In today’s competitive world, information technology (IT) and information systems (IS) have become a ubiquitous part of the business environment. With the passage of time, improvements in technology, and increasing competitiveness in the business environment, companies have become increasingly dependent on their information technology systems to realize their business goals (Barnier, 2011). IT and IS have become part of businesses as a way of improving operational effectiveness. In the beginning, IS was adopted simply as a means of undertaking an organization’s operations, but it has become an integral facet of any organization’s being and continued existence: no operation can be carried out in an organization without IS (Abiodun, 2013). Therefore, emphasis has to be placed on IS risk management.
Companies such as Kmart are exceedingly reliant on the integrity of their information systems. Their achievements depend, in large part, on the capability to make use of increasingly productive databases and to make timely decisions linked to industry changes. Such a company’s performance will suffer if it experiences system interruptions or errors, or if it falls behind its competitors in the information technology it uses and the way it uses it (Savić, 2008). IS risk includes the failure to respond to these requirements, as well as other issues such as external fraud by intruders. Savić (2008) identifies information systems as vital to each phase of business, with the result that IS risk, once a minor component of operational risk, has risen to become a major vulnerability for organizations to identify and manage. IT risk includes security, availability, performance, and compliance elements, each with its own origins.
Risk to information systems is any occurrence that endangers or creates breakdowns in the performance of critical IT systems. According to Gibson (2010), risk is the possibility of a loss occurring as a result of a threat exposing a vulnerability. Threats are possibilities representing dangerous scenarios, a vulnerability is a point of weakness in a system, and the resultant loss can be understood as a compromise to business functions or assets (Gibson, 2010). It is therefore important that such risks are known and surmounted not as a matter of chance but through inbuilt systems developed to recognize the risk and offer mitigation. Breakdown of IS, which is occasionally the result of negligence and/or malicious intent, is the basis upon which the need for risk management of IS facilities arises, as the repercussions are many and go beyond the cost of delays (Abiodun, 2013). They include the high cost of disruptions, exposure of management inefficiencies, and a myriad of other challenges that translate into damage that results in a company’s inability to be competitive (Smith & McKeen, 2009).
If an information system is compromised, as in the case of Kmart, the inherent loss to the business can be understood in the following terms (Gibson, 2010):
Business functions are the actions a business undertakes to create value as it offers its products to its customers. If such a function is compromised, the business realizes a loss because it accomplishes fewer sales. The risk therefore lies in any business function that can be compromised and is directly important to the company. In the case of Kmart, an attack on its point-of-sale system was very significant, because this is how the company generates its revenue, and if the attack had succeeded, it would have amounted to a major loss.
Anything with value to a business is an asset, and losing it amounts to a loss. An occurrence that would lead to such a scenario poses a risk. The tangible and intangible assets of Kmart were compromised since there was a loss, although it was made public. Its systems were compromised and resources were required to fix the problems. Having identified the importance of its customers’ data, Kmart was able to create a robust risk management process that empowered it to deal with the attack as soon as possible, fix the problem, and preserve the integrity of its assets. Its customers were also assured about their data, something that contributed towards some of its intangible assets.
Since a risk poses a loss, resources have to be deployed to manage it. This in itself drives business costs as controls and countermeasures are instituted. In considering a risk, profitability and survivability ought to be reflected on. Profitability is the ability of the company to remain at a profit even when a loss occurs, whereas survivability is the ability of the company to survive a loss due to risk. Kmart’s investments in its IS can be said to have afforded it profitability and survivability, since it had anti-virus software (although it was compromised), IT security partners, and an IT team that was able to undertake forensic investigations.
Information systems are made up of various components that Gibson (2010) identifies as domains. These are the points of contact or interaction with the IS and can be internal to a company or external, towards competitors, customers, and other partners. The domains are therefore protected using the necessary software and hardware, together with processes and procedures that include passwords and anti-virus software, to mention just a few. Where a domain exists, therein lies vulnerability. This can take a variety of forms and can be attributed to procedural, technical, or administrative weaknesses, which translate into physical security, technical security, or operational security weaknesses (Gibson, 2010). Kmart experienced a breach in its store payment system as a result of malware, undetectable by its current anti-virus systems, that targeted financial information: debit and credit card numbers (Kmart, 2014). In the case of Kmart, the part of its infrastructure that was compromised must have been the workstation domain (POS), where the malware was introduced, and it embedded itself in the system/application domain with the intention of infiltrating its databases. The anti-virus software installed in the system was unable to identify the malware used for the attack, allowing it to enter the system through the workstation domain (the point of sale is where transactions occur, the stores make sales, and information is transferred on the platform). Thereafter, the malware was intended to infiltrate the store’s databases, which are found in the system/application domain, where the database servers reside. This was identified and anti-virus software was introduced to deal with the malware.
From the outset, risk management is a cumulative process that seeks to identify, assess, control, and mitigate risks. Since risks are made up of threats and vulnerabilities, identifying these is necessary for the risks to be managed and their severity to the business reduced (Gibson, 2010). Previously, managing IT-based risk was a moderately simple activity focused on whether IS could deliver the desired results successfully and keep applications up and running. But with the opening up of the organization’s boundaries to external partners, service providers, external electronic communications, and online services, managing IT-based risk has morphed into a dire proposition (Smith & McKeen, 2009). The importance of risk management cannot be overemphasized and its place in an organization is of significant value. How then does a company go about managing the risk posed to its IS/IT infrastructure and investments? Gibson (2010) identifies effective risk management as a two-pronged approach that starts with understanding threats and vulnerabilities. The risks can be lessened either by reducing the vulnerabilities or by reducing the impact of the risk once it occurs.
Smith & McKeen (2009) take a more holistic approach to managing risk in information systems. They identify that, unlike in the past, today’s environment goes beyond the age-old practices of achieving security through physical or technological means (e.g., locked rooms, virus scanners) towards the growing understanding that managing IT-based risk must be a strategic and holistic activity, going beyond the responsibility of a small group of IT specialists to become part of a mindset that extends from partners and suppliers to employees and customers. Kmart did this well: most importantly, it informed its customers and other stakeholders through a press release and made it clear that customers who became suspicious of any activity relating to their cards should take the necessary steps (Kmart, 2014). The company also offered to undertake credit-monitoring protection for its customers and partners.
To deal with risk to information systems, three things have to happen: threats need to be identified, vulnerabilities also have to be identified, and thereafter the threats and vulnerabilities have to be paired in order to determine the likelihood of a risk occurring as the result of potential vulnerabilities being exploited by potential threats (Gibson, 2010).
Identifying the threats to an information system is the first step towards risk identification and risk management. A threat is the possibility of a negative occurrence resulting in loss, and this has to do with a breach of an IS that would bring about loss of confidentiality, availability, or integrity of the IS. Threats can have internal or external causes and can be intentional or accidental. Either way, they have to be identified through a mechanism established within the organization for this purpose.
As highlighted earlier, the risks inherent in information systems are due to vulnerabilities that can be found in the systems themselves, especially in any of the domains. In Kmart’s experience, the attack came through the internet, where hackers sought to exploit an apparent weakness to inflict a loss. However, such vulnerabilities can be identified before an incident happens. By passing the system through various checks and balances, it is possible to determine the health of the system and how robustly it can withstand threats, which when coupled with vulnerabilities result in risks. Gibson (2010) has identified a few sources for identifying vulnerabilities in an IS. These include:
- Audits – these enable systems and processes to be examined to determine whether they meet existing rules and laws. Once complete, an audit will reveal possible weaknesses.
- Certification and accreditation records – these are used to establish whether a system meets industry standards. The process will identify any points of weakness, as certification usually requires detailed documentation.
- System logs – any access to and interaction with an IS will yield logs. These may include audit logs, firewall logs, and DNS logs, all of which show access and data movement within a system. If such logs are reviewed, weaknesses become identifiable.
- Prior events – any previous incident gives an insight into the goings-on in the IS, detailing a risk that has already been actualized. From this, a trend can be ascertained, offering ways of identifying not only the previous weakness but also any related vulnerability that caused the incident to occur in the first place.
- Trouble reports – these are part of the company’s documentation and yield a wealth of information. They are a key pointer to the weaknesses that have been highlighted and make it possible to see whether a repeat pattern indicates an inherent vulnerability.
- Incident response teams – these are set up as part of the way a company handles its incidents. When they are used as a source for identifying vulnerabilities, information and suggestions can be sought from them.
Once threats and vulnerabilities have been identified, the final step in risk identification is matching them up to determine the extent of the resultant impact. This offers insight into the potential risk and, by extension, makes it possible to create systems and make investments for dealing with the risk were it to become a reality, enabling risk management.
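The pairing step described above, as an added example that is not taken from Gibson or from the original essay: a threat is paired with a vulnerability only when both sit in the same domain and the threat relies on that kind of weakness. The 1 to 5 likelihood and impact scales, the likelihood × impact score, and all sample entries are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    domain: str       # domain the threat acts on (e.g. workstation)
    needs: str        # weakness it relies on: procedural/technical/administrative
    likelihood: int   # assumed scale: 1 (rare) .. 5 (frequent)

@dataclass(frozen=True)
class Vulnerability:
    name: str
    domain: str
    kind: str         # procedural/technical/administrative
    impact: int       # assumed scale: 1 (minor) .. 5 (severe)

def pair_risks(threats, vulns):
    """Pair threats with vulnerabilities.

    Returns (register, lone_threats, lone_vulns). Only a matched pair is a
    risk; unmatched entries are reported separately so they can be re-checked.
    """
    register, hit_t, hit_v = [], set(), set()
    for t in threats:
        for v in vulns:
            if t.domain == v.domain and t.needs == v.kind:
                register.append({"threat": t.name, "vulnerability": v.name,
                                 "domain": t.domain,
                                 "score": t.likelihood * v.impact})
                hit_t.add(t.name)
                hit_v.add(v.name)
    # Highest score first; ties broken by threat name for a stable order.
    register.sort(key=lambda r: (-r["score"], r["threat"]))
    lone_threats = [t.name for t in threats if t.name not in hit_t]
    lone_vulns = [v.name for v in vulns if v.name not in hit_v]
    return register, lone_threats, lone_vulns

# Constructed sample entries (hypothetical, not findings about any real company).
THREATS = [
    Threat("malware database infiltration", "system/application", "technical", 3),
    Threat("new payment-card malware", "workstation", "technical", 4),
    Threat("accidental data deletion", "user", "procedural", 2),
]
VULNS = [
    Vulnerability("anti-virus misses unknown malware", "workstation", "technical", 5),
    Vulnerability("unpatched database server", "system/application", "technical", 4),
    Vulnerability("no review of firewall logs", "LAN-to-WAN", "administrative", 3),
]

if __name__ == "__main__":
    register, lone_threats, lone_vulns = pair_risks(THREATS, VULNS)
    for r in register:
        print(f'{r["score"]:>2}  {r["domain"]:<18}  {r["threat"]} x {r["vulnerability"]}')
    print("threats with no matching vulnerability:", lone_threats)
    print("vulnerabilities with no matching threat:", lone_vulns)
```

The unmatched lists matter as much as the register: a vulnerability with no paired threat is often a sign that threat identification was incomplete for that domain.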
The management of risk in an information system comes from knowledge of the threats facing a system once the vulnerabilities have been identified. This knowledge then influences the choice of procedures and systems to deal with such risks, inherent or apparent, and informs the management of a risk when it occurs, as in the Kmart case once the company discovered that it had been hacked.
The advantage of having a robust mechanism for identifying and managing risk is that it protects the company’s investments. As highlighted at the beginning of this report, risks equal loss. Kmart had such a mechanism in place, which enabled it to identify a risk that resulted from its systems being compromised by what it termed malware that was not visible to its current anti-virus software and related protection protocols. Once this was known and identified, the next step was reporting the incident to the relevant authorities, including federal law enforcement authorities, and sharing the information with its banking partners and IT security firms as it sought to further establish the root cause of the risk and manage it effectively.
Enterprises are becoming more dependent on information technologies to achieve their business objectives, and as such, the team that leads the integration of IT into the business is a significant part of the company’s assets. It is not enough to have hardware and software incorporated into the business operations. It is also important and quite valuable to have an information technology team, if not a department, that works to ensure that all is well. This was the scenario for Kmart, which through its information technology team was able to identify a breach in its payment data systems and immediately launched investigations, working with a leading IT security firm (Kmart, 2014; Lennon, 2014).
When it comes to managing risks in information systems, it has been established that identifying those risks is the foundation upon which risk management can become effective. It is the human IT resource that will test the systems, ascertain points of weakness, and evaluate the potential risks that arise out of IS operations. For example, the Kmart IT team was able to undertake a forensic investigation, which made it possible to ascertain the impact of the attack and so tackle it appropriately, including removing the malware and instituting further protective measures (Lennon, 2014).
Gibson (2010) also discusses performing a cost-benefit analysis (CBA) to ensure that malicious attacks on a system, like the one experienced by Kmart, become harder. A CBA is supposed to help determine not only the appropriate system requirements but also the team that will oversee the system and its integrity. It should be noted that the CBA can also help ascertain costs when deciding whether risks are to be avoided, shared/transferred, mitigated, or accepted (Gibson, 2010).
All the aforementioned steps are of significance to Kmart in various ways:
By law, companies are expected to make public or report such incidents, and this enables them to maintain compliance with the several bodies and regulatory authorities under which they fall. Several bodies in the US have created a legal framework to tackle issues of data integrity and deal with risks that arise in information systems. The bodies that play a role in the management and identification of risk in the US include, but are not limited to, the National Institute of Standards and Technology, the Department of Homeland Security, and the National Cybersecurity and Communications Integration Center, among others (Gibson, 2010). In addition, the legislative process has created several laws and acts to guide the protection of data, tackle malicious intent against data integrity, and institute procedures that aid compliance with standards, so that such data is kept in a way that makes it harder to access without controls. Among the laws that require compliance are the Federal Information Security Management Act, the Sarbanes-Oxley Act, and the Gramm-Leach-Bliley Act, among others (Gibson, 2010). Some of these Acts require programs to be in place for reporting suspicious activities and for customer identification, among other requirements. Specifically, according to Savić (2008), the Gramm-Leach-Bliley Act requires safeguards for customer information, privacy, and information security, whereas the Sarbanes-Oxley Act requires internal control reviews across most departments, which are a subset of the organization-wide risk assessment process.
There is also the aspect of involving what can be considered the relevant players or stakeholders of the business, as in the case of making public disclosures to customers, partner bankers, and IT security firms. Customers, being the main component of the business, usually withdraw from transaction providers in whom they have little trust, as data leakages constitute a serious threat to them not only as consumers of a provider’s services and goods but also to their electronic commerce and online engagements, owing to financial losses from the theft of credit/debit card information (Savić, 2008).
According to Savić (2008), in the U.S. any losses, be they financial or otherwise, that arise from the loss of information related to a holder’s credit card are assigned to issuers, insulating cardholders from direct financial risk. However, this is contingent upon specific conditions and, as highlighted by Kmart’s press release to the public, “it is important to note that the policies of most credit card companies state that customers have no liability for any unauthorized charges if they report them in a timely manner”. Kmart referred to this and offered free credit monitoring to customers who would be affected by the attack. It is such initiatives that create loyalty in customers and ensure that they become part of the solution to managing risks in information systems, as they remain true and steadfast, thereby enabling disclosures to become viable options. In the case of Kmart, it is reported that its customers appeared not to be impacted by the attack (Lennon, 2014).
Information systems are an integral part of business and have grown to become very valuable assets for all businesses. Incidents that compromise the workings of IS and IT therefore pose serious risks and potential losses to businesses. To mitigate such losses were these risks to occur, it falls within the ambit of companies, through required measures and in some instances their own initiatives, to have in place risk identification and management systems that protect their crucial IS assets, investments, and related infrastructure. Kmart, through its information technology team, was able to identify a breach in its payment data systems and immediately launched investigations, working with a leading IT security firm. Also incorporated in its risk management in the wake of the data breach were communication with its partners and the involvement of law enforcement authorities, owing to the criminal nature of the risk. In addition, caution was given to its customers to help protect them should it turn out that their information was compromised.
Abiodun, A. (2013). A Framework for Implementation of Risk Management System in Third Party Managed Cloud. Journal of Information Technology & Economic Development, 4(2), 19-30.
Barnier, B. (2011). Managing IT business risk. Journal of Corporate Accounting & Finance (Wiley), 22(6), 65-68.
Gibson, D. (2010). Managing Risk in Information Systems. Jones & Bartlett Publishers.
Kmart (2014). 10.10.14 News Release. Kmart.
Lennon, M. (2014, Oct 10). Kmart Says Hackers Breached Payment System. Security Week (Online).
Savić, A. (2008). Managing IT-Related Operational Risks. Ekonomski Anali / Economic Annals, 53(176), 88-109.
Smith, H. A., & McKeen, J. D. (2009). Developments in Practice XXXIII: A Holistic Approach to Managing IT-based Risk. Communications of the Association for Information Systems, 25, 519-530.