This document provides an overview of project risk management and its significance in project management methodologies. It covers topics such as risk identification, qualitative risk analysis, risk treatment, and more. The document is suitable for students studying project management or related courses.
Project Risk Management

Introduction

Risk management is one of the significant knowledge areas of project management. A risk is an uncertain event that, if it occurs, has an effect on the project's progress, operations, or components; the effect may be positive or negative. Risks that materialise during the project timeline can move the agreed levels of scope, cost, and schedule, which in turn affects client satisfaction. Because risks have many other possible implications as well, they must be managed systematically, and risk management is therefore a defined process in most project management methodologies. This report covers the risk management of one such project.

Project Background

The project is an ongoing one: the development of a mobile application for the employees of a healthcare firm. The application is to be built for the Android and iOS platforms, and its main modules are user login, patient data records, data analysis, medical reports, and information sharing. It will allow doctors and nursing staff to track patient data and analyse it for patterns that support diagnosis and reporting. Information sharing between medical professionals and patients will also be possible through the application.

Risk Identification

Risk Event

Various risks may be involved in the project. One risk event that may appear during the project timeline is the emergence of information security threats and attacks. The mobile application for the healthcare firm will be worked on in three environments: development, test, and production. The developers and testers will carry out development and testing in the first two. The production environment will host user acceptance testing along with deployment. The risk event considered here applies to the production environment, because the development and test environments use dummy data sets, while real patient data and information are used in production. These data sets will be exposed to information security risks and attacks (Deursen, Buchanan and Duff 2013). Healthcare information is among the most sensitive categories of data, and attacks on it can have severe implications. The data in the production environment will have a larger attack surface and a longer attack window than it should, because the application will not yet be fully implemented and its security controls will not all be in place, so exposure of the data sets to unauthorised entities will be comparatively easy.

The first form of attack that may occur in this risk event is malware (Bahtiyar 2016): malicious code or software used to compromise the privacy, confidentiality, integrity, and availability of information. It may reach the production data sets through files or through the application modules. The employees developing the mobile application will also hold grants and permissions on the production data; competitors of the healthcare firm may influence these employees to obtain access to it. These are insider threats, and they can have severe consequences for the security properties of the data (Probst 2011). The primary users of the application will be patients and medical professionals, and some of them will be given a beta version. Unfamiliar with the functionality at first, they may carry out operations that mishandle the data sets. The network is an essential element of a mobile application and network testing will be necessary; using production data over the network during the testing phase may result in breach or loss of the data sets. Denial of service attacks by malicious entities are also possible (Bertino 2015).

Key Causes

The primary cause of the risk event described above is the absence of technical and logical security controls before the final implementation of the mobile application. This enlarges the attack surface and the attack window and gives malicious entities the opportunity to realise the risk with little effort. The threat agents in this case may be the users, the application modules, or the networks used for testing and implementation (Green 2015). The second cause is the users who carry out the user acceptance testing. Some of them will be given production data sets. They may not be aware of the required security practices and measures and may carry out certain
activities that may lead to the exposure of the data sets. Employees of the organisation may also become involved and deliberately transfer the data sets to competitors.

Qualitative Risk Analysis

Consequence Table

Objective / Criteria | Insignificant | Minor | Moderate | Major | Catastrophic
Legal non-compliance | No violation of compliance requirements | <0.5% non-compliance | 0.5-1% non-compliance | 1-2% non-compliance | >2% non-compliance
Ethical non-compliance | No violation of compliance requirements | <0.5% non-compliance | 0.5-1% non-compliance | 1-2% non-compliance | >2% non-compliance
Cost | Negligible increase in project cost | <2% increase in cost | 2-5% increase in cost | 5-10% increase in cost | >10% increase in cost
Schedule | Negligible increase in project schedule | <2% increase in schedule | 2-5% increase in schedule | 5-10% increase in schedule | >10% increase in schedule

These criteria are included because the risks can directly affect these areas, and because these areas must be maintained for organisational and project success and for the brand image in the market.

Likelihood Table

Descriptor | Criteria
Almost Certain | The event is expected to occur in most circumstances
Likely | The event will probably occur in most circumstances
Possible | The event should occur at some time
Unlikely | The event could occur at some time
Rare | The event will only occur in exceptional circumstances

Likelihood / Consequence Matrix (Risk Rating)

Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophic
Almost Certain | Moderate | Moderate | High | Extreme | Extreme
Likely | Low | Moderate | High | High | Extreme
Possible | Low | Moderate | Moderate | High | High
Unlikely | Low | Low | Moderate | Moderate | Moderate
Rare | Low | Low | Low | Moderate | Moderate

Consequence and Probability: Explanation and Justification

The consequence and likelihood of the individual risks that make up the risk event are rated in the table below; each rating is read from the matrix above.

Risk ID | Risk Name | Likelihood | Consequence | Risk Rating
1 | Malware attacks | Possible | Major | High
2 | Insider threats | Possible | Catastrophic | High
3 | Data breaches | Possible | Major | High
4 | Data loss | Possible | Major | High
5 | Denial of service attacks | Likely | Major | High
6 | Network security attacks | Possible | Major | High
7 | User awareness issues | Likely | Catastrophic | Extreme

Malware attacks, such as viruses, ransomware, worms, logic bombs, and Trojan horses, are possible, and their consequence is the loss of information integrity, privacy, and confidentiality. Insider threats are rated catastrophic because sensitive and critical information may be exposed to unauthorised entities. Data breaches and data loss are possible through the network and the users as threat agents, with major impact. Denial of service attacks are likely given the network security issues, with major impact. Other network attacks, such as eavesdropping, are possible with major impact. User awareness issues are likely and may be catastrophic, because significant pieces of information may be exposed (Joshi and Singh 2017).

Risk Treatment

Possible Treatments

The first treatment is technical security controls for the prevention and avoidance of the risks: anti-malware tools, denial of service mitigation (rate limiting and traffic filtering), network-based intrusion detection and prevention systems, and network monitoring. These tools ensure that malicious activities and attempts are flagged promptly. For example, anti-malware tools will detect malware introduced by attackers (Potter and Day 2009), denial of service mitigation will flag flooding activity, and network-based intrusion detection and prevention will flag intruder activity and attempts across the range of network attacks that may be conducted. A detection tool only produces an alert; the control is complete only when someone is assigned to receive that alert and act on it within a defined time.
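What a flood detector actually computes is worth seeing, because "the tool will flag flooding" hides two design decisions: the threshold and window, and whether the count is kept per source or across all traffic. The Go program below is an added example, not code from the report or from any product. It assumes a simple access-log line format, builds a small constructed log, and flags sources that exceed a per-source rate inside a sliding window as well as an aggregate rate, since a distributed flood of many low-rate sources stays below any per-source threshold.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Log line format assumed for this example (not the report's):
//   <RFC3339 timestamp> <client-ip> <method> <path> <status>
type logEntry struct {
	at  time.Time
	src string
}

// parseLog rejects malformed lines instead of skipping them: a detector that
// silently drops what it cannot parse is easy to blind.
func parseLog(raw string) ([]logEntry, error) {
	var out []logEntry
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("line %d: expected 5 fields, got %d", i+1, len(f))
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		out = append(out, logEntry{at: t, src: f[1]})
	}
	return out, nil
}

// maxInWindow returns the largest number of timestamps inside any half-open
// interval [t, t+window), using a two-pointer sweep; ts is sorted in place.
func maxInWindow(ts []time.Time, window time.Duration) int {
	sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
	best, start := 0, 0
	for end := range ts {
		for ts[end].Sub(ts[start]) >= window {
			start++
		}
		if n := end - start + 1; n > best {
			best = n
		}
	}
	return best
}

// floodSources lists, sorted, the client IPs that exceeded perSourceLimit
// requests inside any window. A distributed flood of many low-rate sources
// never trips this check, which is why aggregateFlood exists as well.
func floodSources(entries []logEntry, window time.Duration, perSourceLimit int) []string {
	bySrc := map[string][]time.Time{}
	for _, e := range entries {
		bySrc[e.src] = append(bySrc[e.src], e.at)
	}
	var flagged []string
	for src, ts := range bySrc {
		if maxInWindow(ts, window) > perSourceLimit {
			flagged = append(flagged, src)
		}
	}
	sort.Strings(flagged)
	return flagged
}

// aggregateFlood reports whether traffic from all sources combined exceeded
// totalLimit requests inside any window.
func aggregateFlood(entries []logEntry, window time.Duration, totalLimit int) bool {
	ts := make([]time.Time, 0, len(entries))
	for _, e := range entries {
		ts = append(ts, e.at)
	}
	return maxInWindow(ts, window) > totalLimit
}

// sampleLog is a constructed log, not real traffic: three normal requests from
// 198.51.100.20 over 40 s, then 30 login attempts in 6 s from 203.0.113.7.
func sampleLog() string {
	base := time.Date(2024, 3, 1, 10, 0, 0, 0, time.UTC)
	var b strings.Builder
	for i := 0; i < 3; i++ {
		at := base.Add(time.Duration(i) * 20 * time.Second)
		fmt.Fprintf(&b, "%s 198.51.100.20 GET /api/records 200\n", at.Format(time.RFC3339))
	}
	for i := 0; i < 30; i++ {
		at := base.Add(time.Duration(i) * 200 * time.Millisecond)
		fmt.Fprintf(&b, "%s 203.0.113.7 POST /api/login 401\n", at.Format(time.RFC3339))
	}
	return b.String()
}

func main() {
	entries, err := parseLog(sampleLog())
	if err != nil {
		panic(err)
	}
	fmt.Println("per-source flooders:", floodSources(entries, 10*time.Second, 20)) // [203.0.113.7]
	fmt.Println("aggregate flood:", aggregateFlood(entries, 10*time.Second, 25))  // true
}
```

With `go run`, the per-source check names 203.0.113.7 and the aggregate check trips as well. In a deployment the two limits come from observed baseline traffic rather than guesses, and the same counting is what a rate limiter in front of the API performs before a request reaches the application, which is the point at which "highlighting" a flood turns into stopping one.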
Encryption is the second treatment. All data held by the mobile application, at rest and in transit, shall be encrypted. The algorithm shall be the Advanced Encryption Standard (AES). Triple DES, which the original treatment also listed, should not be chosen for a new design: its 64-bit block size limits how much data can safely be encrypted under one key, and NIST SP 800-131A disallows it for encryption after 2023. Encryption converts the application data into cipher form, and attackers cannot recover the plaintext without the secret key, so breach and loss of the data sets are mitigated (Neelima and Brinda 2018). Two conditions apply. An authenticated mode such as AES-GCM should be used so that tampering with a record is detected as well as reading of it. And the keys must be managed properly, which on Android and iOS means the platform keystore rather than a key embedded in the application binary, because a key recoverable from the app gives an attacker exactly what the encryption was meant to withhold.

Access control is the third mechanism. The treatment uses role-based access control together with access control lists. Users are granted data permissions according to their role; for example, employees of the organisation receive access based on their job function (Franqueira and Wieringa 2012), so the permissions of a database administrator differ from those of an analyst. Access control lists add a second, per-resource check on top of the role. Access should be deny-by-default: a request is allowed only when both the role permission and the list entry are present. All three treatment methods are acceptable, as together they control and mitigate the risks.

Residual Risk

The residual risk ratings after implementation of the above treatment methods are given in the table below.

Risk ID | Risk Name | Likelihood | Consequence | Risk Rating
1 | Malware attacks | Unlikely | Moderate | Moderate
2 | Insider threats | Unlikely | Major | Moderate
3 | Data breaches | Unlikely | Moderate | Moderate
4 | Data loss | Unlikely | Moderate | Moderate
5 | Denial of service attacks | Possible | Moderate | Moderate
6 | Network security attacks | Unlikely | Moderate | Moderate
7 | User awareness issues | Possible | Major | High
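The two treatments described above, encryption and access control, are easiest to judge when written out together, because the order matters: authorization is checked first, and only then is a record decrypted. The Go program below is an added example, not code from the report; its role names, permission strings, user names, patient IDs, envelope layout and 32-byte key are all assumptions made for the illustration. It encrypts a patient record with AES-256-GCM, binds the patient ID and a key version into the authenticated data, and applies a deny-by-default check that requires both a role permission and an ACL entry before decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Role, permission, user and patient names are assumptions made for this
// example. RBAC part: a role carries a fixed permission set; the DBA manages
// the schema but has no standing right to read clinical records.
var roleGrants = map[string][]string{
	"doctor": {"record:read", "record:write"}, "nurse": {"record:read"},
	"analyst": {"analytics:run"}, "dba": {"db:schema"},
}

// ACL part: per-record list of user names allowed to touch that patient's data.
type recordACL map[string][]string
type principal struct{ Name, Role string }

// authorize is deny-by-default: the role must grant the permission AND the
// record's ACL must list the user; either missing piece is a refusal.
func authorize(p principal, perm string, patientID string, acl recordACL) error {
	granted := false
	for _, g := range roleGrants[p.Role] {
		granted = granted || g == perm
	}
	if !granted {
		return fmt.Errorf("role %q does not grant %s", p.Role, perm)
	}
	for _, u := range acl[patientID] {
		if u == p.Name {
			return nil
		}
	}
	return fmt.Errorf("user %q is not on the ACL for patient %s", p.Name, patientID)
}

// Envelope: keyVersion (1 byte) || nonce (12 bytes) || AES-GCM ciphertext+tag.
// The version travels with the ciphertext so keys can be rotated, and is bound
// into the AAD with the patient ID so an envelope cannot be re-labelled.
const keyVersion = 1

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealRecord(key []byte, patientID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	aad := append([]byte{keyVersion}, patientID...)
	return gcm.Seal(append([]byte{keyVersion}, nonce...), nonce, plaintext, aad), nil
}

func openRecord(key []byte, patientID string, env []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env) < 1+gcm.NonceSize()+gcm.Overhead() || env[0] != keyVersion {
		return nil, fmt.Errorf("malformed envelope or unknown key version")
	}
	nonce, ct := env[1:1+gcm.NonceSize()], env[1+gcm.NonceSize():]
	aad := append([]byte{env[0]}, patientID...)
	return gcm.Open(nil, nonce, ct, aad) // fails on wrong key, wrong patient or tampering
}

// readRecord chains the controls: nothing is decrypted unless authorization passes.
func readRecord(p principal, patientID string, acl recordACL, key, env []byte) ([]byte, error) {
	if err := authorize(p, "record:read", patientID, acl); err != nil {
		return nil, err
	}
	return openRecord(key, patientID, env)
}

func main() {
	key := make([]byte, 32) // in the app this comes from the platform keystore, never a literal
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	acl := recordACL{"P-1001": {"alice"}}
	env, _ := sealRecord(key, "P-1001", []byte("dx: hypertension")) // constructed record
	for _, p := range []principal{{"alice", "doctor"}, {"bob", "nurse"}, {"alice", "analyst"}} {
		rec, err := readRecord(p, "P-1001", acl, key, env)
		fmt.Printf("%s/%s -> %q err=%v\n", p.Name, p.Role, rec, err)
	}
}
```

Running it shows alice the doctor reading the record, bob the nurse refused because he is not on the ACL even though his role allows reads, and alice as an analyst refused by the role check. The key version byte is what makes later rotation practical: a new key gets a new version and old envelopes stay readable until they are re-encrypted. A wrong key, a tampered byte or a mismatched patient ID all surface as an error from gcm.Open rather than as garbage plaintext, which is the property an unauthenticated mode such as CBC does not provide.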
The likelihood and consequence levels of all the risks fall after the treatment methods are implemented. Residual risk nevertheless remains, because technology changes and attackers will make use of new techniques even after the treatments are in place; the risks therefore cannot be eliminated from the project entirely.

Secondary Risk

One secondary risk that the treatment itself introduces is cryptanalysis of the encryption in use, that is, attacks in which the attacker studies the algorithm and the way it has been applied in order to defeat it (Xu et al. 2014). Modern algorithms are public, so the security rests on the key: the longer a key stays in service and the more data are encrypted under it, the more material an attacker has to work with, and for a 64-bit block cipher such as Triple DES the block-collision bound is reached after on the order of 2^32 blocks under one key. Reaching that point would leave the data sets without effective protection from encryption. The treatment is crypto-agility and key hygiene: using a current algorithm in an authenticated mode, rotating keys on a schedule and whenever compromise is suspected, bounding the amount of data encrypted under any one key, and labelling each ciphertext with a key identifier so that rotation and algorithm replacement do not require re-engineering the application. This shortens the attack window and reduces the attack surface.

Risk Register

Risk ID | Risk Name | Description | Likelihood | Consequence | Risk Rating | Risk Treatment Strategy
1 | Malware attacks | The first form of attack that may occur in this risk event is malware: malicious code or software used to compromise the privacy, confidentiality, and availability of information. Viruses, ransomware, worms, logic bombs, Trojan horses, etc. may be used. | Possible | Major | High | Risk avoidance and mitigation through anti-malware tools that detect malware attempts made by the attackers.
2 | Insider threats | The employees developing the mobile application will also hold grants and permissions on the production data. Competitors of the healthcare firm may influence these employees and gain access to the data sets. | Possible | Catastrophic | High | Encryption of the data sets with a standard algorithm such as AES, so that attackers cannot decrypt the data without the secret key, together with role-based access control.
3 | Data breaches | The use of production data over the networks during the testing phase may result in breach and loss of the data sets. | Possible | Major | High | Anti-malware tools, access control, denial of service mitigation, network security tools and controls, and encryption of the data sets.
4 | Data loss | The use of production data over the networks during the testing phase may result in breach and loss of the data sets. | Possible | Major | High | Anti-malware tools, access control, denial of service mitigation, network security tools and controls, and encryption of the data sets.
5 | Denial of service attacks | The network channels may be used for flooding attacks, such as denial of service threats and attacks. | Likely | Major | High | Risk avoidance and mitigation through denial of service mitigation tools that detect flooding attempts made by the attackers.
6 | Network security attacks | There may also be other network security attacks, such as eavesdropping and distributed denial of service. | Possible | Major | High | Anti-malware tools, access control, denial of service mitigation, network security tools and controls, and encryption of the data sets.
7 | User awareness issues | The primary users of the mobile application will be the patients and the medical professionals. Some of them will be given the beta version of the application. Unfamiliar with the functionality at first, they may carry out operations that result in improper handling of the data sets. | Likely | Catastrophic | Extreme | Technical security tools and controls together with user awareness training and sessions.

Reflection

Critical Analysis

Risk management is one of the critical areas of project management. A risk is an event that may affect the project's progress, activities, and components, for better or for worse, and risks that occur during the timeline can shift the agreed scope, cost, and schedule and so affect customer satisfaction. Managing risks adequately is therefore essential, and most project management methodologies include it as a core area. This reflection concerns the same project described above: the ongoing development of the Android and iOS mobile application for the employees of the healthcare firm, with its user login, patient data records, data analysis, medical reports, and information sharing modules, which lets doctors and nursing staff monitor patient data, analyse it for patterns that improve diagnosis and reporting, and share information with patients (Dey and Kinch 2008).

One of the risks that occurred in this project was schedule overrun. Its cause was the stream of changes requested by the project sponsor across the whole timeline. The requirements and scope had been defined and estimated in the initial project phases, but the sponsor and client then requested changes to the application modules, user interface, and specifications throughout the project.
This delayed the delivery of the project deliverables and produced the schedule overrun during the execution phase (Javaid 2013). The risk control and treatment approach used in this phase was avoidance and mitigation, implemented through change control and management. The change handling process consisted of change identification, approval of the change request, change handling, and change control. Change requests approved by the sponsor were accepted and subjected to an impact analysis. Some changes carried a large impact on schedule and cost; these were discussed with the sponsor and their impact explained, in order to avoid scope creep and further schedule overrun (Dawson 2014). Communication practices were also strengthened so that resources and stakeholders had a clear view of the project.

The risk management process used was sound, because it applied the concepts of the leading project management methodologies to risk treatment and followed a defined sequence of phases: risk identification, risk analysis, treatment, monitoring, and closure. It was also integrated with the other project management processes. For example, since the primary cause of the risk was the changes requested by the sponsor, the risk management process was integrated with change management, and communication management was used as one of the treatment processes. These project management practices and principles were combined to manage the project and its areas (Ziek and Anderson 2015).

Certain measures could have improved the overall risk management process. An agile approach would have accommodated the changes more readily. Change control and management should have been introduced in the project initiation and planning phases, and the schedule and cost estimates should have allowed for change from the outset. Documenting the risk treatment and control processes would also have improved communication and presentation of the results and provided a reference point for future projects.
References

Bahtiyar, Serif. 2016. "Anatomy of Targeted Attacks with Smart Malware". Security and Communication Networks 9 (18): 6215-6226. doi:10.1002/sec.1767.

Bertino, Elisa. 2015. "Denial-of-Service Attacks to UMTS". Computer 48 (2): 6-6. doi:10.1109/mc.2015.42.

Dawson, Patrick. 2014. "Reflections: On Time, Temporality and Change in Organizations". Journal of Change Management 14 (3): 285-308. doi:10.1080/14697017.2014.886870.

Deursen, Nicole van, William J. Buchanan, and Alistair Duff. 2013. "Monitoring Information Security Risks within Health Care". Computers & Security 37: 31-45. doi:10.1016/j.cose.2013.04.005.

Dey, Prasanta Kumar, and Jason Kinch. 2008. "Risk Management in Information Technology Projects". International Journal of Risk Assessment and Management 9 (3): 311. doi:10.1504/ijram.2008.019747.

Franqueira, Virginia, and Roel Wieringa. 2012. "Role-Based Access Control in Retrospect". Computer 45 (6): 81-88. doi:10.1109/mc.2012.38.

Green, John. 2015. "Staying Ahead of Cyber-Attacks". Network Security 2015 (2): 13-16. doi:10.1016/s1353-4858(15)30007-6.

Javaid, Muhammad Adeel. 2013. "Risk Management in Technology Based Projects". SSRN Electronic Journal. doi:10.2139/ssrn.2325608.

Joshi, Chanchala, and Umesh Kumar Singh. 2017. "Information Security Risks Management Framework – A Step Towards Mitigating Security Risks in University Network". Journal of Information Security and Applications 35: 128-137. doi:10.1016/j.jisa.2017.06.006.

Neelima, S, and R Brinda. 2018. "Implementation of Various Data Encryption Methods for Medical Information Transmission". International Journal of Engineering & Technology 7 (2.31): 219. doi:10.14419/ijet.v7i2.31.13446.

Potter, Bruce, and Greg Day. 2009. "The Effectiveness of Anti-Malware Tools". Computer Fraud & Security 2009 (3): 12-13. doi:10.1016/s1361-3723(09)70033-8.

Probst, Christian W. 2011. "Identifying and Mitigating Insider Threats". it - Information Technology 53 (4): 202-206. doi:10.1524/itit.2011.0644.

Xu, Jun, Siwei Sun, Lei Hu, and Yonghong Xie. 2014. "Cryptanalysis of Countermeasures against Multiple Transmission Attacks on NTRU". IET Communications 8 (12): 2142-2146. doi:10.1049/iet-com.2013.1092.

Ziek, Paul, and J. Dwight Anderson. 2015. "Communication, Dialogue and Project Management". International Journal of Managing Projects in Business 8 (4): 788-803. doi:10.1108/ijmpb-04-2014-0034.