Adoption of Risk Measures

In this project, we are examining market adoption of risk evaluation mechanisms. Through corporate interactions and analysis of historical adoption of similar risk measures in the financial sector, we are developing economic models of the risk measurement marketplace.

    Johnson speaks on vendor risk assessment at:

    DHS Software Assurance Forum, Mar 2009.

    SC World Congress, Dec 2008.

    I3P Workshop on Risk and Resilience, Nov 2008.

    WEIS 2009 paper on the Impact of Information Security Rating on Vendor Competition.

    Report on Information Risk Rating.

    Information Risk and the Evolution of the Security Rating Industry: Measuring information risk within an enterprise has proved to be challenging. While there are obvious analogies to other risk rating activities, like financial credit risk, there are important differences. We present an analysis of approaches to evaluate information risk, with particular emphasis on the development of market incentives to drive widespread adoption. Examining information risk through the lens of the debt market rating industry, we consider the possibility of market-driven mechanisms to facilitate widespread information risk rating.

    Security through Information Risk Management
    An Executive Workshop for CISOs
    October 5, 2007 - Hanover, NH

    Protecting against economically driven threats requires building security into the culture so that everyone can recognize the risks. This workshop looked at the role of CISOs and directors of information security in building a secure organization. For more, see Security through Information Risk Management, Security & Privacy Magazine, IEEE (June 2009).

    The Impact of Information Security Ratings on Vendor Competition
    Research Fellow Zach Zhou and
    Professor M. Eric Johnson examine risk rating.

    Risk assessment services and industry initiatives to develop shared assessments are becoming increasingly popular. Zhou and Johnson examine how such ratings impact vendor competition. For more, see The Impact of Information Security Ratings on Vendor Competition, Workshop on the Economics of Information Security (June 2009).

    This research is supported by the Department of Homeland Security, through the I3P.

    CISO Panel – Evaluating and Communicating Information Risk (WEIS)