Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

Early Warning System (EWS) – Categorizing the risks

June 23rd, 2007 · 13 Comments ·

Recently we posted:

Early Warning System (EWS) – what it takes to create success

EISAS and ENISA – will it help risk management across the EU?

EISAS and ENISA – biggest challenge are the Key Performance Indicators – KPIs

EISAS and ENISA – presentation given in Berlin about feasibility study

Early Warning System – much work it takes to create ‘added value’
From time-to-time we will bring new insights regarding the running of EWS operations.
We hope that you enjoy reading these and will get something out of them
We would appreciate if you leave a comment below what you think or maybe what can be added, why don’t you?

Every early warning system or EWS deals with risks and tries to provide relevant information pertaining to these risks to its contstituencies such as SMEs or government agencies.The term risk can be categorized in various ways. The key issue when determining the categorization of a risk event is its primary cause. We could describe an operational risk as:

    A loss event will be considered an operational risk event if it arose as a result of inadequate or failed internal processes, people and systems or from external events.

The above definition does neither exclude strategiy nor financial risks but in the context of an EWS these are probably not of particular importance.

The key issue for an organization or an EWS is that the categorization adopted matches its key business risks.

Risk is expressed in terms of three components:

– event,

– cause and

– effect.

Graphically we can illustrate this as follows:

Defining risk, causal map and ending up with Key Risk Indicators

If you cannot view the above graph properly click here to view

We have explained the above graph in the Table below. We use a computer virus to illustrate our framework better:

risk event a computer virus enters the internal computer network and spreads
external cause a malicious user managed to place the virus on a internal web page
internal cause inadequate virus protection such as anti-virus software running on workstations and notebooks is updated too infrequently – latest signatures may be one or two months old.
effect or impact computer software fails, data is lost, with potential financial and non-financial consequences.

Identifying the root cause(s) of a risk event helps to isolate the operational loss element from other losses and to understand what action might be appropriate to mitigate against exposure to the risk.Successful mitigation could be achieved by, for instance, amending a process, system, control or management approach. Some examples of operational risk causes include:- lack of policies and procedures;
– inadequate follow-up regarding possible policy violations;
– inadequate segregation of duties;
– inadequate activity management;
– inadequate audit of activity
– inadequate physical controls; and
– external events.

When an internal issue is at the root of a risk, the focus should be on how to address the issue. This generally involves modifying a business process or enhancing controls to reduce the potential likelihood and impact of a risk event.

An example might be ‘lack of awareness’ about how malware may damage confidentiality, integrity and availalability of data and information. This situation might cause risk exposure that must be mitigated. In turn, consideration should be given to improving the frequency and quality of communications.

When an external event is at the root of exposure to risk, focus should be on how leading indicators of the external event are monitored. For example, while it may be difficult to prevent large currency fluctuations (or a worldwide attack against certain Internet domain name servers), nonetheless, these can be monitored and various financial (or technical) instruments could be used to reduce risk exposure as far as critical infrastructure or home-users are concerned.


The key is to identify the most critical risks in a systematic fashion while continuing monitoring these carefully over time. Each user group being served by an EWS has a different risk profile. Hence, what matters to a huge FTSE 100 listed multinational and protecting its systems is most certainly different than what home-users or a micro enterprises with 3 employees might cry for.

Without identifying what the specific risk profiles look like for each group to be served (e.g., SME, government agencies and home-users), the EWS will set itself up for failure. While its information and alerts might be helpful or even useful to some, they may not address the risks that are of particular interest to stakeholders it intended to serve when it was launched.


One similarity could be the RISK EXAMPLES, such as a user being vulnerable due to becoming a victim of a social engineering attack. More similarities might be found based on CAUSES of a possible social engineering attack. To illustrate, lack of awareness by users or failure to administer user policies properly by an SME or an Internet Service Provider (ISP) might be the cause of a security risk. Finally, even the KEY RISK INDICATOR(s) (KRI) used across EWSs to assess changes over a Quarter regarding policy violations or phishing attack reports could be similar.

Based on the identified SIMILARITIES, synergies between EWS’-type organizations across regions or countries can be obtained by collaborating in such work as defining risks, developing programs and response mechanisms to such attacks as the one we had earlier in Estonia.

Nonetheless, a phishing attack against a local bank’s customers in region A may not happen in region B for such reasons as the bank not having customers there. HOWEVER, a similar type of phishing attack may be launched by the same people against another bank that does much business in region B instead. Accordingly, many more similarities exist regarding risk examples, causes, and KRIs than differences. The latter may be minor and manifest themselves in such as the user with malicious intent applying different logos according to the bank’s e-banking customers being targed with a type of phishing attack. A difference that is minimal and from a technical and response perspective insignificant!

Soon we will address identifying a risk category, its causes and Key Risk Indicator(s) in a systematic and structured fashion for SMEs or an EWS. Stay tuned.


To make it more convenient for you to take advantage of CyTRAP Labs’ offerings, just provide us with your e-mail address below. You can personalize your subscription to make it suit your needs.


→ 13 CommentsTags: create · early · eisas · enisa · mac’s · success · takes · warning