The place to start in considering information risk is a paper by Blakley, McDermott and Geer entitled Information Security is Information Risk Management, published in 2002. In the introduction the authors state that “Information security is important in proportion to an organization’s dependence on information technology. When an organization’s information is exposed to risk, the use of information security technology is obviously appropriate. Current information security technology, however, deals with only a small fraction of the problem of information risk. In fact, the evidence increasingly suggests that information security technology does not reduce information risk very effectively.” The situation is still the same. Information risk is taken to be the responsibility of IT, primarily because of the need to ensure that internal networks cannot be hacked and that internal information is not inadvertently lost or transmitted through (for example) the loss of a laptop or mobile device. These are important elements but in addition there is the extent to which an organisation is at risk because information is not of sufficient quality or information cannot be found when required. The result is that the British Computer Society can publish a book on Information Risk Management without reference to either of these challenges. Moreover the author emphasises the need for an information audit but gives no advice on how this can be achieved.
Many models of information risk management have emerged over the last decade. These include FAIR (Factor Analysis of Information Risk), TIRQ (Total Information Risk Management) and IRAM2 (Information Risk Assessment Methodology 2) . There are many others. However the emphasis of all these models is based on the approach to information security management taken by the International Standards Organisation in the ISO27000 series of standards on Information Security Management. Although the glossary for these standards has just been revised the focus remains on developing and implement a robust framework for managing the security of their information assets, including financial data, intellectual property, employee details, and information otherwise entrusted to them by customers or third parties. The situation in the USA is no better, though there is a Society of Information Risk Analysis. One of the top US industry associations, the CEB, has a 27 element information risk framework with no reference to information quality or accessibility issues.
None of the information risk assessments that I have come across take account of the impact of not being able to find information, or not having information of an adequate quality. To give just one example, when the Millennium Bridge across the River Thames in London was opened in 2000 it had to be closed quite quickly because as people walked across it the bridge started to sway. It took two years and £5m to rebuild the bridge suspension structure. A report was commissioned from the Engineering Department of Cambridge University. This report shows that this was a known problem but the designers of the bridge were not aware of the research that had been carried out. Apart from the cost the impact on the reputation of the design team was quite considerable. Probably the definitive case study is when Volkswagen found it could not identify any of the documents relating to the changes made to its cars so that they passed emission standards, a situation which will cost the company billions of dollars in fines and lost business. In effect the main risk for information risk management is that inadequate attention is being made to the risks around information findability within the organisation.