So what is risk, especially relating to IT and information? Simply, it is the intersec-tion of assets, threats and vulnerabilities, although things are rarely simple.

To provide a basis for risk management prioritisation, some will try and make qualitative or quantitative calculations, using whatever data is at hand, although frequently end up with little more than educated guesses.

AssetsThese are the things you value and may wish to try and protect, including people,

property (tangible and intangible), information and data. This includes your reputation, proprietary information, databases, code, sensitive records, equipment and services. All assets can be assigned a value and this can help inform the effort you make in protecting them, if they are under your control.

ThreatsThese are the things that might affect your assets, exploiting a vulnerability (accidentally or intentionally), to access, change, damage or destroy them.

The threats may range from non-malicious staff stumbling over a flaw, through to highly resourced and motivated state actors intentionally targeting assets and creating or exploiting weaknesses to effect undetected access.

VulnerabilitiesThese are weaknesses that a threat can exploit to compromise an asset. They can be at the people, processes or technology level and the intent of the person, process

INFORMATION SECURITY

or program exploiting a flaw to gain unauthorised access to an asset is irrelevant to the vulnerability. Most of these are down to software coding errors, and lack of analysis and testing, although some are deliberate and insidious.

Risk needs to be managed within acceptable limits, and understanding your assets, threats and vulnerabilities is a necessary first step.

www.bcs.org/security

Gareth Niblett, Chairman of the BCS Information Security Specialist Group, examines risk and how we can deal with it.

Information Security Specialist Group (ISSG):www.bcs-issg.org.uk

Information Risk Management and Assurance Specialist Group:www.bcs.org/groups/irma

BCS Security Community of Expertise (SCoE):www.bcs.org/securitycommunity

FURTHER INFORMATION

THE RISK BUSINESS

doi:1

0.10

93/i

tnow

/bw

u041

©20

14 T

he B

ritis

h Co

mpu

ter

Soci

ety

Imag

e: D

igita

l Vis

ion/

dv61

7043

24 ITNOW June 2014

Are you ready for the next wave of computing?Our Next Wave whitepaper series examines the technological trends set to impact business and the skills of the workforce.

bcs.org/nextwave

BC81

0/LD

/AD/

0514

© BCS, The Chartered Institute for IT, is the business name of The British Computer Society (Registered charity no. 292786) 2014

Next

BC810_ld_ad_itnow_fp_ma.qxp 12/05/2014 16:17 Page 1