Risk Assessment

Overview

Per the IBM terms of use, if IVK were to lease Watson Analytics and then terminate the contract, all previously entered data would be lost: IBM’s policy is to destroy the data when the contract ends (IBM, 2015, October 10). This exposes IVK to the loss of valuable data if the company decides to eliminate some or all user accounts. The risk of data loss grows the longer the firm uses Watson services and with each department’s implementation of Watson Analytics, making switching vendors more challenging and less rewarding should it become necessary in the future. Considering the recent loss of 3M USD before ending the relationship with vendor Netifects, IVK should take extreme caution before committing to Watson Analytics, fully investigate its application toward IVK’s business goals before importing massive amounts of data, and store source data separately.

Privacy

Implementing Watson Analytics behooves IVK to be critically aware of unauthorized access to data. Utilizing Watson Analytics in human resources, marketing, and sales, as suggested, requires particular attention to the personal data of employees and customers that may be entered. The greater risk of powerful analytics is precisely what makes Watson Analytics powerful: its cognition framework results in “the automatic data linkages between seemingly non-identifiable data” (Cavoukian, A., Stewart, D., & Dewitt, B., n.d., p. 5) that actually provide a profile of an individual. When data sets are linked together, they may reveal patterns in “lifestyle, consumer habits, social networks...even if no single data set reveals this personal information” (p. 5). By the nature of the Watson cognitive question-answer model, such linkages are likely to occur. As IVK is likely to benefit strategically from reviewing the spending habits of customers and the work habits of employees, for example, even if IVK attempts to protect personally identifiable information, decisions regarding the extent to which personal data will be analyzed are essential to limit risk at the entry point. Even basic directory information can be combined with other data to identify someone’s home, and just an email or IP address is sufficient to identify consumer habits and social networks. IVK needs to determine how much information it wants to collect, analyze, and store in the cloud, as “these risks can include reputational harm, legal action, regulatory sanctions, disruption of internal operation and weakened customer loyalty – all of which can result in revenue and profit losses” (p. 5). Other examples of privacy risk include unauthorized disclosure and the loss or theft of data. If IVK elects to engage in nudging, “the use of identifiable data to profile individuals in order to analyze, predict and influence their behavior” (p. 5), for marketing and sales purposes, that practice may be viewed as invasive by some clients.
Lastly, IVK must be cautious not to violate privacy agreements through secondary use of data. “In general, [IVK] can only use individuals’ personal information for the purpose(s) identified at the time they collected the information with the person’s consent. Using that information in analytics may be considered a secondary use and unless the individual gave express consent, that can be seen as a breach” (p. 5).

Security

Because Watson is cloud-based software accessed through the Internet, vulnerabilities in web-based encryption can affect Watson Analytics. Data becomes vulnerable in transit when the protocols the search server uses, such as Transport Layer Security (TLS), Secure Sockets Layer (SSL), Secure Shell (SSH), and Hypertext Transfer Protocol Secure (HTTPS), are attacked. For example, through a Logjam attack, sensitive information can be obtained when a TLS connection that uses the Diffie-Hellman key exchange fails to properly convey a DHE_EXPORT ciphersuite choice (IBM, 2015, June 26, “CVE-2015-4000”). This vulnerability can be exploited by man-in-the-middle techniques to force a downgrade to a 512-bit export-grade cipher, allowing the attacker to recover the session key as well as modify the contents of the traffic (IBM, 2015, June 26, “Description”). A FREAK attack can also affect Watson Analytics by exploiting a vulnerability in an SSL/TLS implementation that allows the attacker to downgrade the security of the connection (IBM, 2015, June 6, “CVE-2015-0138”). The SSL/TLS client could potentially accept an RSA temporary key in a non-export RSA key exchange ciphersuite, allowing brute-force decryption of TLS/SSL traffic between vulnerable clients and servers (IBM, 2015, June 6, “CVE-2015-0138”). The Libraries component also has an unspecified vulnerability that could allow a remote attacker to obtain sensitive information (IBM, 2015, June 6, “CVE-2015-0400”), and a denial-of-service attack is possible through an unspecified vulnerability in the Security component (IBM, 2015, June 6, “CVE-2015-0410”). Attacks are possible on all systems, but their probability and consequences are difficult to predict.
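Both Logjam and FREAK end with the server negotiating export-grade parameters, which is something a defender can check for on the wire. The following Python audit is an added example (not IBM's code or part of this assessment); it parses a TLS ServerHello and a DHE ServerKeyExchange, flags export cipher suites by their RFC 2246 IDs, and flags Diffie-Hellman primes below a policy threshold. The sample messages are constructed inline; MIN_DH_BITS and the function names are assumptions.

```python
"""Audit a TLS ServerHello / ServerKeyExchange for Logjam- and FREAK-style downgrades."""
import struct

# Export-grade suite IDs from RFC 2246 Appendix A.5. A server that negotiates one of
# these has been limited to 40-bit symmetric keys / 512-bit RSA or DH parameters.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
MIN_DH_BITS = 2048  # assumed policy threshold; Logjam precomputation targeted 512-bit groups


def parse_server_hello(body: bytes) -> dict:
    """Parse a ServerHello body (the bytes after the 4-byte handshake header)."""
    version = struct.unpack("!H", body[0:2])[0]
    sid_len = body[34]                      # 2 bytes version + 32 bytes random precede it
    pos = 35 + sid_len
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite}


def parse_dhe_params(body: bytes) -> int:
    """Return the bit length of the DH prime p in a DHE ServerKeyExchange body."""
    p_len = struct.unpack("!H", body[0:2])[0]
    p = int.from_bytes(body[2:2 + p_len], "big")
    return p.bit_length()


def audit(server_hello: bytes, server_kx=None) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    name = EXPORT_SUITES.get(parse_server_hello(server_hello)["cipher_suite"])
    if name:
        findings.append(f"export-grade suite negotiated: {name}")
    if server_kx is not None:
        bits = parse_dhe_params(server_kx)
        if bits < MIN_DH_BITS:
            findings.append(f"weak DH group: {bits}-bit prime (< {MIN_DH_BITS})")
    return findings


# Constructed sample: TLS 1.2 ServerHello, empty session id, suite 0x0014, null compression.
SAMPLE_HELLO = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x14" + b"\x00"
# Constructed sample: ServerKeyExchange carrying a 512-bit prime (top bit set), g = 2, Ys = 1.
_p = b"\x80" + b"\x00" * 63
SAMPLE_KX = struct.pack("!H", len(_p)) + _p + b"\x00\x01\x02" + b"\x00\x01\x01"

if __name__ == "__main__":
    for finding in audit(SAMPLE_HELLO, SAMPLE_KX):
        print("FINDING:", finding)
```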

Watson Analytics users also introduce vulnerabilities to the system. Users who reuse the same password for their Watson Analytics account and other work accounts expose potentially sensitive data within the analytics software, or expose data to malicious modification, through a single compromised account (Gallaugher, 2015, 14.3, “Passwords”). Users who are unskilled in identifying phishing scams also create risk (Gallaugher, 2015, 14.3, “Phishing”), potentially and unknowingly downloading malware such as keyloggers and screen-capture tools that can compromise the user account (Gallaugher, 2015, 14.3, “Malware”). Because Watson Analytics is accessed through the user’s browser, failure to keep the browser up to date can also open security vulnerabilities. Errors in security set-up can be a problem too: Watson users can enable additional security when creating a collection, for example, but this setting cannot be changed once the collection is created (IBM Knowledge Center, n.d., “Collection-level security”). Security holes caused by user negligence and user error have high probabilities and can amplify other vulnerabilities, so ongoing user education and training is required.

Risk v. Benefits

Should IVK determine that the privacy risks associated with Watson Analytics fall within the firm’s ethical standards, the immense return expected after implementing the system justifies its use. While some customers may find the linkage of datasets, which paints a portrait of IVK clients, invasive, the practice of analyzing consumer behavior is widely used by data scientists across consumer industries (Golbeck, 2013, 3:18). The same data mining that allows stores to predict consumer behavior and personalize advertisements can allow IVK to identify potential loan customers. Advanced analytics would even allow the firm to predict potential clients’ ability to pay (Watson Analytics, n.d.), eliminating other risks. The security vulnerabilities associated with Watson Analytics are not risks to the company solely through the analytics system. Other web-based applications used by the bank, such as customer online banking accounts, are also vulnerable to encryption-based attacks and user error. Some of the value brought in by Watson Analytics should, of course, be applied toward security expansion in order to mitigate the risks associated with opening additional ports and managing additional server space and firewalls, particularly in the aftermath of the security breach caused by previous bad patches between systems.


References

Cavoukian, A., Stewart, D., & Dewitt, B. (n.d.). Having it all: Protecting privacy in the age of analytics. Retrieved from http://www2.deloitte.com/content/dam/Deloitte/ca/Documents/Analytics/ca-en-analytics-ipc-big-data.pdf

Gallaugher, J. (2015). Information systems: A manager's guide to harnessing technology, v. 2.0. Available from http://catalog.flatworldknowledge.com/bookhub/reader/12375?e=fwk-38086-ch12_s02#fwk-38086-chab

Golbeck, J. (2013, October). The curly fry conundrum: Why social media “likes” say more than you think [Video transcript]. TEDxMidAtlantic 2013. Retrieved from http://www.ted.com/talks/jennifer_golbeck_the_curly_fry_conundrum_why_social_media_likes_say_more_than_you_might_think/transcript?language=en

IBM. (2015, June 6). Security bulletin: Vulnerabilities in IBM Java Runtime affect Watson Explorer, Watson Content Analytics, and OmniFind Enterprise Edition (CVE-2015-0138, CVE-2014-6593, CVE-2015-0400, CVE-2015-0410). Retrieved from https://www-304.ibm.com/support/docview.wss?uid=swg21700625

IBM. (2015, June 26). Security bulletin: Vulnerability in Diffie-Hellman ciphers affects Watson Explorer, Watson Content Analytics, and OmniFind Enterprise Edition (CVE-2015-4000). Retrieved from https://www-304.ibm.com/support/docviews.wss?uid=swg21960236

IBM Knowledge Center. (n.d.). Security in IBM® Watson Content Analytics. Retrieved from http://www-01.ibm.com/support/knowledgecenter/SS5RWK_3.5.0/com.ibm.discovery.es.ad.doc/iiysasecure.htm

IBM Watson Analytics. (2015, October 10). IBM Watson Analytics security frequently asked questions (FAQ). Retrieved from https://community.watsonanalytics.com/wp-content/uploads/2015/10/IBM-Watson-Analytics-Security-FAQ-10202015.pd

IBM Watson Analytics. (n.d.). Easy analytics for finance. Retrieved from http://www.ibm.com/analytics/watson-analytics/finance?watsonanalytics=true&cm_mmc=WAMicrositeOrganic--C24803SW&S_TACT=C24803SW

Victor. (2015, March 4). FREAK attack [Infographic]. Retrieved from http://blog.gsmarena.com/new-freak-ssl-exploit-may-major-threat-online-security/

Zariga Tongy. (2015, May 20). Logjam TLS vulnerability [Video file]. Retrieved from https://www.youtube.com/watch?v=87s1nkATfzk
