Every now and then I read something that makes me think “Wow”. The recent BBC News report of an operating system being developed and trialled which effectively runs a large part of our living environment was one of those moments. Thinking about it, the benefits could be immense: the sort of scale that has helped Living PlanIT and its CEO earn a reputation as pioneers, recognised by the likes of the WEF.
However, wherever there are benefits there are also risks. Information security risks, governance and assurance will all be in there. After all, what we’re talking about here is an urban management system which gathers and processes information, makes decisions on the basis of it and implements changes to everyone’s lives.
Resilience of such an urban operating system is an obvious concern, but other things spring to my mind as well: confidentiality of data, privacy of data subjects, integrity of the systems managing the urban environment, and the impact of implementing such a system, which in turn may introduce economic opportunities for cybercrime.
The centralisation of so many different management systems could prove a tempting target for cybercrime, nation states and activists. Bringing all these systems together means cybercriminals, and others, can focus their limited resources on far fewer systems, at a much lower cost but potentially with far greater returns.
One of the biggest barriers to the type of Armageddon you usually see in films like Swordfish is the distributed and heterogeneous nature of information and information systems. Many sets of data, on their own, don’t appear to amount to much; brought together, however, their value is, to coin a phrase, greater than the sum of their parts. One of the biggest challenges and costs for cybercriminals, and others, has been obtaining unauthorised access to and control over hundreds if not thousands of information systems. Reduce that to a central hub and the cost-benefit argument just gets even stronger.
It left me wondering whether any assessment of information security risks to urban management systems assesses the risk to data owners and society, and not just to the assessing organisation’s own resilience and security. I understand that the Data Protection Act requires businesses to conduct privacy impact assessments. However, I’m quietly confident that privacy impact assessments, known as PIAs, just aren’t being conducted. And, speaking from experience, most risk assessments I have audited, reviewed or been involved in have focused on the risk to those conducting the exercise, not the broader environment that an organisation operates within. I’m sure this point of consideration will be taxing some within these pioneering organisations.
Should a risk assessment limit itself to the impact on a business? Or should it incorporate the impact on society more broadly? If you have any thoughts about this then leave a comment.