In the wake of the 9-11 attacks, as America began searching for answers, it became clear that the means of sharing critical information between the various organizations engaged in protecting us were woefully inadequate. With the many initiatives put forth since then, there has been improvement in the timeliness and quality of information sharing, but there is still no comprehensive, methodical and disciplined approach to overcoming the institutional and cultural barriers to more effective information sharing. Without such a long term approach, we may be inadvertently increasing our risk – we may be moving away from a “risk avoidance” approach to information sharing to a “risk acceptance” approach in which we have not properly weighed the risks versus benefits involved. This paper will lay out a recommended approach to a comprehensive national information policy that would be based on principles of risk management. The key points are:
The Federal Government must develop a comprehensive national information policy that provides an overarching framework for developing specific guidance in areas such as information security, classification and declassification decisions, and information sharing with international, state, local, tribal, non-government partners and the public.
This information policy must be based on a rational risk management methodology that balances need to know against the need to protect. Risk management, for the purposes of national policy, must include risk analysis and risk response processes.
Risk, as a commonly used but not commonly understood term, is composed of criticality (sometimes referred to as “impact”), vulnerability, and threat (includes all hazards).
The proposed risk management methodology can be developed on the basis of existing analytical models. The key concept is that, under the national information policy, content should regarded as an asset and that risks can be determined in a similar fashion to the way we determine risk for other assets, such as infrastructure.