| Dino Dai Zovi, one of the men behind the MacBook hack at last year's CanSecWest conference, is a respected researcher, and that's just in his spare time. By day, Dai Zovi is a security professional in the financial services industry, where he's knee-deep in the movement toward quantifying risk in an organization.
DINO DAI ZOVI
On the information security side, if you can quantify risk and compare that to the cost of dealing with security incidents or the likelihood of them happening, you can choose your risk threshold and exert the appropriate amount of remediation effort that's in line with that risk tolerance.
Security risk models are nowhere near as robust or proven as financial risk models, so at this time the information security practitioners have the best knowledge of the field to be able to assess this risk.
I think the industry as a whole will be served when we have better anonymized data on incidents. Companies are often very reluctant to share data or even the fact that there's been an incident. So if you have more data on how often these occur and other points, we can basically estimate, based on our size and our business profile, there's x-percent chance of a customer information leak. And based on how much it would cost to prevent that leak, we can choose whether we want to take actions to remediate that or just run with it.
Read the complete interview at searchsecurity.com.