September 27, 2023
This module uses the roadmap for IoT cybersecurity. The tangible outcome of the tool is a realistic and concrete change plan for the first building block(s) in the visual roadmap, including choices for how to proceed with IoT cybersecurity in the company.
The collaborative learning process creates awareness and understanding of the complexity of change in a company's actual situation, involving both drivers and barriers for the next steps in IoT cybersecurity for the company.
In the end, the result of using this tool is a new organisational reality for the company's work with the building blocks for IoT cybersecurity because of the collaborative learning process.
A change process is the intended and planned way to close the gap between a present situation and a desired goal-situation in the company regarding IoT cybersecurity.
The company needs to have completed the visual roadmap for the four building blocks for IoT cybersecurity as the roadmap describes the desired future state for the company’s IoT cybersecurity and the planned sequence of building blocks.
Now the change process and relevant analytical concepts will be defined.
In this tool, a change process is understood as the process of moving the company from a present not-wanted situation to a desired situation in the foreseeable future.
The underlying principle of the tool is that change can be planned but change activities and resulting changes to behaviour depend on the company's resources and perceptions of IoT cybersecurity. This means that the collaborative change analysis is based on company members’ practical experience with IoT cybersecurity.
The collaborative change tool can, in principle, cover both visionary and radical changes but it is designed for real-life changes in resources and perceptions of IoT cybersecurity that can be achieved and/or furthered by changing the present situation through a structured change process based on collaborative insights.
Inspired by collaborative evaluation (Petersen & Søndergaard, 2021) [1], the following concepts are used in the collaborative change analysis of the IoT cybersecurity:
The process for collaborative change analysis consists of two parts:
The analysis is made for one building block at a time, with a focus on the building blocks in the roadmap's first periods to keep the planning horizon realistic. The analysis of the potential for change in the present situation is made with respect to the intended goal of the change process for each of the building blocks.
The analysis of the present situation is made with two perspectives:
the change process, i.e. the movement from the present situation to a desired situation.
Resources and change perceptions can be seen as either drivers for or barriers to change.
Sometimes the perception is tied to a specific group in the company or to external partners and the market. For example, a demand from customers for more IoT cybersecurity might be seen by the company's managers as furthering the change process, while R&D employees may see it as external forces meddling in the company's strategy (and thus hindering the change).
After describing existing and lacking resources, and furthering and hindering perceptions, the team of change agents will score each change perception and each resource to create an overview of the change potential in the current situation, thereby assessing the scope of the change process.
Potential for change
The realistic plan for the change process incorporates the analysis of the change potential in the present situation. The plan describes an iterative change process where the change team considers change actions and change perceptions/resources tied together in progressive movements towards the desired situation.
A change action can for example be:
The change team should think like this when working with the change plan:
If we do this first change action, then we expect it will further this change perception/resource and/or minimise this hindering change perception/resource. Based on the resulting situation after executing the change action, we will then initiate the next change actions and so on.
Plan for change
The point of the plan is to ensure a systematic dialogue for the change team about change actions and their rationale based on collaborative insights into the company's collected resources and perceptions related to the desired situation of a building block.
The summed-up numbers in the example indicate more impact from perceptions and lack of resources on the barrier side than on the change driver side of the present situation.
In this situation, it might be easier to increase the driving forces by, for example, adding training and reward systems, and company goals for IoT cybersecurity. Company goals for IoT cybersecurity (or even standards) would engage management, increase the present low company accountability for IoT services and products, and at the same time eventually minimise the perception that IoT cybersecurity is not important or measurable. An important consideration in this regard is the response from the people not willing to be accountable for goals external to their own department. Will overarching company goals for IoT cybersecurity create new barrier perceptions?
The collaborative change analysis is a learning process designed to inform the company’s change process to anchor cybersecurity for IoT.
It is important to note that it is the change team who decides what are resources and what are change perceptions. This is clearly an interpretation based on experience with the company's practice with IoT cybersecurity.
This means that the pinnacle of the analysis is for the change agents collaboratively to reflect on and gain new insights into the totality of the situation regarding the company's cybersecurity of IoT.
The best way to do it is:
This step-by-step guide involves two parts.
Move on to the plan for change template, which in the end will be a chain of change actions and assumptions about how these change actions are expected to change the resources and perceptions identified and described in the analysis of the present situation.
The tangible outcome is a realistic and concrete change plan for the first building block(s) in the visual roadmap, including choices for how to proceed with cybersecurity for IoT in the company.
The plan is contextualised and is the result of a collaborative learning process that in itself creates a new reality for IoT cybersecurity in the company. This new reality is an awareness of the complexity of the change dynamics and an elaborate understanding of which change perceptions and lacking resources keep the present situation from changing.
The most important outcome of the tool is the collaborative learning and insights that the company's IoT cybersecurity will build on. It is important not to overly focus on whether something conceptually is a resource or a perception, but instead to focus on creating a common interpretation and to score its influence on the change process in question. Sometimes perceptions may turn into a resource, and resources can be perceived differently by different groups in the company. Just make it clear how you see it to structure and fuel the change plan.
Framing the change process as a learning process also shows that data collection and analysis must continue throughout the change process. When set in motion, the change plan is an iterative learning process whereby the change agents, through continuous discussions of employees' and managers' behaviour, gain insights into and understanding of their situation and how to keep on track towards the desired situation as it evolves.
The next step is to carry out the planned change, and to keep on checking that the analysis is still adequate and represents the building block’s situation.
The change process is a circle of planning, action, and fact-finding about the results of the change action, which implies that the 'present situation' is always changing.
[1] Petersen, C.K. & Søndergaard, A.P. (2021). Evaluering som samarbejde om fælles løsninger. Tenakel, Skanderborg.
The contents described above have been developed in the project:
‘CyPro – Cybersecure manufacturing in Denmark’ by Aarhus University, Alexandra Institut, DAMRC, UGLA Insights and FORCE Technology, funded by The Danish Industry Foundation. Material from the project is published under licence CC BY-SA 4.0.