All posts by Doug Clare

Fraud & Security Scoring Cyber Risk: The FICO® Enterprise Security Score

Aug 28, 2018

Welcome to the final blog in the series recapping Cyber Risk, Cyber Ratings and Cyber Risk Transfer at FICO World 2018, and my conversation with the session’s three panellists:

Josh Ladeau, CISSP, Global Head of Cyber, Aspen Insurance
Sasha Romanosky, Policy Researcher, RAND Corporation
Dr. Mingyan Liu, Professor and Incoming Chair of Electrical Engineering & Computer Science, University of Michigan and founder of QuadMetrics

In my last blog, we left off with Mingyan saying: “When we built the (cyber risk scoring) technology (that would become the FICO® Enterprise Security Score), the industry-standard practice was to send security questionnaires for prospective customers to fill out… Even though underwriters knew they needed something more modern, they weren’t ready to let go of their existing practices… When we showed how our cybersecurity ratings are tied to predicting data breaches, some underwriters said, ‘This approach is enough, and all we need,’ and others said, ‘What will... [Read More]


Fraud & Security Cyber Risk Measurement: How to Measure a Moving Target

Aug 22, 2018

As I recently blogged, “Clearly, there’s a big disconnect between what companies perceive to be their strengths and the reality on the ground.” Now it’s time to move on to the reality of evolving cyber threats, and the important role of risk-scoring technology in cyber risk measurement. Again, I’ll draw on the session Cyber Risk, Cyber Ratings and Cyber Risk Transfer at the recent FICO World 2018 conference, and the conversation with my three panellists:

Josh Ladeau, CISSP, Global Head of Cyber, Aspen Insurance
Sasha Romanosky, Policy Researcher, RAND Corporation
Mingyan Liu, Professor and Incoming Chair of Electrical Engineering & Computer Science, University of Michigan and founder of QuadMetrics

Cyber Risk Measurement: Cyber threats are multiplying

Not surprisingly, the panellists’ perspectives on cyber risk growth were reflective of their professions. Josh said, “It’s about the interruption of business and systems being down; hackers aren’t the only source of cyber risk. Business outages... [Read More]


Fraud & Security Cybersecurity: To Be (Empirical), or Not to Be?

Aug 02, 2017

That is the question for cybersecurity risk assessment. FICO has been in the analytics business since our inception back in 1956.  Our founders, Bill Fair and Earl Isaac, had the novel idea that businesses could make better decisions through data. Before anyone thought to call the resulting algorithms “analytics,” they set off to create game-changing approaches to correlating signals with outcomes to help companies manage risk, reduce expense, and maximize opportunities. Bill and Earl began looking for problems they could solve through an empirical analysis of data, and credit underwriting was a use case that was well-suited to the technique. Most credit-granting organizations had credit applications tucked away in filing cabinets (a source of consistent signal data), and most also had a reasonable handle on outcomes – i.e., who was managing credit to terms and who was in arrears or in default. The ability to relate data known at the time of the... [Read More]


Fraud & Security 6 Principles for Cyber Risk Scores — and Why We Need Them

Jun 20, 2017

The use of scores that rate a firm’s cybersecurity risk — such as the FICO® Enterprise Security Score — is picking up momentum. In an effort to ensure that these scores consistently add value, and to ensure that they help rather than harm businesses, a group of firms recently convened to develop industry standards for cybersecurity ratings. FICO joined this group, along with several Fortune 500 companies and a number of the country’s biggest banks, and I am proud of the principles we developed. By creating these principles, we sought to:

Promote quality and accuracy in the production of security ratings
Promote fairness in reporting
Inject best-practice decision management governance standards into a new domain
Include a coordinated process for adjudicating errors or inaccuracies in reported content
Establish guidelines for appropriate use and disclosure of the scores and ratings

Why were principles needed? One reason is that there is a... [Read More]
