Welcome to the SecAware blog

24 Jan 2020

NBlog Jan 24 - information, data, knowledge And All That

On the ISO27k Forum lately we've been discussing something that comes up repeatedly, a zombie topic you could say since the discussion is never really settled to everyone's complete satisfaction. There's always more to say.

The discussion concerns the disarmingly simple phrase "information asset", used in some but no longer defined in any of the ISO27k standards. Among other things, we've discussed whether people/workers can be classed as information assets, hence information risks associated with people potentially fall within scope of an ISO27k ISMS.

Yesterday, Mat said:
"Knowledge is generally broken down into three different types - explicit, implicit, and tacit. When we are talking about classing employees as an asset or simply treating the information that they know as an asset, I think maybe this can be broken down further using these different knowledge types.
Explicit knowledge is knowledge that is easily transferable, can be recorded and stored. Things like standard work instructions, guides, procedures, policies. Due to the nature of this information, it seems obvious to class the information itself as the asset here - you can mitigate the risk of information loss simply by recording the information.
Implicit knowledge is the practical application of explicit knowledge. This can include knowing your way around a particular security product, or a particular piece of equipment. This type of knowledge is difficult to record, however, things like best practices are the best attempt although it's difficult to include the entire background knowledge of the best practice. Due to this, loss of this information is difficult to completely mitigate, and hence, I think the employee here could be classed as the information asset. The best mitigation is to keep the employee.
Tacit knowledge is the practical application of implicit knowledge. Examples of this are knowing not only a particular security product but how and why this product fits into your infrastructure. The small details which make the infrastructure whole - having the history of decisions and incidents which led to this point directly on hand. This type of knowledge is inherently most difficult to record and I think due to this, the employee would again be classed as the information asset. The best mitigation is to keep the employee."
That breakdown, described back in 1991 in the Harvard Business Review, makes sense in theory but things are rarely so neat and simple in practice. Information, data, knowledge And All That defies simplification.

Information that is ‘captured’ in some lasting physical form (Mat's ‘explicit knowledge’, captured in documentation, written words, diagrams, doodles, audio or video recordings, computer data, program code, emails, bloggings etc.) is never truly comprehensive or complete. Even War and Peace must surely have had parts where the author or editors trimmed it back, or decided not to go into details! However, once captured, information is more easily:
  • Stored
  • Communicated/passed on to others ... or withheld from them
  • Copied
  • Accumulated
  • Valued, sufficient for accounting, sales or other purposes
  • Disputed or challenged
  • Analysed
  • Expanded upon
  • Protected by intellectual property laws ... or pirated, plagiarized and disclosed inappropriately
  • Submerged, hidden, stolen, damaged/modified, garbled, deliberately mis-stated or destroyed in that physical form. It can certainly still be misunderstood or misinterpreted (ask any lawyer about the 'precision' of even formally-worded statutes and contracts!).
While physical storage media are not free, the real value of, say, a book or a computer disk comes from the information stored on it - the information content. I believe the same is true of people, particularly knowledge workers whose brains are more highly valued than their brawn.

Information that is presently ‘uncaptured’ (Mat's implicit and tacit knowledge) can still be withheld or communicated in an ephemeral form – such as someone shaking their head or nodding gently, or groaning, or clapping, or failing to step in and stop proceedings, when someone else is pondering some choice or decision. Those actions may never be permanently recorded or captured as such, just ephemerally observed (or missed!) by someone else.

Furthermore, the way or manner in which things are expressed is itself a form of information, meta-information you could call it. Shouting “STOP!!!” means something different to a muttered or whispered “stop”! The plain written instruction "Stop" leaves a lot unsaid ("Should I simply take my foot off the accelerator, or change quickly down through the gears, gently or forcibly apply the brakes or slam them on hard, deploy the parachute/anchor and brace for impact?").

Implicit and tacit knowledge includes 'thoughts', 'concepts' and 'ideas', ‘experience’, ‘expertise’, ‘understanding’, ‘comprehension’, ‘wisdom’, 'creative works' such as art and inventions … and more, much more. It includes the frameworks and patterns that organise and interrelate, link or distinguish things as part of 'the bigger picture', including both the narrow and the broader context. Generally, this all accumulates during a person’s life, for some more than others. Some bits can be taught and learnt, others have to be internalized, or drawn out and refined through practice, or appear to be inherent capabilities or innate skills. Try as I might, I will never be an Olympic gymnast, chess grand master or concert violinist … but I believe I have a reasonable grasp of information risk and security, picked up over the decades – and I enjoy passing it on and debating things here and elsewhere (e.g. in conversations, presentations, courses, books, websites, articles, reports, emails …), partly because I enjoy thinking about and expressing things, contemplating the topic and learning new stuff from other people, expanding my own knowledge-bank at the same time. It's give and take.

Specifically, Mat twice said “The best mitigation is to keep the employee.” There are several issues with that. For a start, not all knowledge workers or sources are employees. Some are paid advisors or contractors, teachers etc., some are colleagues, peers, gurus or ‘thought leaders’ in a much more general way. Where would we be without Google, eh? Secondly, and more importantly, simply ‘keeping’ employees is seldom sufficient. They (we!) are neither possessions nor pets. They need to be looked after, nurtured, rewarded, encouraged, challenged, given opportunities, pushed a little, cut some slack, guided, motivated, brought back in line, told to "stop waffling and get to the bloody point, Gary" and so on, in order to get the best out of them. This is far from easy for those managing 'knowledge workers', and for those whose knowledge seems to be locked inside them, out of reach, including people suffering stress and mental illness or ... whatever. The point is that we're all different, individuals, so a generic/simplistic approach is, at best, sub-optimal.

Circling back to the topic, in business and virtually all other contexts, information even in the form of intangible, ephemeral, implicit or tacit knowledge can obviously be an asset - something of value. If it's missing or damaged, we are poorer. Most of us make substantial efforts to gain it, even consciously investing in it. And, just like other investments, its value can vary: riskier investments generally offer higher returns but you may get back less than you invest.
“If I send my people on training courses to get better qualified, they’ll leave!” the reluctant manager explained. “Ah but”, said the wise advisor, “what if you don’t train them … and they stay?”
Is a worker the information asset, or is it their knowledge that is the information asset? Interesting question! Using Mat's breakdown:
  • Their explicit knowledge is already captured, making it available to exploit even without the person ... provided the knowledge capture is sound (accurate and complete - integrity properties) and available when needed;
  • Their implicit knowledge may be captured and then exploited so long as the person is there and is cooperating, and so long as someone (possibly the same person) has the inclination, resources and capacity to 'capture' it with integrity - which is far from certain;
  • Their tacit knowledge can be exploited but would be difficult or impossible to capture, or at least it would take an extraordinary effort to do so, and the worker must be available, willing to cooperate and able to disclose the knowledge or unable to prevent its disclosure.

The process of 'capturing' a worker's knowledge, then, turns out to have information security implications. There's much more to it than simply requiring the worker to "document what you do" or "write stuff down", especially as some of the most valuable knowledge is conceptual, complex, difficult to express in any form, particularly in writing (and here I am, struggling to express my thoughts and complete this little inconsequential blog piece!). Furthermore, knowledge that is valuable to the organization may well be of value to others, hence there are confidentiality aspects to it as well. Captured knowledge can be locked away in a vault but, oddly enough, workers generally resent being treated that way, their implicit and tacit knowledge becoming both harder to capture and less valuable during incarceration.

OK, that's more than enough rambling from me for now. I've got Things To Do, knowledge to capture and secure, animals to feed, a crust to earn ... but somehow I suspect I'll return to this topic more than once. Perhaps on my business card, I should call myself a "Zombie wrangler".
