Risk vs. Uncertainty (Part II): The Secure Print & Scan Edition

I remember once talking to a friend in HR who lamented the fact that her office didn’t have a way to securely scan or print documents. Because she worked in a department with highly sensitive data, I thought that it was strange it wasn’t made available to her.

I recommended that she put in a request to IT to see what they could do, to see if (a) the ability to securely print and scan was available, and if not, be made available; and (b) if it was available, instructions to how to use that function should be made known to the company’s employees.

The response that my friend got from IT was hugely disappointing (to us, at least): that because there wasn’t enough demand for such a service, IT didn’t feel there was a need to invest in this area.

Now, I’ve worked closely with and within IT, and I fully understand from an IT perspective that resources are highly limited (both in terms of money and time), and issues affecting only a small number of users typically shouldn’t warrant any IT investment. And to them, this was an issue that affected only a small number of users — how many people were going to be scanning or printing highly sensitive documents anyway?

But what this IT person didn’t understand was that though it was only a few people who were printing or scanning sensitive documents, these sensitive documents had the potential to impact a large number of people. HR doesn’t work for itself; it’s a supporting function dealing with (potentially) the most sensitive aspects of every employee in the company.

I had half the mind to ask my friend to tell that IT guy that the next document she prints would be his employment details. Perhaps then he would think it a worthwhile investment.

This brings me to another point about risk and uncertainty. Remember in my previous post that I mentioned that the main difference between risk and uncertainty was that the former had known odds while the latter had unknown odds?

The chance of someone seeing a document he or she shouldn’t be given privy to can be calculated. It’s a risk, and the odds are by and large calculable – it’d be something along a function of the number of people using the printer, their usage frequency and periods of printing (peak vs. off-peak periods), the number of documents that are printed (sensitive vs. non-sensitive), and the length of time sensitive documents are collected or deleted.

As the IT person had assumed, the risk of an unauthorised person viewing a sensitive document was probably quite low. Printing and scanning of sensitive documents wasn’t done particularly often, and by and large they’d be collected or deleted before they were viewed by unauthorised persons. But within this scenario lay an uncertainty: how sensitive are these documents and what’d happen if they were viewed by someone with malicious intent?

The IT person couldn’t possibly know how bad an outcome it could be if such an incident did occur. Preventing just one employee from seeing the employment details of a competing employee and finding something he or she deemed “unreasonable” or “unfair” would probably justify the costs of a printing and scanning security implementation. Imagine the costs involved in damage control.

And if you think that’s unlikely or that small employee dispute resolutions are “low cost”, how about preventing the leakage of information about an impending M&A?

In almost all cases, if a relatively low, limited cost can prevent a potentially large (and you don’t know how large), negative outcome, pay it. Make thinking of situations like these with the risk vs. uncertainty mindset and you’ll be surprised the different conclusions you may come up with.

Let me know what you think