For a long period of time, spanning close to four decades, we at Solitaire Interglobal Ltd. (SIL) have accumulated data that allows us to calculate the exposure and risk from an operational perspective. This risk rating is used by SIL clients to understand the probability of failure and the associated costs and impacts from that failure along multiple dimensions. SIL also provides data and associated analysis for a group of insurance companies that evaluate IT and operational risk, as well as for individual clients. Over the last 10 years, the frequency that SIL has been asked to provide this information has increased dramatically as the frequency of loss, and increased scope of exposure has grown.
The primary impetus for the increased analysis need is the rapidly growing impact of failure on the line of business side of an organization. This type of risk used to group both operations and IT security. However, with the advent of more broad-reaching cyberbusiness and with active hacking groups and attack mechanisms that exist in our market today, SIL made the decision to extract, analyze and articulate this risk separately.
The driving reason for splitting the two different types of risk evaluation is the fundamental variations in the source, size, and impact pattern of the two types of experience.
The calculation of operational risk is a passive one. The combination of risk factors and the probability of damage happens in a nonadversarial space. Many times, operational risk is more about a vendor being able to deliver a product and the possible problems that a project team will encounter when deploying a new market. Risk in the sphere can focus on equipment vulnerabilities, marketing shortfalls, and other aspects of a business that are truly in the purview of IT or the line of business unit.
That is not true of the security environment. In the security world, risk is not calculated on a passive mechanism. Instead, risk within the cyberbusiness security venue is a strategic calculation of warfare. In cyberspace today, there are organizations and self-perpetuating weapons of destruction that are loosed deliberately to cause harm. The probability calculation and data needed for analysis are totally different than the passive, situational overlap analysis approach.
Instead of a convergence of weaknesses or a random but discernible pattern that can be mitigated by a variety of set strategies, the situation is instead built on the fact that someone is targeting you to cause destruction, steal information, or shut your business down.
For the last 10 years, SIL has calculated risks and exposures from a security perspective separately than from an operational one. This has allowed businesses to understand more clearly where possible financial and viability challenges may lie.
These two different forms and dynamics of risk are both important to the viability of a business doing extensive work via the Internet. Without a clear understanding and good metrics, business is trying to navigate rocky shoals in the dark. With a dynamic and ever-changing experiential base, it is extremely important that decisions that affect the containment and management of risk are based on a substantive number of experiences. Otherwise, the results are highly skewed, and the possible impact on the business may be very large.
As SIL has grown its database to trillions of comparison points, the change in accuracy and dependability has been notable. Ensuring that you have enough data backing your analysis is one of the most foundational aspects of extended analytics.
For an organization to have good information to drive its decisions, it needs to have a sufficient breadth of data and tools to convert raw experience to applicable information. Only then can the significantly different profiles of risk be combined to help build a safer pathway through the chaos of cyberbusiness. Without looking at operational and security risk, both separately and together, business is making decisions with only part of the picture.
This post will continue with CyberBusiness - Components of Risk later this week.