During this COVID-19 pandemic we are experiencing a situation in which it is easy to intuitively appreciate the value of risk management, and how a prior, early assessment can help you make proper and timely decisions.
By analyzing the probability that new viruses with high contagion capacity appear and the impact they can cause (high mortality), it can be estimated whether or not there is a real risk to society. And with a more detailed analysis, in which the areas most exposed to contagion, the people most severely affected and the places with the fewest means are known, a risk map can be established to see the most vulnerable groups, where measures are already in place, and where it is necessary to take prevention or mitigation actions in case the risk materializes.
If we did a risk analysis evaluating people the way it is traditionally done in organizations, we would consider “people” as a single asset, to which threats and vulnerabilities are associated: age, exposure to the virus, previous pathologies, bad habits, etc. With that analysis we could only estimate whether or not there is a general risk and define a battery of mitigation measures that could reduce it. It would not help us to correctly identify the highest-risk groups or how best to apply mitigation measures to help them.
If we consider the “population” as a single element, we are associating all threats and vulnerabilities, as well as all impacts and probabilities, with society as a whole. But we know that not all people are equally vulnerable, and not all situations carry the same probability of infection.
Therefore, cases are evaluated individually: there are people with a greater probability of getting infected (workers and residents of nursing homes, doctors, nurses, police, etc.), people on whom the impact is greater if they get it (such as the elderly or people with previous pathologies), and the different factors can combine: a 70-year-old person with diabetes who works in a hospital is at much higher risk than a healthy 25-year-old working from home. For this reason, management and protection measures cannot be the same for different cases. And to know where and how measures must be implemented, we have to assess the risk in detail.
Likewise, we cannot treat people as a “general asset” in organizations, or stop at broad groups such as “administrators” and “users”. In the IT world, “servers” or “applications” are not considered a single asset; they are analyzed separately in more specific groupings (such as “web servers” or “financial applications”) and, in more mature cases, at the configuration item (CI) level, such as “purchasing portal web server” or “sales department accounting application”.
Similarly, people should be considered on a case-by-case basis, so as to know their characteristics, their vulnerabilities, the threats to which they are exposed and the impact if an incident occurs in their workplace, and thus determine the best actions to strengthen each one based on the information available.
In future articles, we will see how internal risk is managed with Kymatio, taking the human factor into account.
It is more necessary than ever to focus on the human factor. Contact Kymatio now to start preventing.