I was toiling away today on the third version of my dissertation proposal (more like a complete redo!) and I came across a paper, “An Ontology-based approach to Information Systems Security Management”, written by three researchers from Greece. What struck me as an important idea from their paper was that they created a way to categorize security management into a framework that could be codified as a schema in a database (more on that in a sec) and, most importantly, was based on “security knowledge”.
Why is “security knowledge” (SK) such an important construct? Those who have been in the security business a long time probably already have a good idea of what SK is. SK is made up of a thorough understanding of the context of the infrastructure, the collection of requirements, the actions that are to be deployed, and the value of the information assets. Most organizations have some or all of these elements in their security knowledge base, though it is likely diffused over several people or even departments, or stored in multiple products. The diffusion of security knowledge is not a trivial problem in its own right, though it is beyond what I wanted to get to in this posting.
As a privacy researcher, what struck me as a key concept in this research is that there is a parallel need for “privacy knowledge” (PK), and it has to stop being an “also ran” to security knowledge. Privacy is important because privacy is based on information, and we are literally exuding exabytes of information annually, much of it personal (70% according to this IDC link).
What if we had full-blown PK, though? To some folks this seems like slicing the onion a different way, but bear with me for a minute. What if you actually took all the SK steps, applied them to privacy knowledge, and treated privacy knowledge as being as important as security knowledge? The steps would be:
- Get a full inventory of all your information assets (instead of the infrastructure itself) that relate to your customers, employees, and intellectual property.
- Understand who has access to the information and who can transform, store, or transmit it (“who” meaning people, processes, or technology!).
Hypothetically speaking, if you took these steps, put the resulting information into a database, married it to the Privacy Rights Clearinghouse database, and threw in some information asset values, you could begin to perform analytics against the policies. With the historical breach data you could model potential exposures and perform what-ifs. Minimally, you could begin to evaluate privacy risk quantitatively. If nothing else, you would be a lot closer to understanding X, X standing for the unknown.
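To make the two steps and the database idea concrete, here is an added example (mine, not from the post or the paper it discusses) of a minimal privacy-knowledge schema in SQLite: an information-asset inventory, the access paths by which people, processes and technology touch each asset, and a breach-history table. All asset, actor and breach rows are constructed sample data, not real organizations or Privacy Rights Clearinghouse records, and the exposure model (single loss = records × assumed value per record, multiplied by the historical breach rate for that data type) is a deliberately crude stand-in for whatever quantitative model you would actually adopt.

```python
import sqlite3

# Constructed sample data for illustration only. None of these assets, actors
# or breach rows are real; the breach_history rows merely stand in for what
# one might load from a source such as the Privacy Rights Clearinghouse data.
SCHEMA = """
CREATE TABLE information_asset (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE,
    data_subject TEXT NOT NULL CHECK (data_subject IN ('customer', 'employee', 'ip')),
    data_type TEXT NOT NULL,
    record_count INTEGER NOT NULL,
    value_per_record REAL NOT NULL   -- assumed monetary value of one record
);
CREATE TABLE access_path (
    asset_id INTEGER NOT NULL REFERENCES information_asset(id),
    actor TEXT NOT NULL,
    actor_kind TEXT NOT NULL CHECK (actor_kind IN ('person', 'process', 'technology')),
    operation TEXT NOT NULL CHECK (operation IN ('access', 'transform', 'store', 'transmit'))
);
CREATE TABLE breach_history (
    data_type TEXT NOT NULL,
    year INTEGER NOT NULL,
    records_exposed INTEGER NOT NULL
);
"""

ASSETS = [
    (1, "customer_accounts", "customer", "SSN", 200000, 150.0),
    (2, "marketing_list", "customer", "email", 1500000, 2.0),
    (3, "hr_records", "employee", "SSN", 4000, 150.0),
    (4, "product_source", "ip", "source_code", 1, 2500000.0),
]
ACCESS_PATHS = [
    (1, "billing_team", "person", "access"),
    (1, "etl_nightly", "process", "transform"),
    (1, "backup_vault", "technology", "store"),
    (1, "partner_sftp", "technology", "transmit"),
    (2, "crm_export", "process", "transmit"),
    (3, "hr_team", "person", "access"),
    (3, "payroll_saas", "technology", "transmit"),
    (4, "dev_team", "person", "access"),
    (4, "ci_runner", "process", "transform"),
]
# Constructed breach rows covering a five-year observation window.
BREACHES = [
    ("SSN", 2008, 50000), ("SSN", 2009, 120000), ("SSN", 2010, 30000),
    ("SSN", 2011, 900000), ("SSN", 2012, 75000),
    ("email", 2009, 2000000), ("email", 2012, 400000),
    ("source_code", 2011, 1),
]
OBSERVATION_YEARS = 5


def build_privacy_db():
    """Create the in-memory privacy-knowledge database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO information_asset VALUES (?,?,?,?,?,?)", ASSETS)
    conn.executemany("INSERT INTO access_path VALUES (?,?,?,?)", ACCESS_PATHS)
    conn.executemany("INSERT INTO breach_history VALUES (?,?,?)", BREACHES)
    conn.commit()
    return conn


def transmitters(conn):
    """Step two's question: who (person, process or technology) can move each asset out?"""
    return conn.execute("""
        SELECT a.name, p.actor, p.actor_kind
        FROM information_asset a JOIN access_path p ON p.asset_id = a.id
        WHERE p.operation = 'transmit'
        ORDER BY a.name, p.actor""").fetchall()


def annual_exposure(conn, years=OBSERVATION_YEARS):
    """Rank assets by a crude annual exposure: (records * value) * breach rate.
    Breach rate is breaches of the asset's data type per observed year (assumption)."""
    rows = conn.execute("""
        SELECT a.name,
               a.record_count * a.value_per_record AS single_loss,
               COALESCE(b.n, 0) * 1.0 / ? AS annual_rate
        FROM information_asset a
        LEFT JOIN (SELECT data_type, COUNT(*) AS n FROM breach_history GROUP BY data_type) b
               ON b.data_type = a.data_type
        ORDER BY single_loss * annual_rate DESC, a.name""", (years,)).fetchall()
    return [(name, sle, rate, sle * rate) for name, sle, rate in rows]


def what_if_record_count(conn, asset_name, new_count, years=OBSERVATION_YEARS):
    """What-if: recompute one asset's annual exposure if it held new_count records
    (e.g. after purging stale data), without mutating the inventory."""
    value, rate = conn.execute("""
        SELECT a.value_per_record,
               (SELECT COUNT(*) FROM breach_history b WHERE b.data_type = a.data_type) * 1.0 / ?
        FROM information_asset a WHERE a.name = ?""", (years, asset_name)).fetchone()
    return new_count * value * rate


if __name__ == "__main__":
    db = build_privacy_db()
    for name, actor, kind in transmitters(db):
        print(f"{name}: transmitted by {actor} ({kind})")
    for name, sle, rate, ale in annual_exposure(db):
        print(f"{name}: single loss {sle:,.0f} x rate {rate:.2f}/yr = {ale:,.0f}/yr")
    print("customer_accounts at 50,000 records:",
          f"{what_if_record_count(db, 'customer_accounts', 50000):,.0f}/yr")
```

The value of the exercise is less the numbers (which are only as good as the per-record values and the breach sample you feed in) than that the questions in the two steps become queries: which technology can transmit customer SSNs, and what the exposure ranking looks like once asset values and breach history sit in the same database.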