[IEEE 2012 International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2012) - Istanbul (2012.08.26-2012.08.29)] 2012 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining - Critical Infrastructure and Internal Controls


Critical infrastructure and internal controls

Iztok Podbregar, Ph.D., Professor of Leadership and Management in Security Organizations, Faculty of Criminal Justice and Security, Ljubljana, Slovenia, e-mail: iztok.podbregar@fvv.uni-mb.si

Mojca Ferjančič Podbregar, Ph.D., M.Sc., Secretary General, Ministry of Defence of the Republic of Slovenia, Ljubljana, Slovenia, e-mail: mojca.ferjancic.podbregar@mors.si

Abstract: Critical infrastructure refers to infrastructure that provides essential support for economic and social well-being, for public safety and for the functioning of key government responsibilities. According to the Resolution on the National Security Strategy of the Republic of Slovenia, various sources of threat are directed towards critical infrastructure. An operational infrastructure ensures the implementation of key state and societal functions. In this respect, a threat to critical infrastructure may also affect national security. Risk is the possibility of an event occurring that will have an impact on the achievement of objectives. When we discuss risks, we usually talk about negative impacts, which may prevent us from achieving our objectives. Risk management is an act or process of controlling risks. All of the government programmes studied adopt a risk management approach to critical infrastructure protection. Risk management helps governments to identify key security assets, assess risks and establish strategies and priorities for mitigating these risks. We can almost never eliminate risks completely; risks can be reduced to an acceptable level. The acceptable risk is the set of risks the process is facing that is sufficiently small or unimportant for the critical infrastructure to coexist with it without trying to reduce it further. Management, or those who are responsible for critical infrastructure, will want to reduce risk to an acceptable level by applying controls and other measures.

Keywords: critical infrastructure, risk, risk management, internal controls

I. INTRODUCTION

Organisations obviously vary enormously in their objectives, but in the public sector they are normally created to decide on and/or deliver public policy. They will manage public resources and be accountable, both through their political and managerial leadership, for the success of their policies or their success in delivering them. We could thus say that, for a public sector organisation, the principal risks are any that threaten their strategic or operational ability to secure policy objectives. Since critical infrastructure[1] is by definition essential for the survival of the nation, the government should take care of risks in this field.

[1] The USA PATRIOT Act specifically defines critical infrastructure as "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."

The American Heritage Dictionary defines the term infrastructure as the basic facilities, services, and installations needed for the functioning of a community or society, such as transportation and communications systems, water and power lines, and public institutions including schools, post offices, and prisons[2].

When we discuss risks, we usually talk about negative impacts, which may prevent us from achieving our objectives. Risk is the likelihood of undesirable consequences of future events. It consists of the likelihood that something will happen and the negative consequences that follow if the event occurs. We can talk about risk whenever there is a likelihood that things will not run as planned.

Every organization, process and also every critical infrastructure project, irrespective of its business objectives, is subject in its operation to various risks which, if they materialise, obstruct the achievement of the objective or threaten the efficiency of business. Risk is something that threatens the achievement of objectives.

Can we eliminate risks? We can almost never eliminate risks completely. This means that we have to live with a certain level of risk. Some risks may have to be accepted. We can reduce the probability of occurrence of risks by taking different measures, and we can reduce the impacts of risks. But we cannot expect the level of risk to decrease to zero. We say that risk can be reduced to an acceptable level. And what is the acceptable level? It is the level of risk that an organization is willing to accept.

What is the acceptable risk level for critical infrastructure? Probably it is the level which is sufficiently small or even unimportant for critical infrastructure. But, as mentioned before, it is the level that the managing authority for critical infrastructure is willing to accept. Residual risk is the risk remaining after management takes action to reduce the impact and likelihood of an adverse event, including control activities in responding to a risk.

II. RISK AND RISK MANAGEMENT

Risk is a word or concept which we might often use but which can be thought of or defined in different ways. The ISO 31000 (2009) / ISO Guide 73:2002 definition of risk is "the effect of uncertainty on objectives". In this definition, uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information. It also includes both negative and positive impacts on objectives. Many definitions of risk exist in common usage; however, this definition was developed by an international committee representing over 30 countries and is based on the input of several thousand subject matter experts.

[2] The American Heritage Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company. Boston, MA. 2000.

2012 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining
978-0-7695-4799-2/12 $26.00 © 2012 IEEE. DOI 10.1109/ASONAM.2012.155

In information security, risk is defined as the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. Financial risk is often defined as the unexpected variability or volatility of returns, and thus includes both potential worse-than-expected and better-than-expected returns.

Risk is incorporated into so many different disciplines, from insurance to engineering to portfolio theory, that it should come as no surprise that it is defined in different ways by each one.

Risk can be explained or defined in a number of different ways, both as a word in day-to-day use and in more technical senses. The many inconsistent and ambiguous meanings attached to risk lead to widespread confusion and also mean that very different approaches to risk management are taken in different fields.

    The related terms threat and hazard are often used to mean something that could cause harm. Here are some definitions from a range of different sources:

- The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood[3].
- The possibility of something bad happening[4].
- Risk is the potential impact (positive or negative) to an asset or some characteristic of value that may arise from some present process or from some future event[5].
- Uncertainty of outcome, whether positive opportunity or negative threat, of actions or events.

Risk can also be described as the possibility of an event occurring that will have an impact on the achievement of objectives. Risk can be seen as relating to the probability of uncertain future events. Risk is measured in terms of impact and likelihood.

Fig. 1: Risk Map[6] (figure not reproduced in this transcript; footnote 6 describes its axes)

[3] IIA International Standards for the Professional Practice of Internal Auditing.
[4] The Cambridge Advanced Learner's Dictionary.
[5] http://en.wikipedia.org/wiki/Risk.
[6] In Figure 1, the horizontal axis shows the likelihood of the risk event occurring, ranging from extremely unlikely to almost inevitable, though bear in mind that if there were no possibility of something happening, or it were actually certain, then it wouldn't be a risk and does not belong on a risk map. The vertical axis shows the likely impact of the risk event occurring, from very slight loss or damage through to very great or even disastrous loss or damage.

While some definitions of risk focus only on the probability of an event occurring, more comprehensive definitions incorporate both the probability of the event occurring and the consequences of the event[7].

    In some disciplines, a contrast is drawn between risk and threat. We could say that a threat is a low probability event with very large negative consequences, where analysts may be unable to assess the probability.

    Some definitions of risk tend to focus only on the downside scenarios, whereas others are more expansive and consider all variability as risk.

The Institute of Internal Auditors clarifies the concept by stating that risk is measured in terms of impact and likelihood. This is a common concept in risk assessment and risk management. Impact involves an assessment of the likely effect of any risk event or outcome. Given that we have accepted that risk entails negative outcomes, this can be taken to be an assessment of the loss or damage suffered as a result of the outcome in question. Likelihood involves an assessment of how likely the risk event or outcome is to actually happen.

In general, we can say that risk is the likelihood of undesirable consequences of future events. It consists of the likelihood that something will happen and the negative consequences that follow if the event occurs. Risk is present whenever there is a likelihood that things will not run as planned.

    We have seen that by definition risk entails a degree of inherent uncertainty and there is always the possibility that something bad will happen that no one could have reasonably foreseen.

Risk can affect different organisations in different ways, and thinking through the different types or categories of risk the organisation might face is a useful tool for determining or identifying the specific risks the organisation might face. This could be a useful approach for management throughout the organisation.

[7] Thus, the probability of a severe earthquake may be very small, but the consequences are so catastrophic that it would be categorized as a high-risk event.

    We can almost never eliminate the risks completely. Even the best set of controls imaginable could only guard against anticipated risks, not those that we cannot anticipate or never expected. So we have to accept and live with certain risks. Of course we can take steps to reduce the level of risk, to make it lower and lower but we cannot expect that the level of risk will decrease down to zero.

Risks can be reduced to an acceptable level. And what is the acceptable risk? What level is acceptable will depend on the risk attitude or risk appetite[8], which in turn will depend on a range of rational and cultural factors. The term acceptable risk describes the likelihood of an event whose probability of occurrence is small, whose consequences are so slight, or whose benefits (perceived or real) are so great, that individuals or groups in society are willing to take or be subjected to the risk that the event might occur.

    Risk management is an act or process of controlling risks. Risk management is a process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives. Risk management is a proactive process, not reactive.

Risk management is concerned with the outcome of future events, whose exact outcome is unknown, and with how to deal with these uncertainties. In general, outcomes are categorized as favorable or unfavorable, and risk management is the art and science of planning, assessing (identifying and analyzing), handling, and monitoring future events to ensure favorable outcomes. Thus, a good risk management process is proactive in nature, and is fundamentally different from crisis management or problem solving, which are reactive. In addition, crisis management is a resource-intensive process that is normally constrained by a restricted set of available options. This is in part because the longer it takes for problems to surface within a project, the fewer options to resolve them typically exist.
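The two-axis risk map of Figure 1, the "impact and likelihood" measure of Section II, and the notions of residual risk and acceptable level (risk appetite) can be made concrete in a small risk register. The following is an added illustration, not code from the paper or its authors: it rates each risk on constructed 1..5 ordinal scales, bands it on a risk map, applies control activities to obtain residual risk and checks the result against an appetite threshold. The scales, band thresholds, control effects, sample register and appetite value are all constructed assumptions for this example.

```python
"""Risk map scoring with residual risk and a risk-appetite check.

Added example (not part of the paper). Scales, thresholds, the sample
register and the control effects are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed ordinal scales: 1 = extremely unlikely / very slight loss,
# 5 = almost inevitable / disastrous loss (the end points of Figure 1's axes).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    """A control activity and how many steps it moves a risk down each axis."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register entry: inherent likelihood and impact plus its controls."""
    name: str
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)


def _check_scale(value: int, axis: str) -> int:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{axis} must be within {SCALE_MIN}..{SCALE_MAX}, got {value}")
    return value


def score(likelihood: int, impact: int) -> int:
    """Risk measured in terms of impact and likelihood: the product of the two ratings."""
    return _check_scale(likelihood, "likelihood") * _check_scale(impact, "impact")


def band(likelihood: int, impact: int) -> str:
    """Place a (likelihood, impact) pair in a risk-map band (constructed thresholds).

    A maximal impact rating is high risk whatever its likelihood, following the
    paper's earthquake note: rare but catastrophic events are still high-risk.
    """
    if impact == SCALE_MAX:
        return "high"
    s = score(likelihood, impact)
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"


def residual(risk: Risk) -> tuple[int, int]:
    """Likelihood and impact remaining after the risk's controls are applied.

    Ratings are clamped to SCALE_MIN: controls reduce risk but never bring it to zero.
    """
    likelihood = risk.likelihood - sum(c.likelihood_reduction for c in risk.controls)
    impact = risk.impact - sum(c.impact_reduction for c in risk.controls)
    clamp = lambda v: max(SCALE_MIN, min(SCALE_MAX, v))
    return clamp(likelihood), clamp(impact)


def assess(register: list[Risk], appetite: int) -> list[dict]:
    """Score each risk before and after controls; flag those still above appetite."""
    rows = []
    for risk in register:
        r_likelihood, r_impact = residual(risk)
        r_band = band(r_likelihood, r_impact)
        r_score = score(r_likelihood, r_impact)
        rows.append({
            "name": risk.name,
            "inherent": score(risk.likelihood, risk.impact),
            "inherent_band": band(risk.likelihood, risk.impact),
            "residual": r_score,
            "residual_band": r_band,
            "acceptable": r_score <= appetite and r_band != "high",
        })
    return rows


# Constructed sample register for a hypothetical infrastructure operator.
SAMPLE_REGISTER = [
    Risk("Substation outage", likelihood=2, impact=5,
         controls=[Control("Backup generation", impact_reduction=2)]),
    Risk("Unpatched control-network gateway", likelihood=4, impact=4,
         controls=[Control("Patch management", likelihood_reduction=2),
                   Control("Network segmentation", impact_reduction=1)]),
    Risk("Severe earthquake", likelihood=1, impact=5),
    Risk("Phishing of operators", likelihood=5, impact=2,
         controls=[Control("Awareness training", likelihood_reduction=1)]),
]
RISK_APPETITE = 6  # constructed: highest residual score management will accept

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{row['name']:36} inherent={row['inherent']:2} ({row['inherent_band']}) "
              f"residual={row['residual']:2} ({row['residual_band']}) "
              f"{'acceptable' if row['acceptable'] else 'ABOVE APPETITE'}")
```

Two design points are worth noting. First, the clamp in `residual` encodes the paper's claim that risk can be lowered but not driven to zero: no combination of controls produces a score below 1. Second, pure product scoring would rate the constructed earthquake entry (1 x 5 = 5) as acceptable against an appetite of 6, which is exactly the distortion footnote 7 warns about; the impact override in `band` is one simple way to keep such entries visible as high risk, and a real register would tune both the scales and that rule to the organisation's own risk appetite.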

III. INTERNAL CONTROLS

The International Standards on Auditing (ISA 315) define internal control as the process designed and implemented by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an organization's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

INTOSAI auditing standards define internal control as the whole system of financial and other controls, including the organizational structure, methods, procedures and internal audit, established by management within its corporate goals, to assist in conducting the business of the audited entity in a regular, economic, efficient and effective manner.

[8] Risk appetite is simply a description of the attitude to risk of an individual or an organisation; a description of the level and types of risk they are and are not prepared to tolerate.

    Internal control is a tool used by management to obtain appropriate assurance for the achievement of their goals.

    Standards for the Professional Practice of Internal Auditing define control as any measure or action taken by management or the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved.

The internal control system is defined as an organization's action plan, which also includes management's positions, methods, procedures and other measures that reasonably ensure the achievement of the general objectives. The process is designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the organisation's objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and com...
