Risk
11/16/2012
01:25 AM
Connect Directly
RSS
E-Mail
50%
50%

Free Risk Indexing Tool Offers Start For Assessments

Ponemon and Edelman hope to offer benchmark for organizations that want to know where their data privacy risk posture stands

Organizations seeking a quantitative data privacy risk profile gut check gained a free new tool this week. Released jointly by a security research organization and a public relations firm, the Edelman Privacy Risk Index (ePRI) Powered By Ponemon Institute offers a questionnaire-based risk benchmarking calculator that takes variables like organization size, risk conditions and industry into account to provide a comparative risk score for each user.

"The real goal is to help people who are in charge of privacy and data protection at their organization understand where they are relative to other companies," says Larry Ponemon, chairman of Ponemon Institute.

Based off baselines determined through a comprehensive survey of over 6,400 corporate and security executives, the initial survey provided a risk model for privacy that could act as the framework for scoring each individual using the tool to rate their organization. Questions fall into one or more quadrants of risk factors developed by Ponemon Institute: the culture for privacy, security orientation of the organization, privacy policy orientation of the organization and data privacy practices in place.

"We basically built the model on those four quadrants, the combination of which determines what is called a PRI coefficient or index, which ranges from 0 to 100 points," Ponemon says.

In the initial scoring of the benchmarking survey participants, the lowest observed score was in the 20s, while the highest was in the 80s. The survey itself showed that over half of respondents belive their organization does not consider privacy and protection of personal information to be a corporate priority. Just over six in ten said their companies don't enforce all levels of compliance with regulations and laws. And 62% of respondents reported their organization does not have the expertise, training or technology necessary to protect personal information.

All of these answers were taken into consideration to develop the tool's framework. Those who enter their details into the tool will be compared to these ranked and rated companies to come up with their own individual PRI.

Some security pros wonder whether such a tool may give insecure businesses a false sense of hope given the comparison-based nature of the survey and the judgment-based line of questioning that asks participants how equipped they feel their organization is at addressing certain risk factors. According to Nick Cavalancia, vice president at SpectorSoft, it is common for organizations to initially over estimate their organization's readiness to address security problems without additional help delving into security holes.

"There's this false sense of security people may already have, and they may tell you 'Yes, I think we have enough resources to protect employee and customer information,' but they may really not," he says. "If the answers are accurate, then someone can gauge their risk (using the tool). But there is the possibility they can come away thinking 'I'm doing better than the norm, therefore my business is secure.'"

Ponemon emphasizes to ensure organizations get an honest picture of their true risk index, they need to have someone with a understanding of its privacy and security practices.

"The point of reference is always important any time you do a calculator," Ponemon says. "The rater doing this should be someone in privacy or data protection--you really need to understand your organization."

He also explains that the tool is in no way meant to replace an in-depth risk assessment.

"We're not a consulting firm but we know consulting firms and they have huge projects and go to an organization and spend weeks or months trying to figure out the risk issues," he says. "That's not what we're doing, but it's a good starting point. It's like taking a thermometer reading and saying 'Gee, I've got a fever.' It doesn't mean you know what's wrong but it will let you know that you're sick."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mentor
50%
50%
Mentor,
User Rank: Apprentice
11/16/2012 | 10:27:47 PM
re: Free Risk Indexing Tool Offers Start For Assessments
Good article, but where's the URL link to the tool embedded in the story? It would have been helpful and probably brought some more needed and valuable attention to the tool.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7877
Published: 2014-10-30
Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors.

CVE-2014-3051
Published: 2014-10-29
The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof s...

CVE-2014-3668
Published: 2014-10-29
Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument t...

CVE-2014-3669
Published: 2014-10-29
Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function ...

CVE-2014-3670
Published: 2014-10-29
The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly exec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.