The hazy fog in Beijing has prompted many local radio stations and TV news programs to constantly remind drivers to slow down, turn on their headlamps, and drive with extra care given the poor visibility on the roads. On the way to the hotel yesterday evening from the Xi'an airport, the driver reported that the fog in Xi'an over the past two days had also resulted in a few major accidents and incidents in the city. One involved a chain collision of 32 vehicles on a highway, and the other was a woman being robbed on a side road during the day (both were blamed on the poor visibility).

 

Contrary to this, in the logical world, when there is little or no visible knowledge of the inventory of information assets and their vulnerabilities and potential exposures (or threats), users and managers are not able to see or feel the risk, whereas fog lets us know that we are at risk. They may therefore feel that their information assets are not at risk. When losses have been incurred, in most instances only the people involved in the investigation and the managers and staff responsible are aware of the incident and the associated exposures. For others, the lack of exposure to the incidents again provides a sense of safety.

 

The nature of digital or logical systems is such that risks are often invisible until they materialize. With all the challenges that business management needs to handle, lack of visibility also translates into no action. One of the important tasks in information security risk management is therefore to make the risks visible. This can then bring about better awareness and enable actions to be taken based on the risk situation.