IT Audit Technology Risk: Knowns and Unknowns

Information security
Author: Robin Lyons, Principal, IT Audit Professional Practices, ISACA
Date Published: 21 December 2020

Knowns and unknowns. In a game of word association, some may think of the US National Aeronautics and Space Administration (NASA). It was an associate administrator from NASA’s Office of Safety and Mission Assurance who heightened awareness of known/unknown risks in a 2003 presentation on safety and mission success. It may have been, however, former US Secretary of State Donald Rumsfeld who truly elevated the known/unknown risk paradigm. He said that “there are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.” These two examples are fairly recent, but the paradigm (based on the Johari Window Model) was actually created by two psychologists (Joseph Luft and Harry Ingham) in 1955 as a self-awareness and communication model. Interestingly, this model has been applied not only to the space industry and politics, but also to risk management.

In the IT Audit’s Perspectives on the Top Technology Risks for 2021 study, Protiviti and ISACA assessed the responses of global IT audit and risk leaders to survey items on technology risk issues. In the survey, respondents were asked to rate the digital maturity of their organizations; these ratings were then used to define levels of digital maturity. The levels ranged from organizational “Digital Skeptics,” whose digital plans and initiatives are in their infancies, to “Digital Leaders” at the other end of the spectrum, who have experience incorporating digital aspects into their strategic plans. In the study, Protiviti and ISACA noted that “organizations outside the Digital Leader group may have less visibility into what they don’t know.”

This insight from the study is very relevant because as a trusted advisor to an organization, an internal IT auditor strives to avoid not knowing about something that could adversely affect an organization. So, what could the auditor not know? Looking at this from the Johari Window Model perspective, the auditor may be faced with known-unknowns. That is, the auditor is aware of a threat but the magnitude or other elements of the associated risk may not be apparent. On the other hand, unknown-unknowns are risks that the auditor has no visibility into as the auditor does not know that the risk exists.

Organizations that have not yet achieved Digital Leader maturity do not yet have the benefits of continuous improvement based on lessons learned and predictive indicators. So, as those organizations continue to move toward Digital Leader maturity, there are steps that IT auditors can take to mitigate the chance of being caught off guard by an unknown-unknown. These include:

  • Performing continuous technology risk assessments. As organizations continue to embrace new technologies, the audit function should ensure that the risk assessment process is dynamic. This will facilitate identification of new risks and incorporation of them into the existing risk management program. Continuous technology risk assessment also ensures that longer-term foundational risks that present less risk in the current risk environment do not evolve into high-velocity risks because they are not being monitored.
  • Leveraging frameworks for unplanned risks and events. A framework such as COBIT 2019® supports strategic planning which, when coupled with continuous technology risk assessment, allows an organization to ask the question, “What technological threats could delay or hinder achievement of our goals and objectives?” This integrated approach may go a long way in organizations being better prepared for unknown risk.

IT auditors can monitor known-unknowns and provide preliminary guidance on how to mitigate the unknown elements (e.g., what areas of the business may be impacted and an estimate of how significant the impact might be). But it is the unknown-unknowns that are troubling because, ultimately, an unknown-unknown is an unmitigated risk. IT auditors can work to minimize the chance of an organization being broadsided by an unknown-unknown by integrating consideration of enterprise needs in the continuous technology risk assessment process. The Johari Window Model may have started as a framework to develop self-awareness and communication skills, but its tenets can be leveraged by IT auditors to focus consideration of unknown-unknowns, and subsequently increase visibility into what their organizations don’t know.