Risk Management: When it comes to success, there should be no shortcuts
During the post-incident investigation into the Deepwater Horizon explosion, the investigators identified an inherent apathy around the effective management of risk. This is a common human behavioural trait, termed the cognitive miser effect.
Consequently, shortcuts were taken with regard to risk management practices, meaning that business decisions were made that increased the risk profile:
“A large number of decisions were made that were highly questionable and potentially contributed to the blowout of the Macondo well… Virtually all were made in favour of approaches which were shorter in time and lower in cost. That gives us concern that there was not proper consideration of the tradeoffs between cost and schedule and risk and safety.”
It is extremely likely that today, many companies are making the same mistakes and are failing to dedicate sufficient time, effort, and resources to validate that any business decisions are not increasing the organization's risk profile.
Does your company suffer from the cognitive miser effect?
Do you feel that the business is prone to taking shortcuts (especially with regard to threat and risk analysis)?
Do you understand the potential impact that this might have on your organization?
In essence, whenever your business makes a significant change, it needs to start by modeling the threats associated with that change:
What is it that you are working on?
What could go wrong?
What do you need to do about it?
How do you measure that you did a good job?
Without having sufficiently answered these questions, your company increases the chance that these changes will have a detrimental impact. Consequently, it is extremely important to embed security and risk into your business projects.
Marriott Breach: Case Study
On November 16, 2015, Marriott International announced its plan to acquire Starwood Hotels & Resorts Worldwide. On April 8, 2016, stockholders of both Marriott International and Starwood Hotels & Resorts Worldwide approved the merger, making it the largest hotel chain.
A great deal for the business, but had they fully identified the threats and the potential risks that this could bring?
Had they considered what threats any inherited booking system could present as a result of this acquisition?
On 8th September 2018, the Marriott Group discovered abnormal activity associated with a suspicious attempt to gain unauthorized access to one of their internal guest reservation databases. This would later reveal that their corporate network had been breached and that around 500 million customer records had been compromised, and on 9th November 2019, Arne Sorenson, President & CEO of Marriott International, would be called to provide testimony to the Senate Committee on Homeland Security & Governmental Affairs Permanent Subcommittee on Investigations.
During his testimony, Arne Sorenson mentioned the merger with Starwood, as well as the integration of Starwood's technology and network with Marriott's (a pretty significant change, wouldn't you say?), but never once mentioned that the business had carried out any threat modeling or risk assessments so that it could make an informed business decision.
What was the business impact?
Applying the cognitive miser approach to the risk management of this business acquisition resulted in a substantial loss magnitude (How much loss is likely, as a direct result of a loss event, not considering losses that may come from secondary stakeholders' reactions?):
Primary Losses (How much money are we likely to lose from each loss event?).
How long was the reservation system offline?
How much did this cost the business in productivity?
Cost of replacing the reservations database?
Losses from depreciating competitive advantage?
Fines and Judgements costs?
Secondary Risks (How much loss will be experienced, as a result of secondary stakeholders’ reactions to the primary loss event?).
Secondary Loss Event Frequency?
What percentage of primary loss events are likely to result in losses from secondary stakeholder reactions?
Secondary Loss Magnitude?
How much loss did they experience as a result of secondary stakeholders’ reactions to the primary loss event?
Fines and Judgements?
If your organization is considering making a significant change, think about the mistakes that resulted from allowing the cognitive miser to influence a business decision. Think about the cost of embedding thorough threat and risk analysis into your business operations, versus the potential cost of not doing so!
Work as a team to address the following:
Alignment with the business perspectives for any significant changes.
Decompose the supporting applications/infrastructures that are involved with any significant changes.
Determine the threats.
Understand any inherent vulnerabilities.
Identify any countermeasures or mitigation efforts that are required to align with the business risk appetite levels.
Rank the threats, from any significant changes, based upon the potential impacts on the business.
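The loss-magnitude breakdown above (primary losses plus secondary loss event frequency times secondary loss magnitude) and the final ranking step can be worked through together in a FAIR-style Monte Carlo estimate. This is an added example, not code from the original article; `Estimate`, `LossScenario`, `simulate` and `rank_by_impact` are assumed names, and every dollar figure, duration and probability is a constructed placeholder rather than a Marriott number.

```python
"""FAIR-style loss magnitude estimate (added example; all figures are constructed placeholders)."""
import random
from dataclasses import dataclass


@dataclass
class Estimate:
    """Calibrated min / most-likely / max range, sampled as a triangular distribution."""
    low: float
    likely: float
    high: float

    def sample(self, rng):
        return rng.triangular(self.low, self.high, self.likely)


@dataclass
class LossScenario:
    name: str
    primary: dict                  # loss component -> Estimate, in dollars
    secondary_freq: Estimate       # share of primary events that draw stakeholder reactions
    secondary_magnitude: Estimate  # loss when such a reaction occurs, in dollars


def simulate(scenario, trials=10_000, seed=7):
    """Monte Carlo over loss magnitude = primary loss + SLEF x SLM; returns percentiles."""
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    totals = []
    for _ in range(trials):
        primary = sum(e.sample(rng) for e in scenario.primary.values())
        secondary = (scenario.secondary_freq.sample(rng)
                     * scenario.secondary_magnitude.sample(rng))
        totals.append(primary + secondary)
    totals.sort()
    pct = lambda p: totals[int(p * (trials - 1))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def rank_by_impact(scenarios):
    """Rank the threats arising from a change by 90th-percentile loss, worst first."""
    scored = [(s.name, simulate(s)["p90"]) for s in scenarios]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed scenarios for an inherited reservation system (placeholder figures).
INHERITED_DB_BREACH = LossScenario(
    "inherited reservation database compromised",
    primary={"downtime productivity": Estimate(0.5e6, 2e6, 5e6),
             "database replacement": Estimate(1e6, 3e6, 8e6),
             "fines and judgements": Estimate(5e6, 20e6, 60e6)},
    secondary_freq=Estimate(0.6, 0.8, 1.0),
    secondary_magnitude=Estimate(10e6, 40e6, 100e6))
MIGRATION_OUTAGE = LossScenario(
    "booking migration outage", primary={"downtime productivity": Estimate(0.2e6, 1e6, 3e6)},
    secondary_freq=Estimate(0.1, 0.3, 0.5), secondary_magnitude=Estimate(0.5e6, 2e6, 5e6))
```

Feeding the ranked list back into the countermeasure step lets the team spend mitigation budget on the scenarios whose tail loss actually exceeds the risk appetite.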
In 2019, it was reported that this breach had cost the Marriott Group $126 Million. In hindsight, I wonder whether they will approach any further acquisitions in the same manner, or whether they will see the return on investment of including appropriate security and risk assessments in this business operation.
By embedding threat and risk assessments into your business operations (and reducing the cognitive miser effect), you gain considerably greater reassurance and reduce the chance of any significant change presenting adverse consequences to the organization.