Tuesday, February 07, 2006

Against the Gods

I've been reading a fascinating book by Peter Bernstein, Against the Gods: The Remarkable Story of Risk. It tells the story of the role risk has played in human history.

The book opens with a provocative hypothesis: before the concept of risk was formed, we as a species were creatures of habit, fear, and superstition. If one of our ancient ancestors accomplished a task by doing one thing, he and all his tribe would keep doing that thing. When variables such as weather produced an outcome other than the expected one, action was taken to appease the forces held responsible.

The emergence of the concept of risk, and our subsequent mastery of it, is what propelled our species over mountains and across the seas, and led to the advance of scientific discovery and the sophistication of the arts.

The mastery of risk is still a factor in business, and an important one in the realm of privacy, where companies responsible for managing and protecting sensitive data look for ways to measure their level of risk and then take the steps needed to limit their exposure to the downside.

Dr. Larry Ponemon has done a number of excellent studies showing the importance of responsible data management (and the consequences of failing at it), and many companies tout their ability to help organizations mitigate the risk associated with data management. But I haven't seen a formula or methodology that helps companies truly measure their level of risk.

The Ponemon Institute conducted a post-mortem study of data loss events from 2005, based on disclosures under California SB 1386, and found that a privacy breach can cost companies as much as $1,000 per data file, with an average total cost of about $14 million per breach. The likelihood that an organization comes out on the bad side of risk, however, is a very different thing from that organization's total exposure: the exposure is the worst case, every record lost at the top-of-range cost, while the risk actually carried depends on how likely a breach is and how large it is likely to be. Not knowing the level of risk, or the factors that drive it, leads to poor decision making.

But as companies in possession of PII go racing for the panic button, solution providers have an opportunity to communicate their value. When that value is offered in attainable terms, with the problem and the solution described in real terms rather than jargon-addled hyperbole, establishing credibility becomes simpler.

Recommendation: Direct, simple communication works best when dealing with elusive, intangible concepts. Identify the problem within a context that makes sense, show the risk involved, and draw clear lines between the problem(s) and the ways you can address them. Back it all up with credible, corroborating research from trusted sources.

And if you have a formula for calculating an organization's level of risk, let me know.
