Diagnostic grid for Business Intelligence risks

Extract from the chapter "Protecting information" in "Business Intelligence, the eyes and ears of the business", by Bruno Martinet and Yves-Michel Marti, Editions d'Organisation, Paris. Booz Allen and Financial Times award for the best work on European management in 1996.
 
 

4.4.2. The systemic approach: cyndinics

The science of cyndinics, originally a French term for a science of risk, is the source of an analysis grid used to determine an organisation's vulnerability to threats against its informational heritage. This approach has been systematised by cyndinic practitioners and is very well explained by Mr. Kervern in his excellent work "L’archipel du danger, Introduction aux Cyndiniques" (Archipelago of danger, Introduction to Cyndinics), Editions Economica, Paris 1991.

The basic premise (borne out by numerous analyses of actual disasters) is that disasters occur when a certain number of danger-generating inadequacies are present. An inadequacy can be a feeling of superiority over the competition, for example, or the lack of a feedback system. However well informed it was about initiatives by the competition and their potentially serious consequences, any company combining these two inadequacies would probably dispute the evidence and take no protective measures.

An organisation’s inadequacies, and their potential danger, are studied systematically in this analysis. Inadequacies are grouped into three major families - cultural, organisational and managerial.
 
 

1) Cultural inadequacies

Corporate ambience or culture can prove scarcely conducive to protecting information. For example, why protect information in a culture that is dominated by a sense of infallibility and has nothing but contempt for the competition? Why protect information in a culture whose energy is spent entirely on internal political battles? The following table presents potential cultural inadequacies:
 

| Number | Description | Classic symptoms |
|---|---|---|
| 1 | Culture of infallibility | We are sure of success. Our organisation cannot have any failings. Version 1: our competitors will never take over our market shares. Version 2: whatever our competitors learn about us could never harm us, etc. |
| 2 | Culture of simplism | It is simple to protect information. All it takes is common sense. You simply have to insist on badges being worn and install a few cameras. |
| 3 | Culture of non-communication | We have always done it like this and we are not going to change everything now. Our hierarchy is not happy when doubts are raised over technical practices. We rarely discuss technical operations amongst ourselves. There is no dialogue between the various company departments. |
| 4 | Culture of navel-gazing | Department X will oppose these changes simply because a member of Department Y has proposed them. We are certain that our competitors are lagging behind in business and competitive intelligence. |


 

2) Organisational inadequacies

Many managers give up when faced with organisational tasks, which sadly could well explain the mismanagement and the commercial, financial and technical disasters. Why? Several reasons can be put forward: managers are too bogged down in the short term; they do not know how to set about things; the problems are frequently cross-cutting and they lack the energy to convince everyone involved; they do not see why they should tire themselves out just to give their rivals in the company the edge; and so on. Here is the organisational inadequacy table:
 

| Number | Description | Classic symptoms |
|---|---|---|
| 5 | Information security depends on other risk-creating management functions (marketing, documentation, strategy, etc.). | The person in charge of protecting information is only one of several employees in the documents centre. We are not, however, going to trim back the prerogatives of the Safety Director (or Communications Director, Administration Director, Marketing Director, etc.). We are overloaded with staff personnel, it is hardly the time to create more. Yes, there are risks, but now is not the time to rock the boat. |
| 6 | Cutting down responsibilities | No explanation of information protection tasks. No allocation of tasks to appointed managers. People are adults and know perfectly well what they must do without having to explain it to them. We have discarded all formalities in our organisation; everyone is free to express themselves as they wish. |


 

The advantage of appointing someone specifically to information protection is that his only task is to minimise the risk of information loss. Human nature is such that a familiar, customary risk no longer registers psychologically as a threat. An Operations Manager, for whom information protection is just one of his assignments, is more likely to make light of certain threats than a manager dedicated solely to that purpose.
 
 

3) Managerial inadequacies

Other inadequacies in the communication and command chain can also generate risk.
 

| Number | Description | Classic symptoms |
|---|---|---|
| 7 | No feedback system | Maintaining practices considered dangerous in other organisations and establishments. No notice taken of warning signs appearing in the same profession. Experience from international incidents in the same industry or technical sector not systematically exploited. |
| 8 | No information safety procedure in the organisation | No technical manual, procedures or instructions from management. |
| 9 | No information safety training programme | People are caught unawares and commit errors that make matters worse. |
| 10 | No crisis situation planning | When we realised that someone had hacked into our database, it was panic stations; someone shut the entire system down, whereas given a little more time we could have identified the intruder. |