
Computer Risks and Exposures

Computers of all types within an organization constantly face a variety of risks and exposures. It is helpful to first define these terms:

• Cyber risk: The likelihood that an unwanted event could turn into a loss
• Computer exposure: Results of a threat resulting from an unwanted event that has the potential to become a risk
• Vulnerability: A flaw or weakness in the system that can become a threat or risk

The total impact of cyber risks ranges from mild to devastating and could include any or all of the following:

• Loss of sales or revenue
• Loss of profits
• Loss of staff
• Failure to comply with government requirements or laws
• Inability to serve customers
• Inability to sustain growth
• Inability to operate effectively and efficiently
• Inability to successfully compete for new customers
• Inability to keep pace with competition
• Inability to remain independent without being acquired or merged
• Inability to maintain current customer/customer base
• Inability to control costs
• Inability to cope with technological advances
• Inability to control employees involved in illegal activities
• Damage to company reputation
• Complete business failure

Cyber risks, exposures and losses may be characterized as intentional or unintentional and may result in actual damage, alteration of data or programs, and unauthorized disclosure of information.
Items that may be affected include:

• Physical items such as hardware or paper outputs, which are both vulnerable to risks such as theft or loss
• The telecommunications system, which can cause serious business problems if unavailable for any reason and is vulnerable to internal or external penetration
• Application software which, being an important control element, is vulnerable to direct modification, circumvention or sabotage
• System software such as the operating system itself, which can also be modified or circumvented
• IT operations, where control procedures can be changed or circumvented
• The data itself, where practically anything could happen

Risks in IS are the opposite of control objectives and should be treated as business risks. As such, their implementation at a technical level is the responsibility of executive management. Obviously, the relative importance of risks will vary and control techniques will vary from industry to industry and company to company. Risks can be minimized, but they can never be completely eliminated.

Threats to computer systems

Threats can come from external or internal sources and can be intentional or unintentional, as well as malicious or non-malicious. Insider threats can come from:

• Users
• Management
• IS auditors
• IS personnel
• Others

acting alone or in collusion.

Users

Threats from this source are the most commonly occurring ones and include errors, fraud, breach of confidentiality (usually accidentally), or malicious damage.