Understanding threat factors in information governance
June 20, 2022
MICHAEL IRENE, PhD
There is no doubt that in the modern information-flow era, where information informs much of what we do and how we make concrete decisions, there are threat factors that come with their own business implications. However, many stakeholders in small, medium and large enterprises still fail to consider these threat factors. This article focuses on five basic components necessary for one to understand these rubrics and how they apply to various organisations.
Imagine this scenario: a company’s CEO is kidnapped in a particular state. How would that impact the business? Most businesses, because they overlook uncertainty, often fall into the trap of acting after the fact. Threat acts must be considered, and scenarios must be created and prepared for. The question here is, for instance: what are the top five threats that can affect the business? This means understanding the possibility and plausibility of an act against an asset under the business’s protection, whether physical or technology-related.
Another factor to consider is the threat actors. There are areas in which people or entities would attempt to destabilise the organisation’s day-to-day activities. The onus, therefore, is on stakeholders to identify potential threat actors or, more often, categories of actors that can hinder the smooth flow of business operations. The focus here is on defining, interpreting and evaluating their intent and capabilities and how they would affect the business.
To understand the threat actors in a business, one must first understand the threat landscape. That means the business must focus on where threats are going to occur or are most likely to occur, what the impact has been, and the trends or issues that drive those threats closer to or further away from the organisation. This will help the organisation prepare and act in a timely manner should anything happen. Stakeholders can look industry-wide, curate information and gather intelligence on what is currently happening, and then make informed decisions and take informed steps.
Stakeholders can then consider threat intelligence, which includes the mechanisms, either internal or external, that gather and analyse facts. This can be data-driven, human-driven or based on observed facts. The main aim of threat intelligence is to gain critical insight into all aspects of a threat and to use these empirical data to build resilient systems.
One of the key activities is threat modelling. This encapsulates the “how” of the potential threat. It is a very smart way of taking all threat data, creating a model with the known components, and recreating the exact same threat in a test environment. Many call this “tabletop exercises”. This process not only gives the organisation a measure of how deep the threat’s effects could run but also provides unique perspectives that companies often overlook when considering threat areas. It is very common for these exercises to happen in the high-tech, transportation and medical industries, but they can be applied anywhere for the purposes of education and readiness.
Stakeholders, no matter the size of their organisation, should seek to understand the threat factors present in their current industry and take steps to prepare, inform, and provide guidance on how to build a threat-ready and threat-proof business.
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; Twitter: @moshoke