The Cybercrime Prevention Hour has considered how risk management tools could be used to inform, raise awareness, and provoke discussion on how to control individual and corporate risks.
The approach to examining risk is simple: identify, assess and decide. Risk threats have two components: consequences (or impact) and likelihood (or probability of occurrence).
Cybercrime RISK is the potential for a THREAT (a person or thing that is likely to cause damage) to exploit a VULNERABILITY (such as a flaw, feature or user error) in a way that may result in some form of negative IMPACT.
Vulnerabilities that expose us to Cybercrime
Introducing the Risk Assessment Matrix
The results of using the Risk Assessment Matrix to discuss different vulnerability domains can then be used to inform decision making: whether a risk is taken or not, or whether an affordable or practical control is initiated to give sufficient comfort and safety. Every individual or organisation will have different devices, software, networks, and behaviours to contend with; there is no one solution for everyone, however there are common themes.
The final step in dealing with risks is the decision making. As with all risks there are 4 choices: take, avoid, treat, or transfer. The first two choices are obvious, and it is simply a question of chancing it or not, but sometimes we have no choice and are forced into doing something beyond our comfort zone that feels potentially risky. In this situation we try to control the risk or limit the possibility of things going wrong.
Treating or controlling risks is best understood by giving an example:
“I use my phone for everything. If someone stole it, what would I do? If the phone were stolen it would have my address book, diary, email, social media accounts, and personal photos.”
Should I use the phone and nothing else, or should I risk it?
How can I treat or control the risk?
- Keep the phone on me and only use it in a safe place.
- Use device security: fingerprint lock or face recognition.
- Encrypt the storage.
- Make sure I know all the account passwords or have them stored in a password manager I can access from another device.
- Make sure I have backed up the photos and documents onto secure cloud storage.
- Make sure I have the device SIM PUK code on file at home and get my mobile phone contract supplier to replace the SIM.
If I implement the 6 controls above, I can drastically limit the impact if I should be unlucky and get my phone stolen. All these measures I can do with no additional cost. Only the first point would reduce the likelihood of my phone being stolen.
If my device is expensive to replace, I could consider transferring the risk of the loss by buying some personal insurance against theft.