Research into an Information Security Risk Rating
The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals:
Existing risk management techniques are based on annual audits and only provide a snapshot of a partner’s security posture. However, new vulnerabilities are discovered every day, and the industry needs a solution that enables a business to continuously monitor the changing risk posture of all its partners and proactively manage assumed risks. The Phase II research objective is to build a scalable, fully-automated ratings system. The research will focus on identifying and incorporating new data sources, improving the statistical properties of the ratings model, and making the ratings predictive of future behavior.
Historically, credit scoring has been a “cost and time-saving technology” that has provided tremendous value to lenders and borrowers alike by reducing costs, predicting future performance, and improving credit accessibility and affordability. Unlike credit scoring, no industry-standard scoring service exists to rate businesses with respect to their information security risk. With Saperix’s ratings service, businesses and government will have the potential to reap the same time and cost savings that lenders do from credit scoring services. If the research is successful, Saperix’s solution would provide market incentives for improving security outcomes, which would be a significant change in how security investments are viewed by businesses.
I have no idea if this is snake oil or if it actually works, but note that this is a Phase II award. There was already a Phase I award, and the NSF must have liked the results from that.
Peter Hillier • January 25, 2012 7:05 AM
Interesting research area. I’m sure the insurance companies will love it! Just imagine, your risk rating and rates going up based on the analysis of your online exposure!