Today, I'm meandering (rambling!) on from Friday's post about systematically managing outsider threats, returning to an older theme about using Probability Impact Graphs (PIGs) for both risk analysis and security awareness purposes.
One of the more unusual information risks on our radar for September's outsider threats awareness module is xenophobia - the fear of strangers. It has a deep biological basis: most animals naturally congregate and live with others of their kind, forming social groups (families, flocks, tribes etc.) while excluding those who are 'different' - most obviously predators. The differences aren't always obvious to us humans. Sheep, for instance, recognize each other more by sound and smell than by color.
Compared to other risks in this domain, xenophobia is fairly widespread, putting it roughly half way along the probability scale. But what of the business impacts of xenophobia afflicting employees? Hmmm, not so easy. As is often the way, the consequences depend on the circumstances or context in which incidents may occur. In this specific case, there may even be benefits (such as spotting possible intruders - corporate predators!) as well as adverse impacts (such as racism). Personally, on balance and bearing in mind the other outsider threats we're also concerned about, I'd put the impacts towards the bottom of the scale, putting xenophobia somewhere left of center on the generic Probability Impact Graph ...
... but it doesn't end there. How does the xenophobia information risk compare to others? I've shown just one other risk here of the 8 or so we have identified already as an indication of what we mean by 'information risk', and to illustrate the range. In our estimation, the risk of a "Targeted hack or malware attack" is slightly less likely than xenophobia but has a significantly higher impact on the organization if it does occur.
OK, are you with me so far? What are you thinking at this point? My guess is that you're either cruising along, going with the flow, or puzzling over the meanings, implications and positions of those two information risks. Maybe that prior almost incidental mention of racism has lit your blue touchpaper already, and maybe you don't consider xenophobia even remotely relevant to the topic at hand. Perhaps you would put xenophobia elsewhere on the PIG, or split it into various incidents with differing implications - and likewise with the other risk. Possibly you are confused over the meaning of xenophobia, or consider it something that insiders might have and therefore out of scope of the outsider threats topic ...
Fantastic! In terms of the key objectives of security awareness and training, the PIG is working nicely: it has set you thinking about the topic area, considering those two risks, comparing and contrasting them.
Now imagine there are another 6+ information risks plonked on the same PIG, described in fairly straightforward terms and analyzed subjectively in much the same manner, with similar issues and concerns arising ... and you'll appreciate the power of this technique, especially in a group setting such as a risk workshop or online discussion forum. It is both creative/stimulating and analytical/pragmatic, leading naturally into the discussions around what ought to be done about the information risks, particularly any in the red zone (clear priorities). It harnesses the group's expertise and experience, challenges prejudices and biases, and helps people contemplate quite complex matters productively.
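To make the mechanics concrete, here is an added example (my own illustration, not code from the original post) of a minimal PIG model: each workshop participant gives a subjective probability and impact estimate on a 0 to 1 scale, the group position is the median of those estimates, each risk is assigned to a green/amber/red zone, ranked, and plotted on an ASCII grid. The participant estimates, the zone thresholds and the two risk names' scores are constructed to reflect the post's qualitative placement (xenophobia mid-probability/low impact, the targeted attack slightly less likely but far higher impact); none of them are figures from the post.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # 0.0 (never) .. 1.0 (near certain)
    impact: float       # 0.0 (negligible) .. 1.0 (severe)


def consensus(name, estimates):
    """Combine several participants' (probability, impact) estimates into one
    plotted point. The median is used so a single outlier (a strongly held
    prejudice, say) cannot drag the group position on its own."""
    return Risk(name,
                median(p for p, _ in estimates),
                median(i for _, i in estimates))


# Constructed workshop estimates: three participants per risk.
# These are assumed values, not data from the original post.
SAMPLE_RISKS = [
    consensus("Xenophobia", [(0.50, 0.20), (0.60, 0.15), (0.40, 0.30)]),
    consensus("Targeted hack or malware attack",
              [(0.45, 0.85), (0.40, 0.90), (0.50, 0.70)]),
]


def score(risk):
    """Expected-loss style ranking value: probability x impact."""
    return risk.probability * risk.impact


def zone(risk, red=0.36, amber=0.15):
    """Map a risk to the PIG's traffic-light zone. Thresholds are assumed:
    a score of 0.36 (e.g. 0.6 x 0.6) or above is the red, act-now zone."""
    s = score(risk)
    if s >= red:
        return "red"
    if s >= amber:
        return "amber"
    return "green"


def prioritise(risks):
    """Highest-scoring risks first, i.e. the discussion order for the workshop."""
    return sorted(risks, key=score, reverse=True)


def render_grid(risks, size=5):
    """Render an ASCII PIG of size x size cells: probability on the vertical
    axis (top = most likely), impact on the horizontal axis (right = most
    severe). Each risk is plotted as its 1-based index in the input list."""
    cells = [["." for _ in range(size)] for _ in range(size)]
    for n, r in enumerate(risks, 1):
        col = min(int(r.impact * size), size - 1)
        row = min(int(r.probability * size), size - 1)
        cells[size - 1 - row][col] = str(n)  # flip so high probability is at top
    lines = ["P ^"]
    for rowcells in cells:
        lines.append("  | " + " ".join(rowcells))
    lines.append("  +" + "-" * (2 * size) + "> I")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_grid(SAMPLE_RISKS))
    for n, r in enumerate(SAMPLE_RISKS, 1):
        print(f"{n}. {r.name}: p={r.probability:.2f} i={r.impact:.2f} "
              f"score={score(r):.2f} zone={zone(r)}")
    print("Discuss first:", prioritise(SAMPLE_RISKS)[0].name)
```

The point of the median rather than the mean is the workshop dynamic the post describes: individual positions are still visible in the debate, but the plotted point is the group's, and only the red zone (here, the targeted attack) is flagged as a clear priority.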
I commend it to the house.