
On brand damage, stock prices, and America’s most trustworthy companies

Tim Erlin started us off on a popular topic: is brand damage a myth? In other words, can we find conclusive evidence that a company's financial value is altered by an external brand-damaging event? He takes four stocks as a case in point: TJX, AMP, CPS and ADP. Nick Owens follows up with more data, and now Adam promises us a simple experiment.

Whatever the answer may be (if we can ever draw a reliable conclusion), today we have new data from Audit Integrity. Listed on Forbes are America's Most Trustworthy Companies. The data provided are the results of their independent study on corporate governance best practices. In short, they have delivered a risk metric.

For quite some time now, I've been banging my head on a unification method by which we use financial risk models to represent information security risk. Let's face it: the financial sector has been going at it a lot longer than IT and certainly longer than information security. There are tried and relied-upon inputs, metrics and statistical models. Out of these equations emerge basic risk metrics. We can answer the question, "Does the risk I'm about to take outweigh the potential reward?"

The problem I struggle with when joining these IT risk and financial risk models is that they are flipped. We don't speak of risk/reward; we only deal with risk. The reward for patching my system isn't reward, it's just less risk. Or in some cases, we find that patching a system may actually deliver a new or higher risk. How one quantifies the change in information risk is no easy calculation. I'd go as far as saying that there is no single model that accounts for the diversity in each company or situation. Historically, in the financial world, when this quandary appears, it's tackled by adding more data inputs or changing metrics or statistical models. Unfortunately, IT risk seems to be lacking a well-defined set of all three.


Bio

Blog: Sync
Author: Andrew Storms

As nCircle's Director of Security Operations, Andrew Storms is responsible for setting and enforcing the company's security compliance programs as well as overseeing day-to-day operations for the Information Technology department. He is a Certified Information Systems Security Professional (CISSP).

About

This page contains a single entry from the blog posted on March 27, 2007 3:56 PM.
