Risk management is the set of processes for identifying, assessing, and taking steps to mitigate risks. Risk management pervades decision-making in all areas of both industry and private life: from a company securing a factory against theft, to each of us when we decide to install a home security system. All of these decisions are the result of risk management activities in which assets are considered and decisions are taken according to the possible losses. As a process, risk management typically comprises several phases, including risk analysis, risk mitigation, and risk evaluation and assessment.
Risk analysis is the foundation of the risk management process and is therefore critical to effectively managing risk. Not only does risk analysis drive the decision-making process, but it also provides the fundamental justification required by senior management and stakeholders when determining the safeguards to be implemented in an organization. When risk analysis is performed, accuracy is vital: only through an accurate risk analysis can the risk management process provide meaningful results. Central to the accuracy of the risk analysis is the collected data upon which the analysis is based. Unfortunately, such data is often difficult to obtain. For example, when the risk analysis concerns an organization's information security, problems include: (i) the lack of reliable empirical data about the frequency and amount of losses attributable to information security compromises, and (ii) the relative rarity of many kinds of information security compromises.
The first problem (i.e., the lack of reliable data) severely limits the accurate calculation of risk analysis profiles. Most organizations are not prepared to collect this kind of data when a loss happens, or the data is collected in an incorrect or ineffective way. Collecting data is a complex operation that requires organizations to analyze the situation and focus on the aspects of the loss that are relevant and meaningful. Usually, this effort is required immediately after a vulnerability has been exercised, which is also the time at which most of the organization's resources are directed to recovering from the compromise rather than to evaluating its costs and analyzing how it could have happened. Another factor that contributes to the lack of reliable empirical data is that organizations which possess this kind of data are normally unwilling to release it because of its extremely sensitive nature: disclosure could mean immediate losses for the organization, both economic and reputational.
The second problem (i.e., the rarity of data) stems from the fact that many compromises are simply rare, and it is not reasonable to assume that an organization has experienced them. This rarity makes such events hard to measure and quantify. While mathematical approaches are well suited to establishing the probability of randomly distributed events (such as virus infections), they fail when it comes to more unique compromises (such as insider crimes).
The two problems discussed above can, to at least some degree, be overcome by the use of collaborative approaches between organizations operating in the same industry. A collaborative approach in which organizations share their knowledge about risks, vulnerabilities, and losses could give the collected data the required consistency, both in terms of the availability and the accuracy of empirical data. Unfortunately, there are significant obstacles to such collaboration, including the availability, sensitivity, and relevancy of the data to be shared. In terms of data availability, it is common for large organizations not to collect data related to the exercise of IT security vulnerabilities. Such data collection is often not performed because it is difficult to define the kind of data that is to be collected.
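The following worked example is added here to illustrate the rarity problem of the preceding paragraph and why pooling observations across organizations, as proposed above, helps; it is not part of the original text and describes no system of the original's. It assumes, as a modelling choice, that compromises of one type arrive as a Poisson process with an unknown yearly rate, estimates that rate from observed counts with an exact Poisson confidence interval, and compares what a single organization can conclude from five years of its own data with what twenty organizations can conclude from their pooled data. All organization names and incident counts are constructed sample values.

```python
import math


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu); terms are summed in log space for stability."""
    if mu <= 0.0:
        return 1.0
    total = 0.0
    for i in range(k + 1):
        total += math.exp(-mu + i * math.log(mu) - math.lgamma(i + 1))
    return min(total, 1.0)


def _bisect(f, target, lo, hi, increasing, iters=200):
    """Solve f(mu) == target on [lo, hi] by bisection; f must be monotone there."""
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if (f(mid) < target) == increasing:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def poisson_rate_interval(events, exposure, alpha=0.05):
    """
    Exact two-sided (1 - alpha) confidence interval for a Poisson event rate,
    given `events` observed over `exposure` units of time such as organization-years.
    Returns (point_estimate, lower, upper), all as events per unit of exposure.
    """
    if exposure <= 0:
        raise ValueError("exposure must be positive")
    half = alpha / 2.0
    # Upper bound: the mean mu at which observing <= events becomes unlikely.
    hi = events + 10.0 * math.sqrt(events + 1.0) + 20.0
    mu_upper = _bisect(lambda m: poisson_cdf(events, m), half, 0.0, hi, increasing=False)
    # Lower bound: the mean mu at which observing >= events becomes unlikely;
    # with zero observed events no lower bound above zero exists.
    if events == 0:
        mu_lower = 0.0
    else:
        mu_lower = _bisect(lambda m: 1.0 - poisson_cdf(events - 1, m),
                           half, 0.0, float(events), increasing=True)
    return events / exposure, mu_lower / exposure, mu_upper / exposure


# Constructed sample data (not real figures): twenty hypothetical organizations each
# report how many incidents of one rare compromise type they saw in five years.
YEARS_PER_ORG = 5
CONSTRUCTED_REPORTS = {f"org-{i:02d}": 0 for i in range(1, 21)}
CONSTRUCTED_REPORTS["org-07"] = 1
CONSTRUCTED_REPORTS["org-15"] = 1


def compare_single_vs_pooled(reports, years_per_org, single_org="org-01"):
    """Rate interval from one organization's own data versus the pooled industry data."""
    single = poisson_rate_interval(reports[single_org], years_per_org)
    pooled = poisson_rate_interval(sum(reports.values()), years_per_org * len(reports))
    return {"single": single, "pooled": pooled}


if __name__ == "__main__":
    result = compare_single_vs_pooled(CONSTRUCTED_REPORTS, YEARS_PER_ORG)
    for label, (est, lo, hi) in result.items():
        print(f"{label:6s} estimate={est:.4f}/yr  95% CI=[{lo:.4f}, {hi:.4f}]")
```

With these constructed counts the single organization, having seen nothing in five years, can only say that the yearly rate is somewhere below about 0.74, while the pooled hundred organization-years with two incidents narrow the interval to roughly 0.002 to 0.072 per year. The interval is computed exactly from the Poisson distribution rather than from a normal approximation, which would be misleading at such small counts.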
With regard to data sensitivity, data related to IT security losses, breaches, and exploited vulnerabilities is nearly always sensitive and confidential. When inadequate security practices result in a loss for the organization, management is often concerned that the disclosure of such losses will undermine public confidence in the organization. It is not only a matter of embarrassment but also a matter of the credibility and trust that the market is willing to extend to the organization. In view of this, sensitive data can typically only be collected when one can guarantee to the organization providing the data that the data will not be disclosed in any way. This requires complete trust in the collecting agency and in its intentions for the data.
Regarding data relevancy, it is important to have the right data at the right moment. Organizations that decide to collaborate have to agree on which data and which aspects they will focus their collaboration. As the number of participating organizations grows, it becomes more difficult to unify the collaborative efforts because of the differing needs that may arise. For example, some organizations may not want to participate in certain collaborative tasks or questions.
In view of the above discussion, it can be appreciated that it would be desirable to have systems and methods that facilitate and encourage the sharing of sensitive information between organizations to assist those organizations in managing risk.