Information Risk Management

A practitioner's guide

David Sutton

About This Book

Information risk management (IRM) is about identifying, assessing, prioritising and treating risks to keep information secure and available. This accessible book is a practical guide to understanding the principles of IRM and developing a strategic approach to an IRM programme. It is the only textbook for the BCS Practitioner Certificate in Information Risk Management and this new edition reflects recent changes to the syllabus and to the wider discipline.



1 THE NEED FOR INFORMATION RISK MANAGEMENT

In this first chapter of the book, we shall set the scene for the later chapters by focusing on what information actually is and how it is produced or obtained, why we should manage the risks to information, the legal framework surrounding information, and the context of risk within organisations.
We shall take a brief look at some of the hot topics in information risk management, including the Internet of Things and remote working, before discussing the benefits of information risk management and some of the processes by which it can be achieved.
WHAT IS INFORMATION?
Before we begin to examine the need for information risk management, it is important to understand what the difference is between information and data.
Superficially, this appears to be quite straightforward – data are merely unstructured facts and figures, whereas information consists of data that are organised into a meaningful context. For example, the temperature, wind speed and direction, rainfall and atmospheric pressure readings taken twice daily in towns and cities around the country are just data. It is only when they are recorded together, and along with those readings of previous days, that the data are placed in context and begin to have meaning, allowing meteorologists to examine trends and develop a weather forecast. It is at this point that the data have become organised and structured and can now be seen as information.
Although I have drawn the distinction between the two, for the purposes of this book I shall deal with them both under the heading of ‘information’, since both data and information will have value to their owners and must be equally protected, although the owner of the original data and the owner of the resulting information may be entirely different entities.
Information can exist in two different states: physical, with information recorded on paper, film, paper tape, canvas, pieces of clay with cuneiform indentations and notches in tally sticks; and virtual, with binary ones and zeros stored on magnetic media or other types of electronic memory device.
Information also comes in two distinct forms. Firstly, there is information that describes or lists other information, such as a catalogue or index, and is often referred to as ‘metadata’. Secondly, there is information that is something in its own right, such as a novel, a software application or the formula for a new medicinal drug. All have value to their owner or originator, and indeed may either be of a personal nature, in which case it might be subject to data protection legislation, or may be IP (intellectual property), in which case copyright or trademark legislation will apply.
It is not my intention to deal in any depth with either of these two aspects of legislation since each could easily be the subject of a book in its own right, but you should be aware not only of their existence and general content, but also that they need to be taken into account when developing an information risk management programme.
Recent revelations regarding the organised interception and mining of information by various security agencies have raised awareness at all levels of society of the need to take greater care of our information, but we should not be at all surprised by the extent to which this so-called ‘snooping’ takes place, or by the fact that these agencies are able to carry it out.
This problem lies in the distinction between the need to maintain national security and the need to gather sufficient information to be able to do so. Security agencies such as the National Security Agency (NSA) in America and Government Communications Headquarters (GCHQ) in the UK were set up precisely to carry out this kind of work, so it should not come as a shock to anybody that they are doing it, nor that they are very successful at doing so, albeit subject to strict legal undertakings, at least in theory. What should be more worrying is that other nations’ security agencies may be able to undertake similar surveillance and interception and may use the resulting information gathered for nefarious purposes.
Then there is the question of so-called ‘Big Data’, in which organisations – both commercial and governmental – collect vast amounts of information on us as individuals. Every time we use a credit card to purchase goods, the credit card agency gathers a little more information about us. This has positive benefits as well as negative connotations; for example, if a transaction falls outside your ‘normal’ spending profile, the credit card agency can contact you to verify that your card is still in your possession and has not been used fraudulently.
On the other hand, of course, supermarkets may target us with advertising and promotions as a result of aggregating information gained from our loyalty cards, which may or may not be something to be happy about, since they now know more about our spending habits than we do!
A recent investigation¹ into how much Amazon knows about us unearthed some interesting and somewhat alarming results – not only about how much use they make of our browsing and spending habits, what films we watch and what music we listen to, but also about how many data their ‘Ring’ doorbell/video camera records, and what they are able to infer from our commands to the ‘Alexa’ devices.
Similar concerns revolve around Google’s ability to monitor our habits and movements when we use their search engine or ask the Google ‘Home’ devices for information. Both Alexa and Google Home additionally allow us to control aspects of our homes – lights, sockets, closed-circuit television (CCTV), baby monitors and central heating, all from one application on a smartphone.
All this may be extremely useful to us as users, but continues to raise questions over whether others are learning more about us than we might care for them to know, and whether they could ultimately take at least partial control over certain aspects of our lives.
In the UK, there is an ongoing and often heated debate about the use of network infrastructure from the Chinese company Huawei. On the one hand, there is the fear that their possible links with the Chinese government might enable it to have unwanted influence on our lives, including unfettered access to more sensitive information. On the other hand, its cost to the network operators may be significantly lower than that of other suppliers, allowing them to keep call charges to users at a lower rate. The view at the time of writing is that Huawei will be allowed to provide some of the fifth-generation mobile network infrastructure, while the more sensitive ‘core’ of the networks will be closed to them.
Whatever the situation, we sometimes do not treat our own or other people’s information with sufficient care, and the consequences of this can be severe. When scaled up from a personal to an organisational level, the consequences can be catastrophic, and it is hoped that this book will enable you to take a proactive position in preventing this from happening.
Finally, we should make the distinction between information that is about what we do, and information about who we are. Information about what we do could cover such things as where we spend our money, what our audio and visual entertainment preferences are, what we view on the internet, what we say online and anything that can be recorded about actions we have undertaken.
Information about who we are will include those so-called immutable attributes. These are absolute facts and can never be altered. They include such things as our biological parents, our biometrics (for example, iris scan, fingerprints or DNA) and where and when we were born.
Next there are so-called assigned attributes such as our nationality, names, national insurance number or title. These are generally the attributes that people and organisations rely upon to identify and communicate with us, and rarely change.
Finally, there are other related attributes, which, while being a part of our personae, are more easily changed, but still allow people and organisations to identify and communicate with us, and which may be used in identity verification, such as usernames and passwords, email addresses, memberships, qualifications and entitlements.
Many of these types of information are almost impossible to conceal since they are a matter of public record and generally speaking we are happy to make them available – indeed, it is often in our interests to do so, although there are some that we would naturally not make publicly available. For example, we are usually happy to give someone our email address, but at the same time we would not let them know the password to the email account.
The information life cycle
It is easy to imagine that information is ‘just there’, but it must be created in the first place, and then generally follows a set path, as shown in Figure 1.1.
Figure 1.1 The information life cycle
The creative process begins with some form of research, design or discovery, which allows the creator to record the information in some form, whether in hard copy or electronically, and then to store it in some way. In some situations, the information may be processed, either to manipulate it into a form that others can easily access, or to make it more useful by enriching it in some way, perhaps by amalgamating it with other information.
The process continues with use, either by the information’s creator alone, or more frequently by others, whether individually or collaboratively, at which point it can be widely shared, either within a contained environment or publicly.
At some stage, the information may become out of date but still be required as a time-based reference, in which case it will be archived. Eventually, the information will become completely redundant, at which point it can safely be disposed of or destroyed, or may be updated and recycled as new information.
At each stage of this life cycle process there will be the need to ensure that the information is adequately protected from accidental or deliberate loss, change or destruction, hence the need for information risk management.
WHO SHOULD USE INFORMATION RISK MANAGEMENT?
Quite simply, any part of an organisation can and should m...
