Information Security Risk Management: A Case Study of Merck & Co.

Added on  2019/09/26

Report
AI Summary
This report provides an analysis of the information security risk management practices of Merck & Co., a pharmaceutical company, in the aftermath of a ransomware attack. The report identifies the problem, which involved a cyberattack that disrupted operations and caused financial and reputational damage. It then reviews the risks faced by Merck, emphasizing the need for internal and external environmental analysis using tools like SWOT, PESTLE, and the five forces study to identify potential threats. The report outlines a change management process, including defining a change strategy, preparing a change management team, developing change management plans, and implementing the plans to mitigate future attacks. The conclusion highlights the importance of proactive security measures and strategic planning to prevent and respond to cyber threats effectively. The report emphasizes the importance of conducting environmental analysis, risk assessment, and change management strategies to protect the company's assets and ensure business continuity.
Running Head: Information Security Risk Management
Information Security Risk Management
Table of Contents
Abstract
Problem
Risk Review
Process of bringing Changes
Conclusion
References
Abstract
This paper analyzes a risk statement for Merck & Co. in order to suggest a better review and change adoption process. The analysis is carried out in light of certain facts and concepts of risk management. Merck is a well-known pharmaceutical company that suffered a serious hacking incident caused by a ransomware virus. The virus locked users out of their computers and demanded a payment of $300 from them.
Problem
Merck, a US-based pharmaceutical company, was affected by a sprawling cyber-attack that demanded money in exchange for access to its computer networks and important information files. The attack disrupted the company's working environment and interrupted its manufacturing process, and this interruption caused a huge loss to the company. The virus that hit Merck was also known as Petya (https://www.washingtonpost.com/news/the-switch/wp/2017/06/27/pharmaceutical-giant-rocked-by-ransomware-attack/?utm_term=.de0be78c322e). The cyber-attack mainly exploited a vulnerability discovered some years ago by the National Security Agency. During the attack, Merck also agreed to pay the demanded amount, but no guarantee had been given by the person behind the attacks. This disappointed the company and hampered its manufacturing and other business processes. Because of this issue, Merck was not able to continue its work, and the stoppage and interruption caused huge financial as well as reputational loss to the company.
Risk Review
To analyze the risks it faces, Merck should carry out an internal and external environment analysis. Internal analysis gives Merck significant information about the prevailing trends and cases within the company's internal environment. External environment analysis, in turn, gives significant information about the probable risks in the external environment. Had Merck analyzed its internal and external environment, it could have collected significant information about the ransomware, because other companies had been affected by it before Merck was. Such analysis would have given it a glimpse of the threat and alerted it about the security of its network (Kharraz, 2015). However, it did not do so and became the victim of the hacking attack. Merck can perform this analysis with the help of different strategic tools and concepts. For example, it can perform the internal analysis using SWOT and the competencies measurement method, and the external analysis by conducting a five forces study or a PESTLE analysis. The outcomes of these concepts and techniques give the company a significant understanding that further directs its future decisions. Both suggested techniques therefore ensure proper risk evaluation and produce essential outcomes. Merck should use them to analyze its internal and external environment and detect possible threats that can influence its profitability and competitive advantage in its target market. Doing so will protect the company from different unknown hackers and viruses.
Process of bringing Changes
Ransomware significantly affects a company's profitability and operations. To deal with the ransomware attack, Merck & Co. needs to follow the steps below:
Define the Change Management Strategy: At this stage, Merck needs to come up with a significant strategy to deal with the ransomware attack. For example, the company can adopt the strategy of making an off-site backup.
Prepare the Change Management Team: At this stage, the defined change management team prepares for the change management process (Lam, 2014). This can be done by providing training to the team. For example, to implement the new strategy of making an off-site backup, the company can create a team and give it responsibility for restoring data from the backup.
Develop Change Management Plans: Here, the change management plan is developed for later implementation. At this stage, to deal with the ransomware attack, the company needs to formulate a plan covering items such as the change structure, possible outcomes, predicted initiatives, etc.
Implement Plan: This is the stage where the plan is put into practice. To deal with the ransomware hacking attack, the organization needs to implement the strategy of making an off-shore backup by issuing an order or notice to existing employees (Sittig, 2014).
With all of these efforts, the change can be implemented successfully, and Merck can deal with the ransomware attack effectively.
Conclusion
After studying all this, it can be concluded that Merck became a victim of the ransomware attack due to its own mistakes and carelessness. Had it conducted internal and external environment analysis on a timely basis, it could have protected itself from the ransomware attack. Now, after the cyber-attack, it needs to concentrate more on implementing strategies for network security. Strategy development gives the company the potential to deal with uncertain problems and sustain its performance.
References
Kharraz, A., Robertson, W., Balzarotti, D., Bilge, L., & Kirda, E. (2015, July). Cutting the Gordian knot: A look under the hood of ransomware attacks. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 3-24). Springer, Cham.
Lam, J. (2014). Enterprise risk management: From incentives to controls. John Wiley & Sons.
Pharmaceutical giant rocked by ransomware attack. Washington Post. Retrieved 12 August 2017, from https://www.washingtonpost.com/news/the-switch/wp/2017/06/27/pharmaceutical-giant-rocked-by-ransomware-attack/?utm_term=.de0be78c322e
Sittig, D. F., & Singh, H. (2016). A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks. Applied Clinical Informatics, 7(2), 624.