58 Cards in this Set
Distinctive features of crime risk
Risk control strives to protect an organization, its employees and its customers against the criminal intent or conduct of others, both outside and inside the organization.
Hostile intent
Crime is an intentional act; it is not a result of an accident, negligence or a natural event. Therefore, to reduce the frequency and severity or to improve the predictability of crime losses, risk control measures must focus on hostile intent. (10.3)
Continual evaluation of risk control efforts
Crime risk control efforts require continual evaluation because criminals may discover weaknesses in an organization's processes at any time. Continual evaluation of risk control efforts is crucial in preventing any breakdowns or gaps in an organization's risk control measures. Risk control techniques should focus on taking precautions, such as these, to eliminate weaknesses that make the organization a relatively easy crime target:
- shielding the organization's assets and activities by maintaining physical, procedural, and managerial barriers that reduce criminal opportunities.
- reducing criminals' perceptions that they can commit crimes against the organization without being detected and with legal impunity. (10.4)
Characteristics of common crimes
1) burglary
2) robbery
3) shoplifting
4) fraud
5) embezzlement
6) forgery and counterfeiting
7) vandalism
8) arson
9) terrorism
10) espionage
11) computer crime
1) Burglary
The act of breaking into or out of any closed building or space not open for business to commit another felony. (10.5)
2) Robbery
The act of taking tangible personal property from another person by force or by threat of force against that person or against another. (10.5)
3) Shoplifting
The removal of merchandise from a store by stealth without purchasing it. (10.5)
4) Fraud
An intentional misrepresentation resulting in harm to a person or an organization. (10.6)
5) Embezzlement
The fraudulent taking of money or other personal property by one to whom that property has been entrusted. (10.6)
6) Forgery and counterfeiting
Counterfeiting is a form of forgery that involves privately duplicating a country's currency or presenting it as genuine with knowledge that it is not. (10.7)
7) Vandalism
Willful and malicious damage to or destruction of property. (10.7)
8) Arson
The deliberate setting of fire to property for a fraudulent or malicious purpose. (10.7)
9) Terrorism
May involve an underlying political agenda. May also involve the deliberate contamination of property through chemical, biological, or radioactive materials, or the destruction of property by bombing or aerial impact. (10.8)
10) Espionage
The act of obtaining confidential information through personal observation or mechanical, digital, or electronic techniques that circumvent efforts to protect the information's confidentiality. (10.8)
11) Computer crime
A criminal act using a computer to gain authorized or unauthorized access to steal, interrupt, or misuse computer system information. (10.8)
Controlling crime losses
Crimes can result in property, personnel, liability, or net income losses. An organization can use risk control measures to protect itself, its employees, and its customers against the criminal intent or conduct of others, both outside and inside the organization. An organization attempting to control crime risk must deter, detect, and deny.
1) deterrence - seeks to prevent crime by reducing or eliminating the motivation and opportunity to commit a crime
2) detection - if deterrence doesn't work, efforts should focus on detecting criminal behaviour before it results in loss to the organization and, finally, on denial of the facilities, skills, and other capabilities to those intent on causing loss. (10.10)
Crime risk control measures
Seek either to prevent losses or to reduce their frequency or severity. Loss prevention focuses on deterrence and detection. Loss reduction focuses on reducing the severity of crimes that do occur by denying the criminal the chance to cause a large loss. (10.10)
Crime risk control measures
Crime risk control measures that focus on deterrence and detection include these:
1) sound personnel policies
2) physical controls
3) procedural controls
4) managerial controls
5) investigation and prosecution of crimes
(10.10)
1) Sound personnel policies
Can help prevent employee crime. Effective personnel policy requirements and practices include background checks on potential employees, fair treatment of all employees, prompt and equitable resolution of grievances, and termination of or appropriate specified actions against employees who commit crimes against the organization. (10.10)
2) Physical controls
Are tangible barriers between would-be criminals and their targets. Physical controls include walls; fences; crash barriers; locked doors; vaults and safes; guards and guard dogs; and automatic intruder-detection devices and alarms. (10.11)
3) Procedural controls
Define how particular tasks can be performed in ways that make it difficult for people to commit crimes, or they make crime detection more prompt or certain. (10.13)
4) Managerial controls
Establish an atmosphere within an organization that deters or helps detect crime. Effective managerial controls can include education, applicant screening, and rotation of employees. (10.15)
5) Investigation and prosecution of crimes
Organizations that investigate and actively pursue prosecution of suspected criminals, by working with law enforcement officials, reduce their crime losses in two ways:
1) They can increase their opportunities to recover stolen property or to receive repayment or compensation from the criminals
2) They can establish a reputation for being tough on crime, discouraging criminals from targeting that organization.
Reducing the scale of crime and recovery
Risk control measures for reduction of crime losses fall into two categories:
1) measures that reduce the scale of crime - these need layers of defence against a criminal attack. The more layers of defence, the less severe the loss will likely be.
2) measures that assist the organization in rapid recovery after a crime is committed - these include having a full backup computer system, with an operational web site, email, and internet links, at an independent geographic location. (10.16)
Cyber risk loss exposures
Organizations that use the internet (for example, for web-based sales and services) as part of their daily operations may have more value residing in their databases than in their warehouses. Therefore, they must consider the risks presented to their electronic systems and electronic data as well as to those of their customers and suppliers. (10.17)
Property
All organizations, not just those that routinely conduct online business transactions, should consider whether they have cyber risk property loss exposures. For example, a plumbing contracting business that is not involved in online sales or that doesn't have a web site may believe it has no cyber risk property loss exposures. However, this may not be the case if the plumbing contractor has a computer network that supports its accounting, finance, and customer database. The data in such a network are exposed to multiple cyber risks, including viruses and corruption, which could severely impair the contractor's operations. (10.17)
Loss of or damage to tangible property
Tangible property exposed to loss or damage can include computer equipment and related media, such as software and computer hardware, securities and money. An organization's computer network and the software installed on it can be particularly vulnerable to cyber risk loss exposures such as network server damage and theft, as well as software damage or corruption. (10.18)
Loss or damage to intangible property
Intangible property exposed to loss or damage can include electronic data (for example, confidential information such as social insurance or credit card numbers) and goodwill. Additional intangible cyber risk loss exposures include those resulting from trademark infringement, copyright infringement, or malicious code attack. (10.18)
Net income
An organization can assess the potential extent of its cyber risk net income loss exposures by considering how it might be affected by a reduction in or cessation of its normal business operations as a consequence of a cyber loss. These are called 'business interruptions'. (10.19)
Loss of business income (including contingent business income)
Occurs when an organization's net income and normal operating expenses change as a result of a loss. In terms of cyber risk loss exposures, organizations typically examine potential losses that can occur to computer networks. (10.19)
Extra expense
In addition to the normal operating expenses, including payroll, that an organization has during a time of suspended or impaired business operations, it may also need to incur extra expenses to minimize the effects of the business interruption or to continue its operations. For example, an organization might have to purchase items such as software, hardware, or other electronic media, or hire labour to recreate lost or stolen electronic data. (10.20)
Liability
Organizations that maintain a presence in cyber space face increased cyber risk liability loss exposures. These exposures arise from activities such as using email, maintaining web sites, developing software, and conducting daily business operations on the internet. (10.20)
Bodily injury and property damage liability
Organizations engaging in technology-related activities, such as transmitting electronic data, maintaining information on, or conducting business through, websites, or designing and supporting software, must be on guard against the bodily injury and property damage loss exposures generated by these activities. (10.20-21) An example of bodily injury liability would be a software developer developing a program for physicians and pharmacists regarding the potential adverse interactions of different prescription medications. Because of a formulary error in the program, physicians and pharmacists conclude that a particular combination of prescription drugs is safe when the combination actually produces a serious or fatal reaction in a number of patients. (10.21)
Personal and advertising injury liability
Organizations assess personal and advertising injury liability loss exposures as part of their general liability loss exposure analysis. Typical loss exposures include liability resulting from offences such as malicious prosecution, slander, libel, defamation, disparagement, or false advertising. Coverage is limited or excluded by basic general liability coverage. (10.21)
Intellectual property liability
Cyber risk intellectual property liability loss exposures can affect an organization's copyrights, trademarks, patents, or trade secrets. For example, a copyright infringement loss exposure can occur when a major political blog site's owner posts on the blog copyrighted articles from a well-known newspaper. If the site owner refuses to accede to the newspaper's demand that the blog stop posting the articles, the newspaper can sue the blog for copyright infringement. (10.22)
Error and Omissions Liability
As organizations continue to expand their business operations into cyber space, whether they are manufacturing traditional products for sale online, developing software for retail sale, or maintaining computer networks, they should be aware of cyber risk E&O liability. E&O liability presents the possibility of considerable damage to the organization, not only financially but also to its reputation, market standing, and goodwill. (10.22)
Controlling and financing cyber risk loss exposures
Internet-related technology has created new opportunities for growth for all types of organizations; however, these opportunities increase organizations' vulnerability to cyber risk loss exposures from many sources, both internal and external. Theft of information and electronic data has not surpassed physical theft at global companies. (10.23)
Risk control measures for cyber risk
Specialized risk control measures are usually necessary for an organization to control cyber risk loss exposures involving property, net income, and liability. These risk control measures begin with an organization's determining the scope of its cyber risk loss exposures, often with assistance from a RIM or security specialist. A cyber risk security strategy should incorporate the organization's business objectives and available budget and should include an assessment of the appropriateness of the risk control measures for the loss exposures that are being addressed. (10.25)
Specific risk control measures to prevent, deter, or mitigate risk
1) physical controls
2) procedural controls
3) personnel controls
4) managerial controls
5) investigation and prosecution of cyber crimes
6) post-cyber incident rapid recovery program
1) Physical controls
Place barriers between cyber criminals and their targets. Organizations should provide basic physical protection, such as guards, locked doors, central security alarms, and automatic devices to detect intruders. (10.24)
2) Procedural controls
Specify that tasks be performed in secure ways that prevent or reduce losses. In terms of cyber risk, procedural controls apply to how a computer system and all of its associated data are protected.
Protection from hackers is a critical reason for organizations to create, implement, and regularly update procedural controls. (10.24)
3) Personnel controls
The attitudes, performance and behaviour of employees can leave an organization exposed to cyber attack, regardless of whether the resulting loss or damage was intended.
Organizations can institute sound personnel controls to mitigate the cyber risk loss exposures presented by their employees. Such measures include preemployment screening, training, outlining unacceptable cyber behaviour with associated consequences, and termination procedures that include revoking access and passwords. (10.25)
4) Managerial controls
Reduce cyber loss exposures by establishing an environment that prevents cyber losses or assists in their detection. Managerial controls include centralizing responsibility for cyber security. Many organizations have a chief information officer or a chief risk officer whose responsibilities include overseeing all technological aspects of the organization's operations. Managerial controls also involve ensuring that the systems and procedures that have been adopted to control cyber loss exposures are monitored and followed. (10.25-26)
6) Post-cyber incident rapid recovery program
Aids in reducing the severity of an organization's cyber losses and in restoring operational functionality as soon as possible. Implementing a rapid recovery program focuses on the organization's ability to preserve and sustain its net income in the event of a cyber loss.
Risk control measures the organization can use as part of a post-cyber incident rapid recovery program include maintaining full backups of the computer system, complete with an operational web site, email, and internet links, at an alternate location. (10.24)
Risk financing measures for cyber risk
Organizations exposed to cyber risk must consider the financial consequences of a property, net income, or liability loss and whether they wish to transfer or retain those losses. Sources of risk financing can be arranged before (pre-loss financing) or after (post-loss financing) a loss occurs. Risk financing measures include insurance, noninsurance risk transfer, and retention.
Insurance
Because the field of cyber risk is an emerging and dynamic one, many organizations are uncertain of the value of cyber risk insurance or even of its availability as a technique for dealing with cyber risk. Cyber risk insurance coverage forms are still evolving. (10.28)
Noninsurance risk transfer
Organizations can use noninsurance risk transfer as one means of risk financing. When entering into contracts or online agreements, organizations must ensure that the contractual language properly protects them from cyber risk. (10.28)
Retention
An organization may use retention to finance its cyber risk loss exposures. One advantage of retention is that it encourages risk control. For example, when an organization pays the cost of its own losses, it may have a greater incentive to prevent and reduce them. A disadvantage associated with retention is that when an organization decides to retain its cyber risk loss exposures, the associated uncertainty of loss outcomes can negatively affect its financial position. (10.29)
Social media risk
Organizations are increasingly using social media to communicate internally with employees and externally with customers, potential customers, and the public. However, use of social media exposes an organization to significant risks. Organizations are exposed to reputational, legal, and operational risks and should develop programs to control these risks. (10.29)
1) Reputation risk
A single negative item of information, whether patently false, true, misinterpreted, or taken out of context, can reverse an organization's positive image and severely damage its reputation in a matter of minutes. Employees can also post negative comments about their employers on social network sites. (10.30)
2) Legal risk
Social media activities can lead to lawsuits or prosecution for violations of the law. Legal risks associated with social media can arise from an organization's employment or computer security practices or can relate to privacy or use of intellectual property. (10.31)
3) Employment risks
Personal information about employees and potential employees is readily available on social networking sites. Hiring decisions based on any such information relating to race, age, disability, or religion may be discriminatory and in violation of many laws. Also, an organization that disciplines or terminates an employee because of comments made to other employees on social networks may be violating specific laws. (10.31)
4) Security risks
Employees using social media may reveal confidential information that can threaten an organization's security. For example, they may post comments on failed contract negotiations involving a client, safety problems with products under development, or a meeting with a well-known client. Security risks can also apply to personal safety if, for example, an employee shares an executive's travel plans, thereby exposing the executive to personal attack or kidnapping. (10.31)
5) Intellectual property risks
Copyright infringement and the disclosure of trade secrets are the primary intellectual property risks related to the use of social media. An organization may have legal permission to use another's copyrighted material; however, if the material or excerpts from it are copied and forwarded repeatedly, credit lines, copyright notices, or attribution may be lost, and the usage may extend far beyond the scope of original permission. (10.32)
6) Defamation
Disparaging remarks made on social media may lead to charges of defamation (a false written or oral statement that harms another's reputation). An employee may disparage a competitor's product, for example, exposing the employer to liability. In some cases, an organization may be held liable for defamatory comments posted in public-commentary features of its web page. Even if an employee posts a positive statement about an organization, this can lead to problems. For example, if an employee posts a positive review about the organization's product on a consumer web site, truth in advertising laws may apply. (10.32)
7) Privacy risks
An organization must be careful not to monitor employees' social media activities. An employer has no right to control what employees post on their private accounts. An organization may also be liable for invasion of privacy if it uses an individual's photo or personal information for a commercial purpose, such as advertising, without the individual's consent. (10.33)
8) Operational risk
Social network users can be vulnerable to risks posed by malicious software (malware), including computer viruses, worms, and 'trojan horses'. Various malware applications can locate and copy confidential information, such as customers' credit card numbers or client lists, from internal systems, or direct users to illegitimate websites designed to look legitimate (spoofing), such as those of banks and colleges, and request login information, passwords, and account numbers. (10.33)
Controlling social media risks
Organizations should develop sound and comprehensive risk control programs to address social media risks. Such programs should begin with an assessment of the risks. To manage social media legal risks, organizations should work with attorneys to identify the risks and any laws that might apply. An organization may want to designate specific individuals authorized to communicate online on behalf of the organization.
A risk control program should include a written social media policy that describes the risks, lists the laws that apply, describes the types of behaviours that could lead to loss, and provides rules or guidelines on how to avoid loss. Organizations can also develop a social media agreement for employees to review and sign annually. (10.33)