Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Tuesday, January 27, 2009

WEIS 2009 – Workshop on the Economics of Information Security

WEIS 2009 is a workshop focusing on the Economics of Information Security, including Economics of Privacy:

“The 2009 Workshop on the Economics of Information Security invites original research papers focused on any aspect of the economics of information security, including the economics of privacy. We encourage economists, computer scientists, psychologists, business and management school researchers, law scholars, security and privacy specialists, as well as industry experts, to submit their research and attend the Workshop”.

Paper submissions are due by 28 February 2009.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: my original HP blog can be found here ---

Monday, January 12, 2009

“Risk Taxonomy Technical Standard” Published by Open Group

The Open Group has recently released a “Risk Taxonomy Technical Standard”, which aims to bring some clarity to the terminology and concepts of risk and risk management by introducing a taxonomy: a set of definitions and the relationships between them.

Ian Dobson, who announced this release, wrote:

“I'm pleased to announce that the Security Forum's Risk Taxonomy technical standard (C081) is now published. It is freely available from The Open Group's Online Bookstore. Through the link below you can either download the file, or read it on-line:
http://www.opengroup.org/onlinepubs/9699919899/toc.pdf

This Risk Taxonomy standard provides a taxonomy describing the factors that drive risk - their definitions and relationships. It also provides an overview on how to use the taxonomy. It responds to the problem that the risk management community worldwide has not yet adopted a consistent definition for even the most fundamental terms in its vocabulary - e.g. threat, vulnerability, even risk itself.
This Risk Taxonomy provides the necessary foundation vocabulary, based on a fundamental analysis of what risk is, and then shows how to apply it to produce the objective, meaningful, and consistent results that business managers need in order to make informed business decisions on how to manage risk.

The intended audience for this standard includes anyone who needs to understand and/or analyze a risk condition. A particular feature of this taxonomy is that it is not limited to application in the information security space; it can be applied to any risk scenario. This scenario-agnostic characteristic enables the taxonomy to be used as a foundation for normalizing the results of risk analyses across varied risk domains.”


Tuesday, January 6, 2009

Economics of Identity Management & Risk-driven Identity Management

Kim Cameron’s post called “The economics of vulnerabilities …” highlights a few key points made in Gunnar Peterson’s notes about the importance, when making security decisions, of taking into account (1) the assets at stake in an organization and (2) their value.

Specifically, I found the following point very interesting:

“… If you are like most businesses you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!”.

I tend to agree that, quite often, decisions and investments made in the security space are not really driven by risk management and/or “value-at-risk” criteria.

This is also true in the Identity Management (IdM) space. Quite often the starting point, when making investment decisions in this field, is purely the IdM functionalities and the “general” added value they could provide to a business. It would help to couple this with an analysis of the actual business assets at stake that are to be protected (business processes and services, information, etc.), their value, the threats they face and the related risks.

As previously mentioned in my blog, I believe that we should start discussing the “Economics of Identity Management” in the wider context of the “Economics of Information Security”.

In the medium/long run, what are the consequences (in terms of costs, risk exposure, usability, agility, reputation loss, etc.) of decisions made in the space of identity management, given the context and the assets involved? What are the feasible trade-offs and available options? Which key factors are truly relevant and need to be taken into account to make informed decisions?

So far, I have found no major discussions about the “Economics of Identity Management” and the points above. I am very keen to get your input, observations and links.

In the context of the Identity Analytics R&D project, I am indeed interested in researching and exploring this area.


Sunday, January 4, 2009

Entitlement Management: Any Study/Factual Data about their Impact on Enterprises?

Entitlement Management solutions aim, in a nutshell, at ensuring that the right people (users) have the right access, at the right time, to (sensitive) enterprise resources, by factoring in business, legislative and security requirements and constraints.

Usually a centralized approach is proposed as a way to ensure up-to-date control and management of access rights, coupled with automated provisioning of user accounts and management of their lifecycle.

I am looking for any type of study, survey or data that provides some factual information about the impact that “entitlement management” has within enterprises (e.g. in terms of handling/improving access control, costs, governance, etc.), compared with more traditional, ad-hoc approaches (e.g. relying on ad-hoc systems to manage users’ rights and the related access control).

Any pointer to material on this topic would really be welcome.
