An analytics company is trying a novel approach to evaluating risk: putting a price on it.
Companies know that losing credit card data in a hack can cost them a lot of money, not to mention diminish their customers’ confidence in them. But risk is frequently described to executives in high-low, red-green scales, which “don’t make any sense to business,” said Amad Fida, Brinqa’s CEO.
One part of Brinqa’s software attempts to bridge that gap by estimating what a data breach would cost, taking into account factors such as how much revenue the data generates and how much remediation would cost.
The estimates, Fida said, aren’t “100 percent perfect.” But the approach has so far appealed to financial services companies, some of which are running Brinqa’s software. They understand a cost figure better than, for example, the number of unpatched hosts on a network, Fida said.
“We are saying you need to bring economics into technical risks and operations,” he said.
To do this, Brinqa uses a framework that pulls data from a variety of business systems, such as databases, servers, security tools and applications. The data is stored in a Brinqa NoSQL database, where it is normalized and correlated in a graph-based model, Fida said.
Companies need to do a fair bit of preparation as well, such as creating a data inventory for different applications, calculating compliance costs and building revenue estimates.
Vivian Tero, a program director for governance, risk and compliance infrastructure with analyst IDC, said Brinqa’s software would likely interest a company’s board looking to quantify threats with a cost. But the devil is in the details.
A new solution
Brinqa, Tero said, is attempting to solve a problem tackled by security information and event management vendors: expose relationships between physical machines, networks, business processes and data and present the risks and threats in context.
“At the end of the day, a successful implementation of any risk management solution is contingent on the enterprise’s risk model and the ability to effectively identify the critical data sets needed to build these algorithms,” Tero said via email. “Never forget the human element - i.e. the process, security, risk management managers, and data scientists who need to work together to architect this system.”
Fida said a large German bank has been using Brinqa for more than three years to analyze 11 applications. Brinqa is also being used by some large technology companies and education institutions. The software is licensed on a per-user, per-month basis, Fida said.