Sreekant Vijayakumar & I spoke at Product School in Dec 2019 on everything that goes into Risk Management at Digital Enterprises. First part focused on explaining why Risk Management is existential question for organizations today and not cost saving. Second part focuses on educating on the foundations of Risk Management and last part is how a real Risk Management Practice (Product Managers, Data Scientists, Engineers, Operations) is built & run in an organization.

1. www.productschool.com
Part-time Product Management Training Courses
and
Corporate Training

2. Join 40,000+
Product Managers on
Free Resources
Discover great job
opportunities
Job Portal
prdct.school/PSJobPortalprdct.school/events-slack

3. Alumni graduated
across 20 campuses
Cities all over the world
+100
10,000+

4. CERTIFICATES
Your Product Management Certificate Path
Product Leadership
Certificate™
Full Stack Product
Management Certificate™
Product Management
Certificate™
20 HOURS40 HOURS40 HOURS

5. Corporate
Training
Level up your team’s Product
Management skills

6. Ram
Ravichandran &
Sreekant
Vijayakumar
T O N I G H T ’ S S P E A K E R S

7. Creating Safe
Digital Experience
Ramkumar Ravichandran – Data science TLM, Google Shopping
Sreekant Vijayakumar – Sr. Product Mgr, Fraud Mitigation & Payments
Disclaimer: Participation in this summit is purely on personal basis and is not meant to represent Adobe or Google’s position on this
or any other subject and in any form or matter. The talk is based on learning from work across industries and firms. Care has been
taken to ensure no proprietary or work related information of any firm is used in any material.

8. 8
https://images.app.goo.gl/9JWr3HY4gsq5o1uP9

9. OK! Double clicking on the topic first...Digital?
9
Creating Safe Digital Experience
All Digital Assets that are
significant portion of User
Journey (Product, Platform,
Business Model, etc.)

10. ...Safe?
10
Creating Safe Digital Experience
Protect, Resolve,
Recover

11. ...Creating?
11
Creating Safe Digital Experience
Products, Tools & Systems,
Processes, Ownership Matrix,
Culture

12. ● Why?
● What?
● How?
● Why?
Agenda
12

13. Role of Risk PM is now Strategic & Proactive from
predominantly Financial & Reactive earlier...
13
https://www.flaticon.com/free-icon/bank_755195
$bns in Impact, #Ms Customers Impacted, Brand Impact ($bn), Regulatory Fines ($bn)
Accelerating further because of digitization
Evolving ecosystem complications (touchpoints, form factors, AI driven, Edge AI)
Evolving actors & motivations
Glocalization: Regulations, Privacy Expectations, Payments
https://www.pci.upenn.edu/event-calendar/accelerate-icon/
https://www.sccpre.cat/show/ibboxoi_download-evolution-and-the-social-mind-digital-ecosystem/
https://www.istockphoto.com/illustrations/hacker-logo?sort=best&mediatype=illustration&phrase=hacker%20logo
https://apkpure.com/blue-browser/appinventor.ai_sidney_net.BlueBrowser

14. ● Why?
● What?
● How?
Agenda
14
● What?
Personas Threat Types Vectors

15. Personas: Classifications of Actors
15
Motivation03
● Financial Motivation (Profit/Arbitrage)
● Malice (Crime, AML, Sabotage)
● Validation (Emotional, Commercial, PR)
● Competitive Intentions
● Strategic Social Engineering
Origin of Threat02
● Internal (Employees, Vendors, Suppliers,
Partners)
● External
Entities by Size,
Sophistication & Scope
01
● Level 1: Individuals
● Level 2: Organized Enterprises
● Level 3: State Sponsored

16. Threat Types
16
Cybersecurity
Targets Infrastructure,
e.g., GitHub ASN attack,
Wannacry ransomware
Policy Violation
e.g., Money Laundering,
Scams, Counterfeits,
Content
Platform/Service Abuse
Promotions/Returns Abuse,
Platform misuse, e.g.,
AAirpass, Cambridge Analytica
Information Security
Critical Customer Data
targeted, e.g., 2018 Marriott
(500M #), 2017 Equifax (143M#)
Monetary Fraud
Intentional Defrauding-Stolen
Cards, ATO, Non Repayments,
e.g., UB Group, 37% Installed
Software is pirated
02
01
05 04
03

17. Attack Vectors
17
Acute Growth Rapid Exploitation of single vulnerability, e.g., stolen credentials
Multipoint Exploitation of a connected vulnerability, e.g., Target Hack
Opportunistic/
Strategic
Stay under-the-radar and wait for right timing, e.g., Sony Hack
Signature Spoofing Sophisticated set up that mimics genuine customer behavior
Network Co-ordinated exploitation on multiple fronts, e.g., fake accounts
Target Switching Migrate attack from stronger systems to weaker systems, e.g, Match.com

18. Common Delivery Mechanisms (not exhaustive)
18
Common Types
Bots Injections Hijacking Spoofing Testing Mimicking
●Pings
●DDos
●Form
Fillers
●SQL
●Ads
●Browsers
●Notificatio
n
●iFrames
●APIs
●Page
Elements
●CTAs
●Credential
s
●Ip spoofing
●Device
●2FA
●Credential
s
●Card
Testing
●APIs
●Network
Creators
●Deep Fake
Algorithms

19. ● Why?
● What?
● How?● How?
Agenda
19

20. Ecommerce - Risk Overview (illustrative)
Driver Common Risk Types tracked
Merchants
Significantly Not As Described (SNAD), Item Not Received (INR), Merchant-Buyer Collusion,
Merchant-Merchant Collusion, Money Laundering (Fake Sales), Counterfeits, Scams,
Competitor Sabotage, Price Undercutting, Redirecting Sales, Cannibalizing Offers, Fake Ads,
Non-Compliant Inventory, Settlement Frauds, Delayed/Non-Payment of Dues, PII & PAI
Misuse, Subsidy Misuse
Affiliates Traffic & Attribution Fraud, Ad Fraud
Buyers
Buyer Collusion, Returns Abuse/Over Use, Promotions Abuse, Refund Abuse & Fraud,
Referral Frauds, Remorse Returns, Improper Chargebacks, Bulk Buyers, Subscription
Cancellation (Trial Policy Abuse), Account Sharing, False Rating & Comment Abuse,
Resellers, Networks
Fraudsters
Account Take Over (ATO)- Buyers/Sellers/Partners, Stolen Cards (SC), Negative Balance at
Settlement (NBL),Stolen Packages, Spamming, Credential Spoofing
Partners
Lost/Damaged in Transit, Missing Packages, Bad Delivery, Vulnerable Systems, Operational
Issues, Insider Risk

21. Key Steps in Protection
21
Profile
Define and evaluate
various customers risk
profiles
Feedback
Ongoing feedback
from the false
positive/negative
analysis
Monitor
Tracking of customer
interactions for risky
behaviour
Mitigate
Measures to
segregate and nullify
the fraud vector
Identify
Means to identify
various vectors
without causing
friction
Detect and
Mitigate Threat

22. Enterprise Security Layers

23. Platform Overview

24. Stakeholders
● Build product roadmap and vision
● Educate stakeholders
● Drive initiatives
● Customer Experience
● Platform
Product
Management
● Scalable solution design
● Build platform capabilities
● Architects
● Developers
Engineering
● Identify and leverage data sources
● Build models to power capabilities
● Monitoring and alerts
● Data Scientist
● Analysts
Data Sciences
● Review orders
● Perform ad-hoc analysis
● Drive intelligence
● Investigations
● Reviewers
● Fraud Analysts
Operations
● Terms and conditions
● Privacy impact
● Traceability matrix
● Privacy
● Legal
● Compliance
● Audit
Enforcement
● Campaign cohorts
● Cohort removal
● Overstatement prevention
● Sales
● Marketing
● Growth
● Finance
Business

25. Product Management in Risk
25
IterateDeliveryRoadmapGoalsVision
• Define the long term vision
• Communicate to key stakeholders
• Buy-in from management
• Set up time bound goals
• KPIs to measure impact
• Bottomline to business
• Prioritized Initiatives list
• Milestones for each initiative
• Timeline for delivery
• Trade-offs
• Data Driven Optimization
• Support, Operations & Distribution
• Refine, Revamp or Retire?
• ”Learn-Listen-Test” launch
• Usage Protocols : Guide & Comply
25

26. Data Science in Risk Management
Typical KPIs
Monitoring, Alerts &
Analyses
Predictive Modeling
Investigations
Actual Loss Rate (#, $, %), Attempted Rate (%), Prevented Loss Rate* (#, $,
%), Successful Contest Rate (%), False Positive Rate, PR AUC, Agent Review
Pass Through Rate (%), Abuse Rate (%), Customers Impacted (#), CS Calls (#)
& CS Time Spent
Key Monitoring Reports & Analyses Readouts, Threshold & Custom Alerts
(Segments/Geos/Accounts)
Confusion Matrix Measurements & Feedback Loop, Threat Intelligence
Reports, Central Repository, Dark Web Monitoring, New Patterns
Identification & Quantification
Predictive Models, Forecasting, Entity Resolution, Anomaly Detection,
Unsupervised Clusters, Graphs Identifications (Network/Paths/Profiling),
Survival Modeling

27. Building a culture of “Security first”
● Drive awareness & importance of risk: Newsletters, Executive Sponsors, Summits, Office
Hours, Hackathons, All Hands, Bounty Programs, Blue/Red Targeting, MRC Memberships
● Education: Training Programs for External Facing Teams, Risk Audits for
Designs/Flows/Campaigns/Systems/Partners, Annual Certifications for Employees.
● Customer Educations: Educational Content for Customers/Partners/Regulators. Work with
Industry bodies (MRC), Auditors & Regulators to drive “Security Consciousness”.
● Business Continuity & Disaster Recovery Protocols: Strategic, Financial & Operational
Plans to identify events, investigate & respond “responsibly” to the world outside.
● Reserve a seat on the table for the Policy Team

28. The parting words...
28

29. • Holistic AI driven Risk Platform, paired with strong processes & protocols
(prevention, incident response & impact mitigation) are vital to succeed.
Key takeaways
• Risk arena is getting ever more complicated and it takes a strong “culture”,
Executive Sponsorship and Cross Functional Ownership to deliver on goals.
• Impact of Risk is beyond Financial only - it affects Brand, Trust, Customer
Confidence & Regulatory support. But it’s a delicate balance.
• Actors, Motivations & Vectors and their mechanisms are always evolving, so
you ain’t gonna be bored ever.
• Key Players are Product Management, Engineering, Legal/Policy, Data
Science & Operations.
29

30. Thank you! We would love to hear from you...
https://twitter.com/decisions_2_0
http://www.slideshare.net/RamkumarRavichandran
https://www.youtube.com/channel/UCODSVC0WQws607clv0k8mQA/videos
https://www.linkedin.com/pub/ramkumar-ravichandran/10/545/67a
RAMKUMAR RAVICHANDRAN
SREEKANT VIJAYAKUMAR
https://www.linkedin.com/in/sreekantvijayakumar/
30

31. UPCOMING EVENTS
Thursday, December 5
Everything is
Connected: Systems
Thinking in PM
Wednesday, December 4
Defining Product
Success

32. UPCOMING Product Management Training Courses
Tuesdays & Thursdays
January 7 - February 27
6:30am - 9:00pm
7 SPOTS LEFT
Saturdays
December 7 - February 8
9:30am - 3:30pm
3 SPOTS LEFT

33. www.productschool.com
Part-time Product Management Training Courses
and
Corporate Training