Realization of Perfect Information - how it presents more risks to those creating value
In the world of economics there is a concept called Perfect Information. It refers to the idea that in some markets you can assume everybody has the same information. For example, the market value of a publicly traded stock rarely changes by large amounts from one transaction to the next. The stability of the system depends on disclosure of significant events or information that could affect a company's ability to meet its projected targets for sales and profits.
Economists try to simplify their theories of market relationships by assuming everybody has equal access to information about any given company. I’m not going to pretend to be able to explain why this simplifies their analysis. But one thing is clear - the Perfect Information assumption is becoming more accurate with each new online tool available - and not just for investors.
If somebody wants to exploit weaknesses in payment systems, disrupt critical infrastructure such as electrical power distribution, investigate corporate wrongdoing or cheat on college tests, there's never been a better time to do it. It is becoming easier for bad guys to find the information needed to do almost anything imaginable to their opponent.
The bad guys who can do significant damage to any business are no longer just a marginalized group of foreign hackers or an organized crime ring. It's anyone with a motive, an opportunity, and a growing capability: the means.
It may be hard to conceive of who might have motive and opportunity, and I think it's likely that these two variables have stayed fairly constant over the years. A few customers, partners, employees and competitors have probably always had these attributes, but no way to act on them to cause you harm. The means for a successful attack, however, is becoming less of a barrier with the realization of Perfect Information.
What can the good guys do about it?
Fortunately, risk management has a general way to address the problem, but it involves some deep analysis. Threat and Risk Assessments (TRAs) are usually associated with deploying new operational IT systems, but the basic concept applies to all business processes and systems, whether they are automated or not.
The sequence goes roughly as follows:
- Identify your tolerance for risk. To some, it doesn’t matter if some of their private information leaks out. Take journalists, politicians and celebrities, for example. A certain amount of their business success depends on people knowing things about them, personally. What risks really matter to your success?
- Identify the scope of an assessment. Often, especially in big organizations, you can’t easily do a TRA on the whole organization. But if you break the problem down into smaller units that can be somewhat isolated, you can make it easier. In a newish area of security called Information-Centric Security, this becomes very straightforward, as the subjects of each protection initiative break up into small, manageable units for doing TRAs.
- Identify the assets within that area of scope that you need to protect, and their value. This value isn’t necessarily their book value or market value. It also considers what it would cost you if it were leaked, damaged or lost.
- Identify who would benefit most from stealing, changing or knocking out each asset.
- Identify the vulnerabilities that would give these people the “means”. This is where Perfect Information is not your friend. You want to keep vulnerabilities confidential. It also means deciding what information you need to allow out, and to whom.
- Identify business processes that can provide the required security to meet your risk tolerance (from #1 above). They should prevent, or detect and react to the compromise (leak, damage or loss) of these assets. They don’t have to be technologically automated, although that often makes them more secure and scalable.
- Put business processes in place to protect the security processes. You need to know when you are not protected.
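To turn the seven steps above into something you can actually run, here is a small Python risk register added as an illustration (it is not from the original post). It scores each asset's residual risk as impact times the means left to a likely adversary, counts a control only while someone has recently verified that it still works (step 7), and compares the result with the tolerance from step 1. The 1..5 scales, the 60% and 50% means reductions, the 90-day evidence window and the sample assets are all assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
EVIDENCE_MAX_AGE_DAYS = 90  # assumption: evidence older than this means you no longer know you are protected

@dataclass
class Control:
    name: str
    means_reduction: float      # fraction of the attacker's "means" it removes, 0..1 (assumed scale)
    last_verified: date | None  # when it was last confirmed to be working (step 7)
@dataclass
class Asset:
    name: str
    impact: int                 # cost to you if leaked, damaged or lost, 1..5 (step 3, assumed scale)
    threat_means: int           # how readily the likely adversary obtains the means, 1..5 (steps 4-5)
    controls: list[Control] = field(default_factory=list)

def is_effective(control: Control, today: date) -> bool:
    # Missing or stale evidence counts as no protection at all.
    return control.last_verified is not None and (today - control.last_verified).days <= EVIDENCE_MAX_AGE_DAYS

def residual_risk(asset: Asset, today: date) -> float:
    # Impact times the means that remain after every control that is demonstrably working.
    means = float(asset.threat_means)
    for c in asset.controls:
        if is_effective(c, today):
            means *= 1.0 - c.means_reduction
    return round(asset.impact * means, 2)
def assess(register: list[Asset], tolerance: float, today: date) -> dict[str, dict]:
    # Step 1's tolerance decides which residual risks need action; unverified controls are listed.
    report = {}
    for a in register:
        risk = residual_risk(a, today)
        report[a.name] = {
            "residual": risk,
            "over_tolerance": risk > tolerance,
            "unverified_controls": [c.name for c in a.controls if not is_effective(c, today)],
        }
    return report

# Constructed sample register (not real data); the access review's evidence is seven months old.
TODAY = date(2024, 6, 1)
REGISTER = [
    Asset("customer records", impact=5, threat_means=4, controls=[
        Control("database encryption", 0.6, date(2024, 5, 1)),
        Control("quarterly access review", 0.5, date(2023, 11, 1)),
    ]),
    Asset("marketing plan", impact=2, threat_means=3),
]
```

With a tolerance of 6.0, the customer records come out at 8.0 because the stale access review is not counted, while the marketing plan sits exactly at tolerance and needs no action.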
There is a growing number of TRA analysts around these days, but you should choose one who knows not only IT systems but general business systems as well (even ones that still run on paper, or that are undocumented).
If you don’t pay attention to the information and assets that are at risk, and especially the information that may cause them to be at risk, the speed of Perfect Information will start to accelerate the likelihood of a breach in your business systems. And since businesses are all about creating value, you need to see what value you’ve created recently, and what information is related to the new value: i.e. how you created it, where it is, how it is protected…
Protecting assets by protecting the information about them makes it harder for anyone to obtain the means to attack you.