Protecting knowledge - a novel security awareness topic
January's security awareness topic is 'protecting knowledge'. By 'knowledge' we mean intangible forms of information such as ideas, concepts, thoughts, expertise, experience, perception, understanding and so forth, distributed throughout the organization in the brains of employees and other workers such as contractors and consultants.
Along with various other intangible forms of information, knowledge constitutes an extremely valuable category of corporate asset. Think about the creative designs and inventions that may one day become profitable new products and efficient production processes: they all start as concepts, thoughts and ideas in workers’ heads. The gems that we call “skills” and “expertise”, plus the education and work experience so proudly listed on our résumés, are enormously important factors when recruiting or promoting employees, while consultants make a business by selling their intellectual capacity and wisdom.
If you accept that valuable assets deserve protection, and knowledge is a valuable asset, the obvious next question is “OK then, so how do we protect knowledge?”
January’s security awareness materials promote controls that are procedural, pragmatic and cost-effective. As an example, a policy to encourage job rotation has the effect of systematically multi-skilling the workforce. Workers become competent at a greater number of activities, hence they are capable of standing in for others (e.g. if someone in an important position unexpectedly resigns or goes off sick). Furthermore, as they transfer from department to department, they build their social networks by getting to know a larger pool of colleagues, with clear implications for knowledge sharing and brokering new relationships.
Once you have thought through the issues and the benefits (which go beyond risk-reduction), you’ll be kicking yourself that you didn’t have these controls all in place years ago!
At the same time, however, it is possible for intellectual assets to be over-protected. For example, if the circulation of knowledge is unduly restricted – basically, if workers are so paranoid that they are usually tight-lipped – it loses its value since the information is less accessible for legitimate purposes. This must be an issue in organizations such as the NSA for obvious reasons.
The awareness materials therefore emphasize a balanced approach, ensuring that the protective measures reflect the value, purpose and risks to the information. Sometimes it is better to take a chance by sharing sensitive knowledge with trustworthy colleagues and business partners, than to keep it locked in your brain. The tension between need-to-know and need-to-withhold is one of the issues raised in the module.
This is a brand new awareness topic for us. We have covered intellectual property rights (IPR) before, and we have touched on various other aspects occasionally, but this is the first time we have gone into any depth on the protection of knowledge as such. We suspect very few information security programs cover this unusual topic, and yet there are some important points to be made about both protecting and exploiting the organization’s knowledge.