InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
I have been diving since 2015 and am now a licensed instructor with the Professional Association of Diving Instructors (PADI). Diving is fundamentally a safe recreational activity, but it nevertheless remains an excursion into a hostile environment – underwater – and so it involves some risks. There are many parallels to IT security in this respect – especially when it comes to providing an IT service on the Internet. Both activities can be carried out safely if common precautions are taken – one of which is risk management. In this blog article, I show the various components that make up risk management and what we can learn from diving.
Risk management is the ongoing process of addressing risks holistically: identifying, recording, treating and monitoring them. In this blog post, I will discuss the four known risk treatments. These are risk acceptance (take no further measures), risk mitigation (take financially feasible countermeasures), risk transfer (such as insuring possible damage) and risk avoidance (discontinue the risky activity).
In the corporate environment, identified risks are recorded in what is referred to as the risk register, categorised by priority and each risk is assigned a risk treatment. The goal is to track, capture and minimise business-relevant risks over the time in line with the risk appetite that is acceptable to the company as set by the management (how much risk can we accept, how much do we want to risk?).
The risk timeframe in diving is usually short, for example assessing the water situation in terms of swell and current – though this isn’t usually a significant risk factor in Swiss lakes. However, some measures do have a longer-term dimension, especially risk mitigation.
I can generally minimise the risks involved in diving by improving my skills, for instance by diving regularly or taking further training courses and making sure that my equipment is serviced at appropriate intervals by professionals in diving shops. Of course, there are shorter-term risk mitigation measures, such as reacting to lower water temperatures by diving with a thicker wetsuit or even a dry suit. Here the transition to risk acceptance can be fluid, for example if the water temperature on the planned dive is only below expectations at the deepest point, but is bearable for a few minutes. If so, I can accept this situation, but as usual in risk management, I have to monitor things in order to be able to react in an emergency. If my body indicates through shivering that the temperature is too low, I need to come up to a shallower position where the water is warmer.
A frequently misunderstood type of risk treatment is risk avoidance. As already explained, risk avoidance means not engaging in an activity. But what does that mean exactly? Another useful comparison is that diving is not a competitive sport. If a person feels physically unable to do the planned dive, it is in their own interest as well as in the interest of all involved (dive buddies, lifeguards etc.) to exercise caution and not do the dive – that’s risk avoidance! In other words, I consciously avoid the risk of being injured during a dive by sitting it out and waiting until I am fit enough to dive again. Recognising this situation and reacting with the risk-avoidance strategy is not weakness, but can be life-saving in this case.
In the business environment, risk avoidance requires a greater degree of decision-making, potentially at the executive level. This can have an impact on business strategy and may also require a reorientation of business areas or projects – even if investments have already been made – because of a changed threat level.
One example of misunderstood risk avoidance that I have encountered in my practical professional life was during a risk assessment of an IT service:
Attentive readers will have already noticed what is obviously wrong here: apart from the fact that the measure listed is not a real measure, the risk treatment (avoidance) does not fit the measure. As long as an API is externally accessible, there is always a chance that it can be hacked via a vulnerability. If risk avoidance is indeed the desired risk treatment, then the logical consequence would be to prohibit all external access to the API. This means that the API would have to be removed – other measures such as making the API only accessible via VPN are no longer part of risk avoidance.
Finally, we have risk transfer. In business, it is possible to protect oneself from financial loss through insurance or an indemnity clause in a contract – an option that should be carefully considered if there is a low probability of a risk occurring, but the extent of the damage would be unacceptably large.
Unsurprisingly, insurance for instructors is not an option, it is a “must” and it must cover the students as well.
How can InfoGuard support you in risk assessments or risk management?
InfoGuard has consulting specialists who are certified in risk management, for example ISACA CRISC, or have many years of experience with risk frameworks such as ISO/ISE 27005. In line with our mission statement “We do everything we can to keep our clients safe”, we will be happy to offer you tailored advice to identify your specific needs and requirements in the area of risk management. Contact us for a free consultation!