Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
Kenneth F. Belva

“Why We Fight” Arguments Not Based in Reality!

The posts at Emergent Chaos and RiskAnalys.is seem to me to be too much of a zero-sum analysis for my tastes.

The Emergent Chaos post reflects the effects I described in my September 2005 keynote address “How It’s Difficult to Ruin a Good Name: An Analysis of Reputational Risk” that discusses reputational risk, security breaches and stock prices.

It would also be helpful to think of information security breaches in terms of Nash Equilibriums.

It is unfair to categorize the corporate mentality of breaches as that “TJX, at least publicly, doesn’t really care about the losses it has incurred as a result of the incident there.”

Businesses want to prevent loss. The question is at what price…

The market determines the weight of a security breach, not information security professionals.

One Comment

  1. Alex Feb 23, 2007 at 9:40 am | Permalink

    My observations are based on several items:

    1.) Experience with Fortune 500 retailers and PCI

    2.) Experience with Fortune 500 retailers and incidents

    3.) The comments made by TJX

    TJX, DSW… how many more recalcitrant retailers do we need before we can say that, in general, the risk tolerance of the data owners at these places doesn’t match what we (or the payment card industry) wish it to be?

    It would be nice to say that $5 million really hurt TJX, and I’m sure that at some line management level it does and will continue to. But in the context of their _quarter_, it’s what, 2.4% of *profit*?

    My experience is a small sample size of 3, I’ve not seen incident change culture, perspective, or even risk tolerance at the highest level at all. Maybe you have different experiences, and I would love to hear about them!

One Trackback

  1. [...] to say there is a direct influence from my research, I can say thanks for spreading the word: it’s tough being the lone voice of this perspective! Bookmark to: [...]
