ENISA: Interview with Jani Arnell on Emerging Risks
Posted by Agatino Grillo on Thu, 2006-10-24 05:39
ENISA | October 2006 | Risks
061024-enisa-arnell
IsacaRoma (IR): Thanks for your collaboration, Mr. Arnell. You are an ENISA Risk Management expert and you participated in the RMA workshop in Rome last 13th October with a paper titled “Study on Emerging Risks” (pdf, 453 K). Could you summarize it for us?
Jani Arnell (JA): One of ENISA’s Risk Management Unit’s main tasks is to contribute to the area of Emerging Risks. From the Risk Management point of view nothing actually changes within this field compared to Current Risks, because the overall task still remains: we have to be able to identify and manage those risks which are going to jeopardize our assets now and in the future. The biggest difference between Emerging Risks and Current Risks comes from the Methods and Tools, Information Sources and Countermeasures side. There are no such methods publicly available which one could use as such to manage Emerging Risks; there are no inventories of those valid information sources and types of information which one should obtain when conducting Risk Assessment within Emerging Issues; and today’s available countermeasures are not always sufficient to protect our assets from Emerging Threats.
ENISA is doing its best to find answers to these challenges by investigating possibilities, finding feasible solutions, raising awareness and bringing people together.
IR: You proposed the following formula: “Emerging Risks = Protection Goals minus Protection Mechanisms”. Can you explain it?
JA: That is actually quite a simple way to define Emerging Risks. Usually, commonly speaking, we might say that you might face risk realization if there is a relevant threat out there and you are not protecting your asset against it by implementing appropriate countermeasures, such as firewalls, policies etc. What is important to realize as well is that in the Emerging Risks area that is not always enough. Despite the fact that you might have implemented all the possible countermeasures available out there today, they cannot fully protect you against threats in highly dynamic environments. In other words: you have holes in your shield.
IR: In your vision, it is important to consider also "Societal Risks" like Cyber Terrorism and Information Warfare. Why?
JA: When we are trying to identify Emerging Risks, it is important that we understand the full context. Even if Emerging Risks are most likely to be born when applying emerging and future technologies and applications, that’s not the whole cake. How do we identify which are those relevant technologies or applications of the future and how we are going to use them? And of course which are the relevant risks related to them? The answer to this is to understand the different levels of risks and their evolution as well. It’s about markets, our needs, our behaviour and dependability, which all have an effect on this. And all of these different risk levels can have different impacts on various assets and thereby, for example, on the continuity and development of the EU’s internal markets.
IR: What about the "Ubiquitous Computing paradigm" and the slogan "Security xor privacy"?
JA: I like this slogan a lot, because it describes so well what the situation is. It actually can have two meanings. The first is that within the described environment it is either going to be security or privacy, but not easily both. The second is that here security is like a weak algorithm and thereby an insufficient countermeasure to protect our privacy in the future computing context.
IR: Can you give us some examples of Risk Scenarios in Emerging Computing Modes? What is the correct approach?
JA: The world is moving more in the direction of Mobile and Pervasive Computing. That means that as our needs are growing, emerging technology is there to give us possibilities. We are going to be surrounded by various networks and computers. So is it about sensor networks, is it about RFID, Ubiquitous Computing? Yes – most likely, but within which time frame, it is difficult to say. There are discussions and visions for instance for smart homes, usage of RFID chips as implants inside our body to provide us comprehensive medical services or passport-like authentication, smart shopping experiences etc. What is the right and the hottest future usage scenario – that can be tricky to define. We just need to combine all the relevant information which is available and try to build up predictions, scenarios and visions of what kind of future we might have and what are those possible risks which we are about to face.
IR: What are your conclusions and suggestions about emerging risks?
JA: Emerging Risks as a part of Risk Management is an interesting and challenging area – indeed. It is not just about the lack of methods and tools out there; it is the lack of that vital base data which we are used to using when identifying risks and quantifying them. It means that we have to rely more on qualitative methods and trust our experts’ visions and predictions. That is a challenge to us experts as well – how to convince decision makers to react proactively based on visions made without reliable statistics? Maybe we are becoming more like meteorologists – trying to forecast the security weather of the future.
IR: Thanks Jani.
JA: Thanks to you. Arrivederci!
(Italian translation available here)
Who is Jani Arnell?
Jani Arnell works as an Expert at the European Network and Information Security Agency (ENISA) in the Risk Management Unit. His tasks include, for instance, promoting Risk Management and Risk Assessment Methods and Tools to ENISA’s stakeholders such as Member States and SMEs, identifying Current and Emerging Risks, and contributing to ENISA’s internal Information Security work by contributing to ENISA’s ISMS, conducting Risk Assessment and acting as interim Information Security Officer. Before joining ENISA, Jani worked for several years within the Finnish National CERT team as an Information Security Advisor, gaining experience of Threats, Countermeasures, Awareness Raising and Coordination of Information Security Activities at National, Organisational, SME and End User level. Jani has studied Corporate Security and Security Management and specialised in Information Security.
A more detailed CV is available at: http://www.linkedin.com/ppl/webprofile?action=vmi&id=1771234&trk=ppro_viewmore