All posts by Doug Clare

[Fraud & Security] Cybersecurity: To Be (Empirical), or Not to Be?

That is the question for cybersecurity risk assessment. FICO has been in the analytics business since our inception back in 1956. Our founders, Bill Fair and Earl Isaac, had the novel idea that businesses could make better decisions through data. Before anyone thought to call the resulting algorithms “analytics,” they set off to create game-changing approaches to correlating signals with outcomes to help companies manage risk, reduce expense, and maximize opportunities. Bill and Earl began looking for problems they could solve through an empirical analysis of data, and credit underwriting was a use case well suited to the technique. Most credit-granting organizations had credit applications tucked away in filing cabinets (a source of consistent signal data), and most also had a reasonable handle on outcomes, i.e., who was managing credit to terms and who was in arrears or in default. The ability to relate data known at the time of the...


[Fraud & Security] 6 Principles for Cyber Risk Scores — and Why We Need Them

The use of scores that rate a firm’s cybersecurity risk — such as the FICO® Enterprise Security Score — is picking up momentum. In an effort to ensure that these scores consistently add value, and to ensure that they help rather than harm businesses, a group of firms recently convened to develop industry standards for cybersecurity ratings. FICO joined this group, along with several Fortune 500 companies and a number of the country’s biggest banks, and I am proud of the principles we developed. By creating these principles, we sought to:

- Promote quality and accuracy in the production of security ratings
- Promote fairness in reporting
- Inject best-practice decision management governance standards into a new domain
- Include a coordinated process for adjudicating errors or inaccuracies in reported content
- Establish guidelines for appropriate use and disclosure of the scores and ratings

Why were principles needed? One reason is that there is a...


[Fraud & Security] 10 Ways We Make the Cybersecurity Executive Order Actionable

The President’s May 11 executive order, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, seems to have been met with broad support. While a few have been critical that it was not bold enough, most reviewers seem to endorse the main message, both for what it does (initiating broad self-assessments by agencies) and for what it does not do (consolidate all accountability in the DoD). The broad strokes: this order endorses, mandates, and accelerates the adoption of existing frameworks as well as ongoing risk assessment and mitigation, but it does not set the game clock back by forcing the creation of new frameworks or imposing stifling centralization. Full disclosure: I’m accountable for growing the cybersecurity business line at FICO. That said, in reading the text of the order, I was struck by the broad alignment of its goals and directives with the goals, use cases, and specific capabilities...


[Fraud & Security] 5 Reasons Cyber Scoring Is the Next Big Idea for Credit Unions

The greatest risk to credit unions and CUSOs today is the loss of your members’ trust and financial safety. Can your institution survive a cyber breach? Understanding your cyber risk is a critical part of protecting yourself and your members. That’s why we launched the FICO® Enterprise Security Score last year. And now, our cyber score has been selected as one of 5 big ideas to be presented at the National Association of Credit Union Service Organizations (NACUSO) 2017 Network Conference “Next Big Idea Competition.” Why is cyber scoring the next big idea for credit unions?

1. Fraud/cybersecurity is the top priority for credit union CEOs and, by extension, CUSOs.
2. Today’s breach risk measurements are inadequate and inaccurate. They’re manual rather than scalable, judgmental rather than empirical, point-in-time rather than predictive.
3. ESS is rapidly deployed. You don’t install software, you just throw a switch.
4. ESS is multi-tenant, so CUSOs can rapidly...


[Fraud & Security] Hackers vs. Dracula: Biometrics Are No Silver Bullet

I’m not a big fan of vampire movies—I’d pick Blackhat over Abraham Lincoln: Vampire Hunter any night of the week—but there are a lot of similarities between hackers and vampires. First, they’re afraid of the light. What hacker wants his true identity to be revealed? Second, they suck the blood out of their victims. Whether stealing data or demanding payment for ransomware, “bloodsucking” is one of the kinder adjectives used to describe cyber criminals. However, even though vampires are theoretically immortal, vanquishing them is pretty straightforward; any True Blood fan can tell you that a wooden dagger or silver bullet will do the trick. It’s not quite so easy to stop hackers in their tracks.

Encryption can be effective … but it’s not a stake through the heart of hacking

Data encryption is a highly effective defense against hackers, particularly in achieving HIPAA compliance to protect Protected Health Information...
