Risk Metrics Archives

March 27, 2007

On brand damage, stock prices, and America’s most trustworthy companies

Tim Erlin started us off on a popular topic - is brand damage a myth? In other words, can we find conclusive evidence that a company's financial value is altered by an external brand-damaging event? He takes as a case in point 4 stocks - TJX, AMP, CPS and ADP. Nick Owens follows up with more data, and now Adam promises us a simple experiment.

Whatever the answer may be (if we can ever draw a reliable conclusion), today we have new data from Audit Integrity. Listed on Forbes are America's Most Trustworthy Companies. The data provided are the results of their independent study on corporate governance best practices. In short, they have delivered a risk metric.

For quite some time now, I've been banging my head on a unification method by which we use financial risk models to represent information security risk. Let's face it: the financial sector has been going at it a lot longer than IT and certainly longer than information security. There are tried and relied-upon inputs, metrics and statistical models. Out of these equations emerge basic risk metrics. We can answer the question, "Does the risk I'm about to take outweigh the potential reward?"

The problem I struggle with when joining these IT risk and financial risk models is that they are flipped. We don't speak of risk/reward; we only deal with risk. The reward for patching my system isn't a reward, it's just less risk. Or in some cases, we find that patching a system may actually deliver a new or higher risk. How one quantifies the change in information risk is no easy calculation. I'd go as far as saying that there is no single model that accounts for the diversity in each company or situation. Historically, in the financial world, when this quandary appears, it's tackled by adding more data inputs or changing metrics or statistical models. Unfortunately, IT risk seems to be lacking a well-defined set of all three.

About Risk Metrics

This page contains an archive of all entries posted to Sync in the Risk Metrics category. They are listed from oldest to newest.
