PEST analysis How To
A PEST analysis (see Wikipedia) provides a framework for identifying the macro-environmental factors that may be relevant to your organization and to the security of its information.
PEST is an acronym for:
- Political
- Economic
- Social (incl. cultural)
- Technological
Many variants exist. DESTEP, the variant used in the table below, adds Demographic and Ecological factors to the four PEST categories.
Walk through the categories in the first column and try to think of relevant issues and trends. Just jot down what comes to mind; don't overthink it. You can revisit this document later and add or refine entries as you see fit.
This analysis is about overall issues and trends. The requirements and expectations of specific groups and individuals (interested parties) are dealt with later, and specific laws and regulations are ignored for now.
Try to express each issue as a risk or an opportunity, both for your organization and for your information security. Some examples:
| Issues and Trends | Relevance to your organization | Relevance to information security |
|---|---|---|
| Demographic | ||
| Aging population | Increased competition for young talent | Users have trouble memorizing passwords |
| Internationalization of Workforce | Attract talent in a global workforce market | Employees with family living under hostile regimes may experience pressure to disclose information |
| Ecological | ||
| Global warming increases flooding risk | Offices are located below sea level | Datacenter may become unavailable |
| COVID pandemic | Increase in remote working from uncontrolled environments | Higher risks of shoulder-surfing, eavesdropping and inadequate network security |
| Socio-cultural | ||
| Less reading, more AV-media consumption | Training and instruction may need to be adapted | Consider use of media to increase security training effectiveness |
| Technological | ||
| Increase in network-enabled devices (IoT) | Employees may use IoT devices in work environment | Increase in IoT-associated risks |
| Economic | ||
| Government funding for cybersecurity awareness programme | Possibility to secure funding | Adapt in-company training to match funding requirements |
| Political | ||
| Government chooses sides in an international conflict | Organization becomes a possible target for state actors | Advanced, persistent threats against the organization's information |
| Intensified enforcement of privacy laws | Closer scrutiny, possible penalties for non-compliance | Monitor compliance across the organization |
Don't worry too much about whether an issue belongs in one category or another. The point is that you can demonstrate awareness of your environment and show that you are able to act upon it in a structured way.