Monday, 8 September 2014

Chickens!

Why is it so hard to explain the business justification for managing information risk? I have an idea about how to explain this.

I've heard it said that information security isn't about the shark attack, but instead about being pecked to death by chickens. Let's look at that from a financial standpoint. The risk of a major incident is low enough, in people's minds, that it can be discounted (like a shark attack); the potential financial loss is huge, but it won't happen, so who cares?

The risk of minor information security incidents - hah, they're happening all the time! Everyone and their dog is getting dodgy emails from "their bank", or "the IT department", and a non-zero proportion of the recipients will click on the wrong link out of bad luck, curiosity or fear. Of these, some will type in their login details, or have their computers taken over, and there you go. Not a huge impact on the organisation as a whole, by and large, but some hours of someone's day used to sort this out (once they notice...). The user loses time; the IT department loses time; and the organisation loses a little money. Not much. Like a single peck from a chicken - uncomfortable, but you can handle it.

How many chicken pecks before you start to really hurt? If the organisation doesn't have a "central nervous system" to allow the cumulative effect of these incidents to be understood, then they won't react like a human who's being pecked many times - they'll react like a huge number of humans who are each being pecked once. Which is to say, they will be mildly uncomfortable, but not inclined to make major changes.

The irony here is that a good information security management system acts as a central nervous system; but without it, you don't realise that you need one.

So what is the solution?

It's easy and hard - you need to either take advantage of a shark attack (have your wish list ready to go BEFORE the shark appears) or start really small and work on it. You can work on both of these approaches simultaneously.
