Everyone has to live with the decisions they make. Some are deep thinkers who analyse and take forever to make a decision, whilst others seem to decide on a whim with only minimal thought. Whatever the case, we will have to live with the consequences of our decisions and, at times, be able to justify why we made them in the first place. The question is whether we will remember the circumstances in which the decisions were made, and whether we will end up regretting them.
We have all seen various formulas for conducting risk assessments that include threat, vulnerability, likelihood and impact, but what about adding ‘regret’ as another factor?
At the end of any risk management process a decision needs to be made about whether or not the residual risk is acceptable. The final decision may be made by board members, a delegated security working group or even an individual on behalf of the company. In all cases, should the very final analysis be about whether or not there will be regret if things don’t go according to plan?
Living with the consequences
The Intelligence and Security Committee of Parliament stated in its Annual Report 2012-2013:
The threat the UK is facing from cyber attacks is disturbing in its scale and complexity. The theft of intellectual property, personal details and classified information causes significant harm, both financial and non-financial.
Given the threat, it is likely that successful attacks will happen from time to time despite best efforts to prevent them. When an attack has been successfully addressed and the dust settles, there are bound to be searching questions asked about how and why it happened:
- What was the target of the attack? Did those with ultimate responsibility understand the value of the assets that came under attack and did they realise they were at risk?
- Did they understand and accept the impact a successful attack was likely to have? It is likely that the actual impact was much greater than the impact originally stated. Why was this?
- What techniques were used to carry out the attack? Were vulnerabilities identified and controls (technical, physical, procedural and personnel) put in place to try and reduce those vulnerabilities?
- Were the controls working effectively? Who was responsible for checking?
- Were the residual risks understood and accepted, and if so, by whom?
If you were asked any of the above questions, would you regret the part you played or the decisions you did or did not take? The key test would seem to be whether you could say, hand on heart, that under the circumstances you did what you thought was right at the time.
If you don’t know the answers or struggle to justify any of the decisions, it is likely that you will have some regrets. The question is whether you can live with them.
Decision making and IRM
In the Information Risk Management (IRM) world, balancing risk against business benefit demands that accurate information is available to the decision makers so that the most appropriate choices can be made. Keeping track of which options were available and why certain routes were chosen over others is critical. When you then look back, the decision-making process is documented and justified, and when presented with the same information, the decisions are likely to be the same again. There should be no regrets!
More on IRM
Ascentor has written a comprehensive new guide to IRM, written especially for HMG suppliers. ‘Facing the Cyber Threat – An Information Risk Management Guide for Government Suppliers’ shows you how to protect sensitive information while meeting your business needs.
Article by Paddy Keating, Director/Government Service Manager at Ascentor.