02 - Introduction to European IT-Law


Formal Metadata

Title: 02 - Introduction to European IT-Law
Number of Parts: 16
License: CC Attribution - NonCommercial 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Production Year: 2021
Production Place: Hannover

So we are going to look at information security management. And we have been discussing over the past two classes the risks that are exposed to our systems, or the risks that our systems are exposed to, right? So when we refer to information security risks, we talk about the impact to an organization and its stakeholders that could occur due to the threats and vulnerabilities associated with the operation and use of information systems, and, importantly, within the environment in which those systems operate.

So there are words I highlighted, such as threats, vulnerabilities, environment. These are the components or dependencies of risk. But in a sense here, the authors of this definition try to convey a message that risk, in a sense, is a product of threats exploiting vulnerabilities in order to cause harm to the system or to an asset, per se, in general.

In layman's language, we could refer to risk as the possibility of something bad happening, right? Although in some other cultures, risk also connotes the possibility of something good happening. For example, in the Chinese understanding of risk, it is both something negative as well as positive. However, for our purposes here, we assume the negative aspects.
In the case of information systems, this something bad could be a hacker hacking into the system. It could be a technical malfunction of the system. It could be an employee exposing data knowingly or unknowingly. It could be data theft. It could be a denial of service attack. It could be many other things, right? What it means, in essence, is that for us to understand risk, we have to understand the assets, the threats, the dependencies, the components that make up risk. Because risk is contextual. Assuming there is something that is of no value, let's say a used tire that has frayed and dilapidated, it is of no use anymore because the tire has been changed and perhaps kids are playing with it. Assuming this tire falls from a storey building, I mean, if nothing is there, the tire itself as an asset could suffer no loss because it is of little or no value, right? Although it could damage some other valuable assets, right? So risk mainly is contextual within a particular confine of what an asset is,
what assets do we want to protect? So we try to define some of those concepts, such as assets. Assets, strictly speaking, refers to anything that is considered valuable, right? And that needs to be protected. For example, it could be the personnel, it could be materials such as computers, it could be information relating to your customers, right? It could be the database, it could be intangible assets such as your intellectual property, your reputation, which your company may have built over decades, right?

So those are the things you need to protect against what? Against threats, right? Threats are things, could be a human being, that exploit the vulnerabilities around your assets in order to harm the asset, right? It could be cyber criminals who want to penetrate your system. It could be hackers. It could also be natural disaster. These are threats to the assets. Another important concept here is vulnerabilities. Vulnerabilities are the weaknesses that could be exploited to gain access to your assets, in this case, your information system. What are those weaknesses? They could be weak passwords. They could be using an outdated operating system. It could be leaving your data unencrypted while you are transferring them over the internet. So those are the vulnerabilities that threats, say a hacker, could exploit to harm your data, for example, your customer data.

However, if all these threats and vulnerabilities, excuse me, are exploited and they result in no harm, the asset is not harmed in any way, you don't talk of risk here because there is no harm, right? So we talk of risk in this sense when there is harm, when there is damage or injury to the asset. And this damage has an impact on the owner of the asset, here the organization, for example, right?
So as I've already mentioned, the risk is contextual. And when we put these core elements together, we could see risk as a condition or a function wherein certain actions happen under certain conditions, and that could lead to consequences. In this case, we're talking of losses, right? I think John Vicker put it perhaps in a more diagrammatic way. Here, he explains risk as a function of assets, threats, vulnerabilities, and impacts. And you see the arrow: there is an asset, which has vulnerabilities around it. And these vulnerabilities could be exploited by the threats and could cause harm, which has an impact.

So this is the way you understand risk. There's another important element here, which is the control. As we have identified these threats and the vulnerabilities that could impact the system, what do we do to either stop it, reduce it, or transfer the risk? So these are generally referred to as controls or mitigating elements, right? That address either the vulnerabilities or the threats in order to eliminate the overall risk or reduce them, as the case may be. There are certain risks that could not be eliminated but could be reduced. So in the case of information systems, your controls must focus on responding to the threats and the vulnerabilities, right? For example, you don't put firewalls when the threats are actually dishonest employees who could take the data and expose them or perhaps sell them to hackers. So firewalls would not work because these are internal threats. So here, you need to carry out the risk assessment of your environment to know the right and the appropriate controls to implement. For example, if you put armed guards to protect against internet hacking, no, it's not possible because the threat is logical. It is not physical, right? Assuming you have perhaps your server room, you could put armed guards to protect it, if the threat is physical, right? But if your threats are logical, you have to carry out a risk assessment process in order to identify your risks as well as the appropriate control. This explains it. This is now within the realm of risk management. You have to manage those risks by conducting a systematic process wherein you identify your assets, identify the risk, evaluate the risk, put in the controls as well as monitor the controls. So information security risk management is a process. It is not a product. It is not a one-off product that you buy and the risk goes away. No, antivirus, no. You don't just put in an antivirus and the system is okay forever, no? It is a process that takes continuous monitoring, as the case may be.
There are a number of risk management frameworks such as the ISO 27000 family, right? They talk about information security. You could use any of them. Usually, organizations adopt any or multiple approaches where they conduct a systematic risk assessment process that starts with, in this case of ISO 27005, communication and consultation, right? You consult those whom you think would provide the necessary information for you to carry out this risk assessment. You contextualize the environment: what really am I trying to assess, right? You now do the risk assessment wherein you identify the risk, analyze the risk and evaluate the risk. After the evaluation, you treat those risks by implementing those control measures we talked about. Afterwards, you look at the residual risk, whether they are acceptable the way they are or they are not. If they are not, you go back to the previous process, implement measures and see; you constantly reduce the threats until they are at an acceptable level. Then you continuously monitor your treatment, your controls, right? You review those controls regularly to know whether they are working or whether the controls even introduce new risks.

So it is a holistic process. It is something that is continuous. And I mentioned this last time, when Sony's system was hacked, the Information Commissioner of the UK investigated the hack and later issued a fine. In their publication, they wrote that the Commissioner is aware that the data controller made efforts to protect account passwords. However, the data controller failed to ensure that the network platform service provider kept up with technical developments. So this continuous monitoring: you have to keep up with the technical developments. Therefore, the means used would not at the time of the attack be deemed appropriate given the technical resources available to the controller. In other words, they did not do their homework well. At the time of the attack, there were certain things that they could have done based on the technology of the time. However, the data controller failed to take action to address the vulnerabilities even though appropriate updates were available, right? So that is to tell you what the authorities will be looking out for when there is a data breach. Has due diligence taken place? Has control monitoring taken place? What actions happened before and even after the breach? So this shows you that information security is not a one-off product. You do it, you continuously monitor the effect of your mitigation strategies.
And for you to do this, you must carry out a risk assessment, right? So risk assessment here aids you in the decision-making about the risk. It provides you with the data to evaluate and control risk in a systematic way. It has to be systematic. So we talked about the importance of risk identification, right? It helps you to identify your assets and threats, vulnerabilities, as well as the impact assuming the threats manifest. Another process would be to analyze those risks, right? Where you look at data. Here, there are usually three methods. One is a quantitative analysis where you use data to describe the risks posed by a threat. For example, it could be in monetary value. You value your assets. This is, for example, this PC or this system costs 1 million euro, right? If something happens to it, we could lose this amount of money. So these are quantitative risk analysis. You use raw data, hard data, to quantify the risk. You could also do this qualitatively where sometimes it's difficult to use or find data. For example, when it relates to something that is emotional, loss of objectives, or to quantify the risk faced by a company's reputation. Here, most times you may not have the raw data to do this. You use qualitative analysis. You use subjective methods, like asking experts to give you their own opinion on certain issues. The best approach usually is to combine both methods, a hybrid scheme where you use both hard data and qualitative analysis methods to analyze the risk.

Then you evaluate this risk. Risk evaluation is the process of identifying the significance of risk by comparing the estimated risk against risk criteria. For example, you may have a risk tolerance level. Say the company may have a policy that we do not engage in any risk that is above 1 million euro. For example, when you do the evaluation, you look at the significance of the risk. Assuming this risk occurs, would the company lose over a million euro? If the answer is yes, then it is beyond the risk we could take. Or there could be a policy that our risk level, or the maximum level of risk we could tolerate, is only when 10 data subjects are involved. If there is a scenario where there are more than 10 data subjects, then we do not engage in those risks or we do some other thing. So at this level, the risk evaluation provides you the opportunity to compare the result of the risk analysis or the risk assessment with your risk criteria.
Sometimes the risk criteria could be set by the authorities or the agency responsible for your sector. Then we look at those controls. Having found the risks and the threats and the vulnerabilities associated with them, how then do you forestall them? How then do you either prevent or modify those risks? So this is within the domain of risk control, right? These are the processes you select and implement either to modify the risk, eliminate the risk or mitigate those risks entirely, right? Usually there could be administrative safeguards such as transferring the risk. For example, the risk owner could take up an insurance policy so that, assuming this risk occurs, the insurance company bears the loss or bears the burden, right? Your controls could as well be technical. Assuming you have identified that the risk is, for example, due to weak passwords, you could implement a technical control such as a multi-factor authentication system, right? It could also be a physical control. Assuming the threat is to your data analytics data center, for example, you could implement a biometric lock so that anybody that comes into that center must be authenticated through a biometric means. So it depends on the nature of the risk for you to get the right countermeasures and controls.

So in essence, your risk controls should include a number of things, such as deterrent measures. Here, you talk about putting notices or firewalls, right? Deterrents warn would-be violators, right? It could be just like putting a notice in front of your office that there's a camera watching the whole environment. So you could put in such a banner. You could also put in some detective controls such as logs, right? You have a logging system where you could go back to see what happened within your environment, right? So here, you could detect anomalies in your system and try to control those. You could also implement preventive measures such as installing antivirus already on the system, right? Your control measures could also be corrective in essence, such as terminating the infected system, right? Or having a business continuity plan: assuming the risk occurs, how then do we come back to normalcy? You put in those plans beforehand. Your control could also be recovery, such as having your backups updated all the time so that once there is a breach, you go back to your backup system and recover your data, right? It could also be compensating, as the case may be. Here, assuming you receive several spam emails within your organization, you could put in this compensatory control by installing a spam filter, for example. So again, it boils down to having the right assessment and that will give you the right control measures. In essence, the risk is a process, as I have said, you have to manage it through a number of activities. It is not a one-off event, as the case may be. Basically, this is what I want to discuss about the risk management framework. Usually there are several methodologies. There are several tools one could use in these. One of them is the ISO 31000, as the case may be. There are a number of them, COBRA, as the case may be. So this is an example of what the risk is all about. You will usually be consulted when this is happening. You need to have an idea of the concepts and what they entail for you to give valuable advice, or as a data protection officer in the room, as the case may be. Do you have any question? I'm really sorry about the interruptions due to the network, but do you have any questions or comments on this
before I move to the next part of the discussion? Perfect, then let's look at a number of agencies within the area of information systems you could find within the EU. We mentioned ENISA last week. The Cybersecurity Act gives ENISA a permanent status, as the case may be. And ENISA is a short form for the European Union Agency for Network and Information Security. It was established in 2004 as a center of expertise for cybersecurity in Europe. I've mentioned the permanent status. It has, as a result of the Cybersecurity Act, activities that span from being a pan-European cybersecurity watchdog to conducting cybersecurity research. They have a number of publications. If you visit their website, they have rich materials in this area. Currently the Cybersecurity Act gives them another task, to carry out these EU cybersecurity certification schemes. So they are currently developing those schemes and they will be in charge of implementation of those schemes in conjunction with the local authorities. So ENISA is a very, very important agency when it comes to cybersecurity in Europe.

Another important agency you could identify is CERT-EU. This is the Computer Emergency Response Team for the EU institutions, agencies and bodies, right? So this institution is dedicated to the EU environment, the institutions, the agencies, and the bodies that are under the European Union. Their mission basically is to support these EU entities and institutions against cyber and malicious attacks, right? So the scope of the activities covers cyber prevention, detection, response, and recovery. So it is dedicated to the EU as an institution. I've already mentioned this. They provide information about the threat landscape. They provide information needed to protect the systems and networks of the EU. Then they also provide the alerts and warnings. They disseminate information about cyber attacks and security vulnerabilities. They also perform incident response coordination. They could coordinate, assuming
a number of EU institutions are under attack at the same time, CERT-EU could coordinate the response. You also have the European Cybercrime Center, Europol. I mean, it's part of Europol. Here, they carry out three major activities: they strategize, they are also forensic experts, as well as in the area of operations, right? One important publication from them is the Internet Organized Crime Threat Assessment. It's published yearly. It's a very, very interesting document to read because it gives you the landscape of the year, how organized crime threats and vulnerabilities are exploited within a particular year. It's very, very interesting; if you have the opportunity to get the latest publication on this, it's worth reading. Then you have the member states' computer security incident response teams, CSIRTs. I mentioned this in the last class, that both the Network and Information Security Directive as well as the Cybersecurity Act enjoin member states to have robust CSIRT networks, right? Because there could be instances where collaboration needs to occur among the member states. So the CSIRT network is like a hub where those activities could occur. It provides member states with a forum of trust and cooperation; I already mentioned this. There could be instances where there is a multiple attack or multiple attacks within the Union. So the CSIRT network is a very important tool to coordinate the response to such attacks.

But you have to note this: a computer security incident response team must not always be statewide. Companies also have their response teams, right? As the case may be, because the goal of a CSIRT is to minimize and control damage resulting from cyber incidents. Usually big corporations like Microsoft, Google, Apple, Facebook have their local CSIRTs, which usually collaborate with that of the state, as the case may be. But I don't need to bother you with the annex of what their responsibilities are. If you get the Cybersecurity Act, you will see that. Then when you come to the individual member states, there are usually, in fact, all member states have their own information security authority, right? For example, in Germany, we have the BSI, which is responsible for information security coordination within the jurisdiction. So they have their tasks in section three of the BSI Act. You read this when you get the full act, right? So basically, this brings us to the end of this part,
this part of the discussion with respect to information security law and framework in the EU. We started by identifying what those laws are. We also looked at the instruments, from high-level EU instruments that regulate what organizations or entities should do when it comes to protecting their information systems, right? We looked at the NIS Directive. We looked at the Cybersecurity Act. We looked at the GDPR, and we also looked at the ePrivacy Directive to get a feel of how the obligations are framed, in essence. We talked about how to manage those risks in terms of the practical knowledge you need to have as a lawyer or a data protection officer in the room. When this impact assessment is being done, what do you expect? How do you contribute? We looked at the framework of ISO 27005 that gives you a process of consultation, establishing the context, risk assessment, risk treatment, risk acceptance, and continuous monitoring, as the case may be. So we finally looked at those agencies at the EU level. There are other agencies, but at the EU level and the member state level, right? So in the final part of our discussion, we shall introduce aspects of European IT law relating to intellectual property protection. But suffice it to say that next week, we shall focus on how technology impacts intellectual property, how infringements in digital environments could be regulated in the normal day-to-day activities that involve intellectual property. We shall look at copyright infringement in digital environments. We shall also look at anti-circumvention of technical protection measures, as well as liability of intermediaries when it comes to intellectual property, right? This will be the focus of our discussion next week.
But I will try as much as possible to start with the basics of the concept of intellectual property. Perhaps we could do that since we have a few minutes left. The concept of intellectual property is a little bit different from the normal property, the tangible property position we all are used to, right? Because an intellectual product has three main characteristics.

The objective form of it is that an intellectual product crops up from ideas that have been given expression. You could dream at night of how to build perhaps a skyscraper or the latest car, airplane or whatever. You could imagine; it's limitless what human beings could imagine. But if you have not put those imaginations into an expressive form, if you have not woken up at night, taken a pencil and a paper to draw those beautiful aircraft that you want to manufacture, then you have no property, so to say, right? So for you to talk of intellectual property, you have to talk of an idea that has been given expression. It could be orally expressed, or you sing a song and it sounds beautiful. It could also be written, right? It could be your diagram. It could be your painting. It could be anything whatsoever. Once it is expressed in a perhaps fixed tangible form, right? Then you could talk of one aspect of intellectual property or an intellectual product being created.

Another thing is that usually such a product, an intellectual product, must convey a message or meaning. It has to be informative in nature, right? A poem, for example, is expressing something, right? An article is conveying information. So it has this property. It has this attribute of conveying a message to a third party. Then you talk of an intellectual product being created.

Finally, there is this argument that there must be an identifiable human creator. But this has been challenged recently because there were instances where an animal took a picture, pressed the shutter and the picture was taken. The question is who created the photograph? Is it the owner of the camera or the animal that pressed the last button? So however, in the traditional sense, intellectual products must have an identifiable human creator.

So with these elements in place, then you can talk of an intellectual product, or acquire intellectual property in that creation that has emerged on fulfilling those three conditions. So basically this is the area we are going to look at: how information technology has helped in the creation of these intellectual products and how information technology has also aided in violating the rights of those intellectual property owners. For example, millions of videos are being uploaded every day on YouTube and watched without regard to whoever owns the intellectual property. A lot of file sharing services share those contents without regard to the intellectual property. So next week, we shall briefly look at what intellectual property is all about and the laws that regulate how intellectual creation is recognized and protected within the EU. This will be the focus of the final part of our discussion.