Tolerance and risk exposure

Many companies face a variety of challenges, including operating risks, competitive risks, and competition risks. Some businesses have high-risk exposure due to the essence of their industry, and others have low-risk exposure – as does risk tolerance. Risk sensitivity is a measure of possible failure, while risk tolerance is a measure of how much volatility an organization is able to tolerate in the face of negative shifts. The rise of new and online media technology has provided a plethora of lucrative opportunities for business expansion. However, these technologies have exposed many businesses to cyber-security risks in terms of data security and privacy, which may lead to the loss of revenue and customers’ confidence. The recent Sonly attack calls for the executives and board members to take into consideration the concepts of risk management. This cyber attack presented unprecedented shocks to the company, as Sony lost $170 million (DLA PIPER, 2014). Additionally, Sony’s stock market declined by 6% due to lack of investors’ confidence, and so was the total revenues. Such a loss is an exemplar of the degree of risk many companies are likely to be exposure and risk tolerance is very low.

Risk exposure and tolerance

Based on the Sony’s recent cyber attack and the possibility of future risks of this nature, it is significant to develop an analysis of choice and forecasting, including the implications of the organizational choices. The target domain for this case may include potentially attractive choices that decision makers deem as important and willing to expend resources in order to avoid uncertainty and losses. For instance, Sony should invest more in cyber security technologies in order to avoid such risk exposure in the future. According to prospect theory, risk aversion is the observation that disadvantages and losses are weighted significantly higher than the advantages and gains (Kahneman & Lovallo, 1993). Risk aversion calls for risk avoidance. The decision makers, who are risk averse, ended up paying a premium to avoid the risks.

In cyber security perspectives, risk aversion is the best strategies because it is better to invest in antivirus software and other technology to ensure data security and enhanced privacy. Data security and privacy is not something that companies, such as Sony, are willing to tolerate. Due to high risk exposure and low risk tolerance of cyber security, it is important to effectively manage risk proactively identifying it, analyzing it, and reviewing mitigation strategies. Identification of risk starts documenting of possible risks in a risk register, from which probabilities are tabulated based on frequency of occurrence. It is also significant to note that root-cause analysis is pertinent for risk identification, unveiling its causes and coming up with preventive measures.

Risk management

Prioritizing in risks is very important in avoid loss related to any uncertain changes. High frequent risks should be given priority after risk evaluation. In most cases, an outsider, such as an auditor, is need for risk evaluation. It is important to note that risk monitoring and controls implies a high effectiveness of the reporting mechanisms. In Sony’s case, a team of cyber security experts are needed to identify the weakness and vulnerability of its systems and the procedures needed to seal them to avoid possible cyber attacks. Due to the rapid growth in technology, company should keep on updating their systems, as new and innovative ways of cyber attacking are emerging in every day. However, updating systems occur with its costs, but the cost of cyber attacks is far greater and its tolerance is very low. The reluctance to respond to the potential losses is influential and costly in totality (Kahneman & Lovallo, 1993).

Numerical risk analysis

Due to cybersecurity attacks, Sony lost almost $170 million – where at least 100 million accounts relating to PlayStation consumers were hacked. It took Sony one year to exactly depict the damage of the cyber attacks. Through this attack, the details of more than 77 credit cards was stolen and released, an act that bleached the privacy of its customers. UK Information Commissioner’s Office fined Sony $178,000 for violating the data protection laws (DLA PIPER, 2014). In the following year, 2012, the company’s total revenue declined by 10.6%. The company’s stock reduced by 6% and this affected its enterprise value of $14.584 Billion (2011). After this cyber security attacks, Sonly planned to invest $15 million on better cyber security technology, which could have prevented this incident. The numerical risk analysis is as follows:

No of PlayStations (millions)

Sales in $ millions

Year 2011- sales

7.4

63,840.00

Year 2012 - sales

2.5

57,720.00

:After cyber attack

Sales not exposed to risk

33.78%

Sales exposed to risk

66.22%

:On risks

Sales exposed to risk

6,120.00

:In million

Number of units at risk

4.90

:in million units

Cost per unit

1,248.98

 : Cost per unit

With no mitigation measure

Reduced sales

10.60%

Reduced units sold

4.9

: In million units

Sales revenue lost

6,120

6,120.00

Privacy breaching cost

170.00

 : Litigation costs

UK ICO’s fines

0.18

 : Data protection law

Decrease in Enterprise value

-6% (of $14.584 Billion in 2011)

1,545.90

Cost of the risk impact

-7,836.08

: $7.836 Billion

With mitigation measure

Better cyber security cost

-15

: $ 15 million

Expected revenue growth 15%

9,576

Technology impact

9,561

 : In billion

Mitigation impact

9,561

Conclusion

In conclusion, the companies with high cyber security risks have low risk tolerance as they have a devastating effect on revenue and reputation. Cyber security risks involve loss of privacy and data, which in turns lead to revenue loss and damage of company’s reputation. For this reason, companies are risk avert when it comes to cyber security. Due to increase in technology, companies should invest in up-to-date cyber security to protect their data and confidential information. The investment in mitigation measures is worth as companies cannot tolerate the aftermath of cyber attacks. Sony learned this lesson from first-hand experience.

References

DLA PIPER. (2014). Cyber Risks and the Impact on Company Directors. www.dlapiper.com

Kahneman, D., & Lovallo, D. (1993). Timid choices and bold forecasts: A cognitive perspective on risk taking. Management science, 39(1), 17-31.