Mar 20 2013

Why Asking ‘What If?’ Is Important

These risk assessment practices can help districts mitigate internal and external threats.

Educators are optimists, but it's important to be cautious when developing school technology initiatives and to fully assess the risks associated with any implementation. Completing a formal risk assessment gives administrators, IT leaders and teachers a more persuasive argument for adopting the technology under consideration, as well as a guide to handling unforeseen hazards.

Risk assessment involves objectively and thoroughly examining all aspects of a new initiative, identifying potential issues, and determining how to handle challenges when they arise. Often, when school personnel consider deploying new technology, their concerns can delay or derail plans to move forward. But if all stakeholders get the chance to participate in a risk assessment, they will likely support the new initiative.

Following these steps can ensure that an IT risk assessment is comprehensive and, ultimately, effective.

Assemble a Team

Recruit people who are willing to have conversations about how new technology might be used incorrectly or inappropriately. Steer clear of people who are likely to focus only on the technology's educational benefits.

Typically, principals and assistant principals are not afraid to talk about how technology can be misappropriated. Because they regularly deal with behavioral and disciplinary issues, they're more likely to bring that perspective to the process.

Also, look for people who know the technology in question extremely well. With social media, for example, students could play an essential role in the conversation, as they tend to be most familiar with such tools.

Be sure to include representatives from the stakeholder groups that most want to adopt the technology. If you're evaluating a classroom technology, for example, involve at least one teacher in the risk assessment process. That way, the risk assessment team can examine the full spectrum of the technology's use, rather than focusing on applications that may not be relevant to everyone.

Finally, don't expect every member of the IT department to know every technology inside and out. IT staff tend to be most concerned about keeping things running and may not be fully up to speed on new technologies, or the latest version or application of an old technology.

Begin Identifying Threats

Before implementing any new technology, it's important to understand potential issues that might arise in the future and determine how to address them. This phase involves identifying potential threat sources, descriptions and details.

For example, students may communicate inappropriately as a means of bullying other students. The threat source is students, the threat description is inappropriate communication and the threat detail is bullying. In order for a threat to be actionable, the technology must have vulnerabilities. In the case of Twitter, students may bully peers through direct messaging, by posting an offensive tweet or by "favoriting" or retweeting an inappropriate one. The vulnerability is the method by which the threat source (students, in this case) can bully other students.

Threat identification can be uncomfortable, as it exposes worst-case scenarios. But it's necessary in order to demonstrate that a new technology has been thoughtfully examined and to show how it can be used effectively and how inappropriate uses would be addressed.

Consider Likelihood and Potential Impacts

There are two primary methods of risk assessment: qualitative and quantitative.

4: The number of elements in a classic risk assessment. They include threats; vulnerabilities; impact to missions and business operations; and the likelihood that harm will occur.

SOURCE: Guide for Conducting Risk Assessments (National Institute of Standards and Technology, September 2012)

The qualitative method uses the following scale to measure the likelihood that a threat will happen: very low, low, moderate, high and very high. Assessing qualitatively how often an inappropriate use of technology is likely to happen is based primarily on the experience and knowledge of team members.

The quantitative method relies on data from similar incidents collected over a period of time. School districts may have extensive data regarding student attendance and achievement collected over several years, for instance, but they are less likely to have data regarding the number of bullying incidents in relation to a new social media platform such as Twitter.

Given how quickly new technologies emerge and existing ones evolve, the qualitative method often is easier and more appropriate for most school applications.

A threat's impact generally falls into one of three categories: reputation loss, monetary loss and time loss. In the bullying-via-Twitter example, the loss of reputation for the district would likely be very low or low. Monetary loss would be low as well. Time loss, on the other hand, could be moderate, as such incidents consume teachers' time, as well as that of administrators and other personnel.

Prioritize and Respond to Risks

If a risk rises above others in terms of likelihood and impact, the team should engage in risk response, which illustrates to stakeholders that the team has considered what can go wrong and identifies how the threat would be addressed if it happened.

Too often, new technology initiatives don't get implemented because decision-makers are scared off by legitimate concerns about how the technology might be used. By identifying and communicating risk responses, risk assessment teams can provide the information and reassurance decision-makers need to move forward.

Risk response refers to actionable steps that help reduce the risks created by a new initiative, including mitigation, existing controls, remaining risk and monitoring. Bear in mind that unforeseen risks may exist. For example, what if Twitter invents a new method of communicating that becomes a new vulnerability for bullying? It's incumbent on stakeholders implementing a technology to monitor that technology for new and emerging problems — and to respond accordingly, when needed.
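The steps above can be kept as a small risk register. The sketch below is an added example, not part of the original article: it records each threat's source, description, detail and vulnerabilities, rates likelihood and the three impact categories on the five-level qualitative scale, and lists the risks that call for a response. The 1 to 5 ordinals, the scoring rule (likelihood times worst impact), the threshold, the bullying entry's likelihood, and the second and third register entries are all assumptions made for illustration.

```python
from dataclasses import dataclass
# The article's five-level qualitative scale; the 1-5 ordinals are an assumption.
SCALE = ("very low", "low", "moderate", "high", "very high")
LEVEL = {name: rank for rank, name in enumerate(SCALE, start=1)}
IMPACT_CATEGORIES = ("reputation", "monetary", "time")

@dataclass
class Risk:
    source: str
    description: str
    detail: str
    vulnerabilities: list
    likelihood: str
    impact: dict  # impact category -> qualitative rating

    def __post_init__(self):
        # Reject incomplete impact entries and ratings outside the scale.
        if set(self.impact) != set(IMPACT_CATEGORIES):
            raise ValueError("impact needs reputation, monetary and time")
        for rating in (self.likelihood, *self.impact.values()):
            if rating not in LEVEL:
                raise ValueError(f"unknown rating: {rating!r}")

    def actionable(self):
        # Per the article, a threat is actionable only if a vulnerability exists.
        return bool(self.vulnerabilities)

    def worst_impact(self):
        return max(IMPACT_CATEGORIES, key=lambda c: LEVEL[self.impact[c]])

    def score(self):
        # Assumed rule: likelihood ordinal times the worst impact ordinal.
        return LEVEL[self.likelihood] * LEVEL[self.impact[self.worst_impact()]]

def prioritize(risks, threshold):
    """Return (score, risk) pairs needing a risk response, highest first."""
    ranked = sorted((r for r in risks if r.actionable()), key=Risk.score, reverse=True)
    return [(r.score(), r) for r in ranked if r.score() >= threshold]

# Constructed register; only the first entry's wording and impacts follow the article.
REGISTER = [
    Risk("students", "inappropriate communication", "bullying",
         ["direct messaging", "offensive tweet", "favoriting or retweeting"],
         "moderate", {"reputation": "low", "monetary": "low", "time": "moderate"}),
    Risk("staff", "accidental disclosure", "student names posted publicly", ["public tweets"],
         "low", {"reputation": "high", "monetary": "low", "time": "moderate"}),
    Risk("students", "file sharing", "copied homework", [], "high",
         {"reputation": "low", "monetary": "very low", "time": "low"}),
]
```

Calling `prioritize(REGISTER, 9)` returns only the bullying entry; the file-sharing entry never appears at any threshold because it lists no vulnerability.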

The Final Assessment

Risk assessment isn't new, nor does it require specific formulas to be useful. My hope is that all districts take the time to identify the risks associated with new technologies and develop methods for thoughtfully mitigating those risks and implementing those technologies. Ultimately, the students will benefit most, gaining access to resources and developing the skills and knowledge they'll need to succeed in the modern workforce.
