Bright Stove

Reflecting information risk journey


Of gaining good fortune and eliminating bad luck


Having missed the Lunar New Year visiting and celebration in Singapore last year (2009), I very much enjoyed this year’s visit back home. As in the past, visiting and catching up with friends and relatives was the norm. Unlike in the past, however, when I usually spent the last evening of the old lunar year watching the Lunar New Year Countdown shows on TV, this year I followed my in-laws to the Chong Yi temple (崇义庙) and observed an interesting ceremony to receive the God of Fortune (接财神). In fact, this has been a regular ritual for many folks in Singapore for many years now. So the people there are all very well versed in the practice, knowing what will happen at 11pm, 11.30pm, and 12am, and how they should align with the steps of the event as they unfold.

From the first day onwards, numerous Lion Dance troupes started visiting each and every block of flats in the housing estates, knocking on the doors of Chinese households to greet them well and, if they agreed, to also perform a traditional “dance”, including one or two difficult stunts such as taking a Red Packet and some greens from the top of the door entrance or some higher spot in the flat. Such a performance is supposed to bring more good luck and fortune to the family, and in return, the troupe members get their Red Packets (cash, upfront). From the third, fourth, or fifth day onwards, depending on when the public holiday ends and work begins, the Lion Dance troupes would also start their visits to offices in and around town to do the same for the businesses, and of course get more and bigger Red Packets.

There are also a number of other activities along the same line of thought during the festive season, such as serving sticky sweets to the Kitchen God, and getting additional help from other specific deities for specific desirable outcomes. Some are guided by cultural and religious practices, while others are based on unknown and supposedly complex calculations using the Lunar calendar and the Chinese Zodiac sign that one belongs to. The latter often need a specialist's interpretation and guidance.

In all cases, the system is one which involves essentially two human parties: the consumer and a consultant/advisor/specialist group or individual. The “specialist” performs a certain ritual (some at a fixed price, others based on whatever the consumer can afford and pay through a Red Packet), with a common understanding that a positive outcome will befall the consumer when that is done. Whether the outcome will actually be positive and as desired is, however, not guaranteed. No one actually knows, even when it happens as preached. But few, when told about and made to believe in the opportunity or risk, would want to be left out or ignore it and so take a chance on missing a good fortune or failing to eliminate their bad luck. When all is done, with money spent and time and effort expended on the rituals, the consumer at least feels good in the knowledge that she has done her best to manage her “risk” in this regard.

Interestingly, the world of information risk management mirrors such a system quite closely. There are many information risks in the Cyber world where our digital life and information exist, with which organizations are rightfully concerned. Consultants/risk managers (i.e., specialists) are engaged to conduct risk assessments, and security controls are used to address at least the significant risks identified. Business management often believes or gets a warm feeling, just like the consumers described above, that once these risk management activities have been undertaken, their risks have been managed and they can get on with their business without further worries. However, what the risk consultants/advisors/managers have completed addresses only a snapshot of the business risk environment for a given period of time, and that environment is changing constantly with the business and the operating environment. In other words, by the time the security controls have been implemented, new risks may have surfaced that need further action. Like the “specialists” in the festive and cultural/religious rituals, risk managers do their best to help the organizations (consumers) realize their business opportunity (i.e., gain more fortune) and address potential risks (i.e., eliminate their bad luck), but they cannot guarantee that the organization will not fail on the next attack (i.e., the outcome remains uncertain; only known risks are managed). In the business information risk environment, we could perhaps go one step further: if risk management activities are not undertaken, we could almost guarantee that some “bad luck” will run against the business successfully, in various forms of digital exploitation.

To address the evolving risks of encountering bad luck or not gaining good fortune in the changing environment (new lunar year, new Zodiac sign), cultural/religious rituals are repeated year after year, in varying forms, and some on a much more regular basis. As a social system, it provides a means to address people's concerns in a continuous manner and, through repetition, constantly reminds people to do good and behave well. While some may challenge such practices as superstitious or irrational, such a system has served its social purpose for thousands of years.

As the OECD emphasized many years ago, organizations need to develop a culture of information security. Perhaps we should also be more religious about it in order to ensure information risks are managed in a continuous manner.

Written by mengchow

February 23, 2010 at 4:07 pm

Posted in Risk Management
