Computer Risks and Exposures

Computers of all kinds within an organisation are constantly faced with a variety of risks and exposures. It is helpful if we first define these terms:

•Computer risk
Probability that an undesirable event could turn into a loss
•Computer exposure
Results from a threat from an undesirable event that has the potential to become a risk
•Vulnerability
A flaw or weakness in the system that can turn into a threat or a risk

The total impact of computer risks ranges from minor to devastating and could include any or all of:

•Loss of sales or revenues
•Loss of profits
•Loss of personnel
•Failure to meet government requirements or laws
•Inability to serve customers
•Inability to sustain growth
•Inability to operate effectively and efficiently
•Inability to compete successfully for new customers
•Inability to stay ahead of the competition
•Inability to stay independent without being acquired or merged
•Inability to maintain present customer/client base
•Inability to control costs
•Inability to cope with advancements in technology
•Inability to control employees involved in illegal activities
•Damage to business reputation
•Complete business failure
Computer risks, exposures and losses may be characterised as intentional or unintentional and may involve actual damage, alteration of data or programs, as well as unauthorised dissemination of information. Objects which can be affected include: physical items such as the hardware or hard-copy outputs, which are both vulnerable to risks such as theft or loss; the telecommunications system, which can cause major corporate grief if unavailable for any reason as well as being vulnerable to internal or external penetration; the applications software which, being a major control element, is vulnerable to change, bypassing or direct sabotage; systems software such as the operating system itself, which can also be amended or circumvented; computer operations, where control procedures may be amended or bypassed; and the data itself, where virtually anything could happen.

The risks in IS are the reverse of the control objectives and must be treated as business risks. As such they are the responsibility of executive management, with enforcement at a technical level. Obviously, the relative importance of risks will vary, and the control techniques will vary from industry to industry and from company to company. The risks may be minimised but they can never be totally eliminated.

Computer System Threats

Threats may come from either external or internal sources and may be intentional or unintentional as well as malicious or non-malicious. Internal threats may come from:
•IS Auditors
•IS Staff
acting alone or in collusion.

Threats from this source are the most commonly occurring and include errors, fraud, breach of confidentiality (commonly accidental) or malicious damage. The most common causes of these threats are poor supervisory control combined with poor personnel procedures. In many cases far too much power has been granted to users who already have access to the assets, and these users often have an in-depth knowledge of the system's control weaknesses and are in a position to exploit them.

Management

Threats here again include error and fraud, but may also include systems manipulation for "corporate" reasons such as profit smoothing, advance booking of sales or delayed recording of costs. Again, breach of confidentiality is a hazard, together with malicious damage. Common causes here are likely to involve inadequate segregation of duties, with management in many cases unquestioned regarding the decisions they make and the transactions they authorise. This, combined with poor personnel procedures and too much power granted, can lead to major problems, particularly when combined with management's access to assets and their authority to override conventional control levels.

IS Auditors