Introduction
Information Risk Management (IRM), now acknowledged as a distinct discipline, shares certain principles with other areas within the risk management field. They also have the common goal of safeguarding assets against various known and unknown risks. However, the diversity of methods can sometimes lead to contradictions, and reaching a consensus can be challenging, even when identifying the same risk. For instance, how significant is the risk of scuba diving? And how is that even remotely connected to IRM?
People are often surprised when I tell them that one of my favorite things in life is scuba diving. Even in the Netherlands, in December, I dare into water at 4 °C wearing a wetsuit, along with experienced and jovial buddies who are over 70 years young. I believe it is one of those experiences that you only comprehend by going through it. Experience brings wisdom, which includes self-preservation and adaptive risk management.
I was impressed with the size of the scuba diving community in the Netherlands upon my relocation. I was used to the transparent, rough waters of the Atlantic, and I had never experienced a freshwater dive before. I learned some things about risk management, including IRM principles.
According to the Information Systems Audit and Control Association (ISACA), risk management “usually consists of the following processes: establishing scope and boundaries, assessing risk, treating risk, accepting residual risk, communicating risk, and monitoring” (i). This approach is very effective in understanding why this recreational activity is so relevant to the subject.
Scope and boundaries
Scuba diving is the practice of underwater diving using a self-contained underwater breathing apparatus (SCUBA). The total number of active scuba divers is unknown; however, it is estimated to be between six and nine million globally (ii), (iii), excluding professional divers such as military personnel, who are beyond the scope of this analysis.
Generally, accreditation is not required for this activity. In the Netherlands, the main non-commercial training and certification organization is the Nederlandse Onderwatersport Bond (NOB), which currently has around 13,000 members (xvi). Most certification entities recognize and offer courses of increasing complexity (e.g., deeper diving, search and rescue) or specializations (e.g., archaeology, cave diving).
This activity demands a general level of fitness from the diver. Diving associations and certification entities often require applicants to undergo a medical examination and obtain clearance.
Risk Assessment
Recreational scuba diving has been viewed inconsistently as either a safe activity or a high-risk sport (iv) over the years, while the definitions of “high-risk” and “extreme” sports have also been debated. Scuba diving takes place in an “unnatural” environment, meaning an activity where humans would not be able to participate without equipment; thus, the environmental context is crucial. Nevertheless, the criterion most commonly used to assess the likelihood of high-risk sports is the fatality rate.
Although there is conflicting data among sources – similar to most activities where there is no obligation to report incidents – Cohen et al. (v) demonstrate that the fatality rate in scuba diving is lower than that of several other activities (activity: high-risk evidence indicated by mortality statistics):
Activity | Fatality rate
Base jumping | 1:60
Hang gliding | 1:560
Boxing | 1:2,200
Canoeing | 1:10,000
Scuba diving | 1:34,400
A fatality is hence almost 16 times more likely in boxing than in scuba diving.
According to the Divers’ Alert Network (DAN) (vi), 130 diving-related deaths were recorded (vii) (excluding free divers). From a sample of medical examiners’ reports, the most common causes of death (impact) were drowning and cardiac arrest, among others. The report also found that most scuba fatalities occur among older divers and are linked to health and fitness issues, which we can consider a vulnerability.
Overconfidence bias also plays a role; Buzzacott et al. reported that the fatality rate in cave diving (1969-2007) was higher for trained than for untrained divers (ix). A similar pattern is evident in the Netherlands. According to the latest report by the Duik Ongevallen Statistiek & Analyse (DOSA) (xviii), concerning 2023, two fatalities were registered from the 37 incident reports received. The ages of the divers involved in the 37 incidents are mostly unknown; however, the highest known age range is between 61 and 70 years. Regarding diving experience, since 2022 the incidents have primarily involved diving instructors or divers with over one thousand logged dives (xvii).
Hence, scuba diving is an activity with relatively low likelihood and high impact.
The threat factors or vectors are numerous beyond the “unnatural” context. Regarding the root cause of incidents, a myriad of issues can arise during a simple dive, including environmental conditions such as changes in currents, equipment failure, collisions with vessels, hypothermia, and many others. A rapid ascent can be fatal due to decompression sickness. Many incidents occur due to circumstances before or after the dive, and DAN has published a risk assessment guide for operators of scuba diving activities that encompasses many more factors (x).
So, why is the fatality rate not even higher? This is where risk management comes in.
Risk treatment
Considering the potential impact of an incident, trained and compliant scuba divers generally have a low appetite for risk, despite the activity. Therefore, they are more likely to reject and mitigate a risk than to accept it. Risk transfer may also occur in the case of agreed procedures with the diving partner (buddy). In any case, the strategy that defines the controls can be summarized in the following axioms:
1. Self- and context awareness
Knowing your limits is truly vital. It never gets old to remember that one should not push the limits when scuba diving. This means, for instance, not diving deeper than you are trained for, thus avoiding narcosis and other – sometimes lethal – complications. Context awareness is equally important. It is obvious that one should not dive during a hurricane. But less obvious is the question: did you look upwards when you walked into the place you are now? While diving, you need to be aware of what is happening beneath, around, and above you. When ascending after a dive, looking up mitigates the risk of an accident with a vessel.
In IRM, it is essential to be aware of your limits as a practitioner when performing a specific assessment. New technologies and their associated vulnerabilities, which you may not be familiar with, can hinder your judgement regarding a specific threat. For instance, Generative Artificial Intelligence (GenAI) presents specific risks that differ from those of previous technologies. Failing to update your knowledge base may impact your ability to identify risks related to data or model leaks. If you experience “tunnel vision” due to automated risk assessments, you might underestimate the likelihood or impact, or both. Understanding your limits is crucial here, as well as recognizing those of the organization you are assessing. For example, the tone at the top may be “suddenly” affected by the Dunning-Kruger effect, with management ignoring or downplaying a “Black Swan Event” (xi) that ultimately materializes.
Regarding contextual awareness, legal and regulatory requirements represent some of the most evident parallels, as does the economic climate that may influence investment in beneficial mitigation safeguards (e.g., an Intrusion Detection System). Additionally, technological debt will lead to future problems. Less frequently considered is the social climate: high turnover may elevate the risk of credential abuse; employee dissatisfaction could increase the likelihood of insider threats; and economic recession might result in cases of bribery.
To overcome our blind spots, we need to remember to look up. But not while walking, preferably.
2. Reciprocity and trust
It is a general rule that divers should always dive together, most commonly in pairs. If a risk arises during the dive, such as equipment failure leading to air deprivation, having someone to assist with a spare source of air is vital. Being reciprocal during a dive – adjusting to the same speed and technique and taking proper care – makes all the difference.
The Dutch expression “check de stek” to plan the dive (route, duration, depth, emergency procedures, amongst others) and the “buddy check” (a systematic pre-dive check of equipment and review of signals) are great collaborative practices and reinforce the trust the divers have in themselves and in their buddies.
IRM is also about teamwork. A good risk assessment relies on insights from various parts of an organization. Legal, procurement, and operations are essential allies in considering information risks and their possible treatment options, which adds value to the process. A holistic view of a risk enables stakeholders to make informed decisions. For that, you need those allies: key individuals within the organization with whom you build a relationship of trust. In the worst-case scenario, they will support you in discussing a potential workaround during that Board meeting. You should be prepared to reciprocate for them as well. At the same time, you must ensure that decision-makers can trust you to fulfill the responsibilities assigned to you.
Another valuable recommendation is to regularly ask decision makers about their risk appetite and current and future strategy, allowing you to adapt your analysis accordingly. This will prevent dissonance and loss of trust when expectations diverge. Additionally, the journey is much more interesting with companionship – both in diving and in conducting a risk assessment.
3. Redundancy, redundant redundancy
What also makes scuba diving a safer activity than initially assumed is the redundancy. A good diving course teaches that there are plans B and C for everything. For instance, each diver carries two regulators (breathing devices); should one fail, there is a spare. If both fail, there are protocols for sharing air with a buddy during the ascent. In situations where a diver is impaired due to equipment failure or is not feeling well, the buddy knows how to agree on a controlled ascent. If a diver is unconscious, the buddy knows how to perform an assisted emergency ascent. There are also established strategies, such as carrying a knife, in case divers encounter entangling fishing nets.
When treating a risk through mitigation, controls should be implemented in proportion to the risk. Despite the historical efficiency of any control, “one should not put all the eggs in one basket”; investing in a single control to mitigate a critical risk is not advisable. A better practice is to adopt a layered approach and explicitly consider workarounds and detection mechanisms that can alert to control failure. For example, if a hospital “hides” a patient database behind a single firewall solution, the risk may not be adequately mitigated. Additional mechanisms, such as network segmentation, encryption, and proper access control, will provide compensating layers against the potential failure of the primary control.
4. Avoidance of the “sunk cost effect” (no pun intended)
Even when the plan is prepared or the dive site is a familiar one, a single dive requires groundwork, particularly regarding the equipment. Even with careful planning, a dive can be canceled for several reasons: a stuffed nose, strong winds, or lightning storms.
After all the preparation, the effort to load the equipment into the car and reach the diving site, facing one of these unforeseen circumstances is disappointing. While it may be tempting to insist on proceeding with the dive no matter what, it is essential to be sensible and adjust the plans – either by trying another site or calling it a day.
In the past century, several studies have focused on the attempt to make the most of a loss or the perspective of loss. Daniel Kahneman and Amos Tversky, with their thesis on “prospect theory” (xii), laid the groundwork for Richard Thaler to introduce the concept of the “sunk cost effect” (xiii), which refers to the tendency to irrationally continue investing in something due to the resources already spent. For example, we might insist on wearing uncomfortable shoes simply because we purchased them on a whim.
Insisting on the dive despite adverse conditions increases both the likelihood and the impact of the related risks, regardless of all the controls implemented to mitigate them. A simple stuffed nose may lead to pain, barotrauma, or worse, due to the inability to equalize the eardrums with the Valsalva maneuver (i.e., not being able to control the pressure in the ears because of inflamed sinuses).
The “sunk cost effect” here creates a situation of control risk, which ISACA defines as “risk that assets are lost/compromised (…) due to a lack of, or ineffective, design and/or implementation of internal controls” (xiv).
This deeply resonates with information risk management. A hypothetical scenario would be:
- The commercial department in an organization decides to procure a Software-as-a-Service (SaaS) solution to manage non-critical, non-personal data.
- The information security team assesses it and determines that it represents low risk, as long as it is not used otherwise, because the solution is not secure enough to process more than non-sensitive data.
- The organization acquires and implements the solution with proportionate controls.
- The commercial department realizes it needs a similar solution that includes critical and personal data processing; however, it has already signed the contract for the first solution and invested its budget in it. The organization decides to use the same solution for critical and personal data processing.
- For malicious actors, the solution becomes increasingly appealing to attack (likelihood), and the potential consequences rise (impact).
- The risk materializes, and the board wonders how such a solution could be considered low risk.
The controls to mitigate a risk function effectively only if the circumstances remain consistent with those considered in the initial risk assessment. This emphasizes the importance of a dynamic risk management life cycle. The outcome of a risk assessment should not be regarded as a permanent carte blanche to address changing risks. If the context shifts, a reassessment is necessary.
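The scenario above can be made concrete as a small model of a risk register entry that records the context it was assessed under and flags when that context drifts. This is an added example, not code from the article or from ISACA; the classification scale, the 5x5 scoring rules, the banding thresholds, and the system name `crm-saas` are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class DataClass(IntEnum):
    """Constructed four-step classification scale; the article itself only
    distinguishes 'non-sensitive' from 'critical and personal' data."""
    PUBLIC = 1
    INTERNAL = 2
    PERSONAL = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Context:
    """The facts a risk rating was based on. Frozen, so the record of what was
    assumed at assessment time cannot be silently edited later."""
    system: str
    data_class: DataClass
    internet_facing: bool
    users: int


def likelihood(ctx: Context) -> int:
    """1-5. More valuable data makes the system a more attractive target;
    internet exposure adds one step. Scoring rules are constructed."""
    score = int(ctx.data_class)
    if ctx.internet_facing:
        score += 1
    return min(score, 5)


def impact(ctx: Context) -> int:
    """1-5. Driven by the data classification; a large user base adds one step."""
    score = int(ctx.data_class)
    if ctx.users > 1_000:
        score += 1
    return min(score, 5)


def rating(ctx: Context) -> tuple:
    """Likelihood x impact on a 5x5 matrix, banded into Low / Medium / High."""
    score = likelihood(ctx) * impact(ctx)
    if score <= 6:
        return score, "Low"
    if score <= 12:
        return score, "Medium"
    return score, "High"


@dataclass
class Assessment:
    assumed: Context   # the context the rating is valid for ("as long as ...")
    score: int
    label: str


def assess(ctx: Context) -> Assessment:
    score, label = rating(ctx)
    return Assessment(ctx, score, label)


def check_for_drift(assessment: Assessment, current: Context) -> tuple:
    """Compare the system's current context with the one that was assessed.
    Returns (needs_reassessment, names of the fields that changed)."""
    changed = [
        name for name in ("data_class", "internet_facing", "users")
        if getattr(current, name) != getattr(assessment.assumed, name)
    ]
    return bool(changed), changed


# Constructed scenario following the article: the SaaS tool is approved for
# non-sensitive data, then repurposed for critical and personal data.
INITIAL_CONTEXT = Context("crm-saas", DataClass.INTERNAL, True, 200)
CHANGED_CONTEXT = Context("crm-saas", DataClass.CRITICAL, True, 200)


def run_scenario():
    original = assess(INITIAL_CONTEXT)
    drifted, fields = check_for_drift(original, CHANGED_CONTEXT)
    current = assess(CHANGED_CONTEXT) if drifted else original
    return {
        "original": original.label,      # "Low"
        "drift_detected": drifted,       # True
        "changed_fields": fields,        # ["data_class"]
        "reassessed": current.label,     # "High"
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the frozen `Context` is that the "Low" verdict is stored together with the assumptions it rests on; `check_for_drift` is the periodic step of the life cycle that turns a change in data classification into a forced reassessment rather than an inherited carte blanche.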
5. Netherlands’ special: SADD!
The last tenet is Dutch specific. In case of an incident, you should (be) SADD.
SADD stands for Stop, Adem, Denk, Doe (Stop, Breathe, Think, Do). Many scuba diving incidents are related to panic. Regardless of the controls in place to mitigate risks, incidents may still occur. Therefore, it is vital to stop the activity to regain control or contain secondary consequences, reassess the situation, and implement the necessary measures to resolve the incident.
The NotPetya attack wave echoed the idea that panic can exacerbate the impact of an event. In 2017, organizations rushed to unplug their systems from the network; in hindsight, this may have been counterproductive. The Cybersecurity and Infrastructure Security Agency (CISA) provides detailed guidance on the measures that should be taken in the event of a ransomware infection, including the order in which they should be executed, and emphasizes the importance of isolating compromised systems before disconnecting them (xv). An organization will benefit from having such playbooks for various scenarios in case “everything” (the whole control strategy) fails.
Where all roads meet
The previous exercise demonstrated that there is common ground between diverse disciplines such as sports activity and IRM. This is primarily due to IRM’s broad scope within the risk management field. Essential practices can be extrapolated from one discipline to another and still make perfect sense, facilitating the potential creation of a unified framework. However, the number of standards and frameworks used to assess information risk is increasing, as indicated by this non-exhaustive list (excluding local frameworks such as EBIOS and MAGERIT):
Entity | Framework / Standard / Guidance
British Standards Institution (BSI) | BSI Standard 200-2 – general requirements for an information security management system (ISMS)
Carnegie Mellon University | OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
Committee of Sponsoring Organizations of the Treadway Commission (COSO) | COSO ERM (Enterprise Risk Management) Framework
European Commission | MONARC – Method for Organizing Network and Information Security Risk Assessment
European Telecommunications Standards Institute (ETSI) | ETSI TS 102 165-1 – guidelines for threat, vulnerability, and risk analysis
European Union Agency for Cybersecurity (ENISA) | ENISA Risk Management Framework
FAIR Institute | FAIR (Factor Analysis of Information Risk)
Information Systems Audit and Control Association (ISACA) | COBIT (Control Objectives for Information and related Technology); ISACA Risk IT Framework
International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) | Information security, cybersecurity and privacy protection: ISO/IEC 27001 – Information security management systems: Requirements; ISO/IEC 27005 – Guidance on managing information security risks
Information Security Forum (ISF) | Information Risk Assessment Methodology 2 (IRAM2)
National Institute of Standards and Technology (NIST) | NIST Cybersecurity Framework; NIST SP 800-37 Rev. 2 – Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy; NIST SP 800-39 – Managing Information Security Risk: Organization, Mission, and Information System View
Additionally, it is becoming increasingly common for commercial entities to develop their own frameworks based on machine learning systems.
The recommended choice, when there are no preferences or requirements to select one, is to adopt what most have in common at a high level and complement that adoption with the particularities of each approach. For instance, using the NIST CSF while quantifying risk with the help of FAIR.
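Two earlier points can be tied together with a FAIR-style calculation: the hospital database example under “Redundancy”, where a single firewall is compared with layered controls, and the suggestion here to quantify risk with FAIR. The Monte Carlo below estimates annualized loss exposure (ALE) as threat event frequency x vulnerability x loss magnitude, where vulnerability is the probability that every control layer fails. This is an added example, not code from the article or from the FAIR Institute; the three-point estimates, the per-control failure probabilities, and the independence assumption between layers are all constructed for illustration.

```python
import random
import statistics

# Constructed estimates for illustration only (not figures from the article or
# from any FAIR study). Each range is (minimum, most likely, maximum), the
# three-point form in which a FAIR-style analysis elicits them.
TEF_RANGE = (2.0, 6.0, 20.0)                     # threat events per year
LOSS_RANGE = (50_000.0, 400_000.0, 3_000_000.0)  # euro loss per loss event

# Assumed probability that each control, on its own, fails to stop an attempt.
SINGLE_CONTROL = {"firewall": 0.20}
LAYERED_CONTROLS = {
    "firewall": 0.20,
    "network segmentation": 0.30,
    "database encryption": 0.25,
    "access control": 0.30,
}


def vulnerability(controls):
    """FAIR 'vulnerability': probability that a threat event becomes a loss
    event. With layered controls every layer has to fail, so the failure
    probabilities multiply. Assumes the layers fail independently."""
    v = 1.0
    for p_fail in controls.values():
        v *= p_fail
    return v


def _sample_three_point(rng, three_point):
    """Draw from a triangular distribution given (min, mode, max).
    random.triangular takes its arguments in the order (low, high, mode)."""
    low, mode, high = three_point
    return rng.triangular(low, high, mode)


def simulate_ale(controls, trials=20_000, seed=7):
    """Monte Carlo estimate of annualized loss exposure (ALE).

    LEF = TEF * vulnerability and ALE = LEF * loss magnitude; TEF and loss
    magnitude are sampled independently from their three-point estimates.
    Returns the percentiles a decision maker would typically be shown."""
    rng = random.Random(seed)
    vuln = vulnerability(controls)
    samples = sorted(
        _sample_three_point(rng, TEF_RANGE) * vuln * _sample_three_point(rng, LOSS_RANGE)
        for _ in range(trials)
    )

    def pct(p):
        return samples[int(p * (trials - 1))]

    return {
        "vulnerability": vuln,
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "mean": statistics.fmean(samples),
    }


def compare(trials=20_000, seed=7):
    """Run both control sets with the same seed, so the sampled threat events
    and loss magnitudes are identical and only the control set differs."""
    single = simulate_ale(SINGLE_CONTROL, trials, seed)
    layered = simulate_ale(LAYERED_CONTROLS, trials, seed)
    return {
        "single": single,
        "layered": layered,
        "p50_reduction_factor": single["p50"] / layered["p50"],
    }


if __name__ == "__main__":
    result = compare()
    for name in ("single", "layered"):
        r = result[name]
        print(f"{name:8s} vulnerability={r['vulnerability']:.4f} "
              f"ALE p10={r['p10']:,.0f} p50={r['p50']:,.0f} p90={r['p90']:,.0f}")
    print(f"median exposure reduced by a factor of {result['p50_reduction_factor']:.1f}")
```

With these constructed inputs, vulnerability drops from 0.20 for the lone firewall to 0.0045 for four independent layers, so every percentile of the exposure distribution shrinks by the same factor of about 44. The independence assumption is the caveat to state when presenting such numbers: layers that share a failure mode (the same credentials, the same administrator, the same misconfiguration) do not multiply this cleanly, which is exactly why the article also asks for detection mechanisms that alert when a layer has failed.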
In terms of common topics, the following are omnipresent:
- risk management steps, including identifying, assessing, mitigating risks and implementing controls;
- ongoing evaluation and improvement of information security practices to adapt to changing threats and vulnerabilities;
- references to applicable legal, regulatory, and industry standards;
- the role of Policy (including documentation, reporting) and Governance;
- recommendations regarding training, awareness, and stakeholder engagement;
- focus on asset management;
- reference to incident management.
IRM, due to its broad scope, can be extrapolated to many other areas of interest. Hence, it is possible to standardize the IRM practice by focusing on the common points of all the available information risk management frameworks: know the risk, assess it with different lenses, create an action plan, enact the action plan, rinse and repeat.
Sources and references
i. ISACA (2014). CISM® Review Manual 2015. ISACA.
ii. Diving Equipment & Marketing Association (DEMA) (2024). 2024 Fast Facts: Recreational Scuba Diving and Snorkeling. https://www.dema.org/store/download.aspx?id=7811B097-8882-4707-A160-F999B49614B6
iii. Dixon, J. (May 2022). “Diving Deeper. Understanding Scuba in Underwriting”. SCOR. https://www.scor.com/en/expert-views/diving-deeper-understanding-scuba-underwriting (This and the following URLs were last accessed in January 2025.)
iv. “Hazardous hobbies like scuba diving”. GoCompare. https://www.gocompare.com/life-insurance/providers/aig/
v. Cohen, R., Baluch, B. and Duffy, L.J. (2018). “Defining Extreme Sport: Conceptions and Misconceptions”. Frontiers in Psychology, 9:1974. doi: 10.3389/fpsyg.2018.01974
vi. DAN is a non-profit organization that provides emergency medical assistance, promotes dive safety through research and education, and supports divers in need of medical help.
vii. Tillmans, F. (ed.) (2021). DAN Annual Diving Report 2020 Edition: A report on 2018 diving fatalities, injuries, and incidents. Durham, NC: Divers Alert Network.
viii. In terms of injuries, the Professional Association of Diving Instructors® (PADI) summarised the statistics of estimated average annual ER admissions (US, 2016-2020) per sporting activity, for instance: Swimming: 101,822; Golf: 36,616; Bowling: 15,055; Scuba diving: 1,569. In Denny, M. (2017, updated 2021). “Is Scuba Diving Safe?”. PADI. https://blog.padi.com/scuba-diving-safe/
ix. Buzzacott, P.L., Zeigler, E., Denoble, P. and Vann, R. (2009). “American Cave Diving Fatalities 1969-2007”. International Journal of Aquatic Research and Education, Vol. 3, No. 2, Article 7. DOI: https://doi.org/10.25035/ijare.03.02.07. Available at: https://scholarworks.bgsu.edu/ijare/vol3/iss2/7
x. Burman, F. (2019). Risk Assessment Guide for Dive Operators and Professionals. DAN. https://apps.dan.org/
xi. A Black Swan event, a concept introduced by Nassim Nicholas Taleb, refers to an extremely rare and unforeseen event that has significant and widespread consequences. Such events are characterized by their unpredictability, massive effects, and the tendency for people to rationalise them as predictable after they happen, such as the COVID-19 pandemic.
xii. Prospect theory refers to the effect that people value potential losses more than potential gains of equal size, and that they tend to make decisions based on perceived gains and losses relative to a reference point rather than absolute outcomes. In Kahneman, D. and Tversky, A. (March 1979). “Prospect Theory: An Analysis of Decision Under Risk”. Econometrica, Vol. 47, No. 2. The University of British Columbia and Stanford University. https://web.mit.edu/curhan/www/docs/Articles/15341_Readings/Behavioral_Decision_Theory/Kahneman_Tversky_1979_Prospect_theory.pdf
xiii. Thaler, R. (1980). “Toward a positive theory of consumer choice”. Journal of Economic Behavior and Organization, 1, pp. 39-60. North-Holland.
xiv. ISACA (n.d.). Glossary. https://www.isaca.org/resources/glossary
xv. Cybersecurity and Infrastructure Security Agency (CISA). StopRansomware guidance. https://www.cisa.gov/stopransomware/ive-been-hit-ransomware
xvi. Nederlandse Onderwatersport Bond (NOB). https://onderwatersport.org/de-nob/
xvii. AAVV (November 2024). Sportblessures in Nederland: Cijfers 2023, Rapport 1007. https://www.veiligheid.nl/sites/default/files/2024-12/veiligheidnl_cijferrapportage_sport_2023.pdf?_gl=1*srqf7i*_up*MQ..*_ga*OTMyMDMwODcuMTczODA4MDQ2Ng..*_ga_RFJ7YRGMBP*MTczODA4MDQ2Ni4xLjEuMTczODA4MDU1MC4wLjAuMA..
xviii. DOSA (2024). Analyserapport 2023. https://duikongevallen.nl/wp-content/uploads/2024/12/Analyserapport-2023-Definitief.pdf
Disclaimer
The author of this article does not present any conflict of interest or intentions to sell or advertise products or services.
The author alone is responsible for the views expressed in this article and they do not necessarily represent the views, decisions or policies of the ISACA Netherlands Chapter. The views expressed herein can in no way be taken to reflect the official opinion of the board of ISACA Netherlands Chapter.
All reasonable precautions have been taken by the authors to verify the information contained in this publication. However, the published material is being distributed without warranty of any kind, either expressed or implied. The responsibility for the interpretation and use of the material lies with the reader. In no event shall the authors or the board of ISACA Netherlands Chapter be liable for damages arising from its use.