Ensuring Transparent Risk Conversations: Separating Classification from Assessment
Prof. Neil Curtis
Coaching the Best Military & Police Veterans to Dominate the Cybersecurity Battlefield. Professor Cybersecurity | Chief Security Officer | Chief Information Officer | Top 30 Global Cybersecurity Influencers 2024/25
As cybersecurity experts, we are often asked to assess and communicate potential risks to stakeholders within an organisation. However, sometimes the conversation can hit a roadblock when certain information is classified. In this article, we'll explore why it's important to separate the classification of information from the assessment of risk and provide examples of how this distinction can impact decision-making and communication within an organisation.
Classifying Information vs. Assessing Risk
When discussing potential cybersecurity risks, it's important to distinguish between the classification of information and the assessment of risk. Classification designates data by its sensitivity (confidential, secret or top secret, for example) so that it is protected and accessible only to authorised individuals. Classification therefore says something about the impact of disclosure, but nothing about how likely a compromise is: it does not tell you what vulnerabilities exist in the system holding the data, who is trying to get at it, or whether the controls around it actually work.
Assessing risk, on the other hand, involves identifying the vulnerabilities in and threats to an organisation's assets and infrastructure, and determining the likelihood and impact of a security breach. Risk assessments inform decision-making and the prioritisation of security measures, and should be repeated regularly to account for changes in the threat landscape, in the systems themselves and in the controls protecting them.
Avoiding the "Classified Risk" Excuse
When the classification of information is used as an excuse to avoid discussing potential risks, it leads to a lack of transparency and a limited understanding of the threat landscape. This makes it difficult for stakeholders to make informed decisions about how to allocate resources and prioritise security measures. It can also create a false sense of security, where stakeholders assume that classified information is inherently secure simply because it is classified, regardless of the vulnerabilities and threats it is actually exposed to.
For example, if a security team identifies a potential vulnerability in a classified system, they may be hesitant to raise it with other stakeholders because of the sensitivity of the system. Yet the existence of a risk, its likelihood and its business impact can usually be communicated without revealing the classified specifics. If the risk is not discussed at all, the organisation may miss the opportunity to implement appropriate security measures or allocate resources to mitigate it.
The Importance of Separating Classification from Assessment
Separating the two does not mean ignoring classification. Used properly, classification feeds the impact side of the risk assessment: the more sensitive the information, the greater the consequence of a breach. When the assessment is informed by classification in this way, rather than replaced by it, appropriate security measures can be put in place and risks mitigated effectively. The result is a more comprehensive and effective cybersecurity strategy, where resources are allocated based on both the potential impact of a security breach and the likelihood of it occurring.
Another benefit of separating the classification of information from the assessment of risk is that it facilitates communication between different stakeholders within an organisation. For example, if a security team identifies a potential risk associated with classified information, they can communicate it to other stakeholders, such as senior management or legal counsel, without disclosing the classified details themselves: a statement such as "a critical, externally exploitable vulnerability in a system holding secret data has been unpatched for 90 days" conveys likelihood and impact without revealing what the system is or what it holds. This helps ensure that everyone is aware of the potential risks and can make informed decisions about how to mitigate them.
Reviewing and Adjusting the Classification of Information
It's important to note that the classification of information is not static and should be reviewed regularly to ensure that it is still appropriate. As the threat landscape evolves and new vulnerabilities are discovered, the classification of information may need to be adjusted to reflect these changes. By regularly reviewing the classification of information and assessing the associated risks, organisations can ensure that they are prepared to respond to new and emerging threats.
Conclusion
When it comes to cybersecurity risk, it's important to classify information appropriately, but not to use classification as an excuse to avoid discussing potential risks. By separating the classification of information from the assessment of risk, organisations can ensure that appropriate security measures are in place and that risks are mitigated effectively. This leads to a more comprehensive and effective cybersecurity strategy, where resources are allocated based on the potential impact of a security breach and the likelihood of it occurring. Regularly reviewing and adjusting the classification of information helps organisations stay ahead of emerging threats and keeps their security measures appropriate and effective.
As cybersecurity experts, it's our responsibility to help organisations understand the importance of separating the classification of information from the assessment of risk. By doing so, we can help ensure that decision-making is informed by a comprehensive understanding of the threat landscape and that appropriate security measures are in place to protect against potential breaches.
Consultant: Problem Solver, Cyber security intern (1 year ago)
Cyber Champion! Well said. Keep up the great work. Well done.
Digital Accessibility Remediation | Website Designer | Army Veteran (Ret) | Travis Mills Foundation Ambassador | MG News Columnist & Forums Moderator | TREND Communities Ambassador | Disabled Business Owner (1 year ago)
Joe Mayo - thoughts?