Risk is a funny thing: if you don’t have any of it, business returns tend toward a thin range in a stochastic industry average. If you have too much risk, it can overwhelm any organization.

The recent experience of Knight Capital Group in the US proves the point that too much risk in the way IT is used is bad for business (see Knight getting costly $400 million lifeline after trading debacle)

The New Face of Risk: Stuxnet, Duque and Flame

What does this have to do with information security, audit, and the governance of IT?

If you have too little risk in the way IT is used to pursue objectives, it’s a reflection of staid practices in keeping with stochastic returns.

Similarly, too much risk in the ways IT is used to pursue objectives can result in risk that will overwhelm any organization.

Just ask the recent targets of the offensive cyber attacks known as Stuxnet, Duqu and Flame (See The Pandora’s Box of Stuxnet, Duque and Flame)

New Ground

The boundaries of risk and reward for the uses of IT are now being stretched by State actors intent on achieving objectives that go beyond those of civil, commercial enterprises. Unfortunately, the results for these new pursuits of IT are going to have ramifications we cannot fully see today, but which contain the seeds of results we can anticipate.

The new pattern emerging from the offensive cyber-uses of IT include covert intelligence, stealth behavior, information gathering, destruction of assets and property, and in the case of Stuxnet the actual loss of life.

The worry is the new tools and techniques can easily be re-employed against civilian military and intelligence interests and non-military commercial interests.

The new offensive directions being spearheaded by State actors promise to radically reshape the comfortable risk and reward boundaries that commercial enterprises have — until now — assumed for their uses of IT.

Whether commercial businesses like it or not, each is being thrust into a new age of risk and reward to which none are contributing, but one in which each will have to spend money to manage new forms of risk.