Social Icons

Wednesday, October 29, 2014

Dyman Associates Risk Management review: Experts Identify Easy Way to Improve Smartphone Security


Assigning risk scores to apps may slow down unwarranted access to personal information

October 28, 2014

What information is beaming from your mobile phone over various computer networks this very second without you being aware of it?

Experts say your contact lists, email messages, surfed webpages, browsing histories, usage patterns, online purchase records and even password protected accounts may all be sharing data with intrusive and sometimes malicious applications, and you may have given permission.

"Smartphones and tablets used by today's consumers include many kinds of sensitive information," says Ninghui Li, a professor of Computer Science at Purdue University in Indiana.

The apps downloaded to them can potentially track a user's locations, monitor his or her phone calls and even monitor the messages a user sends and receives--including authentication messages used by online banking and other sites, he says, explaining why unsecured digital data are such a big issue.

Li, along with Robert Proctor and Luo Si, also professors at Purdue, lead a National Science Foundation (NSF)-funded project "User-Centric Risk Communication and Control on Mobile Devices," that investigates computer security. The work pays special attention to user control of security features in mobile systems.

Li, Proctor and Si believe they may have a simple solution for users, who unknowingly allow voluntary access to their personal data.

Most users pay little attention

"Although strong security measures are in place for most mobile systems," they write in a recent report inthe journal IEEE Transactions on Dependable and Secure Computing, "the area where these systems often fail is the reliance on the user to make decisions that impact the security of a device."

Most users pay little attention, say the researchers, to unwanted access to their personal information. Instead, they have become habituated to ignore security warnings and tend to consent to all app permissions.

"If users do not understand the warnings or their consequences, they will not consider them," says Proctor, a Distinguished Professor of psychological sciences at Purdue.

"If users do not associate violations of the warnings with bad consequences of their actions, they will likely ignore them," adds Jing Chen, a psychology Ph.D. student who works on the project.

In addition, there are other influences that contribute to users ignoring security warnings. In the case of Android app permissions, of which there are more than 200, many do not make sense to the average user or at best require time and considerable mental effort to comprehend.

"Permissions are not the only factor in users' decisions," says Si, an associate professor of Computer Science at Purdue, who also led research on a paper with Li that analyzed app reviews.

"Users also look at average ratings, number of downloads and user comments," Si says. "In our studies, we found that there exist correlations between the quality of an app and the average rating from users, as well as the ratio of negative comments about security and privacy."

"This is a classic example of the links between humans and technology," says Heng Xu, program director in the Secure and Trustworthy Cyberspace program in NSF's Social, Behavioral and Economic Sciences Directorate. "The Android smartphones studied by this group of scientists reveals the great need to understand human perception as it relates to their own privacy and security."

"The complexity of modern access control mechanisms in smartphones can confuse even security experts," says Jeremy Epstein, lead program director for the Secure and Trustworthy Cyberspace program in NSF's Directorate for Computer and Information Science and Engineering, which funded the research.

"Safeguards and protection mechanisms that protect privacy and personal security must be usable by all smartphone users, to avoid the syndrome of just clicking 'yes' to get the job done. The SaTC program encourages research like Dr. Li's and colleagues that helps address security usability challenges."

Monday, October 13, 2014

Dyman Associates Risk Management Crucial To The Mining Industry’s Growth

Managing Director of Marsh Botswana, Fritzgerald Dube, said the mining industry is faced with exposures that need to be identified, measured and controlled economically in order for the mine’s operations to flourish.  Speaking at a mining seminar hosted by Marsh Botswana last week, Dube explained that while the environment in which they operate in is always changing and presenting new threats, they are able to understand risk trends and develop effective programmes. Although a lot of mines have fully fledged risk management departments, Dube noted that mining is a dynamic and ever evolving specialty and that new risk that were not previously anticipated would always evolve.

“As such, risk managers need to be forever considering and devising risk management plans for those risks which they have never been exposed to before,” he advised. Dube added that risk managers need to recognise that they play a critical role in ensuring stability of operations and sustained production in whatever environment that they operate in.

He underscored the importance of risk management, stating that it is a critical function in all mines. He urged top management to commit to instilling a risk management culture throughout the entire organisation.

“Risk management should not be a ‘nice to have’ but rather a ‘must have’ that carries the full weight and support of senior management,” he stressed.

However, Dube regretted that the impact of uncertain events on mine productivity is not limited to loss of property and revenue alone, but possible death as well. An earlier report that was issued by a leading reinsurance advisor, Willis Group Holdings, warned mining companies not to be tempted to cut back on their risk management spending as they try to deal with rising costs, falling commodity prices and decreased productivity levels.

The report titled, Mining Risk Review 2011, identified the main challenges mining companies are facing. They further stated that the bulk of cost cutting had come from reductions in head office spend, exploration and business development.

On the same topic, Botswana Confederation of Commerce and Manpower (BOCCIM) CEO Maria Machailo-Ellis acknowledged that the mining industry had been experiencing fatal accidents around the country. She however noted that they had moved ahead with efforts to prevent recurrence.

Marsh Botswana was established in 1984 and is a subsidiary of Marsh & McLennan Companies, a world leader in delivering risk and insurance services and solutions. Marsh currently provides insurance brokerage and risk advisory services to over 70 percent mines across the globe.




Thursday, October 9, 2014

Dyman Associates Risk Management-Reserve Bank Warns Rising House Prices and Investors Could Hurt Economy

The Reserve Bank has warned that soaring housing prices and rapidly growing investor activity could pose risks to the economy.

The RBA said low interest rates, rising house prices and competition among lenders had translated into a strong pick-up in lending to property investors, particularly in Sydney and Melbourne, creating an imbalance.

Households had become increasingly willing to take on risk and debt this year, the RBA said.

It attributed the pick-up in household credit growth to being almost entirely driven by investor housing credit, which was growing at its fastest pace since 2007.

“The composition of housing and mortgage markets is becoming unbalanced,” the RBA said in its biannual financial stability review on Wednesday.

It has begun talks with the Australian Prudential Regulation Authority (Apra) about how to reinforce sound lending practices for property purchases.

Risks to financial institutions would increase if high rates of lending growth persisted or increased.

“The apparent increase in the use of interest-only loans by both owner-occupiers and investors might also be consistent with increasingly speculative motives behind current housing demand,” the RBA said.

“At this stage the main risk from this strong investor activity appears to be that the extra demand may exacerbate the housing price cycle and increase the potential for prices to fall later.”

That could pose risks to the economy if people reacted to declines in their wealth and loan repayment difficulties by cutting back on their spending.

Households that could be most affected were not necessarily the ones taking out loans, it added.

There was also the risk that the increased demand would lead to too much construction and an eventual oversupply of housing, but this was more likely to affect specific local markets, particularly Melbourne.

The RBA said the rise in investor activity had probably priced some potential first-home buyers out of the market.

The willingness of some households to take on more debt, combined with slower wage growth, meant the debt-to-income ratio had picked up a little in the past six months.

“While this ratio is still within its range of the past eight years at around 150%, it is historically high and hence any further increases in household indebtedness would be taking place from an already high base,” it said.

The RBA warned banks to be cautious about their lending practices.

“It is important for macroeconomic and financial stability that banks set their risk appetite and lending standards at least in line with current best practice, and take into account system-wide risks in property markets in their lending decisions,” it said.

In the past year Apra had increased the intensity of supervision around housing market risks facing banks.

It is also working on new guidance for sound risk management practices in mortgage lending.


“The characteristics and risk profile of households investment property exposures warrant close examination given the recent strength of investor demand for housing,” the RBA said.

Tuesday, October 7, 2014

Dyman Associates Risk Management: Is Your Money Safe?

Is Your Money Safe? Risk Management Blindspots That Cost Investors Dearly

Both retail and institutional investors who have survived one or more economic recessions have learned that they cannot select their money managers solely on a demonstrated stream of at or above benchmark returns and that they need to include the underlying risk of their investment portfolio in the formula that calculates expected future value. However, the risk denominator in portfolio management analytics may be underestimated or misestimated because of the following three industry problems:

1. The traditional view of risk is disaggregated

The traditional view segregates risk into market, credit and operational. In most organizations, both public corporations that issue equity and debt to investors and privately-held asset managers that oversee investors’ money, the various aspects of risk are managed separately.  For example, in some typical organizational structures, the Investment Officer is responsible for market risk; the Treasury Officer or CFO for credit risk and the COO for operational risk.  Each analyzes and synthesizes risk separately and reports his findings to the Board or Management Committee, leaving them baffled to make sense of the holistic picture.  However, risk is not additive or linear and often hot spots in one area may cause undetected issues in other areas.

Market, credit and operational risk were interrelated in one of the most notorious examples of risk mismanagement — AIG’s failure to meet its liquidity obligations which led to $170 billion government bailout.  AIG was heavily involved in writing CDS with its exposure at the height reportedly reaching $440 billion (market risk), which exceeded what the company could pay in claims when the MBS it insured defaulted leading to a liquidity crunch (credit risk).  Additionally, there were signs of inherent operational risks: AIGFP was a minimally regulated and separate hedge fund that leveraged the credit rating of the holding company to place big bets with little reserves. Each one of these issues separately did not pause “crash the car” risk, but in aggregate the market, credit and operational risk factors of AIG could have been lethal to the company and the economy safe for the subsequent government bailout.

2. Regulators are approaching the industry reactively

Significant regulatory tightening ensued after the 2008 mortgage crisis.  According to some critics, regulators may potentially be looking at risk far more reactively by focusing on the problems that have already manifested than proactively identifying new risks that could cause the next business failure. For example, the Financial Stability Oversight Council (FSOC) so far designated three US financial institutions as Systemically Important Financial Institutions (SIFIs) – GE , Prudential  and AIG and imposed on them increased capital requirements. However,  the FSOC does not consider large asset managers to be SIFIs. There is some merit to the logic that asset managers do not require as strong of a balance sheet since they do not own the assets they manage and pass through the downside risk to their investors.  Yet, it could be argued that the asset managers’ aggregate risk and that their investment processes and technology infrastructure pause systemic risk.  For example, over a trillion dollars of passive investments including the iShares brand are managed on Blackrock ’s technology platform Aladdin. It is not hard to foresee the dramatic impact of a major failure of Blackrock’s platform on the US and global economy.

3. Operational risks is not adequately represented

To manage market risk better, most investors are well aware of basic portfolio hygiene principles including the value of diversification, the importance of looking at volatility driven asset correlation, rebalancing, the criticality of subtracting leverage when assessing quality alpha, the value of protecting for inflation through IL bonds or inflation-hedging assets such as real estate. I would argue that operational risk is as big if not a bigger driver of financial loss as market risk. According to Phillipa Girling, a leading expert on operational risk and author: “operational risk in the headlines in the past few years” is hard to ignore: Notorious examples include “egregious fraud (Madoff, Stanford), breathtaking unauthorized trading (Société Générale and UBS), shameless insider trading (Raj Rajaratnam, Nomura, SAC Capital), stunning technological failings (Knight Capital, Nasdaq Facebook IPO, anonymous cyber‐attacks), and heartbreaking external events (hurricanes, tsunamis, earthquakes, terrorist attacks).” (Operational Risk Successful Framework).  Inadequately managed operational risk costs investors, corporations and tax payers billions of dollars:  Madoff’s  pyramid reportedly cost investors $18 billion and the 2008 government bailout cost taxpayers $700 billion. (New York Times Archives)

If the impact of operational risk is undoubtedly large, why do otherwise savvy investors often disaggregate or even completely miss operational risk from the overall expected value analytics of their portfolio and inadvertently accept more risk than they are comfortable with? Part of the problem stems from a lack of a well established methodology to clearly quantify operational risk and integrate it into portfolio management.

Imagine creating a unified industry-sponsored score for operational risk similar to a credit score or  Moody’s  bond ratings, which takes into consideration the fundamental elements of operational risks – people, process, technology, and external events, and quantifies them.  That score would then be clearly available for investors along with the returns and market risk of the portfolio leading to a far more accurate valuation. Significant progress toward accountability and transparency could be made if operational risk were to be demystified.

How can investors make safer investments?

What could investors do in an environment of confusing regulatory requirements and limited transparency around operational risk?  For starters, Investors can raise their awareness and employ alternatives to address the information asymmetry in the following ways:

1. Select asset managers that demonstrate commitment to operational risk management

Certainly some asset managers understand and are willing to invest in operational excellence and risk management.  For example, in the 2014 Review of the Asset Management Industry, the Boston Consulting Group provides an overview of the shadow model where an asset manager can use two counterparties to manage their middle and back office. At Bridgewater Associates, I co-led the implementation of such a model where the firm aimed to create greater transparency, switchability and stay ahead of the regulatory bodies by outsourcing its back and middle office to both BNY Mellon and Northern Trust. FundFire published an article, Bridgewater Divides Industry with Latest Deal, describing the benefits and open questions about the model. It is still early to say whether the industry will embrace this model more broadly. Similarly to gain an operational excellence edge, Citadel and Tudor  invested in a custom-built straight-through processing systems that integrate the trading platforms with the post-trade processes creating greater transparency and reliability. Both are aiming to commercialize their technologies and make these available to smaller money managers who may not be able to afford a large in-house technology development team.

Monday, October 6, 2014

Dyman Associates Risk Management: The Basics of WHS Risk Management

Prior to the modernisation of industry, managers were understandably primarily concerned with performance and cost.

Workplace safety (WHS) unfortunately was often only considered when it affected any goals associated with performance and cost. With the passage of time and gradually increasing awareness of worker rights, employee health, safety and well-being has of course also gained additional attention.

There are various reasons for managing WHS risk. Typically they are summarised into one of four main groups:

- Ethical and moral: accident prevention is undertaken to prevent injury to personnel purely as the result of humane considerations.
- Legal: legislation places a number of duties on various persons and failure to carry out these duties can result in fines and, in extreme cases, imprisonment.
- Financial: the costs of an injury are made up by two parts the direct cost (cost associated with medical treatment, and damage) and the indirect cost (time spent on investigations, lost production retraining).
- General business considerations: these could be considered as financial, but given the difficulty in quantifying them, they are best kept separate. They generally relate to the organisation’s corporate image and reputation. Poor health and safety systems and outcomes affect many stake holders including employees, customers, insurance companies, as well as investors and financiers.

WHS risk management is concerned with providing a structured systematic approach to decision making with respect to WHS issues. The strength of applying a systematic risk management approach to WHS issues is that it combines technical, consultative and managerial approaches into processes that support informed, consistent and defensible decision-making.

The WHS Risk Management Process can be introduced at any time, but good practice dictates the process should be commenced at the earliest possible time. Whether designing a piece of plant or a whole facility, the risk management process of hazard identification, risk assessment, control, and review should be incorporated at the design / planning stage.

WHS Risk Management includes the process concerned with identifying, analysing and responding to WHS risk. The primary objective is to eliminate or minimise the consequences of adverse effects (injury, illness or property damage) on employees or the workplace. This consists of the following major steps also known as the Risk Management Process Model:

- Establish the context: establish the strategic, organisational and risk management context in which the rest of the process will follow.
- Identify risks: identify what, why and how thinks can arise that will be the basis for further analysis.
- Assess risks: determine the existing controls and analyses in terms of consequences and likelihood in the context of those controls. Typically, the analysis should take into account a number of potential consequences and how likely those consequences are to occur.
- Evaluate risks: compare the levels of risk against a pre-established criteria. This allows risks to be ranked so to identify management priorities.
- Treat risk: allow for the development of specific management plans to control the risk by way of elimination or minimisation strategies.
- Monitoring and review.
- Communication and Consultation.

By implementing systematic WHS Risk Management activities, organisations are able to better understand operations and their associated hazards as well as afford greater flexibility with regard to the methods used to control risks and the costs of implementing those controls.

With the increased ability to respond effectively to organisational changes, both internal and external to the organisation, WHS risk management may lead to a myriad of direct benefits including:

- Reducing injury and illness to employees and the community
- Saving money and adding value by more effective allocation of resources
- Improving the quality of information available for making decisions
- Improving the understanding of WHS risks throughout the organization
- Complying with WHS legislation and the ability to better to demonstrate this
- Improving the organization’s image and reputation
- Improving accountability and transparency of decision-making

Possible broader and longer term benefits of an effective OHS risk management program are:

- Effective strategic planning as a result of increased knowledge and understanding of key risk exposures
- Lower workers’ compensation costs because undesirable OHS outcomes are foreseen and addressed
- Improved audit processes
- Better outcomes in terms of the effectiveness, efficiency, and appropriateness of OHS programs, i.e. programs targeting key risk areas
- Improved communication, both within the organization and between the organization and its external stakeholders

WHS Risk Management is a foundation of an organisation and it touches all facets of an organisation’s activities. For this reason, careful planning is required in the development and implantation of a WHS Risk Management program.

Successful WHS risk management requires a sensible and straight forward approach. The purpose of implementation should not only be seen as a compliance requirement but also as a key business tool in adding value to the organisation objectives.


WHS Risk Management should include regular reviews of all WHS aspects of an organisation’s activities. The effectiveness of the WHS Risk Management Process should be monitored and documented in order to ensure that the risk management strategies continue to be relevant to the organisation’s activities that affect WHS.

Friday, October 3, 2014

Dyman Associates Risk Management Review on the Best Password Managers for PCs, Macs, and Mobile Devices

6 local and cloud-based password managers make passwords stronger and online life easier for Windows, Mac, iOS, Android, BlackBerry, and Windows Phone users.

Thanks to high-profile computer security scares such as the Heartbleed vulnerability and the Target data breach, and to the allegations leveled at the government and cloud providers by Edward Snowden, more of us Internet users are wising up about the security of our information. One of the smarter moves we can make to protect ourselves is to use a password manager. It's one of the easiest too.

A password manager won't shield you against Heartbleed or the NSA, but it's an excellent first step in securing your identity, helping you increase the strength of the passwords that protect your online accounts because it will remember those passwords for you. A password manager will even randomly generate strong passwords, without requiring you to memorize or write down these random strings of characters. These strong passwords help shield against traditional password attacks such as dictionary, rainbow tables, or brute-force attacks.

Many password managers allow you to automatically populate your password vault by capturing your Web log-ins using a browser plug-in and allowing you to store these credentials. Other options for populating your password database include importing an Excel spreadsheet or manually entering your log-in information. Further, using these stored credentials is typically automated using a browser plug-in, which recognizes the website's username and password fields, then populates these fields with the appropriate log-in information.

Although several browsers offer similar functionality out of the box, many password managers offer several benefits over the built-in browser functionality -- including encryption, cross-platform and cross-browser synchronization, mobile device support, secure sharing of credentials, and support for multifactor authentication. In some cases, usernames and passwords must be copied from the password manager into the browser, reducing the ease-of-use but increasing the level of security by requiring entry of the master password before accessing stored log-in information.

Some password managers store your credentials locally, others rely on cloud services for storage and synchronization, and still others take a hybrid approach. Some of the options using local storage (such as KeePass and 1Password) still support synchronization through Dropbox or other storage services. Deciding which password manager is best for you will come down to features and ease-of-use, as well as to whether you're comfortable storing your passwords on the Internet.


Wednesday, October 1, 2014

Dyman Associates Risk Management: Fundamentals of cloud security

For many companies, security is still the greatest barrier to implementing cloud initiatives. But it doesn't have to be.

Organisational pressure to reduce costs and optimise operations has led many enterprises to investigate cloud computing as a viable alternative to create dynamic, rapidly provisioned resources powering application and storage platforms. Despite potential savings in infrastructure costs and improved business flexibility, security is still the greatest barrier to implementing cloud initiatives for many companies. Information security professionals need to review a staggering array of security considerations when evaluating the risks of cloud computing.

With such a broad scope, how can an organisation adequately assess all relevant risks to ensure that their cloud operations are secure? While traditional security challenges such as loss of data, physical damage to infrastructure, and compliance risk are well known, the manifestation of such threats in a cloud environment can be remarkably different. New technologies, combined with the blurring of boundaries between software-defined and hardware infrastructure in the datacentre, require a different approach.

One of the first steps towards securing enterprise cloud is to review and update existing IT polices to clearly define guidelines to which all cloud-based operations must adhere. Such policies implement formal controls designed to protect data, infrastructure, and clients from attack, and enable regulatory compliance. Government bodies such as NIST, the US Department of Commerce, and the Australian Government Department of Finance and Deregulation (PDF) have produced cloud computing security documents that outline comprehensive policies for their departments, which can be a useful starting point for implementing a corporate policy.

It is important to recognise that cloud security policies should provide protection regardless of delivery model. Whether building private, public, or hybrid cloud environments within the enterprise, cloud security is the joint responsibility of your organisation and any cloud service providers you engage with. When conducting due diligence on third-party cloud service providers, carefully review the published security policies of the vendor and ensure that they align with your own corporate policies.

A fundamental security concept employed in many cloud installations is known as the defence-in-depth strategy. This involves using layers of security technologies and business practices to protect data and infrastructure against threats in multiple ways. In the event of a security failure at one level, this approach provides a certain level of redundancy and containment to create a durable security net or grid. Security is more effective when layered at each level of the cloud stack.

When implementing a cloud defence-in-depth strategy, there are several security layers that may be considered. The first and most widely known protection mechanism is data encryption. With appropriate encryption mechanisms, data stored in the cloud can be protected even if access is gained by malicious or unauthorised personnel. A second layer of defence is context-based access control, a type of security policy that filters access to cloud data or resources based on a combination of identity, location, and time. Yet another popular security layer in cloud-based systems is application auditing. This process logs all user activity within an enterprise application and helps information security personnel detect unusual patterns of activity that might indicate a security breach. Finally, it is critical to ensure that all appropriate security policies are enforced as data is transferred between applications or across systems within a cloud environment.

Unfortunately, there is no one-size-fits-all solution for cloud security that can protect all of your IT assets. Nor is it wise to adopt a closed-perimeter approach. Organisations can no longer rely on firewalls as a single point of control, and security practices must expand beyond the datacentre to include key control points for endpoints accessing the cloud and edge systems. When incorporating third-party public and hybrid cloud solutions in your enterprise IT strategy, you cannot assume that the security policies of these service providers meet the standards and levels of compliance required. Make sure you spell out and can verify what you require and what is delivered. Read More