
FLORIDA INSTITUTE OF TECHNOLOGY

ENTERPRISE RISKS, REWARDS, AND REGULATION

A SHORT PAPER ASSIGNMENT ONE SUBMITTED TO:


DR. RONDA HENNING
IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR
CYB 5275: ENTERPRISE INFORMATION SECURITY

BY
CRAIG CANNON

MELBOURNE, FLORIDA
JANUARY 19TH 2013

Today more businesses rely on IS/IT systems than at any other time in history. New technology
is invented every day to make operations more efficient and effective. As innovative technology
reaches the market at ever lower cost, businesses are aggressively adopting it in the enterprise
without fully understanding the risks involved in using it. There is a somewhat naïve mindset
toward risk when it comes to newer, lower-cost technology. Although the benefits and rewards
can be great, they come at the cost of risks that go unrecognized. The latest information
technology products involve social networking, cloud computing, and server virtualization, all of
which are poised to change the way business is done for many years to come.
With change comes challenge, and with challenge comes risk. Identifying and assessing
these risks early pays dividends in the long run, because costly outcomes are avoided when the
risks behind them are identified and mitigated early in the process. Enterprise Risk Management
(ERM) applied to Information Systems/Information Technology (IS/IT) is the primary tool for
identifying, evaluating, mitigating, and reporting the unforeseen risks introduced by adopting
new technology into the enterprise.
Because of this very issue, many companies are quickly finding that their view of IS/IT
enterprise risk management must change if they are to maintain a competitive edge over their
rivals. Managers are learning that when risks are mitigated correctly, the rewards can be
high. They are equally learning that when risks are underestimated or ignored altogether, losses
follow. When this happens, regulation is eventually mandated, usually in response to a risk that
has been exploited and exposed to the public. It is for these reasons that implementing ERM
correctly is critical to the success of any business.
In an academic research article titled "Enterprise Risks, Rewards, and Regulation," three
professors investigate how businesses respond to risks identified in their IS/IT systems.
Written by Jennifer Blaskowich, Christopher Davis, and Eileen Z. Taylor, the paper presents a
well-documented study of the issues surrounding ERM and gives a clear understanding of its
ever-increasing importance across all industries of the economy. Their objective is to show how
the risk disclosure mandated by the SEC's Regulation S-K affects risk management.
They begin the paper by reviewing the prior research on ERM, IS governance, and
Regulation S-K in order to establish what has already occurred in the industry. According to
the authors, the goal of ERM is to bring awareness to areas where management might take action
to mitigate risk and prevent future losses, and thereby to realize the benefits of using ERM. As
more businesses depend on complex, mission-critical IS/IT systems, regulatory compliance will
become a necessity because of the high risks those systems carry.
Studies show that IS/IT is the most complex and costly area to document in Sarbanes-Oxley
compliance efforts and should therefore be treated as a "high risk" area (Bryan, 2009, 34).
The authors believe that it is for this reason that regulation has been mandated in this area, to
implement industry standards that address potential risks. In addition, highly publicized data
theft incidents, such as those experienced by TJX and Heartland Payment Systems, have served to
intensify the spotlight on IS/IT risk exposure (Acohido, 2009; SecurityFocus, 2007). At the core
of IS governance is the identification, assessment, and disclosure of risks. The purpose of IS
governance is to ensure the effective and efficient use of IT in enabling an enterprise to meet its
goals and objectives, and the identification, assessment, and communication of risk is recognized
as the core of effective IS/IT governance (O'Leary, 2000; Hunton et al., 2004; Cavusoglu et al.,
2004). Part of the IT governance process has historically involved managing risks through
mitigation and communication.
The risk factor disclosure requirement of Regulation S-K, which took effect in December 2005,
mandates that all public companies disclose information about their material risks, including
those that depend on business processes involving IS/IT systems (Oppenheimer et al., 2005).
From the prior research the authors identified four factors that work against companies
identifying and disclosing their risks.
The first factor is inadequate identification of IS/IT risks. The authors believe that
current IT governance frameworks are limited in their ability to adapt to newer types of risk
factors and are therefore unable to provide consistent and logical guidance on risk
identification. Consequently, management is lulled into a false sense of security, believing
that because IS/IT runs smoothly all is well, until an incident occurs.
The second factor is a failure to appreciate the combined weight of the variety of risks
identified. Managers must see the whole picture and weigh the sum of the many rather than the
individual few; they must not underestimate the additive effect that many risks taken together
may have on the enterprise as a whole. Reporting only a few risks therefore understates the
urgency of risk management.
The third factor treats risk reporting from a cost/benefit perspective and assumes that
sharing or disclosing risk information to the public will have a negative effect on both investors
and customers. For example, public trust could be lost. Other feared effects include exposing
weaknesses to competitors and emboldening attackers.
The final factor sees regulation as an act of forced compliance rather than something to
embrace in order to improve the business. This leads to listing risk factors that satisfy the
requirements of the mandate instead of actively performing a true risk assessment to identify
and disclose potential risks; in other words, giving the government what it is looking for and
nothing more. With all of this said, the expectation is that the regulation will still lead to
improvements in the identification and disclosure of IS/IT risks. In any case, organizations
must begin to pay close attention to their IS/IT risks if they want to remain competitive in the
marketplace.
From their research the authors put forward three propositions to test their case. The
authors refer to the Trust Services Framework (TSF), which rests on five principles: security,
availability, processing integrity, confidentiality, and privacy.
Proposition 1: Pervasive dependence on IS/IT will increase the volume of IS/IT risks identified,
and thus disclosed, in response to Regulation S-K.
Proposition 2: Regulations requiring the identification and disclosure of risk factors increase
firms' awareness of the variety of IS/IT-related risk factors facing them.
Proposition 3: Regulations requiring the identification and disclosure of risk factors increase
the awareness of IS/IT risks among firms across all industry sectors.
In conclusion, the authors clearly show the effects of Regulation S-K on IS/IT-related risk
disclosures, and in doing so added to my understanding of its strengths and weaknesses. The
strengths were clearly shown in compliance with industry standards. The weaknesses center on
conforming instead of informing when it comes to regulation and compliance. Overall this article
was enlightening and proved very informative about what is happening in the industry today.
Nevertheless, the question of whether businesses are truly informing rather than merely
conforming, that is, identifying risks, exploring their causes and effects, and putting processes
and strategies in place to mitigate them, remains open.

References
Acohido, B. (2009, January 20). Hackers breach Heartland Payment credit card system. USA Today.
Retrieved January 18, 2013, from http://www.usatoday.com/money/peri/credit/2009-01-20heartland-credit-card-security-breach_N.htm
Bryan, L. D. (2009). Corporate managers' experience relating to implementing Section 404 of the
Sarbanes-Oxley Act: A focus on information systems issues. The Journal of Applied Business
Research, 25(3), 25-35.
O'Leary, D. (2000). Enterprise Resource Planning Systems: Systems, Life Cycle, Electronic
Commerce, and Risk. Cambridge, MA: Cambridge University Press.
Oppenheimer, Wolff, and Donnelly, LLP. (2005). SEC Alert 12/1/05: Required new risk factor
disclosure in Form 10-Ks and 10-Qs.
