Workshops — different perspectives and skill sets

There are many tools and techniques that can be used for working together, but we find that multi-disciplinary workshops are the most effective. They make sure that you’re seeing multiple perspectives and drawing on the different skill sets of each stakeholder.

Risks

A risk is a threat that can exploit a vulnerability in an information system. This results in an undesirable outcome that prevents, degrades or delays your organisation in achieving its business objectives.

Workshop for identifying risks

In this workshop, you and the participants discuss the sources of threats and their possible reasons for occurring. You may need to schedule a follow-up workshop to:

• describe the risk scenarios
• list the causes of each risk
• list the effects if the risks happen.

What can go wrong with workshops

You might miss identifying risks if:

• you have not included all stakeholders that are relevant to the information system
• people are not committed to setting up a successful risk assessment.

Setting up successful risk assessments

Sources of threats to an information system

Government organisations can decide if they need to create risk scenarios for each group or specific threats, or both.

Threat groups and their types

Individuals

• Employees or contractors
• Customers or clients
• Service provider employees or contractors
• Hackers
• Hacktivists or activists
• Criminals
• Terrorists

External organisations

• Service providers
• Hacktivist or activist groups
• Foreign governments
• State-sponsored action groups
• Organised crime syndicates
• Terrorist groups

Technical events

• Malicious code — for example, viruses and worms
• Defective code
• Equipment failure
• Failure of air-conditioning
• Loss of power supply

Accidental events

• Fire
• Water damage
• Major accident
• Destruction of equipment or media

Natural events

• Weather — for example, an electrical storm
• Earthquake
• Volcanic eruption
• Flood

Possible reasons for threats from individuals and external organisations

Government organisations can decide if it’s important to consider the intent of the threat source — their actions may be accidental, deliberate or malicious.

Individuals

Individuals might exploit a vulnerability in an information system to:

• minimise their effort to complete a process or procedure
• receive a financial gain
• seek revenge
• gain knowledge or information
• assert power
• achieve peer recognition and respect
• satisfy curiosity
• further political or social aims
• terrorise certain target groups or individuals
• enhance personal status with other individuals or groups.

External organisations

External organisations might exploit a vulnerability in an information system to:

• gain a competitive advantage
• achieve an economic advantage
• get a military advantage
• acquire a political advantage
• further political or social aims
• receive a financial gain
• terrorise certain target groups.

Other factors 

The motivation for individuals and external organisations exploiting vulnerabilities in an information system might be sped up or slowed down by other factors, such as:

• available equipment
• quality of equipment
• expertise
• experience
• opportunities being available — for example, an employee has full access to source code or an information system is exposed to the internet.