There are four fundamental types of risk, in the order of our vulnerability:
I. Known Known: We know what the risks are and how we are placed relative to them. (For example, exposure to cold air in early November in Kolkata, the time when the seasons change. This, we thought, is also the best time from another angle to hold the Infocon Conference on Information Security, because it is also when we get the maiden winter sweets of Kolkata.)
II. Known Unknown: We know that we do not fully know the risks. (Downloading free software from an arbitrary website.)
III. Known Unknown ++: We know that we do not know anything at all about the risk involved. (Providing sensitive banking information over the phone to a caller who says he is a bank employee.)
IV. Unknown Unknown: The most dangerous risk. We do not know that we do not know. This is the risk zone that causes the greatest harm and damage. It is in this area that all kinds of risks germinate, mutate and manifest. We just see the consequences, and then comes a reaction.
The last class of risk, in relation to Information Security, cannot be mitigated by any hardware box or AI+ software, because by definition we do not know that it exists.
Only awareness and reporting in a trusted ecosystem can fish out the “unknown unknown beast” as soon as it manifests, so that the damage is minimal.
There is no 100% and permanent information security. There is no permanent bandobast or Permanent Settlement of the kind that a British Governor-General, Cornwallis, started in Kolkata/Bengal in the eighteenth century for the harvested land of Bengal.
The settlement proved neither a settlement nor permanent.
Information harvesting needs another model of security.