Security Risk Assessment: Organizational and Technical Risks

Abstract

This paper conducts a security risk assessment for Ajax, a courier company relying on mobile devices to track field employees. It examines two primary categories of risk: organizational and technical. On the organizational side, the paper explores how low wages, work overload, and employee disengagement can create security vulnerabilities from within the workforce. On the technical side, it addresses the critical gap in the current system—its inability to verify who physically possesses a mobile device at any given time—as well as broader concerns about cellphone network hacking. The paper concludes with recommended solutions, including improved working conditions, profit-sharing incentives, and biometric device authentication, while emphasizing that organizational risks must be addressed before technical ones.

How to Write This Type of Paper

What makes this paper effective

  • The paper clearly separates organizational and technical risk categories, making the argument easy to follow and well-organized.
  • It draws on academic sources (Kahneman & Lovallo) to ground managerial behavior observations in established cognitive research, lending credibility to the analysis.
  • The practical recommendations in the solutions sections are concrete and directly tied to the risks identified earlier, creating a cohesive argument arc.

Key academic technique demonstrated

This paper demonstrates applied risk analysis: taking a theoretical framework (organizational vs. technical risk categories) and systematically applying it to a specific real-world scenario. The author effectively uses the distinction between human-generated and system-generated risks to organize both the problem identification and the remediation strategies, showing how academic frameworks can structure practical security assessments.

Structure breakdown

The paper opens with organizational risks and uses cognitive research to explain managerial blind spots. It then shifts to technical risks, focusing on mobile device tracking limitations and hacking vulnerabilities. The two solution sections mirror the problem sections in order, addressing organizational fixes (compensation, workload balance) before technical ones (biometric authentication). A brief concluding note reinforces the hierarchy of risk types.

Organizational Risks

Organizational risks are complex and, as a result, are more difficult to foresee and eliminate than technical risks. Organizational risks encompass a wide-ranging set of different kinds of risks, from legal liability to management miscues to budgetary concerns. They also include the arena in which most risks are generated—not simply for Ajax but in all fields: human error. Managers who are responsible for assessing and reducing organizational risk must be as attentive as possible to the ways in which workers are likely to pose security risks, whether in an intentional or accidental manner.

Kahneman and Lovallo (1993) note that one of the mistakes managers repeatedly make is treating the risks they face as unique. In other words, they tend to believe that other firms do not face the same risks as they do. As a result, the authors argue, managers do not avail themselves of the research available to them about past examples of organizational risk management and the ways in which these risks have been met and reduced. This research suggests that the managers of Ajax may well be making the same kinds of mistakes that have been made by others.

Primary among these risks is that the managers of Ajax are not being sufficiently attentive to the ways in which their couriers feel about their jobs. Although this information is not provided in the scenario, it is reasonable to assume that employees sent into the field are not being paid much above minimum wage. As a result, their dedication to the company and its security protocols will no doubt be lower than that of managers and owners—and may well be less than the managers believe it to be. Security professionals must understand their relationship with the firms and individuals whose security they have contracted themselves to protect, and professional ethical codes appear well-constructed and attentive to the issues most central and relevant to the security profession.

However, one thing that is not clear from this scenario is how one gets low-level employees to commit themselves to such codes of ethics. Such employees may well not feel themselves to be stakeholders. This lack of self-identification as a security professional, paired with low wages and possibly other problematic working conditions, may well make it highly likely that the couriers represent a substantial organizational risk to the firm and its clients.

Technical Risks

Technical risks are, as the description suggests, those related to what can in some sense be seen as the non-human aspects of an organization. Of course, this is not entirely true: all aspects of a business are based on human behavior, but in the case of technical applications and technical risks, the human element may be seen as indirect rather than direct. Technical risks include the design of technical components and all aspects of a business based on either manufacturing or engineering. Technical risks also arise from problems in testing procedures. With the sophistication of off-the-shelf systems such as cellphone package hardware-plus-software systems, there tends to be an assumption on the part of managers buying these systems that they have been thoroughly vetted. This may or may not be the case, and a thorough testing process should simply not be assumed. The more technical aspects of a process that are created off-site, the more potential there is for unexpected technical problems to arise.

The most problematic technical aspect of the Ajax courier system is the assumption embedded in the location-specific nature of the mobile devices that employees carry. From the information provided in the scenario, it appears that while Ajax managers can track the location of the mobile device, there is no way to determine who is in possession of the device at any given time. This seems to be a significant potential problem. Managers at Ajax may well be placing too much reliance on the fact that they know where their mobile devices are. This can lure them into a false sense of security: knowing where the devices are is not the same thing as knowing who has the device and what they are doing with it.

This is a separate problem from the system being hacked. Managers may also be far too unaware of the ease with which cellphone networks can be hacked. Technical attacks of this kind are comparatively easier to address. Hacking is nearly as old as computer technology itself, and thus so are anti-hacking measures. Like the constant evolutionary battle between antibiotics and bacteria, hackers and security specialists are locked in a contest to get ahead of each other. However, such measures will not address in any way the problem outlined above: how to know who is in possession of the mobile devices at any given time.

Solutions to Organizational Risks

The primary way to remedy the potential organizational problems outlined above is to consider the ways in which certain working conditions have habitually created the potential for workers to be disloyal to their employers as well as to the customers or clients of those employers. In short, the conditions inclined to push employees into acts of disloyalty include the following:

1. When workers are given too much work to accomplish within their established work hours. There are two standard types of work overload. The first occurs when "they have the impression that they are working under pressure and have too much work to do in too short a time. This form of overload has been much more common for the last few years as many organizations have slashed jobs" (Organizational Risk Factors). This risk factor may well be present for the Ajax couriers.

The second major form of overwork is "qualitative work overload." This arises "when they feel that they are unable to perform their tasks because they lack the knowledge or skills needed." This form of work overload seems less likely to occur in this case, but if it is present it can be remedied if workers "have a degree of control over the demands made on them" (Organizational Risk Factors).

2. Too little work. While this seems counterintuitive, workers can be as stressed by too little work—which is another way to describe boredom—as by too much.

A work environment in which (1) workers are reasonably compensated; (2) they are not stressed by overwork; (3) workers are not bored by being underutilized; (4) workers are given an appropriate amount of freedom and authority; and (5) workers are encouraged to feel that they have a real stake in the company through a profit-sharing or stock-option program will be one in which the organizational risks from employee actions are substantially minimized.

Reducing Technical Risk

"Biometric authentication to verify device possession"

Conclusion

Of course, such a biometric system is likely to make employees feel distrusted and so might prompt them to try to bypass it. This is a reminder of one of the most important axioms of security risk management: organizational risks are generally the most potentially dangerous and must be addressed first and most pervasively.

Cite This Paper
PaperDue. (2026). Security Risk Assessment: Organizational and Technical Risks. PaperDue. https://www.paperdue.com/study-guide/security-risk-assessment-organizational-technical-961