MBA Guest Lecture: Exploring the Intricacies of Information Security and Risk Management
Cybersecurity Experts Explore Risk Management During Guest Lecture
Reza Khalesi, cybersecurity expert, and Donna Moens, cybersecurity consultant from BDO Nederland, recently delivered a captivating guest lecture at Wittenborg's Amsterdam study location, shedding light on the intricacies of Information Security Management and Risk Management.
During the guest lecture, the duo engaged with MBA (Master of Business Administration) students, using real-life examples and sharing insights on the core elements of Risk Management.
Khalesi initiated the lecture by defining risk management, underscoring the significance of terms such as vulnerability, threat and assets. To encourage active engagement, the duo shared a QR code with the students, allowing them to answer questions that appeared on the screen throughout the session. Considering their definitions, Khalesi framed vulnerability as a universal aspect of human existence. "All of us have vulnerabilities. For example, elderly people or those who are sick are more vulnerable than those who are physically active," he explained.
Drawing a parallel to daily life, Khalesi asked students to consider the concept of a threat, stating that "'If I tell you, I'll have to kill you' is a threat, but it does nothing." He emphasised that threats in the context of risk management could be both intentional and unintentional, such as the risk of a car accident when driving.
The duo stressed the significance of assets in the risk equation, defining assets as valuable entities ranging from personal belongings to professional resources.
Khalesi underscored the interplay of vulnerability, threat and assets, highlighting, "Vulnerability plus threat equals risk. For each company, we have different types of risk, such as strategic risk, operational risk, safety risk, compliance risk and more."
Moens continued the discussion by focusing on the practical application of risk assessment in different organisational settings. She stressed the importance of defining the scope when conducting risk assessments. "When you're doing a risk assessment, your scope and your scope determination, how you define it, is really important." Moens further explained that this assessment can be done using a risk matrix, based on two intersecting factors: the likelihood the risk event will occur and the potential impact the risk event will have. In other words, it's a tool that helps you visualise the probability versus the severity of a potential risk.
"This helps us when we are doing a risk assessment. In the end, we want to mitigate or treat our risk," she said. "This risk matrix may vary per company."
Moens also shared an amusing anecdote about risk management, illustrating how we navigate and mitigate risks in our daily lives. "In September, our business unit organised a trip to Mallorca. Living in The Hague, Reza and I decided to travel together for our 6:30 flight, requiring us to arrive at Schiphol Airport several hours early – a very early 3:00 to be precise. Reflecting on a prior experience where I almost missed my flight to Albania, my risk-averse approach emphasised the importance of punctuality. On the other hand, Reza, embracing a more adventurous attitude, was willing to take the risk of being late, aiming for a 5:00 arrival. Our different responses to the situation illustrate the diversity in risk tolerance – some being more accepting, some more risk-averse, and others focusing on mitigating measures."
After more in-depth discussions, Khalesi expressed his gratitude towards the students and Wittenborg senior lecturer Dr Gilbert Silvius for their time and for making this opportunity possible. Silvius, in turn, highlighted that the guest lecture served as a reminder to students that information security lies in the details and that an independent view by externals quite often reveals our 'blind spots'.
WUP 18/02/2024
by Erene Roux