1 THE NEED FOR INFORMATION RISK MANAGEMENT

In this first chapter of the book, we shall set the scene for the later chapters by focusing on what information actually is and how it is produced or obtained, why we should manage the risks to information, the legal framework surrounding information, and the context of risk within organisations.

We shall take a brief look at some of the hot topics in information risk management, including the Internet of Things and remote working, before discussing the benefits of information risk management and some of the processes by which it can be achieved.

WHAT IS INFORMATION?

Before we begin to examine the need for information risk management, it is important to understand what the difference is between information and data.

Superficially, this appears to be quite straightforward – data are merely unstructured facts and figures, whereas information consists of data that are organised into a meaningful context. For example, the temperature, wind speed and direction, rainfall and atmospheric pressure readings taken twice daily in towns and cities around the country are just data. It is only when they are recorded together, and along with those readings of previous days, that the data are placed in context and begin to have meaning, allowing meteorologists to examine trends and develop a weather forecast. It is at this point that the data have become organised and structured and can now be seen as information.

Although I have drawn the distinction between the two, for the purposes of this book I shall deal with them both under the heading of ‘information’, since both data and information will have value to their owners and must be equally protected, although the owner of the original data and the owner of the resulting information may be entirely different entities.

Information can exist in two different states: physical, where information is recorded on paper, film, paper tape, canvas, pieces of clay with cuneiform indentations or notches in tally sticks; and virtual, where it is held as binary ones and zeros stored on magnetic media or other types of electronic memory device.

Information also comes in two distinct forms. Firstly, there is information that describes or lists other information, such as a catalogue or index, and is often referred to as ‘metadata’. Secondly, there is information that is something in its own right, such as a novel, a software application or the formula for a new medicinal drug. All have value to their owner or originator, and indeed may either be of a personal nature, in which case it might be subject to data protection legislation, or may be IP, in which case copyright or trademark legislation will apply.

It is not my intention to deal in any depth with either of these two aspects of legislation since each could easily be the subject of a book in its own right, but you should be aware not only of their existence and general content, but also that they need to be taken into account when developing an information risk management programme.

Recent revelations regarding the organised interception and mining of information by various security agencies have raised awareness at all levels of society of the need to take greater care of our information, but we should not be at all surprised by the extent to which this so-called ‘snooping’ takes place, or by the fact that these agencies are able to carry it out.

The problem lies in the tension between the need to maintain national security and the need to gather sufficient information to be able to do so. Security agencies such as the National Security Agency (NSA) in America and Government Communications Headquarters (GCHQ) in the UK were set up precisely to carry out this kind of work, so it should not come as a shock to anybody that they are doing it, nor that they are very successful at doing so, albeit subject to strict legal undertakings, at least in theory. What should be more worrying is that other nations’ security agencies may be able to undertake similar surveillance and interception and may use the resulting information gathered for nefarious purposes.

Then there is the question of so-called ‘Big Data’, in which organisations – both commercial and governmental – collect vast amounts of information on us as individuals. Every time we use a credit card to purchase goods, the credit card agency gathers a little more information about us. This has positive benefits as well as negative connotations; for example, if a transaction falls outside your ‘normal’ spending profile, the credit card agency can contact you to verify that your card is still in your possession and has not been used fraudulently.

On the other hand, of course, supermarkets may target us with advertising and promotions as a result of aggregating information gained from our loyalty cards, which may or may not be something to be happy about, since they now know more about our spending habits than we do!

A recent investigation¹ into how much Amazon knows about us unearthed some interesting and somewhat alarming results – not only about how much use they make of our browsing and spending habits, what films we watch and what music we listen to, but also about how many data their ‘Ring’ doorbell/video camera records, and what they are able to infer from our commands to the ‘Alexa’ devices.

Similar concerns revolve around Google’s ability to monitor our habits and movements when we use their search engine or ask the Google ‘Home’ devices for information. Both Alexa and Google Home additionally allow us to control aspects of our homes – lights, sockets, closed-circuit television (CCTV), baby monitors and central heating, all from one application on a smartphone.

All this may be extremely useful to us as users, but continues to raise questions over whether others are learning more about us than we might care for them to know, and whether they could ultimately take at least partial control over certain aspects of our lives.

In the UK, there is an ongoing and often heated debate about the use of network infrastructure from the Chinese company Huawei. On the one hand, there is the fear that their possible links with the Chinese government might enable it to have unwanted influence on our lives, including unfettered access to more sensitive information. On the other hand, its cost to the network operators may be significantly lower than that of other suppliers, allowing them to keep call charges to users at a lower rate. The view at the time of writing is that Huawei will be allowed to provide some of the fifth-generation mobile network infrastructure, while the more sensitive ‘core’ of the networks will be closed to them.

Whatever the situation, we sometimes do not treat our own or other people’s information with sufficient care, and the consequences of this can be severe. When scaled up from a personal to an organisational level, the consequences can be catastrophic, and it is hoped that this book will enable you to take a proactive position in preventing this from happening.

Finally, we should make the distinction between information that is about what we do, and information about who we are. Information about what we do could cover such things as where we spend our money, what our audio and visual entertainment preferences are, what we view on the internet, what we say online and anything that can be recorded about actions we have undertaken.

Information about who we are will include those so-called immutable attributes. These are absolute facts and can never be altered. They include such things as our biological parents, our biometrics (for example, iris scan, fingerprints or DNA) and where and when we were born.

Next there are so-called assigned attributes such as our nationality, names, national insurance number or title. These are generally the attributes that people and organisations rely upon to identify and communicate with us, and rarely change.

Finally, there are other related attributes, which, while being a part of our personae, are more easily changed, but still allow people and organisations to identify and communicate with us, and which may be used in identity verification, such as usernames and passwords, email addresses, memberships, qualifications and entitlements.

Many of these types of information are almost impossible to conceal since they are a matter of public record and generally speaking we are happy to make them available – indeed, it is often in our interests to do so, although there are some that we would naturally not make publicly available. For example, we are usually happy to give someone our email address, but at the same time we would not let them know the password to the email account.

The information life cycle

It is easy to imagine that information is ‘just there’, but it must be created in the first place, and then generally follows a set path, as shown in Figure 1.1.

Figure 1.1 The information life cycle


The creative process begins with some form of research, design or discovery, which allows the creator to record the information in some form, whether in hard copy or electronic form, and then to store it in some way. In some situations, the information may be processed somehow, either to manipulate it in a way that others can easily access it, or to make it more useful by enriching it in some way, perhaps by amalgamating it with other information.

The process continues with use, either by the information’s creator alone, or more frequently by others, whether individually or collaboratively, at which point it can be widely shared within a contained environment or publicly.

At some stage, the information may become out of date but still be required as a time-based reference, in which case it will be archived. Eventually, the information will become completely redundant, at which point it can safely be disposed of or destroyed, or may be updated and recycled as new information.

At each stage of this life cycle process there will be the need to ensure that the information is adequately protected from accidental or deliberate loss, change or destruction, hence the need for information risk management.

WHO SHOULD USE INFORMATION RISK MANAGEMENT?

Quite simply, any part of an organisation can and should make use of information risk management, since all parts of an organisation are likely to have information that has value to it.

The human resources department keeps records of personnel, much of which will be considered personal information under general data protection legislation; sales and marketing departments will hold information on past and projected sales as well as pricing schedules; finance will hold records of the organisation’s income and expenditure; development will have plans and designs for both current and future products and services; and the IT department, although perhaps not owning any of this information, will be responsible for keeping it secure and making it available to authorised staff.

Non-commercial organisations too will have valuable information that must be protected. Hospitals, GP practices and health trusts hold sensitive personal information on patients; local authorities hold lists of vulnerable people; the Driver and Licensing Agency holds details of every driver and vehicle registered in the UK; and Her Majesty’s Revenue and Customs hold huge amounts of financial information about every taxpayer in the country and beyond.

All these different types of information must be protected – they must be kept confidential, so that only authorised people may have access to them; their integrity must be protected, so that only authorised people may change them; and they must be available when required by those who have a need to access them. These three main tenets of information security – confidentiality, integrity and availability – underpin everything in this book, and will be dealt with in greater detail in Chapter 2.

However, in order to protect our own or our organisation’s information, we first need to understand exactly what it is and why it is important to the organisation.

An excellent example of the need for protecting information goes back to the 1940s, when, during the Second World War, the British government put up posters declaring ‘Careless talk costs lives’. The meaning was clear. People who were aware of military plans might innocently reveal them by indiscreet conversation, and the consequences could be extreme for the military and civilian personnel who were taking part in those actions or whose environment might be affected as a result of them. The implication of this was that any information revealed could unwittingly lead to a compromise of security, but it gave no indication of how sensitive the information might be, the consequences of revealing it or how it should be protected.

This brings us to the issue of information classification, in which each piece of information can be classified for its sensitivity, handling, storage, access or distribution and ultimately its disposal. The only problem with information classification is that it does not usually reveal the potential value (monetary or otherwise) of the information either to the organisation itself, or to an adversary who might be able to benefit from obtaining it.

Yet another aspect to be considered is information aggregation, in which small pieces of information (some of which might appear completely trivial) are gathered, often from a variety of sources, and pieced together to provide a clearer picture of the whole.

All these elements are brought together in the techniques we use for information risk management, which allows us to clearly identify those information assets that have value to our organisation; determine the impact on the organisation of their unauthorised distribution, alteration or destruction; assess the vulnerabilities exhibited by them; and assess the events that might bring these about, and the likelihood of these occurring.

All this provides us with a measure of the level of risk associated with each type or piece of information, from which we can determine the most appropriate response while balancing the possible consequences against the cost of treatment.
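The assessment described above (identify assets, determine the impact of loss of confidentiality, integrity or availability, assess the events that might bring it about and their likelihood, then weigh the consequences against the cost of treatment) can be expressed as a small risk register. The following is an added example, not from the book or its author; the 1–5 impact and likelihood scales, the monetary values per impact band, the likelihood-to-events-per-year mapping and the rating thresholds are all assumptions chosen for illustration, and the assets and threats are constructed sample data.

```python
from dataclasses import dataclass

# Assumed scales: the book prescribes no particular scoring scheme.
# Monetary consequence (in pounds) assumed for each impact band 1..5.
IMPACT_VALUE = {1: 1_000, 2: 10_000, 3: 100_000, 4: 1_000_000, 5: 10_000_000}
# Expected number of events per year assumed for each likelihood band 1..5.
LIKELIHOOD_PER_YEAR = {1: 0.02, 2: 0.1, 3: 0.5, 4: 1.0, 5: 5.0}
CIA = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationAsset:
    """An information asset with a 1-5 impact score per security property."""
    name: str
    owner: str
    confidentiality: int  # impact if disclosed without authorisation
    integrity: int        # impact if altered without authorisation
    availability: int     # impact if unavailable when needed

    def impact(self, prop: str) -> int:
        if prop not in CIA:
            raise ValueError(f"unknown property {prop!r}")
        return getattr(self, prop)


@dataclass(frozen=True)
class Threat:
    """An event that could exploit a vulnerability in one asset."""
    asset: InformationAsset
    event: str
    affects: str          # which of the CIA properties it would compromise
    vulnerability: str
    likelihood: int       # 1-5


def risk_level(t: Threat) -> int:
    """Risk level = impact x likelihood (1..25 on the assumed scales)."""
    return t.asset.impact(t.affects) * t.likelihood


def risk_rating(level: int) -> str:
    """Assumed rating bands: 13-25 high, 6-12 medium, 1-5 low."""
    if level >= 13:
        return "high"
    if level >= 6:
        return "medium"
    return "low"


def expected_annual_loss(t: Threat) -> float:
    """Consequence in pounds times expected events per year."""
    return IMPACT_VALUE[t.asset.impact(t.affects)] * LIKELIHOOD_PER_YEAR[t.likelihood]


def treatment_decision(t: Threat, control_cost_per_year: float) -> str:
    """Treat high risks regardless; otherwise treat only when the control
    costs no more per year than the loss it is expected to prevent."""
    if risk_rating(risk_level(t)) == "high":
        return "treat"
    if control_cost_per_year <= expected_annual_loss(t):
        return "treat"
    return "accept"


def build_register(threats_and_costs):
    """Produce risk register rows, highest risk level first."""
    rows = []
    for t, cost in threats_and_costs:
        level = risk_level(t)
        rows.append({
            "asset": t.asset.name, "owner": t.asset.owner, "event": t.event,
            "affects": t.affects, "vulnerability": t.vulnerability,
            "level": level, "rating": risk_rating(level),
            "expected_annual_loss": expected_annual_loss(t),
            "control_cost": cost, "decision": treatment_decision(t, cost),
        })
    rows.sort(key=lambda r: r["level"], reverse=True)
    return rows


# Constructed sample data (hypothetical assets, owners and threats).
CUSTOMER_DB = InformationAsset("customer database", "sales director", 5, 4, 3)
FORECASTS = InformationAsset("sales forecasts", "finance director", 3, 3, 2)
PHISHING = Threat(CUSTOMER_DB, "credential phishing against staff", "confidentiality",
                  "no multi-factor authentication on remote access", 3)
BACKUP_FAILURE = Threat(CUSTOMER_DB, "backup media failure", "availability",
                        "restores never tested", 2)
INSIDER_EDIT = Threat(FORECASTS, "unauthorised modification by insider", "integrity",
                      "shared spreadsheet with no change history", 2)
SAMPLE_REGISTER = build_register([(PHISHING, 50_000), (BACKUP_FAILURE, 25_000),
                                  (INSIDER_EDIT, 8_000)])

if __name__ == "__main__":
    for row in SAMPLE_REGISTER:
        print(f"{row['level']:>2} {row['rating']:<6} {row['asset']:<18} "
              f"{row['event']:<40} EAL £{row['expected_annual_loss']:>12,.0f} "
              f"control £{row['control_cost']:>8,} -> {row['decision']}")
```

The register makes the balancing step explicit: the phishing threat is treated because its rating is high, the insider-modification threat is treated because the control is cheaper than the loss it averts, and the backup-failure threat is accepted because the proposed control would cost more per year than the expected loss. Whether such an acceptance is appropriate is a judgement for the asset owner against the organisation’s risk appetite, which the later sections discuss.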

Some people believe that risk assessments are only necessary in a health and safety situation, but where personal information is concerned, there is also a legal obligation to ensure its proper protection, and the General Data Protection Regulation (GDPR) states that:

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

As we have already mentioned, information is not restricted to the IT department, so every part of an organisation can therefore benefit from the use of information risk management.

If we are going to protect our information assets, we need to understand what they are, what might threaten their confidentiality, integrity or availability, how they might be vulnerable to such threats or hazards, and how likely these are to occur. This, in short, is the key role of information risk management, the essential components of which are discussed later in this chapter.

THE LEGAL FRAMEWORK

Safeguarding information did not present too many problems until computers, especially personal computers, became widespread. It was only with the introduction of the Computer Misuse Act (CMA) in 1990 that people outside government really began to take unauthorised access to information seriously. Since that time, earlier legislation has been updated to reflect the changes in the accessibility of information, and other legislation designed to better protect information has been developed.

The principal instruments of law, in the UK, regarding information risk management are:

  • The Data Protection Act (DPA) 2018 and the UK General Data Protection Regulation (UK GDPR), which deal with maintaining the confidentiality and integrity of information but not its availability.
  • The Computer Misuse Act 1990, which deals with the criminal offence of unauthorised access to computer systems and the information contained within them.
  • The Police and Criminal Evidence Act 1984, together with subsequent addenda, which deals in part with the proper securing of information-based evidence such as computer files.
  • The Official Secrets Act 1989, which deals with the disclosure of nationally sensitive information.
  • The Freedom of Information Act 2000, which allows requests to be made regarding rights of access to information held by government organisations.
  • The Regulation of Investigatory Powers Act (RIPA) 2000, which deals with information that may be collected by governmental organisations in the pursuit of criminal investigations.
  • The Copyright, Designs and Patents Act (CDPA) 1988, which defines copyright as a property right that subsists in the following areas: original literary, dramatic, musical or artistic works; sound recordings, films or broadcasts; and the typographical arrangement of published editions.
  • The European Union (EU) General Data Protection Regulation, upon which the UK’s DPA 2018 is based, is slightly different, but will not be dealt with in this book since the differences do not radically affect it.

All of these relate in one way or another to information risk, and many require that the organisations collecting and holding information must take all reasonable steps to ensure its safety.

Regulation in the information risk management space is less prevalent, although the financial sector does have some regulation regarding risk generally; it is more connected with the management of business risk than information.

Standards and guidelines, however, are available in abundance, and Appendix H lists the principal publications in this area.

THE CONTEXT OF RISK IN THE ORGANISATION

Any work on information risk in the organisation must begin with an understanding of the organisation’s wider view of business risk, which must necessarily examine the impacts or consequences of unexpected events. These can result in any of the following:

  • Financial loss, which can include loss of business or IP.
  • Legal and regulatory penalties, which can arise from either a breach of regulatory practice or failing to meet regulatory deadlines.
  • Reputational damage, which generally begins with adverse reports in the media.
  • Damage to the organisation’s operations, which may result in subsequent financial or reputational damage.
  • Harm to the organisation’s staff or the public-at-large, which again can result from damage to the organisation’s operations and reputation.

Although many of these are not based on pure finance, the bottom line is that it is mostly about money, since many of the other types of impact will ultimately result in some form of financial loss, whether directly or indirectly.

Information risk is a subset of business risk and relates to the confidentiality, integrity and availability of business information assets and the information management infrastructure, and, although we shall deal with the specific minutiae of impacts to the organisation’s information assets, the general principles of business risk management still apply.

Some of the damage to the organisation will be as a result of failures of technology, while other damage will be due to failures to follow policies, processes or procedures, and some will be due to events that simply happen.

A wide range of factors affects the organisation’s business risk environment, beginning with generic operational disruptions which affect all organisations, public and private, regardless of sector or size, such as dramatic changes in the economic or political environment, or the failure of business transactions resulting from poor management decisions or the failure of parts of the organisation’s infrastructure.

Other disruptions that are totally outside the control of any organisation, but which can affect a wide range of organisations, include natural disasters, such as pandemics, flooding and severe weather, terrorism and civil unrest, any of which will disrupt not only normal business operations, but also those of the public-at-large.

Other types of disruption will come within the control of the organisation, and are often sector-specific, especially in the area of hazardous operational environments such as petrochemicals and energy production. Disruptions from failures in business processes and systems will normally come within the remit of business continuity management, which, although linked to information risk management, is a subject area in its own right.

Organisations in certain sectors will also be subject to the dictates of legal and regulatory bodies, where both generic and sector-specific statutory regulations place additional responsibilities on the organisation. In those organisations where products and services fall within the range of hazardous products, the organisation will be subject to additional societal responsibilities under regulations such as the Control of Major Accident Hazards (COMAH), and may also be required to cooperate with emergency responders under the Civil Contingencies Act 2004 in order to provide protection not only for their staff within the working environment, but also for the general public.

The culture of the organisation itself will have a dramatic effect on business risk. The most visible of these in a business risk context is that of the organisation’s risk appetite and the internal awareness the organisation has regarding planning for risk. While they sound similar in nature, risk awareness and risk appetite are quite different – awareness meaning that the organisation recognises risk in all its forms, whereas risk appetite means the level of risk that the organisation will accept in any given situation.

Some organisations maintain an extremely low risk appetite; for example, pharmaceutical research organisations take almost no risks at all when it comes to developing a new drug, although it could be said that the potential development costs are a business risk in themselves.

Other organisations thrive on risk – insurance companies and investment brokers being classic examples. This is where risk can be seen as opportunity as opposed to danger.

The reach – local, regional, national, continental or global – of the organisation, together with its business structure and the operational demands it places on its staff, will also be a major contributory factor, and the organisation’s hierarchy and reporting channels will define to a great extent the roles and responsibilities of key staff and their accountability for risk.

Very often, those organisations whose operations have a greater degree of urgency will have an increased risk appetite, and may actively encourage staff to take risks within defined limits.

When it comes to information risk, some organisations will maintain extreme secrecy over their entire operations, while others will focus more on information that is either sensitive or confidential.

HOT TOPICS TO CONSIDER IN INFORMATION RISK MANAGEMENT

Since the original version of this book was written, a number of topics have become increasingly relevant and should therefore be considered in their own right in relation to information risk management.

The Internet of Things (IoT)

The IoT is a concept that allows connectivity between multiple physical devices, permitting communication between the digital and physical worlds. A ‘Thing’ comprises some form of power source; a transceiver to intercommunicate with other ‘Things’; sensors, which allow the ‘Thing’ to take in information; a central processor of some form to make decisions; a storage capability; and, finally, actuators that allow the ‘Thing’ to control something to which it is connected.

While we generally think of these ‘Things’ as objects, they do in fact hold or deliver information, and for this reason, we should be mindful that there will always be some form of information risk associated with them.

‘Things’ vary considerably in shape, size and functionality, but a good example is the Google Protect smoke and carbon dioxide detectors we have on our hall and landing ceilings, together with the Google Nest controller for the hot water and central heating. We can adjust the hot water schedule or heating temperature either by using the Google Nest app on our smartphones, or by speaking to the Google display in the kitchen, and can silence the smoke detector when we overcook the toast in the same way.

The functionality these ‘Things’ provide is extremely beneficial, but, like most ‘Things’, they come with default security settings that should be changed once they are installed. However, not everybody has the means or motivation to do this, leaving devices open to attack from digital intruders.

At a personal level, the outcome of an attack could range from embarrassing to costly, while at a medical level, for example, an intrusion could possibly have extremely serious consequences.

Artificial intelligence (AI)

Much of the discussion around AI is regarding its capabilities (both for good and for evil); there has been rather less discussion regarding the information security aspects of AI.

What exactly is AI? The Investopedia website,² which publishes financial information, defines it as referring to

the simulation of human intelligence in machines that are programmed to think like humans and mimic their actions. The term may also be applied to any machine that exhibits traits associated with a human mind such as learning and problem-solving.

In theory, this suggests that AI machines may make better judgements, recommendations and decisions than humans, and will invariably make them in a more time-efficient manner.

While this section does not go into the more detailed capabilities of AI, we do need to examine some of the issues raised by its use. Let us consider, then, just one of the many uses to which AI can be put – that of autonomous vehicles.

This is a subject close to my heart, since my wife and I now drive an all-electric car, which (the manufacturer claims) is ‘Car 2 Car’-ready,³ and therefore capable of driving itself autonomously as well as communicating with other similarly equipped cars. In fact, this use of AI is yet another example of the IoT.

I should say straight away that given the car’s current state of development, I would not dare take both my hands off the steering wheel, having experienced some of the AI functions built into it. However, leaving aside its drawbacks, let’s look at some of the information-related security aspects in the Car 2 Car context.

Firstly, there is the confidentiality aspect, in which the so-called ‘Infotainment’ system is connected by Bluetooth to my smartphone, and therefore has access to all my contacts.

From the integrity point of view, if an attacker was able to gain access to the car’s software, as has been reported in Wired magazine,⁴ they can – at least in theory – control almost any aspect of the car’s performance, the results of which could in fact be life-threatening. Now that the awareness level of this kind of threat has been raised, automotive manufacturers are beginning to take the security aspects very seriously indeed.

From an availability perspective, if the information contained or gathered by the car itself, such as performance, speed, direction and what obstacles are ahead, is missing for some reason (perhaps some form of instrumentation failure), then the car might not respond as quickly in the way it should, might even respond in a totally incorrect manner or might not respond at all. A sobering thought when a cyclist suddenly pulls in front of it!

The other aspect of the car’s information is that of correctness. If we have engaged the automatic cruise control facility, when our car leaves a speed-restricted zone (say 40 mph) and moves into a de-restricted zone, it will accelerate up to what it has been programmed to regard as an acceptable speed – say 60 mph. This is fine on a straight road, but very much the opposite when leaving our village, where the road has several sharp bends. Conversely, on entering a de-restricted zone, the car may ‘decide’ to drop its speed to 30 mph for a few seconds, which comes as something of a surprise to the driver of the vehicle immediately behind!

The manufacturer argues that these software bugs will be ironed out in the next software release (no date given), but our experience of the previous release is that they do not tell us what has changed or what improvements have been made, so we have no idea whether or not the problems have been fixed.

Another example of information security and AI is that of medical diagnosis and treatment. The use of AI in this area is widely hailed as having the potential to eliminate many diseases, and has already contributed greatly to scientists having a better understanding of viruses and how they replicate.

Consider for a moment the use of AI in identifying the size, shape and location of a prostate cancer tumour. The systems that analyse the magnetic resonance imaging (MRI) scans can be used by an AI system to inform the radiotherapy team exactly how to target the tumour while not impacting other vital organs nearby. If the integrity of this information were to be compromised, at best the treatment would be a failure but at worst it could result in further medical issues or worse.

A compromise of availability might mean that tests had to be rerun, causing a delay in treatment, which could well result in a worsening condition for the patient.

It is clear that the information used by AI systems may differ in some respects from routine personal and business information, but its safeguarding must be no less secure, and in some cases there is still a long journey ahead before the algorithms used are truly fit for purpose.

Remote working

Working from a location other than an organisation’s office or from an individual’s normal workplace – occasionally while mobile – began to be popular some years ago, but since the coronavirus pandemic struck in early 2020, the opportunity to permit staff to work remotely (usually from their home) became a major factor in organisations being able to continue their operations, albeit often at a reduced level.

Many organisations found themselves having to gear up for remote working with little experience of the technology needed to achieve it, and with even less of the information risks that remote working can bring about.

The issues they faced ranged from securing individuals’ personal computers (as opposed to company ones), provision of a secure communications infrastructure, storage of non-digital documents and access by other household members whether family or not, to educating the users about how to work remotely and securely. This also included ensuring that both the organisation’s central communications hub and the individuals’ homes had sufficient capacity and resilience to operate at the required level of performance.

There have been numerous examples in the media of people on videoconferencing calls whose partners appear on camera while inappropriately dressed, participants being unable to be heard or seen through lack of bandwidth, and other distracting noises or images. While some of this requires changes to business processes, there are strong links between them and information risk management.

THE BENEFITS OF TAKING ACCOUNT OF INFORMATION RISK

As we have seen, risk is inherent in any organisation or business, and failure to take account of risk in any context can be disastrous. This is also true of information risk, in which information that is critical to the survival of the organisation must be protected, or the consequences could be severe and the organisation could be subject to the same types of impact or consequence.

Information risk management, a subset of business risk management, addresses these issues in order to prevent them: having understood the business context, organisations identify risks, then analyse, evaluate and treat them.

There are two basic actions that can be used – firstly to reduce the likelihood and secondly to reduce the impact or consequence of adverse events. In either case, it is also necessary to limit the possible escalation of events so that matters do not deteriorate once they have begun.

Within the context of information risk management, organisations will need to budget for the prevention of disruptive incidents that would otherwise result in some form of impact, and, in those cases where prevention is either not possible or too costly, to budget for the costs of recovery from them.

The potential benefits to organisations of taking serious account of information risk are manifold:

  • There will be an improved view within the organisation of the information assets, their value and the degree to which they are protected.
  • There will be a noticeable decrease in the overall level of risk borne by the organisation.
  • There may well be a reduction in premiums for those information assets that the organisation insures when transferring or sharing the risk.
  • There will be an enhanced view of the organisation in the eyes of its various stakeholders and the media.
  • The organisation will be able to respond to and recover from disruptive events more quickly and more effectively.
  • There will be reduced levels of impact and loss when unexpected events occur.
  • The organisation will be able to claim commercial advantage over those of its competitors that do not follow an information risk management strategy.
  • Information risk management is a ‘must’ for organisations that are seeking certification against ISO/IEC 27001:2017 (Information security management systems) and/or ISO 22301:2019 (Business continuity management systems).

Capability Maturity Model

For those organisations that decide to invest seriously in information risk management, there is also the option of gaining additional benefit from following the so-called Capability Maturity Model (CMM),5 which can be used for almost any business function including information risk management.

The CMM consists of five levels of capability maturity:

Level 1 – Initial

Processes at this level are typically undocumented and in a state of dynamic change, tending to be driven in an ad hoc, uncontrolled and reactive manner by users or events.

Level 2 – Repeatable

Processes at this level are repeatable, possibly with consistent results. Process discipline is unlikely to be rigorous, but where it exists it may help to ensure that existing processes are maintained during times of stress.

Level 3 – Defined

Processes at this level are defined and documented as standard processes, established and subject to some degree of improvement over time. These standard processes are used to establish consistency of process performance across the organisation.

Level 4 – Managed

Processes at this level use process metrics. Management can effectively control the process and, in particular, can identify ways to adjust and adapt the process to particular projects without measurable losses of quality or deviations from specifications.

Level 5 – Optimising

It is a characteristic of processes at this level that the focus is on continually improving process performance through both incremental and innovative technological changes/improvements.

ISO/IEC 15504-2:2003 and COBIT 5®

Along similar lines, ISO/IEC 15504-2:2003 – Software engineering – Process assessment – Part 2: Performing an assessment defines a measurement framework for process capability. The identical generic process capability levels appear in COBIT 5:6

Level 0 – Incomplete

The process is not implemented, or fails to achieve its purpose. At this level there is little or no evidence of any systematic achievement of the process purpose.

Level 1 – Performed process

The implemented process achieves its process purpose.

Level 2 – Managed process

The previously described Performed process is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained.

Level 3 – Established process

The previously described Managed process is now implemented using a defined process that is capable of achieving its process outcomes.

Level 4 – Predictable process

The previously described Established process now operates within defined limits to achieve its process outcomes.

Level 5 – Optimising process

The previously described Predictable process is continuously improved to meet relevant current and projected business goals.

OVERVIEW OF THE INFORMATION RISK MANAGEMENT PROCESS

Figure 1.2 illustrates the generic information risk management process, found in a number of standards, including ISO/IEC 27005:2018, ISO 31000:2018 and IEC 31010:2019. While it is a useful aide-memoire, it is rather high level and does not show the more detailed steps involved. In later chapters of this book, we shall expand this diagram to explain the steps more fully.

At a very high level, the information risk management process consists of four key steps:

  1. The identification and qualification of inherent risk – that is, the risk that an activity would pose if no controls or other mitigating factors were in place.
  2. Decision-making regarding the most appropriate form of risk treatment for the risks identified in step 1.
  3. The application of suitable controls to achieve the objectives determined in step 2.
  4. The acceptance of any residual risk following the implementation of the controls applied in step 3.

Figure 1.2 The overall risk management process


Naturally, this process only scratches the surface of information risk management, and each of these steps is covered in much greater detail in the remaining chapters of this book.
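The four steps above, together with the two levers described earlier (reducing likelihood and reducing impact), can be made concrete in a small risk register model. The following is an added example, not code from the book: a Python risk register in which each entry carries an inherent likelihood and impact on assumed 1 to 5 scales (step 1), a list of controls that each pull one or both levers (step 3), a residual score derived from them, and an accept-or-treat-further decision against a stated risk appetite (steps 2 and 4). The scales, the banding thresholds (Low, Medium, High, Critical), the control reductions and the three register entries are all constructed for the example; a real programme takes them from its own risk criteria (Chapter 3) and business impact assessment (Chapter 4).

```python
"""Toy risk register model: inherent risk, treatment, residual risk, acceptance.

Added illustrative code; it is not from the book. The 1-5 scales, the banding
thresholds, the control reductions and the three register entries are
constructed assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE_MIN, SCALE_MAX = 1, 5                        # assumed qualitative scales
BANDS = ["Low", "Medium", "High", "Critical"]      # ordered, lowest first


def band(score: int) -> str:
    """Assumed banding of the likelihood x impact product (range 1..25)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Control:
    """A control pulls one or both of the two levers: likelihood or impact."""
    name: str
    likelihood_reduction: int = 0   # steps removed from the likelihood scale
    impact_reduction: int = 0       # steps removed from the impact scale


@dataclass
class Risk:
    ref: str
    asset: str
    threat: str
    likelihood: int                  # inherent: with no controls in place
    impact: int                      # inherent
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.ref}: {name} {value} outside {SCALE_MIN}..{SCALE_MAX}")

    def inherent(self) -> Tuple[int, str]:
        """Step 1: the risk the activity poses with no controls or mitigating factors."""
        score = self.likelihood * self.impact
        return score, band(score)

    def residual(self) -> Tuple[int, str]:
        """Risk remaining once the listed controls are applied (steps 3 and 4).
        Reductions are clamped so stacked controls can never push a scale below 1."""
        likelihood = max(SCALE_MIN, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(SCALE_MIN, self.impact - sum(c.impact_reduction for c in self.controls))
        score = likelihood * impact
        return score, band(score)


def decide(risk: Risk, appetite: str) -> str:
    """Accept residual risk at or below the appetite band, otherwise treat further."""
    _, residual_band = risk.residual()
    if BANDS.index(residual_band) <= BANDS.index(appetite):
        return "accept"
    return "treat further"


def review_register(risks: List[Risk], appetite: str) -> List[Dict[str, object]]:
    """One row per risk: the figures a risk register (Appendix F) would carry."""
    rows = []
    for r in risks:
        inh_score, inh_band = r.inherent()
        res_score, res_band = r.residual()
        rows.append({
            "ref": r.ref, "asset": r.asset, "threat": r.threat,
            "inherent": inh_score, "inherent_band": inh_band,
            "controls": [c.name for c in r.controls],
            "residual": res_score, "residual_band": res_band,
            "decision": decide(r, appetite),
        })
    return rows


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Risk("R1", "customer database", "ransomware", likelihood=4, impact=5, controls=[
        Control("patching and endpoint detection", likelihood_reduction=2),
        Control("offline, tested backups", impact_reduction=2),
    ]),
    Risk("R2", "laptop used at home", "theft or loss", likelihood=3, impact=4, controls=[
        Control("full-disk encryption", impact_reduction=3),
    ]),
    Risk("R3", "hosted payroll service", "supplier outage", likelihood=3, impact=5, controls=[
        Control("contractual SLA with penalties (transfer/share)", impact_reduction=1),
    ]),
]

if __name__ == "__main__":
    for row in review_register(SAMPLE_REGISTER, appetite="Medium"):
        print(f"{row['ref']}: inherent {row['inherent']} ({row['inherent_band']}) -> "
              f"residual {row['residual']} ({row['residual_band']}): {row['decision']}")
```

Running the script prints one line per risk. R1 drops from Critical to Medium because its controls act on both levers; R2 becomes Low because encryption removes most of the impact of losing the device; R3 stays High because transferring the risk by contract trims the impact only slightly and does nothing to the likelihood, so it is flagged for further treatment rather than accepted. The clamp in residual() stops stacked controls from reporting zero risk, which the model would otherwise do.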

The process itself begins with gaining an understanding of the context in which the organisation finds itself, and includes both the internal context – that is, strategies and policies from within the organisation itself – and the external context, which includes areas such as legal and regulatory constraints and so on. This is dealt with in greater detail in Chapter 3.

Once the organisational context has been established, the process continues with the risk assessment, which is broken down into three distinct phases: firstly risk identification, dealt with in Chapters 4 and 5; secondly risk analysis; and thirdly risk evaluation, the last two of which are both dealt with in Chapter 6.

Following this, the process takes us into the realm of risk treatment, which is discussed in Chapter 7, with risk reporting and presentation covered in Chapter 8.

At each stage, the steps are linked to communication and consultation, in which a dialogue is conducted with major stakeholders, and to the process of monitoring and review; both are covered in Chapter 9.

SUMMARY

Having now examined the more general aspects of information, hot topics, the capability maturity model and the information risk management process, we can move on to the remaining chapters in this book, which are organised as follows:

Chapter 2 – Review of information security fundamentals

This chapter includes a review of the basic concepts of information security fundamentals, the process of information classification and the Plan-Do-Check-Act model.

Chapter 3 – The information risk management programme

This chapter deals with the goals, scope and objectives, roles and responsibilities and governance of an information risk management programme, and information risk management criteria.

Chapter 4 – Risk identification

In this chapter, we deal with the approach to risk identification, how information assets and their owners are identified, how a business impact assessment (BIA) is conducted and the types of impact we might encounter, and discuss the pros and cons of qualitative and quantitative assessments.

Chapter 5 – Threat and vulnerability assessment

In this chapter, we describe how threat and vulnerability assessments are carried out and also examine how existing controls are assessed.

Chapter 6 – Risk analysis and evaluation

In this chapter, we cover the process of assessing the likelihood of risks arising and, by combining the likelihood with the impacts or consequences of a threat, calculate the relative levels of risk for each threat type. We then examine how the risk matrix is developed and evaluate the risks in terms of priority.

Chapter 7 – Risk treatment

This chapter discusses the approach to making risk treatment plans, and describes the four strategic, four tactical and three operational risk treatment options.

Chapter 8 – Risk reporting and presentation

In this chapter, we describe how to report and present the findings of the risk assessment process and explain the need for robust business cases.

Chapter 9 – Communication, consultation, monitoring and review

This chapter covers the importance of consulting stakeholders throughout the entire risk management process, the monitoring and review of the work undertaken, and how the risk management programme should continue.

Chapter 10 – The NCSC Certified Professional Scheme

In this chapter, we describe the National Cyber Security Centre Certified Cyber Professional (CCP) scheme, the Skills Framework for the Information Age (SFIA) levels and the Institute of Information Security Professionals (IISP) skills framework upon which the CCP scheme is largely based.

Chapter 11 – HMG security-related documents

This final chapter provides a detailed summary of the UK government approach to information risk management, and includes descriptions of:

  • Her Majesty’s Government (HMG) Security Policy Framework – the security of information;
  • the UK government security classifications.

Appendix A – Taxonomies and descriptions

In this appendix, we provide two useful taxonomies that can be used in information risk management:

  • information risk;
  • typical impacts or consequences.

Appendix B – Typical threats and hazards

Here, we discuss various types of threat and hazard, including malware threats, physical threats, misuse and abuse threats, social engineering threats, hacking threats, environmental hazards and, finally, threats caused by errors and failures.

Appendix C – Typical vulnerabilities

In this appendix, we examine various types of vulnerability, including those of communications and operations, people-related vulnerabilities, access control vulnerabilities, systems acquisition, development and maintenance vulnerabilities and physical and environmental vulnerabilities.

Appendix D – Information risk controls

In this appendix, we look at the three levels of controls, beginning with strategic controls – avoid or terminate, reduce or modify, transfer or share and accept or tolerate. We then move to the tactical level, which includes detective, directive, corrective and preventative controls. Finally we examine the operational level controls – procedural controls, physical controls and technical controls.

Appendix E – Methodologies, guidelines and tools

In this appendix, we provide a brief description of some of the more popular information risk management methodologies:

  • CORAS;
  • FAIR;
  • OCTAVE;
  • SABSA.

Appendix F – Templates

In this appendix, we provide a number of useful templates and guidance information that can be used in the information risk management programme:

  • impact assessment template;
  • threat/hazard assessment template;
  • vulnerability assessment template;
  • existing controls assessment template;
  • risk register template.

Appendix G – HMG cybersecurity guidelines

This appendix examines the main UK government guidelines for cybersecurity, including the:

  • HMG Cyber Essentials Scheme;
  • 10 Steps to Cyber Security.

Appendix H – References and further reading

This appendix provides the reader with a large number of information sources:

  • primary UK legislation;
  • good practice guidelines;
  • other reference material;
  • NCSC Certified Cyber Professional Scheme;
  • other UK government publications;
  • risk management methodologies;
  • UK and international standards.

Appendix I – Definitions, standards and glossary of terms

The final appendix provides the reader with a summary of the definitions, standards and glossary used throughout the book.

1 See ‘Amazon is watching, listening and tracking you. Here’s how to stop it’ (phys.org).

2 https://investopedia.com/.

3 https://car-2-car.org.

4 ‘Hackers Remotely Kill a Jeep on the Highway—With Me in It’, WIRED.

5 Details of the Capability Maturity Model may be found at: https://cmmiinstitute.com.

6 Details of the COBIT 5 attributes can be found at: https://cobitonline.isaca.org/about.
