What is risk?

Privacy

 

Information Security (IS) basically refers to two concepts: security and information. Security being defined as the absence of unacceptable risks, implementing IS is all about identifying and prioritising threats and mobilising resources to adequately manage information-related risks. Informational Risk Management (IRM) aims more specifically to preserve or improve the quality of the informational assets (e.g. customer data, financial information, commercial secrets) of an organization in relation to its own expectations (e.g. confidentiality, integrity and availability) or to the expectations of its customers and stakeholders (e.g. protection of the privacy of customers). Security is implemented because technology applied to information creates intrinsic risks due to the nature of technology itself.

Risk is often defined as a combination of the probability of occurrence of a damage and its gravity. For Frank Knight, an early and significant author on risk management, risk refers to situations in which the decision maker assigns mathematical probabilities to the random events he faces. Risk is also defined as the variation in results (outcomes) that can occur over a predetermined period in a given situation. Risk is also a function of the distribution of the variance of the probabilities. The majority of definitions of risk integrate some element of subjectivity, according to the nature of the risk and the field in which the definition applies. I propose here an operational definition of risk based on ongoing research.

Risk is the probability of events or situations whose consequences are a diminution, discontinuity or dysfunction between what was expected and what happened in a predetermined timeframe.

Informational risk depends on unacceptability in relation to expectations of the value of informational assets, often declared prospectively within an organization. Expectations are established on the basis of policies, strategy and context (political, environmental, social, technological and economic).

Privacy is a human right, as described in Article 12 of the Universal Declaration of Human Rights (UN, 1948).

    No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

It is also mentioned in the International Covenant on Civil and Political Rights (Adopted 1966, entry into force 1976), Article 17:

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.

2. Everyone has the right to the protection of the law against such interference or attacks.

In Canada, the Canadian Standards Association produced the CSA's Model Code for the Protection of Personal Information. It sets out ten principles that balance the privacy rights of individuals and the information requirements of private organizations:

  info@leger.ca
©MarcAndreLéger, 08.04.2008 07:17:23 -0400