Critical Incidents: Damaging Critical Assets
Critical incidents are adverse events negatively
the ability to continue profitable operations. Critical incidents are defined in terms of risk, where risk is the probability of
events happening. Critical assets are those assets required for the organization to continue profitably, and profitability is the achievement of the organization's goals.
Critical Asset Priority
Critical assets are divided into three supporting pillars listed in rank order:
Addressing risks is very similar to knowing your adversary: know the risks, accept the risks, mitigate the risks, transfer the risks, and avoid the risks. It is important to know which events can have a detrimental effect on your organization's assets. Harmful events are best
when they are
in the form of a schedule showing the relationships between assets, threats and their frequency, vulnerabilities, and
By accepting risks, you are not
their probability or their impact; rather, you have decided to take measures to protect your assets. By addressing risks, you are committed to implementing cost-effective, asset-protecting safeguards. The most desirable asset safeguard is one that avoids risk altogether, so the asset never suffers diminishment. A subset of risk
is one where the negative impact of the harmful event is postponed, hopefully forever.
The process of transferring risks can also be addressed by implementing safeguards protecting specific assets. An example of a "transferring risk" safeguard is the outsourcing of employee payroll and benefits processing. By passing this responsibility to someone else, accompanied by specific performance requirements, the risk is passed from the original enterprise to the processor. In the event of a critical incident, the asset, risks, and attendant expense are transferred elsewhere.
Mitigating risks is the process of reducing their probability of happening. A subset of mitigating risks is reducing their harmful effects on assets. This mitigation process can be highly complex, involving sophisticated strategies, or it can be as simple as instituting a company-wide policy.
In considering risks, the value of a proactive program is not determined by its complexity and expense. Never underestimate the value of a simple,
policy. An example of a simple policy is employee Internet use. Employees, as a condition of their employment, agree that Internet use is permitted only as part of their official
. Policies, read and
by each employee, prohibit personal Internet use.
An example of a critical incident that can seriously damage business operations is a senior employee, Bob, who gets a little bored after
and begins to surf the Internet from his workstation. He is aware of the business-only policy, but chooses to ignore it. Because most of the office is an
bullpen, privacy in his workplace does not exist. After checking his Internet e-mail, he does some online shopping, and because none of his
are looking, he takes a peek at some soft pornography Web sites. He begins to lose track of time and surfs to some sites that are more offensive. While Bob is clicking through some pop-ups, Doris, the office manager, enters his work area. Seeing the Web sites Bob is viewing, Doris remarks that they are very offensive. She
her experience to her supervisor and
the local EEO office. This is the third time she has seen Bob browsing pornography at his workstation, and she has
the matter to her company's management each time. But this is her last straw; she has had enough. Bob has been
about his pornography browsing but because his technical skills are not easily
, his activities have not resulted in adverse personnel action. After exhausting her administrative remedies without resolution, Doris files a civil suit, naming her employer and Bob as defendants. Because the filings are public, there is significant news coverage and the organization's good image is irreparably tarnished. A large
is made and Bob is
One information manager stated, "There is a
accepted statistic that places risk at an acceptable level: 1 percent. This is a risk. That's all the motivation I need; expect the best, but plan for the worst."