For whatever reason, I’ve been pondering similarities and differences between financial and IT risk lately, and one big difference seems to be around reputation in these two areas.  The financial world painstakingly maintains institutionalized memory of credit issues through standardized credit ratings.  Companies, cities, and even countries are rated based on current and past performance, and a ratings downgrade is a BIG deal.

Why isn’t there an analogous service for systems security risk?  For example,  Mike Ramirez just pointed out a data breach at,  I’d love to go somewhere and see, was that the first time?  Have they been breached before, and I simply didn’t hear about it? How about Heartland Payment Systems?  It seems to me that right now, companies can get away with repeat offenses,  simply by flying under the radar.

Of course, there is always the Listeriosis Clause to consider — who do you trust more, the company with a dedication to quality that is forced to disclose, or the lazy/ignorant company who never even looks, and therefore never has to tell?

In any case, I’d like to see collections of disclosures about the various services I choose to use or do business with.  I’d like to see data collection for the purposes of comparing privacy policies,  TOSs, known breaches of or challenges to those policie. Another issue that I believe could gain prominence is being able to easily research whether the companies I interact with are sending/storing my information across international borders.   I think there would be some really interesting discoveries in such a body of data.

One thought on “Analogous?

  1. A good arcticle on the similarities. There are sources around, for reading about data losses. But we are still years away from what credit risk statistics are currently from the number of incidents to calculate then mathematical models. The number of incidents is then still too small.
    The other side is that you would like to prevent such big incidents as mentioned in the article. Here all classical risk calculation model will never work, as also proved by the financial crisis.

Comments are closed.