Exercising in private

Continuing this mini-series of bloggings inspired by business continuity exercises, today I'm talking about other sources of creative inspiration for security awareness purposes - specifically, information from within and around the organization concerning incidents, near-misses, information risks and other issues that are known internally but haven't (yet!) been picked up by the news media. There's a wealth of information there, behind closed doors.

Most organizations care enough about various kinds of risks to manage them explicitly. All organizations seeking certification against ISO/IEC 27001 are required to manage information risks (by which I mean "risks pertaining to information"), a process that starts by identifying the risks to be managed.

How do they do that?

One approach involves considering the organization's risks in general: what threatens achievement of corporate/business objectives? And which of those risks has an information element? Large, mature organizations typically have some sort of 'corporate risk register', perhaps even a dedicated team or department of risk experts primarily responsible for risk management, especially (if not exclusively) for the "significant", "substantial", "strategic" or "bet-the-farm" risks. Other organizations have more diffuse arrangements for managing risks, perhaps just an implicit, integral or informal part of 'governing', 'managing' or 'doing business'. Either way, the risks typically identified at that high level may not be labelled or even considered to be "information risks" but many are, or have an information aspect. Fluctuating exchange and interest rates, for instance, can have significant implications for corporate financial management, and so need to be managed carefully: the rates, plus the factors influencing them, plus the details around how the rates affect corporate finances, plus the financial management systems and processes themselves, all revolve around information ... hence there are information risks. Pick any other significant corporate risk and you can almost certainly find significant information risks.

Another approach explores business processes, systems etc. For business continuity purposes, a classical Business Impact Assessment is all about mapping out the organization's main activities and highlighting the things that absolutely must continue operating come-what-may in order for the organization to survive. Extend that map just a little to include the activities required for the organization to thrive and prosper, and there you go: a nice set of business activities (plus systems, resources, relationships etc.) that are critical or extremely important to the organization. Once again, there are bound to be associated information risks, since information is critical to all of them.

A third way focuses on information systems and flows, especially computer data, looking for IT-related threats and vulnerabilities. They may be labelled "IT risks", "technology risks", "cyber risks", "data risks" or whatever, but to me these are simply a subset, members of the broader set of corporate information risks. [And if you are wearing massive dark cyber-blinkers, you should expect to be blind-sided by serious incidents involving information that were outside your field of view. Don't say you weren't warned!] 

A fourth way looks at issues, events and incidents, and perhaps near-misses that the organization has experienced directly when risks have actually materialised or come close. These are learning opportunities with an obvious significance for those directly involved and (usually) interest and value for others. 'Once bitten, twice shy' concerns the long-term personal and social reaction to adverse events. Post-incident investigations can be an excellent source of information about risks, including threats, vulnerabilities, impacts, controls, governance, management, processes, people, situations, capabilities and more (e.g. "We were fortunate on this occasion that ..."). However, investigations are tough because of the damage caused and the natural reactions and sensitivities of those involved. 

Those four approaches to identifying and dealing with risks, plus others (such as the insurance and strategic/corporate governance perspectives), all contribute to the organization's general understanding and appreciation of risks, including information risks ... hence they are all sources of content for security awareness and training purposes. It makes a lot of sense for the awareness program itself to be risk-driven, risks being an obvious means of both identifying relevant topics and prioritizing the coverage. 

It doesn't particularly matter whether the impetus relates specifically to information risks or corporate risks in general since information is an integral part of all of them. So, for instance, if for some reason management happens to be particularly concerned about the organization's compliance-related risks right now, there is plenty of latitude to raise awareness of information risk and security within the context of compliance e.g. compliance with privacy and other information-related laws, contractual terms relating to information protection, security policies, intellectual property rights and so on. 

That's what we've been doing every month since 2003, in a generic way, building and maintaining a unique library of awareness and training content covering 70 information risk and security topics. Within your organization, you can do the same thing with a narrower perspective, focusing on aspects that are pertinent to your business, or to your culture, your people, your locale, your industry, your challenges, your incidents, your critical activities, your resources ... and, yes, your risks. Rummage through the corporation's attic (its risk registers, incident reports and BIAs) looking for pain points, concerns and interesting stuff worth dusting off and exploiting for your purposes. Talk to your colleagues about the Stuff That Really Matters and dig a little deeper to discover plenty more sources of inspiration. Explore situations where the organization (or those in which employees previously worked) narrowly escaped disaster, and the same for your business partners, industry peers and office neighbours. If you ever run short of interesting and relevant security awareness topics, you're just not thinking broadly, deeply or creatively enough - so let's talk. We'd love to help. It's what we do.