Taxonomies are simply ways of ordering or classifying information and can help us to understand concepts through either diagrams or written explanations. For clarity, this appendix includes both forms for the following areas:
It should be noted that these are simply the author’s interpretation, and are not necessarily complete in terms of all possibilities, or to the deepest level of abstraction.
INFORMATION RISK
Information risk is the combination of the impact or consequence of a threat or hazard on an information asset and the likelihood or probability of that threat or hazard occurring. Figure A.1 illustrates the key components.
Figure A.1 An overall taxonomy of information risk
The impact or consequence of an event is the successful result of one or more threats acting upon one or more vulnerabilities of an information asset. They are categorised as follows:
The section Typical Impacts or Consequences lists and describes the various types in more detail.
Likelihood or probability
Likelihood expresses the possibility that an event may occur, but places no certainty on its doing so. Probability, on the other hand, expresses a greater degree of certainty, in that it is based on mathematical or statistical information computed from, or gathered by, research. The two terms are sometimes used interchangeably, but it should be remembered that likelihood is a qualitative view, whereas probability is a quantitative view.
Threats or hazards
Some threats are malevolent in origin, such as hacking and social engineering, while others are non-malevolent, such as environmental threats and simple failures.
The likelihood will be influenced by:
Appendix B lists and describes various types of threats and hazards.
Vulnerabilities
Vulnerabilities are weaknesses in or surrounding the information asset, which a threat might exploit in order to compromise the information asset. Vulnerabilities may be: physical, such as inefficient locks; technical, such as poorly configured firewall rules; or procedural, such as a lack of segregation of duties. They have the following contributing factors:
Appendix C lists and describes various types of vulnerabilities.
TYPICAL IMPACTS OR CONSEQUENCES
Figure A.2 illustrates and describes some of the possible impacts or consequences that might arise as a result of a successful threat against an information asset.
Operational impacts
Operational impacts are generally experienced rapidly by the organisation. Most are very obvious – for example, when information to which staff expect to have access is no longer available, or when they can plainly see that it has been dramatically altered.
Very often, direct operational impacts will result in subsequent indirect financial impacts, so an inability to meet a service contract may well result in lost orders or in claims for contractual damages. Operational impacts include:
Financial impacts
Unsurprisingly, financial impacts or consequences are normally those that gain the greatest attention within the organisation. It is frequently against a backdrop of possible financial loss that the costs of remedial actions will be compared. While this is certainly correct, the same comparison also holds for other types of impact.
Many of these impacts – for example, lost sales immediately following the event – will be felt very quickly, while others – for example, increased insurance premiums – may not manifest themselves until a later date, possibly some considerable time after the costs of the event have been counted.
Financial impacts may also not be as noticeable to the whole organisation – for example, staff may not be aware of the financial implications of an event at all, and have no appreciation of the position in which the organisation finds itself until they read about it in the media or find that pay increases and bonuses are reduced. Financial impacts include:
Legal and regulatory impacts
As with reputational impacts, legal and regulatory impacts can have serious repercussions on an organisation, and are best handled by a specialist team within the organisation, who may communicate information regarding an event through the corporate communication department. Legal and regulatory impacts include:
Reputational impacts
Reputational impacts are almost always highly detrimental to the organisation. For this reason, many organisations employ communication specialists who are skilled in countering negative publicity and putting a positive spin on any bad news. In such organisations, most staff are advised not to talk directly to the media, but to pass enquiries through to the corporate communication department. Reputational impacts include:
Wellbeing of staff and the public-at-large
Although rarer, safety incidents are generally highly visible outside the organisation, and occasionally have an effect on the public-at-large. More common, however, are events that may have an adverse effect on the organisation’s staff, and these can also cascade into secondary financial and operational impacts. Wellbeing impacts include: