PREFACE

In the six years since I wrote the original Information Risk Management book, much has changed in terms of technology and the threats to information. Little, however, has changed in terms of vulnerabilities. Chief among these is that many organisations (and often the most senior executives within them) believe that information risk is purely a technology problem, and ignore the fact that processes, procedures and people are often not only at the root of information risk issues, but also one of the principal means of resolving or avoiding them.

Technology is frequently the tool we use to secure information as well as to generate and store it, and these two roles are easily conflated in people’s minds, resulting in confusion and misinterpretation. After all, if you leave your car unlocked and your mobile phone, wallet or laptop is stolen, it is not the car’s fault, is it?

It is time we stopped blaming technology for all our woes, and concentrated instead on understanding not only what is happening, but also, and more importantly, why it is happening. Then, and only then, can we do something positive about it: prevent it from happening in the first place, and prevent it from recurring.

It does not actually matter whether the information is in physical or electronic form; what matters is that it is important to someone and therefore warrants protection from theft or abuse.

It is an unfortunate fact of life that we do not always value things until they are lost. This is especially true of information. Were the last digits of someone’s telephone number 674 or 647? Does a colleague live at number 24 or number 42? While these are trivial examples of the loss or misunderstanding of information, they serve to illustrate how dependent we are on information of all kinds, but they fall short of recognising the effects of information either being permanently lost or (possibly worse) falling into the wrong hands.

In recent years, there have been numerous reports in the media about how the security services, particularly in the UK and the USA, are intercepting our private communications. While this in itself is laudable in the fight against organised crime and international terrorism (it is, after all, their primary role), it is clear that some governments, and indeed organisations and people, may have different objectives and are seeking to mine our information in order to use it either for their financial gain at our expense or to take advantage of us in some other way.

The general principles we use to protect our information can be found in Information Security Management Principles Third edition, published by BCS, Chapter 2 of which deals with information risk. However, this is only a 20-page summary account of the subject, and therefore only scratches the surface.

The lesson – as many a security professional will tell you – is that if a well-resourced opponent really wants to read your information, remove it or change it, then they will find a way of doing so. It may not be cheap or easy, it may involve using a mix of technology and human agents, but if they think it is worth it, you will find it very, very hard to stop them.

The intention of this book is therefore to help you to make life as difficult as possible for them to be successful.

The technology, tools, standards, regulations and methods incorporated in information systems all change at a considerably faster rate than the updates to books such as this. Although all the detail included has been verified at the time of writing, and again during the publication process, there will always be discrepancies between the book and the real world. Hopefully, there will be sufficient information in the book to allow readers to identify these, and to confirm the most up-to-date information.
