Information risk awareness
In line with common practice, we've covered "information security risk" previously in the security awareness materials. Virtually all the awareness modules cover information security, so this time around we've refocused the module on information risk, information risk management (IRM) especially.
The diagram below sums up the guts of the classic IRM process: identify then assess information risks, choose how to treat them, implement the treatments, then loop back to pick up and respond to changes.
There's more to it than that: for instance, information must flow to and from management (e.g. information risk levels, business priorities and risk appetite), while suitable metrics are necessary to manage and improve the process systematically.
Talking of which, I'm currently reading a fascinating account of how High-Reliability Organizations (HROs) use Highly Reliable Security Programs (HRSPs) to drive improvements in their information risk and security management activities. The book's author (Lance Hayden) lays out a strong case for milking every last drop of value from incidents and near-misses (or near-hits, as he calls them!) rather than - as most organizations do - paying lip-service to incident investigation, hoping that everything is quickly forgotten ... and consequently suffering the same or similar incidents repeatedly. As a fan of security metrics, security culture, systematic learning and improvement, I find that the core idea resonates with me. I'll be reviewing "People-centric Security: Transforming your Enterprise Security Culture" here as soon as I've finished the final chapters and mulled it over. It's certainly food for thought, so on that basis alone the book is well worth a look.