When we’re managing large project engagements for our organizations and/or our customers, it’s critical that we spend the proper amount of up-front project planning time assessing the risks that could derail our project. These risks, if realized, can cost our project thousands of dollars and weeks of time, and possibly doom the project altogether. And with it, our careers – if the project is critical enough.

What is a risk?

A risk is the loss potential that exists as a result of threat and vulnerability pairs. A threat is "any force or phenomenon that could degrade the availability, integrity or confidentiality of an Information Systems resource, system or network." Another definition is "any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of use." Below is a list of potential threat areas that need to be fully assessed at the beginning of any IT undertaking.

For each threat, an individual needs to estimate the loss if the threat were to occur. Therefore, an individual needs to know:

- the replacement cost

- the cost to recreate the intellectual property

- the value of an hour of computing time

- other considerations (embarrassment, loss of confidence, …)

Here is one way to classify the type of risk to the resource that a particular threat poses. The classifications are availability, confidentiality and integrity.

- Availability - This is broadly defined as having the resource in a given place, at the given time, and in the form needed by the user.

- Confidentiality - Some define this as "The concept of holding sensitive data in confidence, limited to an appropriate set of individuals or organizations."

- Integrity - One can define this as "The ability of an AIS (automated information system) to perform its intended function in a sound, unimpaired manner."

Some of these threats - though not necessarily all - are listed below. Naturally, you must consider your own situation or project engagement. Some threats will not matter and may be dropped from consideration and there may be unique considerations with your specific site or project that warrant their inclusion or omission.
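The loss-estimation steps and the availability/confidentiality/integrity classification above, carried through as a small risk register. This is an added example, not code from the original article; every figure in it is a constructed sample value, and the rule that a pair with intangible "other considerations" is never dropped by the cost threshold is this example's assumption.

```python
"""Risk register built on the article's method (added example, not the article's code).
Each entry pairs a threat with a vulnerable asset, records which of A/C/I it affects,
and estimates loss from the four components the article lists."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str                 # asset category (Facilities, Equipment, Software, ...)
    threat: str                # the threat paired with that asset
    affects: set               # subset of {"A", "C", "I"}
    replacement_cost: float    # cost to replace the damaged resource
    recreation_cost: float     # cost to recreate lost intellectual property
    downtime_hours: float      # hours of computing time lost if the threat occurs
    hourly_value: float        # value of one hour of computing time
    other: str = ""            # intangibles (embarrassment, loss of confidence, ...)

    def estimated_loss(self) -> float:
        """Loss if the threat is realized: the article's tangible components, summed."""
        return self.replacement_cost + self.recreation_cost + self.downtime_hours * self.hourly_value


def rank_risks(register, threshold=0.0):
    """Drop pairs below the threshold ("some threats will not matter"), highest loss first.
    Assumption: a pair with intangible 'other' considerations is kept even when its
    tangible estimate is small, so the dollar filter does not hide it."""
    kept = [r for r in register if r.estimated_loss() >= threshold or r.other]
    return sorted(kept, key=lambda r: r.estimated_loss(), reverse=True)


def loss_by_classification(register):
    """Total estimated loss per classification; a risk counts toward each one it affects."""
    totals = {"A": 0.0, "C": 0.0, "I": 0.0}
    for r in register:
        for c in r.affects:
            totals[c] += r.estimated_loss()
    return totals


# Constructed sample register; amounts are illustrative, not from the article.
SAMPLE_REGISTER = [
    Risk("Facilities", "flood from fire main leak", {"A"}, 40_000, 0, 72, 500),
    Risk("Equipment", "power surge over the power lines", {"A", "I"}, 15_000, 0, 8, 500),
    Risk("Software", "restore triggered improperly", {"A", "I"}, 0, 20_000, 24, 500),
    Risk("Data and Information", "remote copy over the network", {"C"}, 0, 0, 0, 500,
         other="embarrassment, loss of customer confidence"),
    Risk("Records and files", "backup tape treated as surplus", {"A", "C"}, 200, 5_000, 4, 500),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER, threshold=1_000):
        print(f"{r.estimated_loss():>10,.0f}  {r.asset}: {r.threat} [{''.join(sorted(r.affects))}]")
    print(loss_by_classification(SAMPLE_REGISTER))
```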

Assets At Risk

Facilities

Environmental risks cover things such as floods, lightning, earthquakes, tornadoes, and so on. There should be a local meteorological office that could provide information on this, but quite likely a large insurance company will be able to supply more information than you need, since it forms part of their policy pricing information. Additionally, consider flooding from fire main leaks or fire extinguisher discharge, as well as fires, contamination, traffic coming through the front of the building or hitting power poles, and even bombs - real or merely threatened.

Equipment

Power surges can come over the power lines and damage the equipment. Fire extinguisher discharge and plumbing leaks are very bad for electronics, some equipment may be dependent upon air conditioning, and some may even "develop legs and walk away"! Additionally, care should be taken that equipment is not used for unauthorized purposes.

Software

Programs can be accidentally (or intentionally) modified or destroyed by programmers or even users. Interrupting the power to an operating system is one way in which running programs may be corrupted. The backup process often has the ability to destroy programs as well as data if improperly used, such as when the "restore" capability is triggered by mistake. There is also the risk, when installing or upgrading programs, that the new code is itself corrupted.

Records and files

How safe is the storage of the media? Could they become lost or damaged? Are they stored in a location where they may be considered "surplus" or "for general use"? If the media is lost or stolen, consider the impact of not only the missing media but the information on it.

Data and Information

This is where the risk of "crackers and hackers" manifests itself.

Information is something that can be copied or examined without the owner being any the wiser. Information on disk may be copied, read or even erased from remote locations through network connections. The media - external copies, pages of printout, even the computer itself - may be subject to damage, loss or theft.

Software programming

Negotiables and other material

This area includes problems derived from unauthorized transactions being performed on the computer such as:

- A retail location may find it has "sold" a thousand items and mailed them, only to discover the credit card number was invalid.

- Something that was sold in confidence becomes public knowledge.

- Something the customer is depending on gets "lost" in a fraudulent manner.

Another risk is that online control systems may be corrupted. Power, lights, air conditioning and more are likely to be under computer control. Many sites have their internal control records maintained online. The transfer of items from one location inside the organization to another is recorded - or even ordered - through the computer. This includes things like service orders. There is a possibility of these orders being corrupted, deleted or even falsified.

Mission

The threats to your organization are limited only by the risks the organization exposes itself to. The more an information system is used, the more vulnerable it becomes. There may be forged email, the legal record may become published in the local newspaper, competitors may find out proprietary information - the list goes on and on and can only be determined by the ones in the know: YOU.

Personnel

A brief talk with a local insurance company will reveal a multitude of risks: vital individuals may get hit by cars, an epidemic may run rampant across the secretarial pool or even the competitor may decide to pay more.