How Risky Is the Internet?
Author: Simon Cross
Date: February 2001
Like some other four letter words, risk is imbued with a remarkable
diversity of meanings. These can vary according to the context of
use, and individual perception.
The very act of doing business, in any situation, is an inherently
risky process. Business is at the mercy of many internal organisational
factors (e.g. people and processes), which are nominally under management
control, and of a vast range of external forces (e.g. legal, environmental,
political, technological, social), which are largely beyond management
control. A change in any one of these factors can have a positive
or negative outcome for a business.
The Internet introduces a further set of factors which can impact
a business, and the nature of its somewhat anarchic and complex
structure can only be expected to push the level of risk even higher.
Risk on the Internet affects privacy and security issues, as well
as material loss or gain.
The three primary characteristics of security, as described by
Pfleeger (17) are:
- Availability - assets and services are available to all authorised
parties as required.
- Confidentiality - all private communications, transactions,
and data are accessible only to authorised parties.
- Integrity - provides confidence that assets and data have not
been modified by any unauthorised party.
The Internet provides a plethora of opportunities for security
and privacy to be breached or compromised, ranging from the minor
nuisance of unavailability of ISP services, through embarrassing
defacement of web sites, to large scale fraud, theft of credit card
details and goods, and online defamation. Business on the Internet
also carries a risk of direct financial loss or gain - for example
arising from investment decisions, direct sales or purchase transactions,
and strategic business decisions.
Risk however is not a binary measure, but a concept which may be
defined quantitatively or qualitatively, and is usually used to
help make decisions based on future expected outcomes.
To answer the main question more fully, perhaps we need to examine
an implicit sub-set of issues:
- What is risk?
- What are the specific risks of the Internet, and how do they
compare with alternative places of business?
- Who or what do the risks apply to?
- How does one manage risk to get the best results?
Perhaps the last point above is the most crucial. Risk is everywhere
about us (whether just crossing the road, playing dangerous sports,
or buying goods on the Internet), but the key utility of risk is
the part it can play in helping us to make decisions (do I cross
the road further down at the pedestrian crossing, or right here
on the blind bend?).
RISK DEFINITIONS 
First, what do we mean by risk? McNamee
and Selim (15) give examples of some common interpretations
of risk, such as:
- Risk is described in management and strategy as a continuum
(risk and opportunity) with payoffs (negative and positive) and
probabilities (likelihood of occurrence and consequences).
- Risk in the financial sector is a quantifiable element (cost)
of holding assets.
- Risk in the environmental safety and occupational health industry
focuses on hazards of tasks and defined probabilities of chemical
properties and physical events.
- Risk in the insurance and risk management industry focuses on
probability distributions of material loss events.
- Risk in the security and audit professions tends to be protective
and negative, focusing on the effects of material asset loss.
It is important to identify not only what is meant by risk, (its
semantic definition), but also how people regard risk in a more
visceral sense - how they perceive risk on a subjective level. For
some, risk only relates to a potential loss, while for others it
has a positive side too, with the possibility of a gain.
The word risk derives from the early Italian risicare, meaning
to dare, with the strong implication that risk is a choice, not
a fate. In this sense, risk conveys a notion of freedom of choice;
it is up to the individual, or organisation, to choose how to proceed
- whether to dare (go ahead) with something, or not. The decision
making process may be a combination of objective judgement (based
on facts and statistics), and subjective perception of the possible
dangers/rewards, or it may be a purely qualitative issue.
Kaplan and Garrick (12) define the objective aspects of risk as a
combination of uncertainty and damage. Rather than a single number,
risk is the complete set of triplets:
Risk = { <s_i, p_i, x_i> }, i = 1, 2, ..., N
- where s_i is a scenario (a given event, "what can go wrong"),
p_i is its probability of occurrence, and x_i is its consequence
(the damage or the gain). The familiar scalar "expected loss" is
the sum over i of p_i * x_i, which discards the scenario detail.
PROBABILITY & RISK 
Probability is a key component of risk, but this too can be a contentious
term, depending on the context of the situation.
Some, like Dean (6), propose
the use of the word possibility instead of probability,
arguing that it is more closely related to the way we think and
perceive reality than the mathematical precision of probability
- which, as we will show later, is often difficult to apply to the
non probabilistic nature of the Internet anyway. Dean proposes that
risk be defined as the perceived extent of possible loss.
The notion of probability has evolved in parallel with the development
of the mathematical and physical sciences over the last half millennium
or so. The ancient Greeks, for all their mathematical prowess, had
no feel for the quantitative aspects of chance. For them, the outcome
of chance in games or in everyday life was entirely in the lap of
the Gods, and therefore unpredictable.
The Greeks believed in the mathematical perfection of abstract
ideas, and that the messy realities of everyday life were too chaotic
to be subject to the purity of mathematics. This is an early example
of how a mental framework can affect the perception of chance -
even when the evidence and the tools are available to make the connection
between random events and statistical outcomes.
The serious study of risk only really took off during the Renaissance
period, and as Bernstein (3)
notes, all the tools that we use today in risk management and decision
making, stem from the developments that took place between 1654
and 1760 (with two notable exceptions). This period saw Pascal and
Fermat's dramatic breakthroughs into probability theory, Jacob Bernoulli's
'law of large numbers' and statistical sampling, de Moivre's discovery
of the bell curve and standard deviation, followed by Daniel Bernoulli's
work on decision making, and then Bayes' dynamic approach to measuring
the unknown by revising inferences about old information in the
light of new data.
The notable exceptions are Francis Galton, who in 1875 discovered
regression to the mean (the tendency for fluctuating situations
to revert back to the norm), and Harry Markowitz, who in 1952 developed
the mathematical justification for risk diversification strategy.
Much of the early work on probability however was based on games
of chance with random outcomes - such as the throwing of dice. In
these circumstances, probabilities can be assigned a priori with
mathematical precision. But when dealing with non random and uncertain
events such as human mortality, it is impossible to derive purely
theoretical probability values. Jacob Bernoulli at the start of
the 18th century showed how probabilities could be estimated a
posteriori by measuring what has happened before, on the assumption
that future events will follow a similar pattern to those in the
past.
LUCK OR MECHANISM? 
But Laplace, nearly a century later (and echoed later still by Poincaré),
reflected the deterministic outlook of the time by expressing disbelief
in the concept of luck. Ultimately he believed that every event
has a cause, that there is no such thing as pure chance, and that the
absence of any explanation for events is simply due to our ignorance.
Of course, in the final analysis every toss of the die, every spin
of a roulette wheel, is responsive to the sum total of energies
imparted by their surroundings - we just do not have enough information,
or the means to track these events, to predict outcomes. Indeed,
chaos theory, a much more recent development as described by Gleick
(10), supports Laplace and Poincaré by insisting that all results
have a cause, even if deeply buried within the 'noise'.
Chaos theory accounts for apparently wild fluctuations in a system
(e.g. the weather) by an underlying complexity characterised by
a non-linear relationship between a set of initial conditions and
resultant interactions. An example often quoted here is one of a
butterfly causing a minor air disturbance by flapping its wings
over Hong Kong, resulting in a hurricane over Florida. A similar
(hypothetical) example on the Internet might be the effect of normally
insignificant traffic variations causing a catastrophic disturbance
when certain critical conditions are met - e.g. one extra surfer
goes online and brings a large part of the network down due to congestion
or some routing problem.
RISKS - QUANTITATIVE & QUALITATIVE 
Defining (or describing) probability is clearly vital to assessing
risk on the Internet, because it is what allows decisions to be made
- to maximise potential gains, or minimise potential losses/costs.
But how do we assess the quantitative probability of risks on the
Internet? We might make any of the following assumptions:
- events are entirely probabilistic (random)
- future events will follow a similar pattern to events in the
past
- future events arise directly as a result of cause and effect,
and cannot be related to previous observed patterns.
The second assumption above is the one most commonly used in risk analysis
on the Internet. It is particularly successful when estimating component
or system failures (e.g. MTBF data for servers), as such estimates
are often based on large samples of independent, normally distributed
events.
Some aspects of the Internet might still be considered random in
nature, and therefore amenable to the first assumption above. For
example, according to 'perfect market' theory, the movement of share
values of companies are random (because present values reflect all
currently available information) and therefore the chance of a stock
moving up or down is exactly 50%. Investors on the Internet who
followed this theory (still rigorously upheld by some) will have
had a rude shock if investing in Internet stocks in the last year.
In these circumstances the third assumption above would be more
appropriate - the normally random nature of these events was subverted
by poor business practices (on the part of business managers) and
unquestioning enthusiasm by some investors who over-valued the shares.
In other words, it was largely the behaviour of the main players
involved that was ultimately responsible for the market effects.
The well known auction house, QXL, suffered the largest Internet
stock crash of 2000, losing £66.5 million or 96% of its market value
(Computing, 21).
Assigning probability values to the risks of deliberate attacks
on systems connected to the Internet is difficult, if not impossible.
One could use the frequency of known previous attacks as a rough
guide. However, as Cohen (5)
observes, these attacks do not follow a Gaussian distribution, and
they tend not to occur as independent events (attacks often involve
multiple simultaneous events, aimed at a specific target) - so they
are not amenable to the basic mathematics of statistical probability.
Such risks therefore need to be recognised and assessed on a relative
scale of impact, so that appropriate measures can be taken to cover
(i.e. control or mitigate) the risk.
PEOPLE 
Risk depends not only on the mechanistic nature of the underlying
circumstances (i.e. choice of one of the three probability assumptions
above), but varies according to the perspectives of the individual,
their nature, and their social and cultural history. In addition,
the risks of business on the Internet will be seen differently by
different types of player, such as:
- Companies who are totally dependent on the Internet for their
business (e.g. Yahoo!)
- Companies with only a promotional presence on the Internet
- Companies only using the Internet for finding information and
occasional email
- Individuals dependent on the Internet for information (e.g.
day traders, investors, students)
- Individuals using the Internet for communications and making
purchases
- Individuals using the Internet for general information and entertainment
(e.g. playing games).
and within each of the categories above will be individual characteristics
that place different personal values on the perceived quantitative/objective
measures of risk.
Companies that are very dependent on the Internet are likely to
have a view of risks that differs markedly from that of individuals
who surf for pleasure and have little to lose. In such circumstances
companies have much more at stake (higher exposure to risks with
more severe consequences) than individual surfers - so will tend
to be more objective and rational in order to control the risks
to an acceptable level, and can justify expenditure on security
measures (e.g. encryption, anti-virus software).
On the other hand, some small companies and individuals may have
less time to research and analyse the data available on the risks
of doing business on the Internet, and will only form their perceptions
from the narrow range of their own experiences. This can lead to
wildly differing behaviour patterns - for example some people happily
download executable files from unknown sources on the WWW without
a second thought, while others who have experienced a malicious
software bug or a damaging virus will invest in lots of protective
software and only venture onto the WWW with extreme caution.
TECHNOLOGY & SOCIAL ISSUES 
Despite the satisfying sense of mastery offered by the quantitative
approach to risk, it can be deceptive as it focuses on the mechanistic
and technological aspects of the Internet, while tending to ignore
social and humanistic issues.
In the context of IT security in general, many observers including
Ghosh (9), Garfinkel
and Spafford (8), and Schneier
(18) have emphasised that fundamental weaknesses often overlooked
in IT systems are to do with human behaviour and social engineering.
The same applies to the Internet - no matter how much technology
is applied to boost security, it can still be circumvented, either
by human failure, or deliberate sabotage of a weak social link (e.g.
'dumpster diving', or masquerading as a trusted party to obtain
passwords).
Some people still think of security as a technological issue -
to counter the perceived risks, just apply more technology. As Schneier
has clearly argued, over reliance on technology is highly dangerous,
as deliberate attacks on systems now focus on the unexpected, using
creative ways around the obvious safeguards. A more holistic and
open minded approach is needed to reduce the risks of a malicious
attack.
The combined effects of technology and social issues are the subject
of another line of research into crisis management and disasters,
by followers of systems theory.
The socio-technical approach proposes that the majority
of accidents are attributable to a combination of human as well
as procedural and technological failure. As explained by Borodzicz
(4) a six stage model (first proposed by Turner, and later advanced
by Toft and Reynolds) shows how a combination of social and culturally
defined beliefs are brought together with technology and procedures
to create a working system which has inherent flaws. According to
the model, these flaws are not readily apparent when examining the
social and technological aspects in isolation, but during a period
of incubation minor faults may be found, and are managed as small
operational difficulties (not system faults). Then some precipitating
event may initiate a major system failure, which is treated on the
basis of previously held (inaccurate) assumptions about the way
the system operates, eventually leading to catastrophic breakdown
of the system.
Though Internet system failures are not likely to be as life-threateningly
disastrous as chemical explosions or industrial fires, the mechanisms
described above may well be applicable, and provide useful insight
in assessing and managing risk on the Internet.
The experience of Barclays Bank in July 2000 may be an example
of socio-technical failure. As described by Arthur
(2), the new online banking system had to be closed down shortly
after going live, because under certain situations customers were
able to see other customers' details online - if a previous attempt
by another customer to log in had failed, for example. Minor faults
had been reported during the beta testing phase, but these had been
put down as insignificant teething problems, and were ignored. This
was clearly a combination of technical fault(s) and a misunderstanding
of the social issues, whereby customers unexpectedly caused online
queues and login errors, resulting in severe embarrassment for
Barclays and denial of service to their customers.
Another development from systems theory, proposed by Perrow
(16), is that certain types of high technology system are bound
to fail at some point. Perrow suggests that the chances of failure
are particularly high where there is a combination of tight coupling
and interactive complexity in systems - i.e. a number of
mutually dependent components with a high degree of complexity.
This leads to what he terms a normal accident, signifying
that, due to the system characteristics, multiple and unexpected
interactive failures are inevitable.
The different perspectives on risk provided by systems theory are
disturbingly regressive. Risk, under these circumstances is harder
to quantify, or even identify by normal methods, until disaster
strikes. By their very nature, complex systems such as the Internet
(with its large infrastructure, programs, documents, hosts, servers
etc.) are likely to fail on occasion in unpredictable ways.
To this end, it is important not only to assess risk in the traditional
ways (and as objectively as possible) using historical records of
failure, but now there must be a more creative approach to try and
foresee future unexpected problems. This would entail a more proactive
sharing of information (to catch perhaps infrequent small system
errors), better communication of different perspectives of risk
(e.g. expert vs. lay persons, as in risk communication theory),
and the development of a healthy safety culture throughout the industry.
INTERNET ENVIRONMENT 
The Internet is often referred to as a place, but in reality it
is something else - not easily defined by our normal concepts of
territory and location. The Internet is huge, uncharted, borderless,
accessible to all, and fundamentally insecure, lawless and anonymous.
It is not a place, it is many places - a multi-dimensional hyper-space
which harbours a diverse range of communities, media and information.
A perceptive analysis of the evolving nature of the Internet and
its relationship with business and society is given by Lessig
(13), but the issues are too extensive to cover here. A recurrent
theme of Lessig's is the notion that the Internet is often considered
anarchic and un-regulable, but in reality, society and the architects
of the web are encoding a set of values and norms into the structure
of the web - this should be tackled openly, rather than by stealth
or thoughtless default.
Governments and tax authorities are starting to address the apparent
lack of borders and laws on the web, with inevitable conflicts and
confusions (e.g. some aspects of the UK Regulation of Investigatory
Powers bill and the UK Data Protection Act 1998 are directly contradictory).
The Internet as a medium for business is still undergoing a period
of rapid change, thus attracting a higher level of risk than more
conventional environments. But as Andy Grove, ex CEO of Intel, proclaimed
a few years ago - "in five years time there won't be any e-businesses.
Anyone not using the Internet will be out of business".
The Internet as a place for business cannot be ignored, but if
the risks are higher, the potential rewards and losses are greater.
For some companies though, the risks of not using the Internet to
best effect may be terminal - as their competitors eat their lunch
on the Internet.
DIMENSIONS 
It is apparent that there are a number of highly polarised dimensions
associated with our view of risk, which cannot be easily reconciled:
- Subjective vs. Objective
- Past vs. Future looking
- Quantitative vs. Qualitative
- Systematic analysis vs. Scenario planning (conceiving of the
new or unknown)
- Expert vs. Lay opinion.
All these different tensions have a validity, even though some
may appear to be mutually exclusive. It is suggested here that effective
risk management requires an awareness at least of these different
dimensions - to smooth the flow of an uncertain future and optimise
the risk opportunities.
RISK MANAGEMENT 
Once risks have been identified, they need to be controlled and
managed - an essential part of doing business on the Internet. The
details of risk management are beyond the scope of this paper, but
the importance of the subject merits a brief overview.
The primary goal is to control the exposure to risks that threaten
the existence of an organisation. The second objective is to minimise
the cost impact of the remaining risks. A convenient way to characterise
risk is on a graph (after IST Inc.,
11) which plots the frequency of a risk occurring against the
cost or impact it might have on the organisation, as shown below
in Fig. 1

Fig.1
The curves above represent contours of constant ALE (Annualised
Loss Expectancy). At first these may appear to represent equal levels
of risk to a company - but the labels indicate the different nature
of these risks.
Risks of low frequency and cost (or impact) can be ignored. At
the opposite extreme is a region of high impact and high frequency
where no risks can exist - if any did, the business could not survive.
In the high cost/low frequency region, risks, though rare to occur,
are likely to threaten the existence of a company (e.g. major fire),
so a policy of risk transfer is recommended - i.e. take out insurance
cover. Where both frequency and impact of risks are moderate, controls
can often be implemented to mitigate the effects of an occurrence
(e.g. use of encryption and physical security to manage access to
sensitive data). A risk acceptance strategy is advised for those
risks which have a high frequency but a low impact - i.e. they are
more of a nuisance than a threat to the organisation.
A risk optimisation strategy requires a balancing of the possible
losses due to the impact of risks occurring, against the cost of
implementing protective security measures for different levels of
security. This is illustrated in Fig. 2 below.

Fig. 2
The optimum level of security is achieved where the sum of risks
and security costs is at a minimum - in other words, where increasing
the cost of protective measures is no longer justifiable by the
savings this will make in reduced losses.
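The following is an added worked example, not code from the original article. It puts the Kaplan and Garrick triplets from the RISK DEFINITIONS section, the ALE regions of Fig. 1 and the cost-minimising choice of Fig. 2 into one runnable script. The thresholds that divide the frequency/impact plane, the sample risks and the candidate security levels are all constructed for illustration and are assumptions of the example; the article gives no numbers for them.

```python
"""Risk as a set of <s_i, p_i, x_i> triplets, the ALE regions of Fig. 1,
and the security level that minimises security cost plus residual loss (Fig. 2).

Added example. All thresholds, sample risks and security levels below are
constructed for illustration; none come from the original article."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One Kaplan-Garrick triplet <s_i, p_i, x_i>."""
    scenario: str      # s_i: what can go wrong
    frequency: float   # p_i: expected occurrences per year
    impact: float      # x_i: loss per occurrence, in currency units

    @property
    def ale(self) -> float:
        """Annualised Loss Expectancy: the value that is constant along a Fig. 1 contour."""
        return self.frequency * self.impact


def expected_loss(risks: Iterable[Risk]) -> float:
    """Scalar summary of the triplet set: the sum over i of p_i * x_i."""
    return sum(r.ale for r in risks)


# Constructed thresholds (occurrences per year, currency units) that carve the
# frequency/impact plane into the regions labelled in Fig. 1.
LOW_FREQ, HIGH_FREQ = 1.0, 10.0
LOW_IMPACT, HIGH_IMPACT = 1_000.0, 1_000_000.0


def strategy(r: Risk) -> str:
    """Map a risk to the treatment the Fig. 1 region recommends."""
    f, x = r.frequency, r.impact
    if f < LOW_FREQ and x < LOW_IMPACT:
        return "ignore"          # low frequency, low impact
    if f >= HIGH_FREQ and x >= HIGH_IMPACT:
        return "unacceptable"    # the region where no business could survive
    if x >= HIGH_IMPACT:
        return "transfer"        # rare but existence-threatening: insure it
    if f >= HIGH_FREQ:
        return "accept"          # frequent nuisance, low impact
    return "mitigate"            # moderate/moderate: implement controls


@dataclass(frozen=True)
class SecurityLevel:
    name: str
    annual_cost: float   # cost of the protective measures at this level
    residual: float      # fraction of the mitigable ALE that remains after them


def total_cost(ale_before: float, level: SecurityLevel) -> float:
    """Fig. 2: security cost plus the expected loss that the level does not remove."""
    return level.annual_cost + ale_before * level.residual


def optimal_level(ale_before: float, levels: Iterable[SecurityLevel]) -> Tuple[SecurityLevel, float]:
    """Pick the level at which the sum of risk and security cost is minimal."""
    best = min(levels, key=lambda lv: total_cost(ale_before, lv))
    return best, total_cost(ale_before, best)


# Constructed sample risks for a small online retailer.
SAMPLE_RISKS: List[Risk] = [
    Risk("typo on a promotional page", frequency=0.2, impact=50.0),
    Risk("hour-long ISP outage", frequency=12.0, impact=500.0),
    Risk("web site defacement", frequency=0.5, impact=20_000.0),
    Risk("theft of card details from order database", frequency=0.2, impact=200_000.0),
    Risk("major fire at hosting site", frequency=0.01, impact=5_000_000.0),
    Risk("uncontrolled payment fraud", frequency=20.0, impact=2_000_000.0),
]

# Constructed candidate security levels: more spend, less residual loss, with
# diminishing returns at the top end.
SAMPLE_LEVELS: List[SecurityLevel] = [
    SecurityLevel("none", annual_cost=0.0, residual=1.0),
    SecurityLevel("basic", annual_cost=8_000.0, residual=0.5),
    SecurityLevel("standard", annual_cost=20_000.0, residual=0.25),
    SecurityLevel("hardened", annual_cost=45_000.0, residual=0.15),
    SecurityLevel("paranoid", annual_cost=90_000.0, residual=0.12),
]


def main() -> None:
    for r in SAMPLE_RISKS:
        print(f"{r.scenario:45s} ALE={r.ale:>12,.0f}  -> {strategy(r)}")
    mitigable = [r for r in SAMPLE_RISKS if strategy(r) == "mitigate"]
    ale = expected_loss(mitigable)
    for lv in SAMPLE_LEVELS:
        print(f"{lv.name:10s} total={total_cost(ale, lv):>10,.0f}")
    best, cost = optimal_level(ale, SAMPLE_LEVELS)
    print(f"optimum: {best.name} at {cost:,.0f} per year")


if __name__ == "__main__":
    main()
```

Only the risks that land in the "mitigate" region are fed to the optimisation; the insured and accepted ones are not reduced by security spending, and the "unacceptable" one would swamp the calculation, which is the point the article makes about that region. With the constructed figures the total falls from "none" to "basic" to "standard" and then rises again, so "standard" is the optimum: beyond it each extra unit of security spend buys less than a unit of reduced expected loss.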
CONCLUSION 
Risk is a quantum moment in time, wedged between the known past,
and an uncertain future. Risk provides an element of choice - to
dare, or not to dare; to take a new product to market, or to take
an old product to new markets? Each decision carries the risk of
a possible loss or gain.
To be entrepreneurial on the Internet is to accept risk. But to
make decisions which manage risk to maximise gains and minimise
losses is to succeed in business.
Risk provides a freedom of choice which makes business on the Internet
a very dynamic process - the rewards can be great, and the downfalls
can be shocking. But without risk, business would be static and
moribund. If risk is acknowledged and used wisely, it can confer
significant competitive advantages.
As the Nobel laureate Kenneth
Arrow (1) remarked:
"Our knowledge of the way things work,
in society or in nature, comes trailing clouds of vagueness.
Vast ills have followed a belief in certainty".