A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Not all risks can be anticipated and measured, but most businesses will be able to acquire some understanding of the risks they face. Business managers working with information systems specialists should try to determine the value of information assets, points of vulnerability, the likely frequency of a problem, and the potential for damage. For example, if an event is likely to occur no more than once a year, with a maximum of a $1,000 loss to the organization, it would not be wise to spend $20,000 on the design and maintenance of a control to protect against that event. However, if that same event could occur at least once a day, with a potential loss of more than $300,000 a year, $100,000 spent on a control might be entirely appropriate.
Table 8-4 illustrates sample results of a risk assessment for an online order processing system that processes 30,000 orders per day. The likelihood of each exposure occurring over a one-year period is expressed as a percentage. The next column shows the highest and lowest possible loss that could be expected each time the exposure occurred and an average loss calculated by adding the highest and lowest figures together and dividing by two. The expected annual loss for each exposure can be determined by multiplying the average loss by its probability of occurrence.
This risk assessment shows that the probability of a power failure occurring in a one-year period is 30 percent. Loss of order transactions while power is down could range from $5,000 to $200,000 (averaging $102,500) for each occurrence, depending on how long processing is halted. The probability of embezzlement occurring over a yearly period is about 5 percent, with potential losses ranging from $1,000 to $50,000 (and averaging $25,500) for each occurrence. User errors have a 98 percent chance of occurring over a yearly period, with losses ranging from $200 to $40,000 (and averaging $20,100) for each occurrence.
Once the risks have been assessed, system builders will concentrate on the control points with the greatest vulnerability and potential for loss. In this case, controls should focus on ways to minimize the risk of power failures and user errors because anticipated annual losses are highest for these areas.
TABLE 8-4  ONLINE ORDER PROCESSING RISK ASSESSMENT

EXPOSURE        PROBABILITY OF OCCURRENCE (%)   LOSS RANGE/AVERAGE ($)        EXPECTED ANNUAL LOSS ($)
Power failure   30%                             $5,000–$200,000 ($102,500)    $30,750
Embezzlement    5%                              $1,000–$50,000 ($25,500)      $1,275
User error      98%                             $200–$40,000 ($20,100)        $19,698
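The arithmetic the text describes, as an added example that is not from the book: a small Python model that recomputes the average and expected annual losses in Table 8-4, ranks the exposures by expected annual loss, and applies the text's control-cost-versus-expected-loss test. The control costs passed to the check and the loss_reduction parameter are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    name: str
    probability: float   # annual probability of occurrence, 0.0 to 1.0
    low_loss: float      # lowest loss per occurrence ($)
    high_loss: float     # highest loss per occurrence ($)

    @property
    def average_loss(self) -> float:
        # Average loss per occurrence as the text defines it: (highest + lowest) / 2
        return (self.high_loss + self.low_loss) / 2

    @property
    def expected_annual_loss(self) -> float:
        # Expected annual loss = average loss per occurrence x annual probability
        return self.average_loss * self.probability


# Figures taken from Table 8-4 (online order processing system)
TABLE_8_4 = [
    Exposure("Power failure", 0.30, 5_000, 200_000),
    Exposure("Embezzlement", 0.05, 1_000, 50_000),
    Exposure("User error", 0.98, 200, 40_000),
]


def rank_exposures(exposures):
    """Return the exposures ordered by expected annual loss, highest first,
    which is the order in which the text says control effort should be spent."""
    return sorted(exposures, key=lambda e: e.expected_annual_loss, reverse=True)


def control_is_justified(exposure, annual_control_cost, loss_reduction=1.0):
    """Apply the text's rule of thumb: a control is worth its annual cost only
    if the expected annual loss it averts exceeds that cost. loss_reduction is
    the assumed fraction of the loss the control eliminates (1.0 = all of it)."""
    averted = exposure.expected_annual_loss * loss_reduction
    return averted > annual_control_cost


if __name__ == "__main__":
    for e in rank_exposures(TABLE_8_4):
        print(f"{e.name:<14} avg ${e.average_loss:>10,.0f}  "
              f"expected annual loss ${e.expected_annual_loss:>9,.0f}")
    # Assumed control cost of $25,000/year against power failure
    print("Power-failure control justified:",
          control_is_justified(TABLE_8_4[0], 25_000))
```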
Part Two
Information Technology Infrastructure
SECURITY POLICY
Once you’ve identified the main risks to your systems, your company will need to develop a security policy for protecting the company’s assets. A