The following bullet-points were inspired by another stimulating thread on the ISO27k Forum, this one stemming from a discussion about whether or not people qualify as "information assets", hence ought to be included in the information asset inventory and information risk management activities of an ISO27k ISMS. It's a crude list of people-related information risks:
- Phishing, spear-phishing and whaling, and other social engineering attacks targeting trusted and privileged insiders;
- ‘Insider threats’ of all sorts – bad apples on the payroll or at least on the premises, people who exploit information gained at work, and other opportunities, for personal or other reasons to the detriment of the organization;
- ‘Victims’ – workers who are weak, withdrawn and easily (mis)lead or coerced and exploited by other workers or outsiders;
- Reliance on and loss of key people (especially “knowledge workers”, creatives and lynch-pins such as founders and execs) through various causes (resignation/retirement, accidents, sickness and disease, poaching by competitors, demotivation, redundancy, the sack, whatever);
- Fraud, misappropriation etc., including malicious collaboration between groups of people (breaking divisions of responsibility);
- Insufficient creativity, motivation, dynamism and buzz relative to competitors including start-ups (important for online businesses);
- Excessive stress, fragility and lack of resilience, with people, teams, business units and organizations operating “on a knife edge”, suboptimally and at times irrationally;
- Misinformation, propaganda etc. used to mislead and manipulate workers into behaving inappropriately, making bad decisions etc.;
- Conservatism and (unreasonable) resistance to change, including stubbornness, political interference, lack of vision/foresight, unwillingness to learn and improve, and excessive/inappropriate risk-aversion;
- Conversely, gung-ho attitudes, lack of stability, inability to focus and complete important things, lack of strategic thinking and planning, short-term-ism and excessive risk-taking;
- Bad/unethical/oppressive/coercive/aggressive/dysfunctional corporate cultures, usually where the tone from the top is off-key;
- Political players, Machiavellian types with secret agendas who scheme and manipulate systems and people to their personal advantage and engage in turf wars, regardless of the organization as a whole or other people;
- Incompetence, ignorance, laziness, misguidedness and the like – people not earning their keep, including those who assume false identities, fabricate qualifications and conceal criminality etc., and incompetent managers making bad decisions;
- Moles, sleepers, plants, industrial spies – people deliberately placed within the organization by an adversary for various nefarious purposes, or insiders ‘turned’ through bribery, coercion, radical idealism or whatever;
- People whose personal objectives and values do not align with corporate objectives and values, especially if they are diametrically opposed;
- Workers with “personal problems” including addictions, debts, mental illness, relationship issues and other interests or pressures besides work;
- Other ‘outsider threats’ including, these days, the offensive exploitation of social media and social networks to malign, manipulate or blackmail an organization.
It's just a brain-dump, a creative outpouring with minimal structure. Some of the risks overlap and could probably be combined (e.g. there are several risks associated with the corporate culture) and the wording is a bit cryptic or ambiguous in places. I'm quite sure I've missed some. Maybe one day I will return to update and sort it out. Meanwhile, I'm publishing it here in its rough and ready form to inspire you, dear blog reader, to contemplate your organization's people-related information risks this weekend, and maybe post a comment below with your thoughts.
For the record, I believe it is worthwhile counting workers as information assets and explicitly addressing the associated information risks such as those listed above. You may or may not agree - your choice - but if you don't, that's maybe another people-related risk to add to my list: "Naivete, unawareness, potentially unrealistic or dismissive attitudes and unfounded confidence in the organization's capability to address information risks relating to people"!
Have a good weekend,