Workshop 1: Identifying risks

The Workshop Facilitator gives a brief introduction about the project’s purpose and the discipline of information security. The following points are covered:

  • Information security is constantly evolving

  • Information security as a process (PDCA cycle)

  • Availability, Confidentiality, and Integrity as pillars

  • Risk = Probability × Impact (how likely an event is, times how severe its consequences would be)

  • The iterative nature of the Canvas Method: it doesn’t have to be complete or correct right away; we will expand, deepen, and correct in the next cycle

Below is an example of a presentation that can help convey the topics above to the participants.

After the introduction, the facilitator initiates the interactive part of the workshop.

The following topics are addressed using the Canvas.

Context

Participants are invited to name all the factors inside and outside the organization that influence their work (and more specifically, their work with information). A DESTEP framework (Demographic, Economic, Social, Technological, Ecological, Political factors) can be helpful here. The mentioned factors are written on Post-Its and placed on the Canvas. Participants are asked to briefly explain how the various factors affect their work.

Process

Participants identify the different processes in their department/team. The processes are written on Post-Its and placed on the Canvas. There is space for naming sub-processes or process steps that participants feel deserve special attention in this context.

The Workshop Facilitator specifically asks about:

  • Where information comes from and through which medium

  • How they use the information in their process / for what purpose

  • To whom they deliver information, and through which medium

  • What tools they use (software, paper, etc.)

If desired, the process can be visualized as a diagram.

Note: The goal of this exercise is not to create a complete or correct specification of the mentioned items. Mapping out the processes is merely a tool to make participants aware of potential risks.

Risks

The Workshop Facilitator asks participants to note down risks related to information processing relevant to their team or department on Post-Its. The facilitator may remind them of the aspects of Availability, Confidentiality, and Integrity of information.

Ask participants to use a new Post-It for each risk (one risk per Post-It). Have them also write their initials on the Post-It, as it is useful for reporting and for asking for clarification later.

Give participants space to express their concerns in their own way: what they write often doesn’t fit neatly into the formal definition of a risk (a possible event with negative consequences). In practice, you’ll receive a mix of risks (“stolen laptop”), vulnerabilities (“no encryption on laptop”), and consequences (“data breach”).

The Workshop Facilitator then discusses the noted risks with the participants: what is the (negative) event, which vulnerability makes it possible, and what are the possible consequences if it happens.

After the discussion, the Workshop Facilitator places each Post-It on the Canvas.

Often, the same risk will be mentioned by multiple participants; the Workshop Facilitator consolidates these by, for example, stacking the Post-Its.

Next, the Post-Its are arranged by impact (or, if participants can also estimate likelihood, by risk as defined in the introduction: probability × impact): risks with the highest impact are placed at the top of the column, and those with the lowest impact at the bottom.

The Workshop Facilitator explains that the purpose of this is simply to determine priorities. The facilitator then draws two lines across the column, creating three clusters. The first cluster is addressed in the current iteration, the second cluster possibly (and possibly only in part), and the last cluster is carried over to the next cycle rather than dropped.

Note: Some of the risks mentioned may fall outside the project's scope. Do not police this too strictly during identification; scope can be raised when the treatment of each risk is decided.

Risk Treatment

The Workshop Facilitator takes the highest-priority risks and discusses with the participants whether a risk should be addressed by the team itself ("mitigate"), whether another team or party should handle it ("transfer"), whether the risk can be avoided ("avoid"), or whether the risk is acceptable ("accept"). The respective Post-It is moved to the matching one of the four treatment quadrants. The chosen treatment is noted, and for a transferred risk, so is the team or party that takes it over.

Reporting

After the workshop, the Workshop Facilitator ensures reporting is completed. Below is an example of how this can be done. The Workshop Facilitator shares the report with the workshop participants.
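The steps above (one risk per Post-It with initials, stacking duplicates, ranking the column, drawing two lines to form three clusters, choosing a treatment quadrant and writing the report) can be replayed on a small risk register. The following Python script is an added worked example, not part of the Canvas Method or of this page. Everything in it is assumed for illustration: the Post-Its are constructed, impact and probability are scored on a 1-5 scale, duplicate Post-Its are recognised by normalised text and keep the worst of the stacked estimates, and the two lines are given as the number of risks above each line.

```python
# Added example: a small risk register that replays the workshop steps on constructed Post-Its.

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample Post-Its (one risk each, writer's initials attached).
# Impact and probability are assumed to be scored on a 1-5 scale.
POST_ITS = [
    {"initials": "JD", "text": "Stolen laptop", "impact": 4, "probability": 3},
    {"initials": "AK", "text": "stolen laptop.", "impact": 5, "probability": 2},
    {"initials": "MR", "text": "No encryption on laptop", "impact": 4, "probability": 4},
    {"initials": "AK", "text": "Shared password for the archive", "impact": 3, "probability": 4},
    {"initials": "LP", "text": "Backup tapes never tested", "impact": 5, "probability": 2},
    {"initials": "JD", "text": "Printed client files left on desk", "impact": 2, "probability": 5},
    {"initials": "MR", "text": "Backup tapes never tested", "impact": 4, "probability": 3},
]

# The four treatment quadrants of the Canvas.
TREATMENTS = ("mitigate", "transfer", "avoid", "accept")

@dataclass
class Stack:
    """One consolidated risk: possibly several Post-Its stacked together."""
    text: str
    initials: list
    impact: int
    probability: int
    treatment: Optional[str] = None
    owner: Optional[str] = None

    @property
    def risk(self) -> int:
        return self.impact * self.probability  # Risk = Probability x Impact

def normalize(text: str) -> str:
    """Key used to recognise the same risk written slightly differently (assumed rule)."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def consolidate(post_its) -> list:
    """Stack duplicate risks; keep every writer's initials and the worst estimate."""
    stacks = {}
    for p in post_its:
        key = normalize(p["text"])
        if key in stacks:
            s = stacks[key]
            s.initials.append(p["initials"])
            s.impact = max(s.impact, p["impact"])
            s.probability = max(s.probability, p["probability"])
        else:
            stacks[key] = Stack(p["text"], [p["initials"]], p["impact"], p["probability"])
    return list(stacks.values())

def rank(stacks) -> list:
    """Highest impact at the top of the column; ties broken by risk score."""
    return sorted(stacks, key=lambda s: (s.impact, s.risk), reverse=True)

def cluster(ranked, first_line: int, second_line: int) -> dict:
    """Split the column where the facilitator draws the two lines.
    first_line/second_line are the number of stacks above each line."""
    if not 0 <= first_line <= second_line <= len(ranked):
        raise ValueError("lines must satisfy 0 <= first_line <= second_line <= number of risks")
    return {
        "now": ranked[:first_line],
        "maybe": ranked[first_line:second_line],
        "next_cycle": ranked[second_line:],
    }

def treat(stack: Stack, treatment: str, owner: Optional[str] = None) -> Stack:
    """Record the chosen quadrant; a transferred risk must name who receives it."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}; expected one of {TREATMENTS}")
    if treatment == "transfer" and not owner:
        raise ValueError("a transferred risk needs a receiving team or party")
    stack.treatment, stack.owner = treatment, owner
    return stack

def report(clusters: dict) -> str:
    """Plain-text report to share with the participants."""
    labels = (("now", "This iteration"), ("maybe", "Possibly this iteration"),
              ("next_cycle", "Next cycle"))
    lines = []
    for key, label in labels:
        lines.append(f"== {label} ==")
        for s in clusters[key]:
            who = ",".join(sorted(set(s.initials)))
            status = s.treatment or "undecided"
            if s.owner:
                status += f" -> {s.owner}"
            lines.append(f"- [{who}] {s.text} (impact {s.impact}, probability "
                         f"{s.probability}, risk {s.risk}): {status}")
    return "\n".join(lines)

if __name__ == "__main__":
    ranked = rank(consolidate(POST_ITS))
    clusters = cluster(ranked, 2, 4)   # two lines: after the 2nd and after the 4th risk
    treat(ranked[0], "mitigate")
    treat(ranked[1], "transfer", owner="IT operations")
    print(report(clusters))
```

Note the effect of ranking by impact first, as the method prescribes: "No encryption on laptop" (impact 4, probability 4, risk 16) ends up below the two impact-5 risks that score 15. If the team prefers to order by risk score, change the sort key in rank to `s.risk`; the facilitator's discussion, not the script, decides which ordering is meant.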

Deep Dive

For a deeper analysis, Risk Cards can be used. These cards include:
