[unisog] Risk analysis

Russell Fulton r.fulton at auckland.ac.nz
Thu Feb 16 00:26:13 GMT 2006



Micheal Cottingham wrote:
> For example, are different values placed on students
> as opposed to faculty? Perhaps you split faculty and staff in to
> different categories and drill down more. Or do you lump them all together?
> 
First off, I'm not a great fan of detailed risk analysis. In general it
is a very blunt instrument for dealing with a very complex problem.
Assigning numbers is only often tenuously related to reality.

I see it as having two major uses:
1/ If done at a sufficiently high level it can give a veneer of
respectability lacking in straight seat of the pants stuff we do every
day.  This is useful for getting higher management to take notice. (Just
don't tell them that you actually regigged the numbers so that they came
 out the way you wanted ;)

2/ Doing a risk analysis (and involving a lots of people in the initial
data gathering phase) is an excellent way of increasing your confidence
that you have not missed anything.  (Like separate student database
maintained by the disabilities assistance group which is running on a pc
using MS-SQL and exposed to the internet).  All sorts of things crawl
out of the wood work if you do this bit properly ;)  If nothing else it
gets people thinking about the what ifs.

Back to the insider question:   I would classify members of the
university community into several discrete categories - at a
minimum:students, academic staff, IT staff (particularly SAs & DBAs),
Business Staff (finance, student affairs, etc.) and departmental/faculty
administration staff (who as Randy pointed out have access to everything
and work for love -- it certainly isn't money).  Each of these groups
will have a different risk and threat profile.

In the risk analysis I have been involved in we measured potential
damage on a scale of 1 - minimal to 5 disastrous and likely hood on a
similar 1-5 scale.  This seems to work OK for assessing related risks
but once you start looking at risks right across the organisation the
numbers break down and you end up having to fiddle things from different
areas to get sensible results.

Russell



More information about the unisog mailing list