Risks, dynamics and strategies

Of information risk management, "It's dynamic" said my greybeard friend Anton Aylward - a good point that set me thinking as Anton so often did.

Whereas normally we address information risks as if they are static situations using our crude risk models and simplistic analysis, we know many things are changing ... sometimes unpredictably, although often there are discernible trends.

On Probability-Impact Graphics, it is possible to represent changing risks with arrows or trajectories, or even time-sequences. I generated an animated GIF PIG once showing how my assessment of malware risks had changed over recent years, with certain risks ascending (and projected to increase further) whereas others declined (partly because our controls were reasonably effective).  

[Click the PIG to watch it dance]

It's tricky though, and highly subjective ... and the added complexity/whizz-factor tends to distract attention from the very pressing current risks, plus the uncertainties that make evaluating and treating the risks so, errrr, risky (e.g. I didn't foresee the rise of cryptomining malware, and who knows what novel malware might suddenly appear at any time?).

A simpler approach is to project or imagine what will be the most significant information risks for, say, the year or two or three ahead. You don't need many, perhaps as few as the "top 5" or "top 10", since treating them involves a lot of work, while other risks are often also reduced coincidentally as controls are introduced or improved. It's possible to imagine/project risks even further out, which may suit a security architectural development or strategic planning approach e.g. planning to implement biometrics in a few years' time to address increasing requirements for worker authentication.

Another aspect of strategic planning for information risk and security management is that the risk modelling, analysis, treatment and projections are all inherently uncertain, therefore taking us into the realm of resilience and contingency thinking. An ISO27k Information Security Management System (or, in fact, any structured approach to managing the corporation's risks) that helps the organization cope with an uncertain future is an asset, whereas one that rigidly restricts its options may turn out to be a liability if things don't quite go to plan.

The point of this ramble, prompted by Anton's throwaway yet insightful comment about dynamics, is the need to consider both the 'here and now' and the future - even if you find yourself still desperately trying to catch up with the past!