.
BUSN105: Scenario
You are an inventor who enjoys working around the home, cleaning, cooking, and doing minor home repairs and remodeling. You have little financial skills and no management skills. You have a great idea for a new kind of home appliance that meets everyday consumer needs. Your net worth is not very high so you have no idea if you'll be able to "fund" this start-up. You know that currently there are similar products that meet the consumers' needs, but those products are inherently dangerous. You know nothing about manufacturing other than that it costs lots of money to set up a plant. You are convinced that this new technology idea would be applicable in a wide range of other products.
Your spouse, knowing how much time this venture will take away from family time, has asked you for an example of what you mean to make sure your idea isn't some harebrained scheme. You mention the following as two similar ideas that were developed for one application but proved to have VERY widespread applications:
a. The "clicker" was initially invented for use with TVs, but now has widespread applications for a host of electronic applications, just like your technology could potentially do.
b. The 3-prong power cord for electrical appliances was invented for higher quality appliances. Lower quality appliances have a 2-prong cord, which is a safety issue. Better quality power cords have the 3rd "ground" wire, so now it has widespread application, just like your technology could potentially do.
Assignment
Continuing with the scenario from Unit 1, you now need to make a management decision about how to fund your business. You have several options. You can borrow money, sell stock, or license the technology. Choose the type of funding which you prefer. Then, write a 2-3 page paper that reflects your decision-making analysis. In this paper, be sure to include the following:
Using your own words (no quotations), write a series of short paragraphs describing the meaning, function, and importance of each of the following four terms:
Investment Banker
Stock Market
Financial Management
Risk Financing
Identify your preferred source of funds.
Describe your decision for choosing this form of funding.
Explain the pros and cons of your decision.
Describe one other possible option for this funding decision.
Please submit your assignment of 2-3 pages in APA format.
Submitting your assignment in APA format means, at a minimum, you will need the following:
TITLE PAGE. Remember the running head: AND TITLE IN ALL CAPITALS.
ABSTRACT. A summary of your paper, not an introduction. Begin writing in third person voice.
BODY. The body of your paper begins on the page following the title page and abstract page and must be double-spaced (be careful not to triple- or quadruple-space between paragraphs). The type face should be 12-pt. Times Roman or 12-pt. Courier in regular black type. Do not use color, bold type, or italics except as required for APA level headings and references. The deliverable length of the body of your paper for this assignment is 2-3 pages. In-body academic citations to support your decisions and analysis are required. A variety of academic sources is encouraged.
REFERENCE PAGE. References that align with your in-body academic sources are listed on the final page of your paper. The references must be in APA format using appropriate spacing, hanging indentation, italics, and upper and lower case usage as appropriate for the type of resource used. Remember, the Reference Page is not a bibliography but a further listing of the abbreviated in-body citations used in the paper. Every referenced item must have a corresponding in-body citation.
General Requirements for Dissertation
Minimum of 150 pages not including graphs, charts, tables.
APA style for format and APA parenthetical documentation for references.
The dissertation should be formed including the following five chapter format:
1. Statement of hypothesis;
2. review of prior works on the subject and related subjects;
3. identification of the methodology;
4. analysis of the problem(s) or significant issue(s) involved;
5. summary findings and conclusions
Chapter 1 - An Introduction which includes a statement of the problem, an overview of the study, the significance of the study, and how and why it is important.
Required Heading:
-Introduction
Required Subheadings:
- State the Problem
- Purpose of the Study
- Importance of the Study
- Scope of the Study
- Rationale of the study
- Definition of terms
- Overview of the Study
Chapter 2 - Review of related literature. Research the writings of other authors who have explored a similar subject. All perspectives should be presented; include both positive and negative aspects. Provide a description of the sources to be used in the research.
Required Heading:
-Review of related Literature
Chapter 3 - The method. The research design should be explained, and any special tools, surveys, statistical procedures, tests, comparisons, questionnaires or interview techniques used should be described.
Required Heading:
- Methodology
Required Subheadings:
-Describe the Approach
- Identify the Data gathering method
- database of study
- comment on Validity of Data
- comment on originality and limitation of data
- summary of chapter 3
Chapter 4 - The data analysis section should analyze the findings.
Required heading - Data Analysis
Chapter 5 - Summary, discussion, and recommendations
Required heading - Summary, Conclusions & Recommendations
-------end general dissertation requirements-----
Specific dissertation requirements
I wanted the dissertation based on an article I wrote for Computerworld in 2001. The article titled "The Internet Way" is a methodology and process in which corporate information systems management can use internet based technologies for all (or most) of their system needs. In specific, the internet way is a technology development strategy that can aid companies in their internal systems development while creating assets that can be leveraged externally (on the public internet). Below, please find my initial attempt at the introduction to the dissertation. I only wish that I had the time to finish this.
The internet way: A unifying theory and methodology for corporate systems development
by
John R. Mariano
In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Management Information Systems
2003
Abstract
The internet way
by John R. Mariano
Do you want to strategically implement e-commerce software without extensive projects or ridiculous expenses? Sound impossible? This seemingly Herculean task can be reduced to a manageable and straightforward effort using a simple approach: "The Internet Way."
The Problem: As the market for e-commerce services expands, firms are struggling to Web-enable their core business systems. At the same time, they must integrate internal operations with external product offerings. E-commerce strategists must also link internal technologies and processes to suppliers and customers. There are five questions that stem from these efforts:
1. How can we minimize the scope of these projects to decrease risk and increase success?
2. How can we justify their costs?
3. How will our customers be affected?
4. How will cross-functional teams and products work together successfully?
5. How can I train my team on the new technologies?
Most technologists and business leaders realize that e-commerce will change our world. Unfortunately, the technical implementers are forced to respond to ad hoc business needs, formulating a technology strategy by default. Having a strategy is one of the most critical factors in achieving success with projects, sites and implementations, particularly on the Internet.
Method: The Internet Way will work for those who have established Web-enabled strategies, and those who have just begun to chart their course. You don't have to pay an expensive consulting firm to guide you.
The Internet Way is a commitment that every project team must make in looking for ways to leverage or use Internet-based offerings. While this may sound impossible, it can be achieved if you creatively look at all your core vendors, their applications and the commitment those vendors have to e-commerce. From there, you'll investigate new or existing technologies to see how they leverage Internet offerings or functions. The global marketplace shouldn't be forgotten. If you communicate with external clients using Internet protocols, why wouldn't you use them internally as well? The benefits are vast, but how can you do it while managing risk and your budget? There are four essential areas that will get you on your way.
Upgrade. Almost every vendor has a technology-based offering that is -- or will be -- using Internet technology. Upgrades don't have to have limited benefits; you can leverage the upgrade efforts, expenses and justification to introduce Web-based technology. For example: Hewlett-Packard Co. recently released a new operating system for its Unix platform HP-UX 11i. (Guess what the 'i' stands for?) Through this upgrade, HP-UX 11i provides an Apache Web Server, Java JPI, a Java Runtime Environment and other perks. This is the perfect time to expose your teams to Internet-based technologies. And consider them for new projects. This way, a necessary implementation can be used to your advantage.
Implement. As we improve our technology, and as business lines become more dynamic, we must unify and enhance applications. These integrated offerings can be delivered to a user through a Web browser. You can connect with external and internal data sources while bridging between various applications, unifying through the graphical user Web interface. Using external components that can be purchased, rather than developed, can improve your delivery times and decrease risk. Also, users are becoming more familiar with using the Internet, something you and your organization can use to your advantage. These benefits can decrease your time to market for technology deployments (internally and externally), minimize end-user training and unify your IT workforce through technology. As more Internet technologies are implemented within the organization, the need for specialized resources decreases, since they will all start to use HTML, Web servers, Web services and other technologies and components.
Deployment. Your internal Web applications should be exploited by using them for external processing. The long-term implications are extraordinary. For example: At Academic Management Services, an application was created for the call center that's used for outbound counseling efforts. Since the application was developed using Internet technology, some of its functions and pages are used to enhance the public Web site (www.tuitionpay.com). Eventually, this will allow a call center representative to see the same thing as a Web user is seeing by sharing a user session. Second, our call center can be distributed across geographic regions while using a specific, secure Web site. There are many other features that can be introduced -- like load balancing and redundancy -- that will allow for applications to be modified during the day without a service outage to your users.
Collaborate. Whether it's people or projects, adopting a cross-functional collaborative strategy will greatly improve communication, processes and results. As your upgrades, initiatives and deployments continue, you'll benefit not only from the spread of the technologies, but also from improved delivery times and having users who are more familiar with surfing the Internet. With all this synergy, in a planned long-term strategy, the IT staff will have more to work with and will improve their skills.
Findings: "The Internet Way" is a straightforward philosophy that will have a positive impact to the technology staff and the organization overall. Its implementation can be gradual and planned, reducing risk while introducing new technology.
{Add text on the approach over time as experienced at AMS}
{Add text on the areas of concentration, potentially move the method section in here}
Within this thesis, it will be proved and illustrated that the "Internet Way" can be applied to almost every type of system, from client/server to mainframe, and can streamline operations. And it will make the implementer a hero/heroine to their users.
Table of Contents
Chapter One - Introduction
Watch the film Girl, Interrupted and answer the following questions:
1. Determine at what level of dysfunction the main child character(s) are operating: primary, secondary or tertiary. Give reasons for your choice.
2. Identify resilience or its potential in the child, young person and/or family member.
3. Describe what developmental age and related issues this movie is illustrating.
4. Choose one or two conversations from the film that demonstrate engagement, creative strategies, family conversation, multiple systems management or follow-up.
5. Critically analyze the parts of these conversations that are related to engagement, case management, risk management and interventions.
This assignment should be a maximum 8 pg in length- APA format and 12 pt font, double-spaced.
Provide a three page, double-spaced, Times New Roman, 12 point summary of the article "Electronic Security Information Documentation" available below. The paper should include a referenced (footnotes or endnotes) analysis indicating agreement or disagreement with the author. It is important that you use references to back up some of your statements.
Electronic Information Security Documentation
Peggy Fung (1), Lam-for Kwok (1), Dennis Longley (2)
(1) Department of Computer Science, City University of Hong Kong, Kowloon, Hong Kong
(2) Information Security Research Centre, Queensland University of Technology, Brisbane, Australia
Abstract
Effective security management depends upon good risk management, which is itself based upon a reliable risk assessment, involving data collection of all the facets influencing system risk. Such data collection is often an extremely onerous task, particularly if a substantial proportion of the required information is not adequately documented. Hence comprehensive, updated information security documentation is a keystone of good information security management. Whilst the recently emerging information security management standards provide some implicit guidance on the development of documentation, there is relatively little support available for security officers attempting to develop and maintain such documentation.
Traditionally textual security documents are not necessarily the most appropriate format for describing the security of large, complex, networked systems subject to frequent updates. It has been suggested [1], [2] that a security officer's workstation, with a database and GUIs, may present a more effective form of security documentation. However, such a tool requires a well-developed model of the information system and, as discussed in this paper, a standardised means of representing security entities.
This paper proposes an information security model to facilitate the development of electronic security documentation. A proposed security entity classification scheme is first described. Such a classification scheme and the use of object identifiers to identify security entities greatly facilitate the development of a security officer's workstation. The potential of the model for risk assessment and security design is described.
A prototype model was developed in Visual Basic to test the concepts proposed, and a Java based model is currently under development at the City University of Hong Kong.
Keywords: Information Security Management, Risk Analysis, Information Security Standards, Information Security Documentation.
1 Introduction
In the past three decades there has been a sharp increase in the awareness of the potential deleterious impacts arising from inadequate information security.
Copyright © 2003, Australian Computer Society, Inc. This paper appeared at the Australasian Information Security Workshop 2003 (AISW2003), Adelaide, Australia. Conferences in Research and Practice in Information Technology, Vol. 21. C. Johnson, P. Montague and C. Steketee, Eds. Reproduction for academic, not-for profit purposes permitted provided this text is included.
Unfortunately the scale of the problem has escalated more rapidly than the commitment to combat it. Moreover, in many cases, the media emphasis on hackers and viruses has distorted the debate and tended to divert senior management awareness from the more fundamental aspects of information security.
In particular there may be a sharper focus on technical solutions to well advertised attacks than on the fundamental necessity to view information security as an organisation-wide business/management/technology issue.
Organisational security officers are charged with ensuring the security of information assets and systems. As such, they are perilously located between management and technology. They are required to ensure that the technological systems are implemented and operated in such a manner that the business risk to organisational information assets and systems is contained within acceptable boundaries. In effect they are required to assess the level of business risk from an information security viewpoint, and to recommend operational or technical changes designed to bring that risk down to some acceptable, but often unspecified, level.
The first step in such a risk assessment involves a major data collection and evaluation process. This process is often extremely time consuming, disruptive and expensive. Hence, there is a temptation to work with over-simplified models of the information system, and to request highly subjective estimates of risk-related data from I.T. staff.
Subjective risk assessments bode ill for a security officer in a highly complex, networked environment, particularly when information security failures may have significant impacts on the financial well being or the regulatory or contractual obligations of that organisation. In the aftermath of a serious information security failure, security officers may well be called upon to supply convincing, documented evidence that their risk assessment recommendations to senior management were well founded.
Hence one can easily demonstrate the importance of comprehensive, timely risk and security documentation to organisational security officers. Unfortunately, there appear to be minimal support systems available to security officers tasked with the development, maintenance and interpretation of such documentation.
Information security management standards such as the German IT Baseline Protection Manual Standard Security Safeguards [3], BS7799 [4], and ISO17799 [5] do provide an infrastructure of information security management and hence some guidance on the structure of security documentation. Nevertheless it is interesting to compare the emphasis on bookkeeping in the training of financial auditors with the average educational/training courses for security personnel. In general there is a significant lack of guidance, let alone tools, to aid the security officer in the documentation task.
In this paper, we discuss the importance and role of information security documentation. In particular it is suggested that a commonly agreed information security model, and a common method of security entity classification, would facilitate the development of software tools for the production and utilisation of such documentation.
2 Role of Information Security Documentation
2.1 Support for Risk Assessment
The information security industry has made significant advances to meet the perceived threats to organisational information security. Originally, outside the military sector, the major threat identified by the finance and banking industry was the security of electronic transactions, and security manufacturers supplied hardware cryptographic systems to this market. The advent of viruses in the late 1980s spurred a new industry in anti-viral software. Later the development of the Internet as a common communication channel for organisations expanded the hacker community and the production of firewalls to thwart them. PKI companies provided cryptographic software to the emerging E-commerce market, and many organisations now invest in various access tokens such as smart and magnetic stripe cards. The biotechnology industry is also continually gearing itself up for its promised future.
Nevertheless security officers can face a difficult task in convincing management that these vendor products represent only a part of the solution. Individual countermeasures must be embedded within a coherent information security infrastructure if the organisational operations are to be adequately protected.
The development of such an infrastructure must itself be guided by effective risk assessment projects. The importance of effective risk analysis was recognised in the early 1970s [8], and there was a strong move by some governments to facilitate the adoption of such methodologies in sensitive computing systems.
Risk analysis includes the identification of assets, threats, vulnerabilities, countermeasures and the evaluation of loss expectancy. An information security risk analysis study defines the IT environment under consideration and recommends corrective actions.
Risk analysis projects were relatively expensive, even in the mainframe computing era, because they involve the collection and evaluation of a significant volume of data including the intrinsic threats, the IT system, its physical and operating environment, the assets to be protected and the business functions dependent on those assets.
Such risk studies were either conducted by in-house staff or external consultants. In general the in-house staff often lacked extensive experience of the subjective aspects of risk evaluation, and consultants had no previous knowledge or experience of the organisational system under study. Generally the existing documentation was inadequate, in terms of its content, detail and currency, for risk assessment. Hence the initial familiarisation process was normally accompanied with a major task of data collection.
The magnitude of this initial familiarisation task escalated rapidly as systems evolved from batch processing mainframes to current complex, multi-site networked, client-server scenarios. Moreover, the batch processing mainframe environment was stable for long periods, usually between purchases of the mainframe equipment. Hence risk assessment recommendations had a long half-life, significantly reducing the average annual cost of such studies.
In the current climate the complexity and volatility of information systems is such that:
- The risk assessors must, at the outset, have significant knowledge of the organisational system, its environment and the business functions that it supports.
- The system documentation must be sufficiently versatile, comprehensive and timely to reduce the data collection task to achievable levels.
- The cost of risk assessment updates must be minimised.
There appear to be two conclusions from the above:
- IT systems must be fully documented, from a security viewpoint, and such documentation must be regularly updated.
- The abovementioned security documentation must be in a format that significantly reduces the cost and effort of risk assessment exercises.
2.2 Due Diligence
The evolution of IT systems, described above, clearly escalated the magnitude and complexity of the organisational security officer's task. This development in IT systems was moreover accompanied by increasing integration of the IT systems into the organisational business functions, to the extent that the health of the business functions was inextricably linked to that of the supporting computing systems. Computing downtimes, causing merely minor irritation in the erstwhile mainframe era, would be life threatening to most modern corporations.
Hence the security officer is not only faced with a major task of risk assessment in a complex environment; the potential penalties associated with inadequacies in the subsequent recommendations have also escalated. Unfortunately, given the probabilistic nature of risk assessment, there can never be a guarantee of incident-free operation for the IT system over a long period of time.
In a post security incident environment the security officer must demonstrate that the security systems implemented were reasonably compatible with the true level and nature of the system risk. Moreover, current I.T. system failures may have serious consequences for the financial well being of the organisation, and for its compliance with regulatory and contractual obligations. In the current climate management may well be formally required to demonstrate due diligence in the protection of information assets and systems.
Macro risk assessments, based upon apocryphal, subjective assessments, are likely to be unconvincing in the witness stand. Today's security officers would be well advised to equip themselves with comprehensive security documentation, and associated risk assessment strategies, as evidence that they had acted with a high level of professional competence.
2.3 Security Documentation Requirements
It is much easier to make a case for the development of comprehensive security documentation than to actually produce the documentation itself. In many cases the advice takes the form "I would not start from here".
The information security management standards do
provide an infrastructure for information security
management, which at least suggests a structure for the
documentation. A recent paper by the authors [6]
suggested the type of current organisational
documentation and data that should be collected and
packaged to form an initial set of information security
documentation.
In this paper the necessary facets of security
documentation are described and some insight into recent
work on an Information Security Model is discussed.
At the outset the question arises: what is being described by the security documentation? Most system documentation is designed to assist operators and developers in the performance of their tasks. Security documentation is not, however, aimed at normal system operation, but rather at the circumstances in which the system fails, in some sense. Hence security documentation should provide a detailed description of an agreed security model for the system. In other words, an organisation's security documentation should contain the local parameters of a generally accepted information security model.
The proposed model need not be described in
conventional textual format. Given the complexity,
magnitude and volatility of modern information systems,
some form of database representation is more appropriate.
Moreover such a database should be supported with
software tools and GUIs to facilitate the development,
updating, investigation, risk analysis and security
reporting.
If a common model were employed by organisations then
third-party vendors would be encouraged to develop support
software. Moreover, given a common format of security
documentation one could envisage situations in which
external security advice and expertise were readily
absorbed by an organisation. Hence it is possible to
envisage a system in which CERT Advisories are
automatically downloaded and added to the security
database. The security software could then generate a
report on the implications of the reported attack for the
organisation.
3 A Proposed Model
3.1 Overview
The Risk Data Repository [1], [2] is a risk analysis model,
developed some years ago, which aimed to integrate all
available organisational data related to security. The
model had the ability to evolve over time as it
incorporated newly acquired data. The RDR described
entities in terms of their roles from a security viewpoint,
and demonstrated the inter-relationships of security data.
The RDR essentially comprised three domains:
Environment, Platforms and Assets. The environment
domain included elements that effectively hosted or
supported the operation of the information processing
system: equipment, building, staff. The platform domain
was the logical description of the information processing
system and its defences. The assets domain described the
data and processes, to be protected, because misuse of
these assets would have a deleterious effect on the
organisational business operations.
The RDR comprised a database and graphical facilities to
trace the inter-relationship of security entities. Hence it
was possible to trace the effect of a threat of fire in a
building to the potential business impact. Experience with
the RDR demonstrated three significant aspects of such
security modelling:
the difficulty of describing the wide range of security
entities concerned with risk assessment and security
modelling;
problems of importing data from other RDRs; and
problems arising from the hard coding of security
expertise in the model.
It was clear that a major problem in the development of
such an organisational risk database lay with the
classification of the various entities. There appears to be
no common directory to describe such items as: Threats,
Computing Hardware, Buildings, Services, Users,
Information Assets, Access Control Policies, etc.
In the development of an Information Security Model, to
replace the RDR, the concept of Environment, Platform
and Assets was extended to five categories:
Systems: includes hardware, software, platforms,
networks, applications, users and information assets.
Environment: includes locations (sites, buildings,
floors and rooms) and services (power, cabling, air
conditioning, water and communications).
Security: includes threats, countermeasures, Threat
Trees and Threat Countermeasure Diagrams.
Procedure: includes external procedures, such as
government legislation and international standards,
and internal procedures: organization policies,
guidelines etc.
Relationships: security depends critically upon the context of entities, and this context is described by relationships. For example, hardware is located in a building, networks are connected to other networks, and a security policy complies with a Standard's recommendation. Relationships among the various entities are defined here.
Each of the above classes has a number of subclasses and
the whole set of entities can be described as a directory
tree. Borrowing the concepts of X.500[7] the various
subclasses and subsequent entities can be classified with
object identifiers, representing the set of nodes traversed
from the root to that entity (See Fig 1).
The proposed classification system has a number of
immediate advantages, from a risk assessment and
security documentation viewpoint. Firstly each entity is
uniquely and succinctly identified by its object identifier,
indicating its position in the directory tree.
Secondly the classification provides a top down model
with the major entities specified at an early stage of
development. For example, a building, floor and room are
each subclasses of the parent - site. It is well recognised in
risk assessment that the preliminary investigation involves
consideration of the major entities, followed by a
subsequent refinement into more detailed areas, as the
analysis identifies the risk priorities. Risk assessment
models that require full system details to be entered at the
outset hit major data collection problems.
The top down approach is also facilitated by the
Platforms entities under Systems entities. Platforms are
large IT systems comprising all the other Systems entities,
Hardware, Software, Networks, Users and Assets.
Defining Platforms at an early stage facilitates a large-scale organisational model, e.g. Platforms located on Sites.
A further advantage of the classification scheme is that it
facilitates the importation of data from another risk
database, assuming both databases have followed the
same classification model. Hence mergers within
branches of an organization, with consequent integration
of systems, can be readily handled, from a risk assessment
/ security documentation viewpoint.
The classification system described so far provides only
an inventory of the security entities. Security relevant
details of those entities, e.g. vulnerability to flooding for a
site, communication protocol of a network, issue date of a
security manual, are also stored in the database. Given the
diverse nature of the entities such attribute information is
stored as a
Risk assessment and security documentation are essentially concerned with the relationships between these entities, i.e. the Web Server is Located in the IT Building, and there will be a wide diversity of such linkages. Given the importance of these linkages to the role of the model, they are themselves classified as security entities, i.e. Relationships. Hence the linkages, or relationships, can be structured into classes and sub-classes, with each class and sub-class given an object identifier. A linkage between two entities can be stored as a simple tuple <Linkage OI, Incident Entity OI, Target Entity OI>; linkages involving three or more entities can be defined unambiguously in the same way.
For example, the relationship Server A is located in Building B can be represented by the tuple <5.1.1.2.1.3, 1.1.1.3.2, 2.1.3.2>, where:
5.1 Relationships between two entities
5.1.1 incident entity is a Systems entity (ID = 1)
5.1.1.2 target entity is an Environment entity (ID = 2)
5.1.1.2.1 relationship class is Environment/Locations (ID = 1)
5.1.1.2.1.3 particular Location link (ID = 3)
1.1 Systems/Hardware
1.1.1 Computing Hardware (ID = 1)
1.1.1.3 Server Class (ID = 3)
1.1.1.3.2 Server A (ID = 2)
2.1 Environment/Location
2.1.3 HQ Site (ID = 3)
2.1.3.2 Building B (ID = 2)
The model entities, attributes and relationships can provide an overview of the current systems, e.g. major platforms, the major components of such platforms: networks, computing systems, users, information assets, the sites where the platforms are located, the services they depend upon etc. The model can also be refined with an increasing level of detail, e.g. the sub-networks that form the major networks.

Fig 1. Directory Tree For Security Entities
ROOT
  Systems (1)
  Environment (2)
    Locations (1)
    Services (2)
  Security (3)
  Procedures (4)
  Relationships (5)

Fig 2. Effect Of Intrinsic Threat On Business Operation
INTRINSIC THREAT acts on ORGANISATIONAL PLATFORM, causing damage to INFORMATION ASSET, causing financial loss to BUSINESS OPERATION
The relationships can be employed to facilitate cross-references between documents. For example, the Procedures class can refer both to internal and external documentation, so chapters and paragraphs of standards and of security manuals may be given object identifiers. A Compliance relationship between paragraphs in internal security manuals and the corresponding paragraphs in BS 7799 [4] would facilitate internal audits.
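The following is an added example, not code from the paper or from the authors' prototype, of how the object identifier scheme of this section can be held in a database and checked. It follows the worked example above (Server A located in Building B, OIs 1.1.1.3.2 and 2.1.3.2, link 5.1.1.2.1.3) and adds one assumption for illustration: a Procedures subtree with a Compliance link class 5.1.4.4.1.1, used for the BS 7799 cross-reference just described. The practical point it shows is that because a two-entity link OI encodes the top-level class of its incident and target entities (5.1.<incident class>.<target class>.<link class>.<id>), a relationship tuple can be validated against the entities it names before it is stored, and a whole class of links (every Location link, whatever its ID) can be queried by OI prefix.

```python
"""Directory of security entities classified by X.500-style object
identifiers (OIs), with each relationship stored as the tuple
<Link OI, Incident Entity OI, Target Entity OI>.

Added illustration of the Section 3.1 scheme; not the authors' prototype.
The numbering follows the paper's worked example (Server A located in
Building B).  The Procedures subtree and the Compliance link class
5.1.4.4.1.1 are assumptions made here to show the BS 7799 cross-reference.
"""
from typing import Dict, List, Tuple

Rel = Tuple[str, str, str]   # <Link OI, Incident Entity OI, Target Entity OI>


class Directory:
    def __init__(self) -> None:
        self.names: Dict[str, str] = {}   # OI -> entity or link-class name
        self.rels: List[Rel] = []

    def add(self, parent: str, ident: int, name: str) -> str:
        """Register `name` as child number `ident` of `parent`; the OI is
        the sequence of IDs traversed from the root to the entity."""
        if parent and parent not in self.names:
            raise KeyError(f"unknown parent OI {parent}")
        oi = f"{parent}.{ident}" if parent else str(ident)
        if oi in self.names:
            raise ValueError(f"OI {oi} is already assigned to {self.names[oi]}")
        self.names[oi] = name
        return oi

    def relate(self, link: str, incident: str, target: str) -> Rel:
        """Store a two-entity relationship.  A two-entity link OI has the
        shape 5.1.<incident class>.<target class>.<link class>.<id>, so the
        classes it claims are checked against the entities' own OIs."""
        parts = link.split(".")
        if parts[:2] != ["5", "1"] or len(parts) != 6:
            raise ValueError(f"{link} is not a two-entity relationship OI")
        for oi, expected in ((incident, parts[2]), (target, parts[3])):
            if oi not in self.names:
                raise KeyError(f"unknown entity OI {oi}")
            if oi.split(".")[0] != expected:
                raise ValueError(f"{oi} is not a class {expected} entity as {link} requires")
        rel = (link, incident, target)
        self.rels.append(rel)
        return rel

    def describe(self, rel: Rel) -> str:
        """Render a tuple as a sentence, e.g. 'Server A is located in Building B'."""
        link, incident, target = rel
        return f"{self.names[incident]} {self.names[link]} {self.names[target]}"

    def links_from(self, entity: str, link_class: str) -> List[str]:
        """Target OIs reachable from `entity` over any link whose OI lies
        under `link_class`, e.g. every Location link regardless of its ID."""
        return [t for link, i, t in self.rels
                if i == entity and link.startswith(link_class + ".")]


def build_example() -> Directory:
    d = Directory()
    for ident, name in enumerate(["Systems", "Environment", "Security",
                                  "Procedures", "Relationships"], start=1):
        d.add("", ident, name)                    # top level of Fig 1
    for parent, ident, name in [
        ("1", 1, "Hardware"), ("1.1", 1, "Computing Hardware"),
        ("1.1.1", 3, "Server Class"), ("1.1.1.3", 2, "Server A"),
        ("2", 1, "Location"), ("2.1", 3, "HQ Site"), ("2.1.3", 2, "Building B"),
        # Procedures subtree: assumed numbering for the compliance example
        ("4", 1, "Internal"), ("4.1", 1, "Security Manual"),
        ("4.1.1", 7, "Security Manual para on access control"),
        ("4", 2, "External"), ("4.2", 1, "BS 7799"),
        ("4.2.1", 9, "BS 7799 para on access control"),
        # Relationship classes: 5.1.<incident class>.<target class>.<class>.<id>
        ("5", 1, "two-entity relationships"),
        ("5.1", 1, "incident is a Systems entity"),
        ("5.1.1", 2, "target is an Environment entity"),
        ("5.1.1.2", 1, "Locations"), ("5.1.1.2.1", 3, "is located in"),
        ("5.1", 4, "incident is a Procedures entity"),
        ("5.1.4", 4, "target is a Procedures entity"),
        ("5.1.4.4", 1, "Compliance"), ("5.1.4.4.1", 1, "complies with"),
    ]:
        d.add(parent, ident, name)
    d.relate("5.1.1.2.1.3", "1.1.1.3.2", "2.1.3.2")   # the paper's example
    d.relate("5.1.4.4.1.1", "4.1.1.7", "4.2.1.9")     # audit cross-reference
    return d


if __name__ == "__main__":
    d = build_example()
    for rel in d.rels:
        print(rel, "=", d.describe(rel))
    try:   # a Location link whose incident entity is not a Systems entity
        d.relate("5.1.1.2.1.3", "4.1.1.7", "2.1.3.2")
    except ValueError as err:
        print("rejected:", err)
```

The rejection at the end is the check a practitioner would want when importing relationship tuples from another branch's database: a tuple whose link OI claims a Systems incident entity but names a Procedures entity is malformed and should not be merged, even though both OIs exist.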
3.2 Threat Trees
Risk Assessment is concerned with the ultimate effect of
intrinsic threats, e.g. fire, loss of external services,
international network failures, on business operations
(See Fig 2). An important role of the security
documentation, and hence the proposed model is to
facilitate the tracing of such threat scenarios.
From the work on the model conducted so far, it would
appear that the classification scheme, and in particular the
classification of relationships, significantly facilitates
such threat tracing.
The threat transmission illustrated in Fig 2 is in effect a
series of statements along the following lines:
Incident Threat acting on Incident Entity causes Target
Threat to act upon Target Entity (Fig 3). For example:
Fire acting upon Building causing Physical Damage
to Equipment (located in Building).
Threats are security entities in the model, classified within the Security class. The concept of a Threat acting upon an Entity is embodied in a Threat_Entity relationship, i.e. the tuple
The Risk Assessment diagram (Fig 2) may hence be represented as a Threat Tree (Fig 4), where each node represents a Threat_Entity relationship caused by the parent Threat_Entity relationship. The Threat Tree recognises that a Threat_Entity may spread to many target entities. It should also be stated at this stage that Threat_Entity transmission need not be restricted to a tree, since a Threat_Entity node can have more than one parent. The model can deal with these situations, but for simplicity they are not discussed here.
The concept of threat trees is well known, but a major
problem with such trees lies in the effort required for their
development. One of the more interesting facets, of the
proposed model, is that it opens up the possibility of an
automatic construction of threat trees. Consider first
manual development of threat trees in the context of the
model.
The starting point is the root node, i.e. interest is focused
upon the effect of a particular threat acting upon a
particular entity, or more simply upon a particular
Threat_Entity.
At this stage some security expertise is required to predict the effect of this Threat_Entity on other entities in the organisational database. For example, a security officer would predict that a fire in a room would damage equipment in that room. In effect a Relationship between Threat_Entities, which are themselves Relationships, is developed. This Relationship between Threat_Entities is termed a TETE in the model. Hence a TETE links an incident Threat_Entity to a target Threat_Entity and is stored as the tuple <TETE_1_OI, TE_1_OI, TE_2_OI>.
Given a database of all possible Threat_Entities and TETEs, developed by a security officer, threat trees could then be produced automatically for any root Threat_Entity as described below:
1. Starting with the root Threat_Entity, TE_1_OI, check all TETE entries whose incident Threat_Entity is TE_1_OI.
2. Extract TE_c_OI from each such TETE_a_OI; this is a child node in the threat tree.
3. Repeat 1 and 2 until no more TETEs are found.
4. Repeat 1 to 3 for each child node in the threat tree.
Fig 3. A Threat Entity Causes A Resultant Threat Entity
INCIDENT THREAT ACTING ON INCIDENT ENTITY causes TARGET THREAT ACTING ON TARGET ENTITY
This procedure does provide for the automatic development of threat trees, but at the massive cost of the manual development of possibly billions of TETEs. Some results from the model suggest, however, that multiple TETEs describing, for example, fires in every room in the organisation and the equipment stored in each individual room can be replaced by a single TETE using object identifiers with wild cards.
As a simple example of this approach, consider the observation that a fire in a building with OI 2.1.1.1 could affect all floors of that building, and such floors can be represented by the wild-card OI 2.1.1.1.*. Hence we can replace the individual TETEs representing the spread to each individual floor with a single TETE along the lines of <TETE_a_OI, TE_b_OI, TE_c_OI>, where
TE_b_OI is <TE_b_OI, Threat_Fire_OI, 2.1.1.1>
TE_c_OI is <TE_c_OI, Threat_Fire_OI, 2.1.1.1.*>.
Using a comprehensive wild-card approach, security expertise can be embodied in a minimal number of TETEs, which can then be used to develop threat trees automatically.
The work conducted so far has found this approach to be quite versatile; to mention a few of the findings:
TETEs can be defined to incorporate the concept of a required linking between incident and target entities. For example, for a fire in a room to spread to equipment, that equipment must be Located in the room. This type of condition can be included as an attribute of the TETE.
The transfer of a Threat is not deterministic, so some estimate of the probability of the threat transfer must be included as an attribute of the TETE.
If wild-card TETEs are defined, the probability of a particular threat transfer can be made dependent upon some attribute of the target entity.
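As an added example (not the authors' Visual Basic prototype or any code from the paper), the following implements the four-step procedure above together with the three findings just listed: wild-card TETEs, a required link between incident and target entity, and a transfer probability carried as a TETE attribute. It goes beyond the paper's single building example in two assumed ways: any OI component of a TETE pattern may be the wild card "*", and a target pattern beginning with "@" is taken relative to the matched incident entity, so one rule covers fire spreading from any building to its floors. The "must be Located in" condition is generalised to a named link class (located_in, held_on, depends_on) that the target must hold with the incident entity; the entities, threats, links and probabilities are constructed for the example, and path probabilities are multiplied as if the transfers were independent. The chain it traces is the one in Fig 2: intrinsic threat, platform, information asset, business operation.

```python
"""Automatic threat-tree construction from Threat_Entities (TEs) and TETEs,
following the four-step procedure of Section 3.2.  Added illustration, not
the authors' prototype.  Assumptions beyond the paper: "*" wild cards in
TETE patterns; "@" target patterns relative to the matched incident entity;
a named link class in place of the Located-in condition; independent
transfer probabilities.  All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

TE = Tuple[str, str]            # (Threat OI, Entity OI)


@dataclass(frozen=True)
class TETE:
    incident: TE                # pattern matched against the incident TE
    target: TE                  # resulting threat OI, target entity pattern
    probability: float          # estimated probability of the transfer
    link: Optional[str] = None  # link class target must hold with incident


@dataclass
class Node:
    te: TE
    probability: float          # probability of reaching this TE from root
    children: List["Node"] = field(default_factory=list)


def match(pattern: str, oi: str) -> bool:
    """Component-wise OI match; "*" stands for exactly one component."""
    p, o = pattern.split("."), oi.split(".")
    return len(p) == len(o) and all(a in ("*", b) for a, b in zip(p, o))


class SecurityDatabase:
    def __init__(self, entities: Dict[str, str],
                 links: Dict[str, Set[Tuple[str, str]]], tetes: List[TETE]):
        self.entities = entities    # Entity OI -> name
        self.links = links          # link class -> {(subject OI, object OI)}
        self.tetes = tetes

    def targets(self, rule: TETE, incident_entity: str) -> List[str]:
        """Entities matching the rule's target pattern for this incident."""
        pattern = rule.target[1]
        if pattern.startswith("@"):
            pattern = incident_entity + pattern[1:]
        return [oi for oi in self.entities if match(pattern, oi)
                and (rule.link is None
                     or (oi, incident_entity) in self.links[rule.link])]

    def threat_tree(self, root: TE, probability: float = 1.0,
                    path: Tuple[TE, ...] = ()) -> Node:
        """Steps 1-4: take every TETE whose incident pattern matches the root
        TE, make each matching target entity a child node, then repeat for
        each child.  A TE already on the current path is not expanded again,
        since transmission need not be a tree."""
        node = Node(root, probability)
        for rule in self.tetes:
            if not (match(rule.incident[0], root[0])
                    and match(rule.incident[1], root[1])):
                continue
            for entity in self.targets(rule, root[1]):
                child: TE = (rule.target[0], entity)
                if child == root or child in path:
                    continue
                node.children.append(self.threat_tree(
                    child, probability * rule.probability, path + (root,)))
        return node


def paths(node: Node, prefix: Tuple[TE, ...] = ()) -> List[Tuple[Tuple[TE, ...], float]]:
    """Every path from the root to a node, with its cumulative probability."""
    here = prefix + (node.te,)
    out = [(here, node.probability)]
    for child in node.children:
        out.extend(paths(child, here))
    return out


def riskiest_path(node: Node, threat_oi: str) -> Optional[Tuple[Tuple[TE, ...], float]]:
    """Most probable path ending in the given threat: the path a
    countermeasure should interrupt first (Section 3.3)."""
    ending = [(p, pr) for p, pr in paths(node) if p[-1][0] == threat_oi]
    return max(ending, key=lambda x: x[1]) if ending else None


THREATS = {"3.1.1": "Fire", "3.1.2": "Physical damage",
           "3.1.3": "Loss of availability", "3.1.4": "Financial loss"}


def build_example() -> SecurityDatabase:
    entities = {   # Environment (2.x) and Systems (1.x) entities
        "2.1.1.1": "HQ building", "2.1.1.1.1": "Ground floor",
        "2.1.1.1.2": "First floor", "2.1.1.1.1.1": "Server room",
        "2.1.1.1.2.1": "Office 201", "1.1.1.3.1": "Web server",
        "1.1.1.3.2": "Payroll server", "1.6.1": "Customer orders",
        "1.6.2": "Payroll data", "1.7.1": "Online sales"}
    links = {      # (subject, object) pairs per link class
        "located_in": {("1.1.1.3.1", "2.1.1.1.1.1"), ("1.1.1.3.2", "2.1.1.1.1.1")},
        "held_on": {("1.6.1", "1.1.1.3.1"), ("1.6.2", "1.1.1.3.2")},
        "depends_on": {("1.7.1", "1.6.1")}}
    tetes = [      # one wild-card TETE per kind of transfer, not one per room
        TETE(("3.1.1", "2.*.*.*"), ("3.1.1", "@.*"), 0.6),       # building -> floors
        TETE(("3.1.1", "2.*.*.*.*"), ("3.1.1", "@.*"), 0.5),     # floor -> rooms
        TETE(("3.1.1", "2.*.*.*.*.*"), ("3.1.2", "1.1.1.*.*"), 0.9, "located_in"),
        TETE(("3.1.2", "1.1.1.*.*"), ("3.1.3", "1.6.*"), 1.0, "held_on"),
        TETE(("3.1.3", "1.6.*"), ("3.1.4", "1.7.*"), 0.8, "depends_on")]
    return SecurityDatabase(entities, links, tetes)


if __name__ == "__main__":
    db = build_example()
    tree = db.threat_tree(("3.1.1", "2.1.1.1"))       # root: fire in HQ building
    for path, prob in paths(tree):
        print(f"{prob:.3f}  " + " -> ".join(
            f"{THREATS[t]}/{db.entities[e]}" for t, e in path))
    print("priority path:", riskiest_path(tree, "3.1.4"))
```

With five TETEs the tree expands to ten Threat_Entity nodes, and the fire in the server room reaches Online sales with probability 0.216 while the fire on the first floor stops at Office 201, which holds no equipment. The same five rules would serve any number of buildings, floors and servers recorded in the database, which is the reduction in manual TETE development the text describes; the `riskiest_path` result is the path Section 3.3 treats as the priority for countermeasure placement.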
TETEs effectively represent security expertise, and are
therefore developed by the security officer. Suppose
however a large organisation has adopted this model for
its various branches, each with its own security database.
Given the common means of classification it is clear that
TETEs representing common security knowledge can be
developed by head office (say) and imported into branch
databases.
3.3 Security Design
Security documentation should also play a role in the
design of security systems, following the identification of
significant areas of risk.
The threat trees provide an insight into the path from an
intrinsic threat to an undesirable business impact. Having
identified such a path, as a priority security task to be
addressed, the role of the security design is to reduce the
probability associated with this path. Consider the threat tree illustrated in Fig 4: additional security may be required to reduce the probability of the threat transfer Threat/Entity 1 to Threat/Entity 1.2 and/or Threat/Entity 1.2 to Threat/Entity 1.2.1.
The security measures, physical or procedural, to be
deployed clearly depend upon the nature of the TETE
linking the nodes of the tree. In effect, the role of the
countermeasure is to reduce the attribute of the TETE
describing the probability of the threat transfer.
The threat trees can thus play an important role in security
design, inasmuch as they help to define the type and
placement of the countermeasures.
The RDR included the concept of Threat Countermeasure
Diagrams (TCD) to describe that aspect of security design
concerned with the effectiveness of countermeasures, and
such diagrams have been incorporated into this model.
The TCD is based upon the concept that countermeasures
are themselves subject to threats that can either result in
the countermeasure being bypassed or rendered
ineffective. Threats to countermeasures are countered by
additional countermeasures. For example, it is well
known that firewalls are vulnerable to illicit
reconfiguration, and must be protected by effective access
control. Threat Countermeasure Diagrams are trees of
countermeasures designed to ensure the security
effectiveness of the root countermeasure.
TCDs like TETEs represent security expertise, since they
demonstrate the effective deployment of countermeasures.
Hence given acceptance of the classification scheme they
can be imported into databases. Interestingly the use of
object identifier wild cards seems to allow a TCD to be
customized to its environment. Hence it would appear to
be possible for a generic imported TCD to take account of
local conditions.
4 Conclusion
The information security environment has undergone
radical changes over the last decade. Organisations are
now highly dependent upon the effective operation of
their information systems, and these systems have become
complex and highly vulnerable to external influences.
Hence effective information security risk management is now a vital component of an organisation's viability. Such risk management has also been impacted by the escalation of system complexity, coupled with the increasing vulnerability and strategic importance of the information systems. Effective risk management in turn relies upon reliable and timely risk assessments.
The cost of risk assessment exercises increases sharply with system complexity, and a major component of such costs lies in the collection of the wide range of security-relevant data. Moreover, security officers must now provide convincing evidence of the actions taken by the organisation to identify and address the threats to their information systems.

Fig 4. Threat Tree
THREAT/ENTITY 1
  THREAT/ENTITY 1.1
  THREAT/ENTITY 1.2
    THREAT/ENTITY 1.2.1
This paper has emphasized the importance of effective
security documentation in the above scenario. It has also
noted the lack of tools and support to assist security
officers in the development of such documentation.
The paper suggests that conventional textual documentation may be replaced by an electronic database and supporting software. Such a database, and the associated software tools, must be developed around a common information security model, and this paper describes such an approach.
It has been demonstrated that a standardised classification
of security entities, using object identifiers, facilitates the
development and implementation of such a model. The
work conducted so far has indicated how the model may
be deployed in risk assessment and security design.
Moreover the model provides an opportunity for the
importation of security expertise from vendors, advisory
bodies, etc.
A prototype model based upon Visual Basic has been
developed to test the concepts and a more comprehensive
Java based software package is currently under
development at the City University of Hong Kong.
5 References
[1] Kwok, L.F. (1997): A hypertext information security model for organizations, Information Management and Computer Security, Vol. 5, No. 4, pp. 138-148.
[2] Anderson, A.M., Longley, D. and Kwok, L.F. (1994): Security modeling for organizations, Proc. 2nd ACM Conf. on Computer and Communications Security, Fairfax VA, pp. 241-250.
[3] IT Baseline Protection Manual, Standard Security Safeguards, URL: http://www.bsi.bund.de/english/index.htm
[4] British Standards Institute (1999): BS 7799:1999 Information security management, Part 1: Code of practice for information security management; Part 2: Specification for information security management systems.
[5] ISO/IEC 17799 (April 2001): Code of practice for information security management, URL: http://www.bsi-global.com
[6] Kwok, L.F., Fung, P.K. and Longley, D. (2001): Security documentation, Information Security Management & Small Systems Security, IFIP TC11.1/WG11.2, 18th Annual Working Conf. on Information Security Management & Small Systems Security, Las Vegas, USA, pp. 127-140.
[7] The Directory, CCITT Rec. X.500-X.521, ISO/IEC Standard 9594:1993.
[8] Federal Information Processing Standards Publication 31 (June 1974): Guidelines for Automatic Data Processing Physical Security and Risk Management, Springfield: National Technical Information Service.