Even with strong security, e-business risk is a fact of life in today's interconnected business world. But the fundamental problem with managing this new form of business risk, say IT managers, is that there are no metrics and no standards to measure the level of risk.
Nevertheless, your board of directors needs to see that those bits and bytes they call "just data" are really the corporation's lifeblood. And they must get their arms around the ultimate cost to the business if that data were lost, stolen or altered.
"We need to make a model where e-business risk is wrapped in the cost of doing business - like automobiles [that] transfer regulatory costs to the consumers," says Frank Reeder, who chairs both the computer system security and privacy advisory board at the U.S. Department of Commerce and the Center for Internet Security in Bethesda, Md.
But quantifying risk calls for statistics and benchmarks, things that are sorely lacking in this new era of e-business, says Paul Raines, head of global information risk management at Barclay's Capital, the investment division of Barclay's Group PLC in London.
"Most risk models so far have been qualitative: Define your assets by classifying your data sensitivity; define your risks [for] theft, disaster, hacking. Then you evaluate your site against these risks," Raines says. "To develop a quantitative model, you need data to determine chance and frequency. The problem is, there hasn't been historical data to draw from. The equivalent of actuarial tables will help."
The amount of data gathered concerning e-business risk is nowhere near the amount gathered during 100-plus years of the automobile. But business risk managers are currently looking at e-business risk as another element of business risk. In so doing, they're developing some early standards and metrics that will ultimately make it easier for business leaders and IT managers to understand and evaluate e-business risk.
For starters, regulators and standards bodies are developing best practice guidelines for information security, a crucial first step in building a framework for metrics. Insurers are selling e-business security and liability insurance, so they're already attaching a price to some risks. Private incident-response centers are gathering and publishing statistical data on the frequency of certain events that could expose risk. And internal auditors are beginning to define e-business risk for their boards of directors.
Managing risk starts with security standards and best practices, says Mark Rasch, vice president of cyberlaw and global integrity at Predictive Systems Inc., an e-business services company in New York.
And IT managers shouldn't have any trouble finding security standards anymore. For example, the Bethesda, Md.-based IT education group SANS Institute and a new nonprofit standards group, e-Security.org, are collecting data on best practices and publishing a growing set of guidelines that identifies the following as top-level risk areas: connected computers on the other side of the Internet (such as Web sites and business partners) and the integrity of the information on a Web site and its impact on corporate reputation.
And last month, the International Organization for Standardization approved a security standard that grew out of one used in Britain. This new standard includes a certification program in the areas of policy, asset classification, allocation of security resources and responsibilities, systems and network security, government compliance, physical security, employee training and awareness and access controls.
Visa International Inc. in Foster City, Calif., and American Express Co. in New York are also throwing their weight into security standards by making them mandatory for their electronic merchants. Their requirements are a little broader, encompassing mostly server-side credit card processing and storage, access controls and encrypted tunnels. Analysts say these efforts will go a long way toward setting up future risk frameworks in the business-to-consumer market.
"I consider the reach of Visa much stronger than any government agency or security company, because credit companies can say, If you don't follow our security policies, you can't process our cards,' " says Pete Lindstrom, an analyst at Boston-based Hurwitz Group Inc.
The quest for data
One of the best places to begin looking for data and metrics is the insurance industry. A handful of business insurers, including The Fidelity and Deposit Cos. in Baltimore and American International Group Inc. (AIG) in New York have already started insuring against e-business risk and building actuarial tables.
AIG, for example, offers three areas of risk insurance: The first, says underwriting director Matthew Berman, is media liability (broadcast of information on the Web site), which covers US$500,000 in losses with premiums starting at $3,000. For 1 to 3 cents on every dollar of coverage, AIG also covers network security insurance against hackers, business interruption, theft of intellectual property and downstream liability. The average coverage is $1 million. A third program insures professional services like Internet service providers and data management centers for similar premiums.
But e-business insurance program managers at AIG and Fidelity and Deposit say they don't yet have metrics for frequency, cost and probability because they've had no claims. Nor do they have a lot of customer data or actuary information. Each of these two insurers has fewer than 50 e-business risk customers. And the actuarial tables for those clients are all custom-made.
"These insurance products are so new, the $64,000 question is: Are we charging the right premium for the exposure?" says Dave O'Neill, vice president of e-business solutions at Fidelity and Deposit.
Government, research and private-sector incident-reporting centers are also filling databases with information that's quickly growing large enough to detect trends and probabilities, according to Rasch, whose company manages information sharing and analysis centers (ISAC) for Japan and the financial services industry. ISACs are privately owned security incident reporting centers spawned by the educational efforts of the federal Critical Infrastructure Assurance Office (CIAO).
Businesses and educational groups are also gathering statistics and crunching numbers. The CERT Coordination Center at Carnegie Mellon University in Pittsburgh, for example, says 15,167 incidents were reported last year, an increase from 9,859 in 1999. And these incident reports could be mined for deeper statistical data.
But organizations like the CIAO aren't waiting for hard statistics to catch up with perceived risk. They're already taking the concept of e-business risk to their boards.
"Historically, corporations have developed a set of business-risk approaches - insurance, auditing, financial controls and other risk management techniques - to protect their business assets," says Jeffrey Hunker, outgoing senior director of critical infrastructure protection efforts at the National Security Council. "It's a cliché, but the most important assets today are all information assets, and this information is all on networks. Boards of directors for the most part don't understand that that's the risk to business right now," he says.
The CIAO's outreach to the audit community has been helpful in driving the message of e-business risk up to various boards of directors.
For example, Jackie Wagner, general auditor at General Motors Corp., attended a CIAO meeting last April and brought along the chairman of GM's audit committee, Dennis Weatherstone, former CEO and chairman of J.P. Morgan & Co. When Weatherstone returned to GM, he brought the automaker's CIO into the boardroom to update the board of directors on system security.
"The audit committee and the board asked a lot of questions. All were about our level of risk and how we're addressing it," says Wagner. (Specifically, she notes, the board asked how GM drives accountability beyond the IT organization in managing exposure to risk.) Wagner says the board was happy with GM's security controls.
The audit team hired Glenn Yauch, a Deloitte & Touche LLP consultant then stationed at GM, and placed him as director of GM's e-business. Yauch then launched a series of companywide powwows about risk.
"I pulled together resources from GM's audit services and mixed them with technical consultants. We put every risk we could think of on a board and created buckets of risk," he says.
These buckets include:
- E-business strategy: Alignment with existing strategy and marketing channels, marketplace and opportunity strengths; stakeholders (suppliers, customers, trading partners); and sponsorship.
- Business policy: regulations and customer data privacy.
- End-to-end process/transaction flow.
- Data management: Integrity, availability and confidentiality of data stored in databases and in customer relationship management systems.
- Infrastructure: servers, firewalls, operating systems, routers and applications.
Yauch adds, "Once we put this list together, we found this framework was flexible enough to address other business units as they rolled out e-business initiatives."
In due time, all these data collected by auditors, insurers and emergency notification centers will become the foundation of new risk metrics systems. And time, say analysts, is the one thing that anyone developing risk metrics can count on.
"Only time and practice will allow us to get to a point where we can really be finite about whether we're looking at a $10 or a $10 million e-business risk," says Doug Goodall, executive director of Red Leaf Secure Systems Inc., an IT security incubator and holding company in Pittsburgh. "That's where business judgment really needs to be applied."
Keeping the Faith
First Union Corp., whose core business is trust, can't wait for outside interests to determine risk metrics. So last year, the Charlotte, N.C.-based bank implemented Phase 1 of a risk-compliance program by standardizing policy and tracking compliance.
"We wanted to make it measurable whether files, systems and risk parameters are appropriate," says Pat Hymes, manager of distributed computing at First Union's information security division.
Hymes' team started by assessing whether its published operating system security policy was being followed using commercial and home-written software agents that report the state of the operating systems.
The agents reported back that "the general state of our operating system-level security wasn't very good," Hymes says. "A lot of the system administrators didn't even know security was part of their jobs. So we put together a training class."
This compliance data is now used to chart measurements, which are routed to department heads and IT leaders with bullet points that say, "Here are the common risk areas and here are our concerns," he adds.
Hymes' next step: Develop similar measurements for compliance in networks and applications and among employees.