Ethical Risk Maturity Framework - PowerPoint Presentation
Uploaded On 2023-12-30
Presentation Transcript

1. Ethical Risk Maturity Framework
Susan Lincke

2. My Motivation
- Security is/was not well funded in industry
- Breaches are rampant
- Crime pays: ransomware
- Bigger picture: the world is not paying to eradicate cyber-security crime
- Issues: Looking for profit? Lack of interest? Engineering problem? What is ethical risk?
Your feedback is important in this process!

3. Maturity Levels Relating to Ethical Risk

4. A Comparison of Ethical Models

| Our Levels | Self-Protection | Compliance Concern | Stakeholder Concern | Societal Concern |
| --- | --- | --- | --- | --- |
| Friedman vs Freeman | Friedman: Shareholder Primacy | Criminal, Civil & Administrative Law | Freeman: Primary Stakeholders | Freeman: Secondary Stakeholders |
| Piaget's Moral Judgment Levels | Premoral, Egocentrism | Respect for authority & rules | Heteronomous Level: Cooperation and mutual respect | Autonomous Level: Reciprocity and equality |

Kohlberg's Levels of Moral Judgment (spanning the columns above): Preconventional Morality: Respect for Power & Punishment; Conventional Morality: Social Values & Rules; Post-conventional: Justice & Welfare

Kohlberg's 6 Stages:
1: Obedience to authority
2: Benefit each other, mutual deals
3: Social approval: good vs. bad
4: Obey social, legal, religious laws
5: Benefit society (change law)
6: Ethical principles over social norms

5. Risk Immature
Adopt a Standardized Risk Process; Create a Culture of Risk Communication
- Involve business management
- Create a culture of communication and responsibility
- Document and communicate risk findings

6. Self-Protection Level
Shareholder Primacy (Milton Friedman):
"What does it mean to say that the corporate executive has a "social responsibility" in his capacity as businessman? If this statement is not pure rhetoric, it must mean that he is to act in some way that is not in the interest of his employers. For example, that he is to refrain from increasing the price of the product in order to contribute to the social objective of preventing inflation, even though a price increase would be in the best interest of the corporation. Or that he is to make expenditures on reducing pollution beyond the amount that is in the best interest of the corporation or that is required by law in order to contribute to the social objective of improving the environment. Or that, at the expense of corporate profits, he is to hire "hardcore" unemployed instead of better qualified available workmen to contribute to the social objective of reducing poverty." - NY Times, 1970

Risk Scenarios (ACFE 2020 Report to the Nations):
- On average, 5% of revenue is lost annually to fraud
- Average loss: $1,509,000/case
- Median loss: $125,000/case
- Asset misappropriation: $100,000/case
- Corruption: $200,000/case
- Financial statement fraud: $954,000/case

7. Self-Protection Level
- Train to Evaluate Fraud, Security, Business Risk
- Manage for Organizational Sustainability
- Develop a Code of Ethics Addressing Organizational Sustainability
- Evaluate Fraud and Ethical Risk
- Include an Anonymous Reporting Mechanism for Ethical Violations
- Calculate Quantitative Risk Analysis for Organization
- Price Insurance with Discounts for Controls

8. Compliance Concern
Criminal, Civil and Administrative Law
Economist Ronald Coase (1960) discusses the economic effects of harm and their impact on victims and producers (organizations). In any transaction, both sides have interests. Legislating against a nuisance can result in harm to the producer. When regulation does not exist, civil law can solve problems with a more mutually beneficial outcome.

Risk Scenario: Recent Settlements (reports from SC Magazine news articles):
- Capital One was fined $80 million by the OCC (Office of the Comptroller of the Currency) for its 2019 breach, which affected more than 100 million customers
- Wendy's fast food chain agreed in 2019 to pay $50 million to settle claims by financial institutions for negligence after payment card data was stolen from over 1,000 locations in 2015-2016
- A Texas hospital paid $3.2 million for HIPAA violations
- Target paid $18.5 million to 47 different states after its massive 2013 breach
- Europe's General Data Protection Regulation (GDPR) (2018): Google fined 50 million Euros ($54 million US)

9. Compliance Concern
- Train for Compliance Risk
- Value Legal Adherence within Management
- Lead Ethically via Management Example and a Code of Ethics
- Address Regulation Fully
- Heed New Regulations
- Adhere to Regulations and Standards Addressing Business Ethics
- Pay Attention to the Intent of Regulation
- Consider Legal Responsibility Beyond Regulation
- Evaluate Product Liability
- Manage Projects Responsibly
- Follow Software Standards for Quality, Security, and Safety
- Develop and Follow Soft Law
- Configure Software for Policy Choice

10. Stakeholder Concern
Stakeholder Theory (R. Edward Freeman)
The survival of an organization relies on its interdependency:
"So, even if the ideologues who insist that the only legitimate purpose of a business is to maximize shareholder value or maximize profits, the only way to do that is to create great products and services that customers want to buy." (p. 4, Freeman et al. 2007)
Deception erodes trust, and trust is required for economic transactions. Business management must take responsibility for the effects of their actions, including defending themselves to TV news reporters. When new regulation or litigation arises, the implication is business management failure.

Risk Scenario: Employee Bribe
Hacker Offered Russian-Speaking Tesla Employee $1 Million to Execute Ransomware Attack
- The employee reported the approach to Tesla management and the FBI, which arrested the Russian hacker, Kriuchkov.
- The cybercriminal said they would ransom the data and threaten to publish it online if demands were ignored.
- Kriuchkov disclosed that they had demanded a $6 million ransom from another firm, which settled for $4.5 million.
https://www.cpomagazine.com/cyber-security/hacker-offered-russian-speaking-tesla-employee-for-1-million-to-execute-ransomware-attack

11. Stakeholder Concern
- Learn the Context of the Business Process and/or Product Development
- Manage with a View toward All Stakeholders
- Adopt a Code of Ethics Addressing Stakeholder Concerns
- Discuss the Qualitative Impact of Risk Affecting All Stakeholders
- CARE for Ethics within Product Development/Procurement
- Discuss Values of Concern
- Personalize Risk
- Consider Risk Beyond the Expected
- Evaluate the Impact of Risk Quantitatively
- Evaluate the Outrage Factor
- Calculate Risk from the Stakeholder Perspective
- Inform/Communicate Ethical Issues to Stakeholders
- Sell Safety and Security to Customers
- Evaluate Risk in Software Implementation for All Stakeholders
- Address Risk in Software
- Design Security into the Product
- Document and Evaluate Safety Decisions Systematically
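Slide 7 calls for a quantitative risk analysis for the organization and for pricing insurance with discounts for controls, and slide 11 asks for the same calculation carried out from the stakeholder perspective. The Python below is an added example written for this page, not code from the original slides, showing one way to do both with the usual single loss expectancy (SLE) times annualized rate of occurrence (ARO) model. The only figure taken from the slides is the ACFE 2020 median fraud loss of $125,000 per case (slide 6); the occurrence rate, the split of losses across stakeholder groups, the control costs and effects, and the insurer's loading and discount are all constructed assumptions, and the control names are hypothetical.

```python
"""Quantitative risk analysis from the organization's and the stakeholders'
perspectives, plus a control-adjusted insurance premium.

Added example for this page, not code from the original slides. The SLE
($125,000, ACFE 2020 median fraud loss per case) comes from slide 6; every
other number below is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str                    # hypothetical control name
    annual_cost: float           # dollars per year to run the control
    aro_reduction: float = 0.0   # fraction of occurrences the control prevents
    sle_reduction: float = 0.0   # fraction of per-event loss the control limits


@dataclass
class Risk:
    name: str
    sle: float                   # single loss expectancy, dollars per event
    aro: float                   # annualized rate of occurrence, events per year
    # share of each loss borne by each stakeholder group; shares sum to 1
    loss_shares: dict = field(default_factory=dict)

    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO (the organization's view)."""
        return self.sle * self.aro


def residual_ale(risk: Risk, controls=()) -> float:
    """ALE after applying controls; reductions compound multiplicatively."""
    sle, aro = risk.sle, risk.aro
    for c in controls:
        sle *= 1.0 - c.sle_reduction
        aro *= 1.0 - c.aro_reduction
    return sle * aro


def control_net_value(risk: Risk, controls) -> float:
    """Annual ALE reduction minus annual control cost (positive = worth buying)."""
    reduction = risk.ale() - residual_ale(risk, controls)
    return reduction - sum(c.annual_cost for c in controls)


def ale_by_stakeholder(risk: Risk, controls=()) -> dict:
    """Split the residual ALE by who actually absorbs the loss.

    This is the 'calculate risk from the stakeholder perspective' step: the
    organization's own ALE is only one column of the answer.
    """
    total = residual_ale(risk, controls)
    return {who: total * share for who, share in risk.loss_shares.items()}


def insurance_premium(risk: Risk, controls=(), loading=1.25, control_discount=0.0) -> float:
    """Premium = residual expected loss x loading, less a discount for controls.

    'loading' covers the insurer's expenses and margin; 'control_discount' is
    the fraction the insurer takes off for verified controls. Both are assumed.
    """
    return residual_ale(risk, controls) * loading * (1.0 - control_discount)


def rank_controls(risk: Risk, candidates) -> list:
    """Order candidate controls by net annual value, best first."""
    scored = [(control_net_value(risk, [c]), c.name) for c in candidates]
    return sorted(scored, reverse=True)


# Constructed scenario: occupational fraud, median loss per case from slide 6.
FRAUD = Risk(
    name="occupational fraud",
    sle=125_000.0,
    aro=0.4,  # assumed: one case every 2.5 years
    loss_shares={"organization": 0.6, "customers": 0.3, "community": 0.1},
)
HOTLINE = Control("anonymous reporting hotline", annual_cost=20_000.0, aro_reduction=0.5)
AUDIT = Control("expanded internal audit", annual_cost=60_000.0,
                aro_reduction=0.3, sle_reduction=0.4)


def analyze(risk: Risk = FRAUD, controls=(HOTLINE,)) -> dict:
    """Run the full analysis for one risk and a chosen set of controls."""
    return {
        "ale": risk.ale(),
        "residual_ale": residual_ale(risk, controls),
        "control_net_value": control_net_value(risk, controls),
        "by_stakeholder": ale_by_stakeholder(risk, controls),
        "premium": insurance_premium(risk, controls, control_discount=0.10),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
    print("ranked controls:", rank_controls(FRAUD, [HOTLINE, AUDIT]))
```

With the assumed figures the hotline halves the ARO, cutting the ALE from $50,000 to $25,000 for a $20,000 annual cost, so it is worth buying; the audit control is not, because its cost exceeds the loss it removes. The stakeholder split makes the point of slide 11 explicit: 40% of the residual expected loss still lands on customers and the community, which an organization-only ALE never shows.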

12. Societal Concern
Ethical Theories
- Utilitarianism: acts that promote the greatest happiness for the greatest number
- Deontological ethics, similar to the Golden Rule: do unto others as you would like them to do unto you. Important: the motive for actions; the morally commendable motive is to act from duty
- Virtue ethics is concerned with the character of an entity and with avoiding vice. Virtue can also apply at the organizational level, by improving internal organizational qualities

Risk Scenario: Extreme Weather
- California: over 12,000 lightning strikes in 3 weeks sparked almost two dozen major fires
- 5 million acres burned, homes destroyed, thousands fled. This is nearly 20 times what had burned at this time last year
- September-October are historically the worst fire months, due to heat and winds
- Managing Climate Risk in the Financial System: "A world wracked by frequent and devastating shocks from climate change cannot sustain the fundamental conditions supporting our financial system"
- Other threats: hurricanes, tornados, floods
- Threat: customers and suppliers disappear

13. Societal Concern
- Train and Think in Ethics
- Manage Considering the Societal Impact of Decisions
- Adopt a Code of Ethics that Addresses Societal Concerns
- Discuss the Societal Impact of Risk Qualitatively
- Think Outside the Engineer Role
- Consider Societal Risk Broadly
- Avoid Ignoring Undesirable Decisions
- Evaluate the Impact of Risk Quantitatively
- Calculate Risk from the Societal Perspective
- Research Unknown Risk Scientifically
- Document and Evaluate Societal Decisions Systematically

14. Maturity Level Practices
Table columns on the slide: Maturity Level | Practices | Risk Analysis | Mgmt Leadership | Compliance | Development & Engineering. [The check marks assigning each practice to the four role columns are not recoverable from this transcript; the practices per level are listed below.]

Risk Immature Level
- Adopt a standard risk process
- Involve business management
- Create a culture of communications and responsibility
- Document and communicate risk findings

Self-Protection Level
- Calculate quantitative risk analysis for organization
- Analyze fraud and ethical risk
- Develop a Code of Ethics for organizational sustainability
- Provide an Anonymous Reporting Mechanism for Ethical Violations
- Price insurance with discounts for controls

Compliance Focused Level
- Heed new regulations
- Pay attention to the intent of regulation
- Adhere to standards and regulations addressing ethics
- Consider legal responsibility beyond regulation
- Lead ethically via management example and Code of Ethics
- Assign ethical risk accountability
- Manage projects responsibly
- Learn the context of the product development
- Configure software for policy choice
- Train for compliance and ethical risk
- Develop and follow soft law

Stakeholder Concern Level
- Inform/communicate ethical issues to stakeholders
- Evaluate the outrage factor
- Personalize risk
- Consider risk beyond the expected
- Adopt a Code of Ethics addressing stakeholder concerns
- Design security into the product
- Calculate risk from the stakeholder perspective
- Sell safety and security to customers
- Care for ethics within product development/procurement
- Address risk in software
- Document and evaluate safety decisions systematically

Social Concern Level
- Train and think in ethics
- Consider societal risk widely
- Calculate risk from the societal perspective
- Adopt a Code of Ethics that addresses societal concerns
- Avoid ignoring undesirable decisions
- Research unknown risk scientifically
- Think outside the engineer role
- Document and evaluate societal decisions systematically

15. Conclusion - Benefits
Lower Levels (up to Compliance):
- More stability
- Fewer lawsuits
- Rare regulatory judgments
- Improved community reputation
Higher Levels:
- New products (potentially revolutionary)
- Better customer relationships
- Better long-term employee and vendor relationships
- Long-term community respect
- Feeling of pride, good will

16. Consent Notification

Purpose of Research: The purpose of this research is to gain an understanding of current ethical risk practices at U.S. organizations. Statistics of interest include the distribution of maturity levels and activities with strong and weak statistical values. Preliminary research results should be available at www.cs.uwp.edu/staff/lincke/EthicalRisk.htm within one week after this event.

Consent: Participation in this research is voluntary. If you choose to participate, please complete the appropriate section of this survey related to your current or a recent past employment position: security/risk practitioner, manager, developer/engineer, or legal personnel. Please complete the Qualtrics survey by 3 PM Monday. Whether or not you choose to participate in the survey, copies of the questionnaire are available for download at www.cs.uwp.edu/staff/lincke/EthicalRisk.htm.

Benefits: This survey will enable you to evaluate the ethical risk maturity of your organization (with a sample size of 1) against best practices in leading research, and to determine useful options to increase that maturity. At the end of the Qualtrics survey you may download a copy of your responses in PDF form. Also know that you are contributing to an initial evaluation of this ethical risk maturity model for research purposes.

Risk: To ensure anonymity, we are not asking for your name or your organization's name, and the Qualtrics survey is anonymous (no IP addresses are stored). All statistics will be reported in research only by career category. No statistics will be provided by organization or any other identifier, other than that the survey was conducted at an 'industry-oriented security conference'. Be aware that any written (text) comments may be published verbatim, identified only by career category. If you choose to retract a descriptive comment, you may contact the researcher Susan Lincke by phone at 708-453-2069.

Confidentiality: These survey results will remain anonymous on Qualtrics. Aggregated statistics will be published by career category.

17. Questions or Comments? (Would be appreciated)
Take the Manager Survey: http://uwparkside.qualtrics.com/jfe/form/SV_9ssHzqOlbloF7wN
Word Doc: www.cs.uwp.edu/staff/lincke/EthicalRisk.htm