Oliver Rochford

Author Archives: Oliver Rochford

IDG Contributor Network: Settling scores with risk scoring

Risk scores seem all the rage right now. Executives want to know what their risk is. The constant stream over the past few years of high-profile breaches, and the resulting class action lawsuits, negative PR, falls in share price, refused cyber-insurance payouts, and even the termination of liable executives, has made this an urgent priority. The problem is that we have not really developed a good way to measure risk.

Most risk-scoring approaches suffer from a very simple limitation: they are neither vendor-agnostic nor universal. The solution used to calculate risk is limited by the data it collects, and that data can vary widely. What is the risk score composed of? More important, what doesn't it capture? One vendor includes only network and system vulnerabilities, another bundles application vulnerabilities into the mix, and yet another adds user behaviour. Agreeing on the "right" mix still eludes us, with no authoritative standard defining what should be included. Every scoring methodology is subjective, which is surely a sign of how inherently unscientific the entire approach is.