Friday, 9 May 2008

Risk Party X

First-party risks are those which primarily concern the organisation itself, whereas third-party risk concerns parties external to the organisation. Volonino & Robinson (2004, p48) differentiate first- and third-party risk in that first-party risk impacts the organisation itself, whereas third-party risk creates liability through legal redress such as a lawsuit.

Any risk which impacts the organisation's bottom line, reputation or otherwise devalues the organisation is a first-party risk. Third-party risk is one which involves others external to the organisation, such as the organisation's partners, competitors or customers.
Examples of first-party risk include any which impact the organisation's bottom line directly, such as electronic fraud and online theft. One such case is the compromise of Citibank by Russian attackers in the early 1990s, where USD10 million[1] was taken through unauthorised electronic transfers. There was no direct impact on the customers of Citibank and the reserve funds of the bank did not fall below the required level. As such there was no third-party impact or loss.

The next example (or more correctly, set of examples) of first-party risk involves the many organisations which had their web sites defaced and subsequently listed on the AntiOnline defacement site. Though this caused a large amount of public embarrassment for many of these organisations, it did not involve any realisable or actionable third-party costs.

Concerning third-party risk, one of the earliest and worst computer incidents did not involve hackers at all. It was a software controls and design failure. The Therac-25 software was written by a single programmer who adapted the code of the earlier Therac-6 system (Leveson & Turner, 1995). The Therac-25 was a PDP-11 based system controlling a CS-3604 x-ray source. Over a 19-month period between 1985 and 1987, six patients received massive radiation overdoses, each resulting in severe physical injury or death. The risk arose from a control failure which allowed one programmer to write, test and review the same code with no independent check. It is one of the worst third-party outcomes on record: three people were seriously maimed and three died as a direct consequence of that control failure.

There are many further examples of third-party risk. The Privacy Rights Clearinghouse (PRC) register, which tallies the number of personal records "involved in security breaches", now stands at close to 100 million breached records[2]. The PRC has catalogued security breaches ever since the ChoicePoint episode[3] was publicly disclosed in February 2005. This demonstrates the level of control failure which currently surrounds us all.

[1] FraudWatch - Chip&Pin, a new tenner (USD10)
