Information security revolves around reducing unacceptable risks to information, in particular
significant or serious risks which generally involve especially valuable,
sensitive, critical, vital or irreplaceable information. Those are the ‘information assets’ most worth
identifying, risk-assessing and securing.
That seems straightforward, but it is more complicated than it sounds for many reasons, e.g.:
- Information exists in many forms, often simultaneously e.g. computer
data and metadata (information about information), knowledge, paperwork,
hardware designs, molds, recipes, concepts and ideas, strategies,
policies, understandings and agreements, experience and expertise, working
practices, contacts, software, data structures, intellectual property (whether
legally registered and protected or not) … any of which may need to be secured;
- Information is generally dynamic, hence there is a timeliness
aspect to its value (e.g. breaking vs old news, forthcoming vs published company
accounts);
- Information is usually context-dependent – its meaning and
value arise partly from relationships to other supporting or related information
(e.g. '42' may mean many things, even the product of six times nine);
- Information is often diffuse and hard to identify, evaluate, contain/pin-down
and secure – it’s cloudy and “it wants to be free”;
- Information that is too tightly secured loses its value,
since its value comes from its legitimate exploitation or use, timeliness,
expression and communication/sharing i.e. its availability;
- Some information has negative value (e.g. fake news,
subterfuge, malware), which makes integrity important – and that’s another
complex concept;
- Severe threats, vulnerabilities or impacts increase the probability
or impact of serious incidents, even if the information itself does not
seem particularly special (e.g. a faulty 10 cent rivet can bring down a plane);
- Some information risks are significant because of impacts primarily to third parties if the information is compromised. This includes valuable information belonging to third parties and entrusted to the organization (such as personal information and proprietary information/trade secrets/intellectual property) and various incidents with environmental or societal impacts (e.g. intelligence info about weapons capabilities). If incidents occur, there may be secondary impacts to the organization (such as noncompliance penalties and breakdowns in business relationships or brands) which can be hard to value (partly it depends on the third parties’ and other external reactions to incidents, partly on the accountability aspect).
There’s a lot there to take into account, and that’s not even an exhaustive list! In practice, though,
there are some obvious shortcuts (e.g. a hospital is bound to need to
address risks involving its health and business information, and “good practice” controls
are applicable to most organizations) and the Keep It Simple, Stupid approach
makes an excellent starting point – way better than putting all available
resources into risk identification and analysis, leaving too little for risk
treatment and management.