Risk Quantification to Measure Security Performance - SecurityScore Assessment Methodology

With the digitalisation of information, the security aspect of it has become more important than ever before. It was reported in an independent study that 7 out of 10 attacks on information assets of an organisation are carried out via their partners. Despite all the statistics, little or no attention is paid towards ensuring information security. Likewise, when two companies merge, it is the information security template of the larger party that is incoherently applied to the smaller organisation in question. Only if information security could be quantified using a universal scale, better decisions could be made while choosing the business partners like contracted vendors and new acquisitions, and better information security models irrespective of the size of the origin-organisation. In this project, management of the top consulting firms like KPMG and Deloitte were consulted to establish the problem questions in conjunction with the acquisitioning or acquisitioned party. The challenges circumference around the lack of standard frameworks which hinders repeatability of the results when performed by two different organisations using their proprietary methodologies. These processes are not only expensive, timeconsuming and complicated, but also completely opaque to the hosts. The methodology is a trade-secret to the conducting consultant organisations, and therefore cannot be evaluated for efficacy or relevance. Also, when large organisations invite tenders for collaborative work, the main focus is the financial numbers. No or little attention is paid towards the security posture of these contractor firms, which acts as an attack surface for future potential breaches due to shared IT platforms. A three-prong approach is being proposed to remedy the situation. Each prong denotes a step towards quantifying the information security posture of an organisation. The first step is asking the rated organization to answer a questionnaire, second is to evaluate and grade them based on their answers both based on the general threat landscape, and the sectorbased and third step is to provide them with relevant mitigation steps based on their security posture. These mitigation steps are to be derived from the ISO 27001 standard. For sector-specific analysis, three industry types have been piloted with, i.e. Education, Maritime and Healthcare. These security models are framed in the form of a questionnaire and have been named SecurityScore Assessment Methodology that quantifies the information security posture. Then feedback is sought from them, to give direction to any future research in this area. Some unforeseen benefits of these models include – a benchmarking tool which can internally be utilised by these organisations to improve their security posture, basis to evolve a universal security scoring system which will be easy to use and completely transparent. Additionally, insurance companies can use the security scores to decide the annual premium for the organisations choosing insurance as a means of risk-transfer