New hi-tech risks awareness module
In the 11 years that we’ve been providing the awareness service, it has grown substantially in both breadth and depth. We’ve covered risk management as a discrete topic a few times before, while information risk is the foundation for information security and hence virtually all the security awareness modules. This month, however, the latest addition to our bulging portfolio of security awareness topics concerns the central yellow area of the scope diagram shown here.
A large proportion of information these days is communicated, processed and stored using IT systems and networks. There are numerous risks associated with IT which are central to this awareness module. However, it makes little sense to discuss IT or tech risks in isolation since it is the possible adverse consequences on the business that determine whether or not they are a genuine concern. If there were no impacts, the risks to the organization would be negligible.
“Hi-tech risks”, then, arise where the business intersects both IT and information security. They involve security threats to information assets that exploit vulnerabilities within the technology, leading to adverse impacts on the business. [Some involve the use of technology as weapons - another facet to hi-tech risk mentioned in the awareness materials.]
Thinking more broadly, information is a valuable corporate asset that deserves and requires protection against various risks, particularly those that affect its confidentiality, integrity or availability. Protecting information is challenging due to its intangible and ephemeral or dynamic nature. Information is subject to a wide range of threats, while there are numerous vulnerabilities that might be exploited and the impacts or consequences of incidents vary markedly.
To complicate matters still further, information-related risks are ever-changing, and despite our best efforts we can never have perfect knowledge about them: there will inevitably be situations that we did not predict and incidents that we did not completely guard against. Hence information risk management depends on the quality of the information concerning information risks (yes, that is self-referential!):
That's one of the simple diagrams we used to put this potentially quite complex subject across to management - not because managers are "simple", you understand, but rather because they need to see past the tech content to appreciate the business implications.
Finally, information and technology risks have to be managed alongside financial risks, market risks, product risks, strategic risks, personnel risks and so forth. From senior management’s strategic viewpoint, they all have to be managed to a comparable degree ... which implies things such as consistency of risk management approaches and terminology, and preferably also risk metrics, otherwise we're asking them to compare oranges with apples when determining whether the risks fall within their risk appetite. The security metrics paper in November's awareness module suggests several ways to measure tech risk that can also measure other forms of risk.
PS You'll understand why we named this module "hi-tech risks" when you see next month's.