When analysing threats to an organisation, the security professional must calculate the risk each threat poses. Here, risk is comprised of two elements – probability and impact.

The negative impact(s) resulting from a threat materialising can be determined fairly accurately by way of a business impact analysis. Based on the risk ‘score’, the host organisation will then agree on a course of action needed to manage the threat(s).

The only problem is that the scoring of probability is inherently flawed. If we had put the world’s top 100 risk managers in a room on 10 September 2001 and asked them to rate the probability of the Twin Towers being destroyed at a cost of 3,000 lives within the next 24 hours, how many of them would have said: “The likelihood rating is off the top of the scale. In fact, it’s a sure thing”?

Probability is based on subjective judgement, and an analysis of the facts as we know them. If we are not aware of all the facts, our assessment will be flawed.

Ask yourself the following question, and answer it honestly... “The fact that a serious security threat to the organisation hasn’t materialised as yet is down to (a) Sound management and controls (b) Luck, or (c) We haven’t been targeted as yet.”

Security professionals should always assume the worst-case scenario. Business continuity plans should not merely cover traditional areas like fire, flood and explosions. In a world where information is power, and in which technology and automated systems are critical business enablers, professionals must also respond to information security-related threats.

Information security and business continuity must dovetail. We need controls on the former to prevent serious breaches, but there must also be a continuity plan – covering technology and systems recovery – providing the organisation with a fallback strategy, response and recovery back to ‘business as usual’.

Is your current business continuity plan flexible enough to accommodate an information security threat should one materialise? Test it with a straightforward ‘table top’ exercise. Gather together your primary response team members and give them an imaginary scenario to manage. For example: “We’ve just been informed that our main competitors have a copy of our confidential business plans.”

This scenario will require effective stakeholder communication and (possibly) damage limitation – areas demanding senior management level intervention. A well-prepared business continuity plan should indeed cover senior management.

The exercise should also test that an escalation process exists and that it’s appropriate in relation to serious information security breaches. If it isn’t, then update it as a priority!

After all, you never really know what the true probability is that a serious breach will occur very, very soon. Do you?