Handbook of Information Security Management:Policy, Standards, and Organization



Threats, Vulnerabilities, and Risks

A threat is a potential danger to an asset. A vulnerability is a weakness in an asset, or in the measures protecting it, that a threat could exploit. A risk is the potential loss that results when a threat exploits an unresolved vulnerability, and deciding which risks are acceptable is a key management decision in preparing the organizational risk matrix. To prepare an organizational risk management matrix, focus first on identifying and ensuring that key information is protected, NOT just computer and network systems. Assign primary and, where appropriate, secondary responsibility for each asset. Next consider factors unique to the organization's business, such as the following.

Corporate information assets — If there is a list of known and approved proprietary trade secrets or sensitive information, review it with the perspective that everything on the list must have value to the organization and must have some measures in place to reduce the potential risks derived from loss, modification, or destruction.

Existing trade secret and proprietary protection programs — These should be reviewed with the law department or corporate counsel. Too often, the attorneys are primarily interested in ensuring the necessary paperwork is completed (e.g., Confidentiality and Non-Disclosure Agreements, Contract Terms and Conditions, etc.) and will trust to litigation to resolve violations of those documents. Although these are essential to preserve the organization's right to legal recourse against violations, they are "after the fact" remedies. In an era of global competition, where local law enforcement and even judicial tradition may prove unfavorable to a "foreigner", it is far better to prevent the loss of proprietary information than to litigate afterwards. As many companies have learned, even a large settlement from a foreign rival is worth less than preventing the loss in the first place. However, well-organized trade secret protection programs often yield a wealth of important details, such as the principal experts on the organization's technology, its patent holders, and their areas of expertise. These should be leveraged to flesh out the asset/risk/protection matrix.

Competitors: past, present, and future — The track record of current and future competitors should be reviewed to see if any of them have a history of using aggressive or illegal tactics to obtain critical information from past rivals. Likewise, in the era of global economic espionage, a current or potential rival's status in its home nation should be considered. If the competitor is a nationalized entity or is considered the national flag bearer in a critical technology area (such as microchips, biotechnology, aerospace, etc.), then one can infer that it probably has preferential access to intelligence or operatives of the foreign national intelligence service. Needless to say, this can dramatically increase the sophistication and threat level faced by the organization's information assets. If the organization enters into a licensing arrangement, the impact of the new partner should be considered, as in some nations one is likely to inherit the enemies of the new partner as an undocumented component of the contract.

Existing and anticipated operations — If one's organization is geographically limited to one continent and one nation, then the challenges to information security are somewhat less severe. However, in an era of globalization that situation is not likely to endure. As business expands to other nations and continents, the information security challenges and threats increase in almost direct proportion to the distance back to the "head office". The IPS manager should review the current and future scope of operations to determine the timing and threat issues that such changes create.

The end goal of this process is to create a list of key information resources and their associated risks, then compare these to the available capabilities under the headings of assigned (regular IPS staff), matrix (corporate staff, but non-IPS), and external resources, and ensure that every major risk to a critical asset is mitigated through the involvement of one or more of the available team resources. For each asset defined in the matrix under the risk areas, IPS should prepare a brief (one- or two-page) document which records the specific risks to be addressed. Once these elements are defined, it is essential that the appropriate level of senior management approves the resource-risk allocations.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.