
Question

First Meeting

"Glad to have you on board", says Bob Blackmore, the CEO, extending his hand. "Dave here has had his work cut out dealing with our growth, let alone dealing with the security issues".

"As you may know, we had a major incident in which our guest wi-fi was compromised - we didn't lose any sensitive information, but our reputation took a beating and bookings dropped about 20% and still haven't recovered to the previous levels. I reckon we're about $500,000 down from where we should be, and it's delayed our plans to raise funds on the stock market".

"That's right", interjects Dave Cutler, the CIO. "There was minimal impact on our systems, but our guests' devices were infected with a Monero crypto-currency miner. We upgraded the wi-fi setup with a new authentication and access control server, but we really need to look at our other systems so we don't get caught out like that again".

"Agreed!", says Bob. "I'm not sure we can afford another incident like that one. We really need to lock things down, and I'm happy to take a significant budget for security to the board, as long as you give me the facts and figures to justify it".

"I think I can do that", says Martin. "There are a few obvious problems, such as fixing up an internal wi-fi network - "

"Already onto it", interjects Dave. "The new setup will let us run a second wi-fi network throughout the office spaces, connected to the VPN backbone between the properties".

"Great! I'll go over that with you, later. But my other top priority is to do some risk assessment, which will help me uncover any other problems and set that budget. I'll need to find out a bit more about the business, though".

"OK - what do you need to know?", replies Bob.

"Well, for a start, what's the turnover?".

Bob consults a folio on his desk. "We're turning over around $470 million a year. We've got around 6,000 rooms across the main hotels, and they've got quite a high occupancy rate during the week. They're very quiet at weekends, though, because they're mostly in city CBDs - and for the same reason, a lot of our guests dine in surrounding restaurants rather than in-house, so we're only getting around $20 million from our restaurant/bar operations. We're working on that, though - we're setting up some package deals with theatre and concert tickets, that sort of thing, to increase occupancy at the weekends".

"Where do the guests come from?".

"Well, we have contracts with a lot of big companies - around 80 of them. That was the problem with the recent security incident - a few of those companies decided to take their business elsewhere. They were obviously concerned that their people, working in their rooms in our properties, could have been hacked".

"Actually", interjected Dave, "we had some visitors from one of the intelligence agencies who insinuated that might have happened, but they wouldn't say much. They did give us some good advice about securing the new wi-fi setup, though".

"Hell's bells, Dave", growled Bob. "Why didn't you tell me about that? That raises the stakes quite a bit".

"Well, that's the kind of thing my risk assessment exercise should turn up", said Martin. "I need to ask you a few more questions, though. For example, what sort of thing would you consider a catastrophic cyber event, as opposed to say, a major impact?"

Bob stroked his chin. "Interesting question . . . Obviously, anything that caused us to have to outlay more than, say, $20 million in hard cash, would be catastrophic. I couldn't raise that much from the banks and shareholders combined. Is there anything that could be that bad in the cyber world?"

"Well, I won't know until I've started my analysis, but certainly we could get hit with fines for privacy breaches, especially if they affected any guests who are residents of the European Union - they can fine up to 4% of global turnover for the previous year. And then there's ..."

Bob's eyes opened wide. "Hang on - 4% of turnover? That's damn near ... ". He reached for a calculator and tapped the keys. "Yes - that's almost $19 million, right there!".

"Don't panic - I don't think that's very likely", responded Martin. "But what would you regard as a major impact?"

"I'd say anything that shut down a property for a week. I mean, that's an average of 200 rooms at, say, $275 per night, for a 5-day week. That would definitely hurt!".

"What would you regard as a moderate, and a minor impact, then - and finally, we'll get an example of something you might consider insignificant".

"Oh, insignificant is easy", countered Bob. "Every now and again, we have people have laptops lost or stolen, and we pay out for a replacement. That's part of the cost of doing business, isn't it?".

"And minor versus moderate?", said Martin.

"Oh, we sometimes have network outages that affect the booking systems. If they go down for an hour or so, that would be a minor impact, because we'd probably lose several thousand dollars of bookings. If we had problems with some of the big operators and couldn't take reservations for a day or two, then that would start to add up to moderate impact, or worse".

"OK", replied Martin, "that gives me something to start work on. I'll set up meetings with all the other managers to collect more details, but I should be able to get back to you in a week with the results of all this and a preliminary budget".

"Great!", said Bob. And with that, Martin headed back to his desk, to review the information he had gathered.

Questions

Are Bob Blackmore's ideas of insignificant, minor, up to catastrophic impact internally consistent? Can you use them to create a five-category ordinal scale for impact?

Create a corresponding scale for likelihood of cyber events, with corresponding examples.

Construct a risk matrix that gives a level of risk for each likelihood and impact combination.

Apart from the assets listed in the case study description of the company, what other assets do you think might exist?

Are there any obvious threats, and how likely are they?

Analyse one of the threats and its impact, and estimate the level of risk.
