1 Information as an asset
You’ll remember from Week 1 that, when thinking about computer security, it helps to think of information as an asset. Just like money in the bank, it is valuable, possibly irreplaceable, and crucially it can be lost or stolen.
When we think about our assets, traditionally we consider tangible things such as money, property, machinery and so on. Increasingly, it is recognised that information itself is an asset, crucial to adding value. In today’s digital world, it is apparent that information is the most important asset, for both businesses and individuals – just think of the value of music to a media company or a games program to a video game company.
Considering information as an asset allows us to create strategies for protecting information and minimising the consequences of any disaster.
As you have seen earlier in this course, digital information and data assets cover everything that can be stored, processed or transmitted through digital systems. This includes all such personal, business or other digital data anywhere in the world. Since 1990, the world has moved from one where most information existed in paper formats to one where the world predominantly transacts its business digitally.
Information security risk management assesses the value of information assets belonging to an individual or an organisation and, if appropriate, protects them on an ongoing basis.
Information is stored, used and transmitted using various media; some information is tangible, paper for example, and it is relatively straightforward to put in place strategies to protect this information – such as locking filing cabinets, or restricting access to archives.
On the other hand, some information is intangible, such as the ideas in employees’ minds, and is much harder to protect. Companies might try to secure information by making sure their employees are happy, or by legal means such as having contracts that prevent people leaving and going to work for a rival. However, note that some industries have blossomed simply because people could easily move and spread new ideas rapidly through many start-up businesses.
Imperatives and incentives
Information security risk management considers the process in terms of two factors: imperatives and incentives. Imperatives are pressures that force you to act. Incentives are the rewards and opportunities that arise from acting.
The imperatives for information security arise from legislation and regulation. Examples of legislative imperatives are the Computer Misuse Act and the Data Protection Act 2018, which is the UK’s implementation of the General Data Protection Regulation (GDPR) that we discussed last week. Regulatory imperatives include standards such as the Payment Card Industry Data Security Standard (PCI-DSS), which specifies how merchants should secure all card transactions.
The most important incentive is trust. People and organisations are more likely to work with other people and organisations who have secured their information. Establishing this trust requires that the parties involved examine each other’s information security practices to ensure that there are adequate safeguards to protect the information. One way of doing this is to show that the organisation has satisfied the requirements of standards such as PCI-DSS or the ISO27000 family of standards for designing and implementing information security management systems.
In the last few weeks, you have covered all of these aspects – you have learned about a range of threats that confront internet users, you have explored laws that have been drawn up to regulate information and you have seen how the internet is fundamentally underpinned by trust and how technologies such as encryption and signatures can help us feel secure. In the next section, you are invited to apply this to your own information assets.