1. Percentage of dishonest employees in organizations: 0.5% (based on expert assessment in developed economies).
2. Percentage of staff having access to confidential data: highly dependent on the firm’s business structure and access rights, but high in most financial firms, where most information is sensitive and client-related.
3. Percentage of employees able to take large amounts of data out of the organization: should be near zero but can be as large as 100% in firms that have not disabled their USB ports. The monitoring of data outflow and the protection of sensitive data have been a focus for information security in firms in recent years. This in itself is the result of various layers of protection and depends on the type of information considered: a few pages of a strategic plan are much easier to remove than thousands of records of customer data.
4. Likelihood of being able to sell to criminal parties: we can assume that once a fraudster has gone to the trouble of accessing, copying and removing confidential data, it will be passed to a pre-arranged buyer. For many years, I used this example in training to illustrate fault trees and I always assumed that the likelihood of a ready-made sale would be 100%. However, events show that some information may still be stolen to order and some may be stolen opportunistically – for sale on the dark web. In 2017, an international health insurance company revealed that an employee had unlawfully removed more than 500,000 customer data records from one of the company’s IT servers. The fraudster advertised the data on the dark web as “singles and bulk data from $25,” which meant there was no agreed buyer when the crime was committed (Figure 7.3). However, the dark web provides a market and makes the information available to potential buyers. We do not know, publicly at least, whether the data in this instance has been bought and used. It seems very expensive to charge $25 for a single data record, whereas, as a matter of comparison, a credit card number is worth about 50 cents. I wouldn’t be surprised if this fraudster, a rogue employee, failed to sell the data. He did, however, create mayhem for the company, triggered regulatory consequences for the firm and faced criminal charges himself.
Assuming these four conditions remain independent, the simple product of the individual conditions is: 0.5% × 50% (let’s assume that 50% of the staff have access to confidential data) × 1% (likelihood of exiting multiple confidential records in a context of imperfect controls) × 100% = 0.0025% = 1/40,000 . . . per employee (Figure 7.4).
The risk exposure is the number of employees in the firm. If it employs over 40,000 people, the expected probability is 1, which the health insurer that found its data on the dark web may now realize. Disasters are not necessarily improbable, but they should be improbable if appropriate controls are applied. This example also illustrates the importance of risk exposure, often neglected in risk assessment, as highlighted in previous chapters.

[Figure 7.3: Dark web advertisement of stolen data (real case, 2017)]

[Figure 7.4: Likelihood estimation using fault trees. Branches: Rogue staff, P1 = 0.5% of employees (vs. Honest staff, 1 − P1); Access, P2 = 50% of employees (vs. No access, 1 − P2); Exit, P3 = 1% (vs. No exit, 1 − P3); Buyer, P4 = 100% (vs. No buyer, 1 − P4). Event: P1 × P2 × P3 × P4 = 0.0025% of employees.]
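The fault-tree product and the exposure scaling described above, carried out in code as an added example (not from the book). It uses the chapter's four leaf probabilities, keeps the arithmetic exact with fractions, and adds one hypothetical "what if" (the `with_control` function, which re-estimates the top event after one barrier is tightened, an assumption for illustration):

```python
from fractions import Fraction

# Leaf probabilities of the chapter's fault tree (Figure 7.4), treated as independent.
# These are the book's figures; Fraction keeps the arithmetic exact.
CONDITIONS = {
    "rogue_staff": Fraction(5, 1000),  # P1: 0.5% of employees are dishonest
    "access":      Fraction(1, 2),     # P2: 50% of staff can reach confidential data
    "exit":        Fraction(1, 100),   # P3: 1% can take many records out
    "buyer":       Fraction(1),        # P4: 100% find a buyer
}


def event_probability(conditions):
    """Top event of an AND gate: every condition must hold, so the independent
    leaf probabilities are multiplied. The result is per employee."""
    p = Fraction(1)
    for value in conditions.values():
        p *= value
    return p


def expected_events(p_per_employee, headcount):
    """Risk exposure: expected number of events across the whole workforce."""
    return p_per_employee * headcount


def headcount_for_one_expected_event(p_per_employee):
    """Workforce size at which the expected count of events reaches 1 (i.e. 1/p)."""
    return 1 / p_per_employee


def with_control(conditions, name, new_probability):
    """Hypothetical re-estimate after tightening one barrier, e.g. lowering the
    'exit' leaf by blocking removable media. Returns a new dict, original untouched."""
    updated = dict(conditions)
    updated[name] = Fraction(new_probability)
    return updated


if __name__ == "__main__":
    p = event_probability(CONDITIONS)
    print(f"per-employee probability: {float(p):.6%} = 1/{1 / p}")
    print(f"expected events at 40,000 staff: {float(expected_events(p, 40_000))}")
    tightened = with_control(CONDITIONS, "exit", CONDITIONS["exit"] / 10)
    print(f"with the exit leaf at 0.1%: 1/{1 / event_probability(tightened)}")
```

Because the tree is a pure AND gate, the top event scales linearly with every leaf, so halving any one barrier's failure probability halves the result; the interesting comparison is therefore which barrier the firm can actually move, not which one has the largest numerical effect.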
Fault Trees and Bayesian Models: Conditional Probability
The example of independent controls and conditions is a simplification for illustrative purposes. A common variation is to consider more realistic cases where control failures and other impact factors are partially dependent on each other. This leads to the use of conditional probability, i.e. the probability of an event occurring, conditional on something else having already occurred, or conditional on some previously unknown information coming to light. In the case of the health insurer, it would be the probability of accessing confidential data, given that the employee has malicious intentions, which is an important piece of information that changes the estimation.
Models using conditional probabilities are often called Bayesian models, or even Bayesian networks, after Reverend Thomas Bayes (1702–1761), an English statistician and philosopher who gave his name to Bayes’ theorem. The theorem provides the formula for determining conditional probability. Bayesian models in operational risk refer to measurements where likelihood assessments are updated by new expert opinions or because of new information.
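The conditional variant of the same fault tree, as an added example that is not from the book. It keeps the chapter's marginal values as the independence baseline, expands the joint probability with the chain rule so that each leaf can be conditioned on the previous ones, and applies Bayes’ theorem to update the probability of malicious intent when new information arrives. The conditional values (`P_ACCESS_GIVEN_ROGUE`, `P_EXIT_GIVEN_ROGUE_ACCESS`) and the evidence likelihoods in the `__main__` block are hypothetical and chosen only to show the mechanics:

```python
from fractions import Fraction

# The chapter's marginal estimates (independence assumption), used as the baseline.
P_ROGUE = Fraction(5, 1000)   # 0.5% of employees
P_ACCESS = Fraction(1, 2)     # 50% of staff have access
P_EXIT = Fraction(1, 100)     # 1% can take bulk data out
P_BUYER = Fraction(1)         # 100% find a buyer


def independent_estimate():
    """Figure 7.4 as printed: plain product of the four marginals."""
    return P_ROGUE * P_ACCESS * P_EXIT * P_BUYER


def chain_rule_estimate(p_rogue, p_access_given_rogue, p_exit_given_rogue_access,
                        p_buyer_given_rogue_access_exit):
    """P(rogue and access and exit and buyer) expanded with conditional
    probabilities: P(A) * P(B|A) * P(C|A,B) * P(D|A,B,C). Independence is the
    special case where each conditional equals its marginal."""
    return (p_rogue * p_access_given_rogue * p_exit_given_rogue_access
            * p_buyer_given_rogue_access_exit)


# Hypothetical conditional values (assumed for illustration, not from the book):
# a motivated insider is assumed more likely than the average employee to obtain
# access and to get bulk data out, which is exactly the dependence the text describes.
P_ACCESS_GIVEN_ROGUE = Fraction(7, 10)
P_EXIT_GIVEN_ROGUE_ACCESS = Fraction(5, 100)
P_BUYER_GIVEN_ALL = Fraction(1)


def dependent_estimate():
    """Per-employee probability with the hypothetical conditional values above."""
    return chain_rule_estimate(P_ROGUE, P_ACCESS_GIVEN_ROGUE,
                               P_EXIT_GIVEN_ROGUE_ACCESS, P_BUYER_GIVEN_ALL)


def bayes_update(prior, p_evidence_given_h, p_evidence_given_not_h):
    """Bayes' theorem: P(H|E) = P(E|H) P(H) / P(E), with
    P(E) = P(E|H) P(H) + P(E|not H) P(not H)."""
    p_evidence = p_evidence_given_h * prior + p_evidence_given_not_h * (1 - prior)
    return p_evidence_given_h * prior / p_evidence


if __name__ == "__main__":
    base, dep = independent_estimate(), dependent_estimate()
    print(f"independent: 1/{1 / base}   conditional: 1/{1 / dep}   ratio: {dep / base}")
    # Hypothetical new information about one employee: an indicator assumed to be
    # present in 80% of genuinely malicious cases and in 2% of honest ones.
    posterior = bayes_update(P_ROGUE, Fraction(8, 10), Fraction(2, 100))
    print(f"P(rogue | indicator) = {float(posterior):.1%}")
```

With the assumed conditionals the per-employee likelihood rises from 1/40,000 to 7/40,000, a factor of seven from dependence alone, which is why the independence shortcut should be stated explicitly whenever it is used. The Bayes update shows the other use of conditional probability named in the text: a 0.5% prior becomes roughly 17% once a fairly specific indicator is observed, still far from certainty, because the honest population is so much larger.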
Overall, I would recommend FTA or any of its variations for scenario assessment in order to generate meaningful discussions on the causes, preventive barriers and necessary conditions for extreme events. Of course, like every model, the results of FTA depend directly on the different faults identified and the probabilities attributed to each of them. However, breaking down scenario estimates into their different components of likelihood and impact increases the robustness of the results as well as the transparency of the process leading to those results.
Scenario analysis and assessment of extreme events are vast topics that go beyond the scope of this book. For more detailed discussions, please see the books and studies referenced in this chapter. The additional case study, inspired by a real scenario assessment carried out as part of an Internal Capital Adequacy Assessment Process (ICAAP) project, sheds more light on best-practice scenario assessment techniques.
CASE STUDY: SCENARIO ASSESSMENT AT AN INVESTMENT FIRM
This firm needed to self-assess the capital required to cover its operational losses at 99.9% reliability. We used a scenario-based method and quantified each relevant scenario. Each scenario is decomposed into its risk drivers by the relevant business and risk specialists. Each risk driver is quantified using a range of values and an estimate of the probability of each of these values. The method delivers a simple distribution of values for each scenario. The value around the 99.9th centile is the upper range of the capital need for a scenario.
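The driver-based quantification the case study outlines, as an added example that is not the firm's model or the book's code. It goes slightly beyond the text by enumerating every combination of driver outcomes exactly rather than sampling. The three drivers in `DRIVERS`, their values and probabilities, and the rules that drivers are independent and that the scenario loss is the product of their values are all assumptions made for illustration:

```python
from fractions import Fraction
from itertools import product

# Hypothetical risk drivers for one scenario (illustrative values, not the firm's).
# Each driver is a list of (value, probability) pairs whose probabilities sum to 1.
# Assumed: drivers are independent and the scenario loss is the product of the values.
DRIVERS = {
    "records_exposed": [(10_000, Fraction(6, 10)),
                        (100_000, Fraction(3, 10)),
                        (500_000, Fraction(1, 10))],
    "cost_per_record": [(50, Fraction(7, 10)),
                        (150, Fraction(25, 100)),
                        (400, Fraction(5, 100))],
    "regulatory_multiplier": [(1, Fraction(8, 10)),
                              (2, Fraction(2, 10))],
}


def validate(drivers):
    """Each driver's probabilities must sum to exactly 1; raise otherwise.
    Expert-supplied ranges frequently fail this check, so it runs first."""
    for name, outcomes in drivers.items():
        total = sum(p for _, p in outcomes)
        if total != 1:
            raise ValueError(f"{name}: probabilities sum to {total}, not 1")
    return True


def scenario_distribution(drivers):
    """Enumerate every combination of driver outcomes. Loss = product of values,
    probability = product of probabilities (independence). Returns [(loss, prob)]
    sorted by loss, with equal losses merged."""
    validate(drivers)
    dist = {}
    for combo in product(*drivers.values()):
        loss, prob = 1, Fraction(1)
        for value, p in combo:
            loss *= value
            prob *= p
        dist[loss] = dist.get(loss, Fraction(0)) + prob
    return sorted(dist.items())


def percentile(dist, q):
    """Smallest loss whose cumulative probability reaches q."""
    cumulative = Fraction(0)
    for loss, prob in dist:
        cumulative += prob
        if cumulative >= q:
            return loss
    return dist[-1][0]


def expected_loss(dist):
    """Probability-weighted mean loss of the scenario."""
    return sum(loss * prob for loss, prob in dist)


def capital_at(dist, confidence=Fraction(999, 1000)):
    """Upper range of the capital need: the loss at the 99.9th centile."""
    return percentile(dist, confidence)


if __name__ == "__main__":
    dist = scenario_distribution(DRIVERS)
    print(f"{len(dist)} distinct loss outcomes; expected loss {int(expected_loss(dist)):,}")
    print(f"median {percentile(dist, Fraction(1, 2)):,}  "
          f"99.9th centile {capital_at(dist):,}")
```

Note how far apart the expected loss and the 99.9th centile sit: the capital figure is driven by the rare tail combination (largest breach, highest unit cost, regulatory surcharge), so the discussion with the business should concentrate on how credible that corner of the range really is rather than on the central values.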