Information Risk and the Evolution of the Security Rating Industry: Measuring information risk within an enterprise has proved to be challenging. While there are obvious analogies to other risk rating activities, such as financial credit risk, there are important differences. We present an analysis of approaches to evaluating information risk, with particular emphasis on the development of market incentives to drive widespread adoption. Examining information risk through the lens of the debt market rating industry, we consider the possibility of market-driven mechanisms to facilitate widespread information risk rating.
Protecting against economically driven threats requires building security into the culture so that everyone can recognize the risks. This workshop looked at the role of CISOs and directors of information security in building a secure organization. For more, see Security through Information Risk Management, Security & Privacy Magazine, IEEE (June 2009).
Risk assessment services and industry initiatives to develop shared assessments are becoming increasingly popular. Zhou and Johnson examine how such ratings affect vendor competition. For more, see The Impact of Information Security Ratings on Vendor Competition, Workshop on the Economics of Information Security (June 2009).
This research is supported by the Department of Homeland Security, through the I3P.