--- November 08 - December 19, 2022 ---

Information Security Management

Module Reflection

The outcomes of routine or repetitive tasks tend to approximate certainty; in other words, they have a single outcome or possibility. I like to think about them as tangible tasks. Being tangible increases the comfort, confidence, and willingness associated with performing such tasks. However, often we are faced with intangible situations. Hence, they are subject to uncertainty; they have no measurable outcomes (Huettel et al., 2005).

Uncertainty itself could take different forms. If specific methods, like a history of previous experience, can manage it, this makes it less daunting. However, frequent unexpected changes can make the uncertainty uncertain or even “volatile,” necessitating repeated study and assessment for successful management (Bland & Schaefer, 2012).

One of the things I learned in my study and contemplation during the limited journey in the Information Security Management module is that information security management is not a hard science. Even after many years of development, it is still far from that. Frameworks, standards, and regulations make the task easier by providing definitions and listing policies and procedures that must be followed to achieve the desired level of security or compliance (Kirvan, 2021).

One side of the multi-faceted equation is the audience, customers, or stakeholders longing for a clear understanding of risks lurking around their businesses, willing to get help in the decision-making process of a planned event or having difficulty visualizing the risks or gains. Here I would like to reflect on my experience during the first summative assessment, which was about providing a consultation to a business willing to undergo digital transformation. I have learned that the risk assessment process is dynamic and interactive and needs input from different sources. As complex as it seems, it requires a solid return to the basics, i.e., thinking generally and breaking down complex structures into small pieces that can be dealt with individually.

Going back to Cathy, the manager of the “The Pampered Pets” store: Cathy's situation is like that of many who struggle with decision-making or with estimating and managing risks to their business. I tried my best to break down her business into small valuable pieces, i.e., assets as described by Alberts et al. (2005), after which I crafted threat profiles to model the risks facing her business as is and the expected risks or gains if she undergoes a digital transformation. However, I couldn’t wholly stand in her shoes. I was not too enthusiastic when I was asked to write a Python application to convince Cathy after I had spent a fair amount of time thinking about and drawing the threat profiles of her business using draw.io. Soon, however, I realized the need to think out of the box to provide a practical and interactive way that involves the stakeholders in the risk analysis, enhances the visualization of the outcomes, and decreases the burden caused by the repetitive task of re-evaluating valuable assets through the eyes of different viewers.

My involvement in part II of the summative assessment was valuable in that it increased my confidence in using programming skills to turn a rigid topic into a more enjoyable and practical experience. I transformed my risk analysis of Cathy’s business into an interactive one using the open-source Graphviz library (The Graphviz Authors, n.d). I wrote an application to draw threat profiles that included probability-impact scores. In addition, I could show the outcomes of the threat profiles in a color-coded form to help the viewer appreciate the risk through color, which is often used in risk matrices too (P. M. Training, 2022). The user can change the values and add additional assets in a simple JSON file format. This application can be reused for many risk assessment tasks and can be further enhanced to satisfy the needs of risk analysts and stakeholders.
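To make the idea above concrete, here is an added illustration of that kind of tool; it is not the author's application. It assumes a JSON shape of my own (assets, each with threats scored 1-5 for probability and impact), bands the product score as a simple 5x5 risk matrix would, and emits Graphviz DOT text directly so it runs without the Graphviz binary installed.

```python
import json

# Constructed sample input in the assumed JSON shape (not the author's file
# format): one entry per asset, each with its threats scored 1-5.
SAMPLE_ASSETS_JSON = """
[
  {"asset": "Customer records", "threats": [
     {"name": "Web shop data breach", "probability": 3, "impact": 5},
     {"name": "Laptop theft", "probability": 2, "impact": 4}]},
  {"asset": "Point-of-sale system", "threats": [
     {"name": "Ransomware", "probability": 2, "impact": 5},
     {"name": "Power outage", "probability": 1, "impact": 2}]}
]
"""


def risk_band(probability: int, impact: int) -> tuple:
    """Map a probability x impact product to a (band, fill colour) pair,
    using the same three colour bands a basic risk matrix uses."""
    for v in (probability, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"score {v} outside the 1-5 range")
    score = probability * impact
    if score >= 15:
        return ("high", "red")
    if score >= 8:
        return ("medium", "orange")
    return ("low", "green")


def threat_profile_dot(assets_json: str) -> str:
    """Render assets and their threats as colour-coded Graphviz DOT text.
    Each threat node is coloured by its band and points at its asset."""
    assets = json.loads(assets_json)
    lines = ["digraph threat_profile {",
             "  node [style=filled, fontname=Helvetica];"]
    for a_idx, a in enumerate(assets):
        asset_id = f"asset_{a_idx}"
        lines.append(f'  "{asset_id}" [label="{a["asset"]}", fillcolor=lightblue];')
        for t_idx, t in enumerate(a["threats"]):
            band, colour = risk_band(t["probability"], t["impact"])
            score = t["probability"] * t["impact"]
            node_id = f"{asset_id}_threat_{t_idx}"  # unique even if names repeat
            label = f'{t["name"]}\\nP={t["probability"]} I={t["impact"]} score={score} ({band})'
            lines.append(f'  "{node_id}" [label="{label}", fillcolor={colour}];')
            lines.append(f'  "{node_id}" -> "{asset_id}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the output to `dot -Tpng -o profile.png` to render it.
    print(threat_profile_dot(SAMPLE_ASSETS_JSON))
```

Editing the JSON is the only step needed to re-score or add assets, which is the reuse the reflection describes.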

Finally, I am so grateful for my experience during this module. It was too short for a topic like this, but it was a valuable introduction to many concepts of the risk management field that I needed to be aware of. Thank you, Dr. Millward!

References

Alberts, C., Dorofee, A. & Stevens, J. (2005) OCTAVE ® -S Implementation Guide, Version 1.0. Available from: https://resources.sei.cmu.edu/asset_files/Handbook/2005_002_001_14273.pdf [Accessed 27 November 2022].

Bland, A. R. & Schaefer, A. (2012) Different varieties of uncertainty in human decision-making. Front Neurosci 6(85).

Huettel, S. A., Song, A. W. & Mccarthy, G. (2005) Decisions under uncertainty: probabilistic context influences activation of prefrontal and parietal cortices. J Neurosci 25(13): 3304-11.

Kirvan, P. (2021) Top 10 IT security frameworks and standards explained. Available from: https://www.techtarget.com/searchsecurity/tip/IT-security-frameworks-and-standards-Choosing-the-right-one?vgnextfmt=print%20%5bAccessed%201%20July%202022%5d [Accessed 29 November 2022].

P. M. Training (2022) Simple Risk Assessment Matrix Template & Excel Example. Available from: https://pm-training.net/risk-assessment-matrix/ [Accessed 28 November 2022].

The Graphviz Authors (n.d) Graphviz. Available from: https://graphviz.org [Accessed 18 December 2022].