Hope Springs Eternal for a Measure on Risk
You have to admire the “never say die” spirit of those trying to put a measure on risk. Hundreds of different kinds of risk ratings, indemnification schemes, fairness guarantees, reputation rankings, test certifications, zero-vulnerability disclosures, insurance criteria, and even “goodness scores” have been tried. Some of these attempts have succeeded within their own targeted domains (e.g., online Internet commerce), but no single measure works across the entire digital enterprise. And so, the search for a globally accepted measure of risk continues. Moody’s Investor Services is the latest to try with its recently announced Vendor Information Risk Rating (VIRR) Service.
This announcement is reminiscent of attempts by insurance companies in the late 1990s to establish a risk threshold measure for e-commerce or hacker/virus policies. Such policies are often offered with what is commonly called a “survey” feature: applicants must undergo a risk assessment of enterprise Web practices and technology to see if their “risk” qualifies for a measure of insurance. (See this report, which requires that you click the link, scroll to the bottom, and click Resources, then Construction Newsletters, then “Insurance for Internet-Related Risks,” November 8, 1999.)
Theoretically, the results of the risk survey determine premiums and coverage. Companies like AIG, Chubb, Zurich, and various Lloyd’s underwriters advertise such insurance. But their “surveys” are unique to each insurer. Likewise, at least 10 major insurers offer identity theft insurance, but such insurance requires a survey of sorts as well, and those surveys once again differ. (See Volume 2 of the Digital Trust report series, Identity Management, p. 23.) So far, all attempts at measuring risk have fallen short.
Turn the Coin Over … Measuring Digital Trust
Volume 7 of the Digital Trust report series, Transparency and Assurance, examines this circumstance not by focusing on the purely defensive strategy of information risk management – i.e., a “risk ranking” – but rather by looking for ways in which value is actually created with a security technology or service – i.e., “digital trust.” Digital trust is the flip side of the information risk management coin.
By asking the seemingly nonsensical question “How much does digital trust weigh?” Volume 7 shows how digital trust actually has heft, and lists value outcomes that represent measures of payoff to the enterprise. Digital trust has “weight,” and that weight can be substantial. The “measure” for digital trust is the enterprise payoff and the payoff potential. The greater the payoff, the greater (the “heavier”) the measure becomes, and the more value the measure represents.
Measure Without Value?
It’s hard to see how any measure of risk can succeed if it doesn’t carry with it a value for having a “good” measure. The payoff of having a good VIRR is not disclosed in the Moody’s announcement. But, it is possible that VIRR can be flipped over to see the digital trust payoff. If a “better” VIRR attracts customers, or reduces the need for manpower, or satisfies some compliance mandate (like PCI DSS), or even improves the enterprise financial ranking, then we’re likely to see enterprises “warm up” to VIRR.
If not, VIRR is likely to stay pretty cold.
Posted by LEF at 05:55 PM. • Filed under: Digital Trust