Important Update: Community URLs redirect issues are partially resolved. Learn More. .

This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Is Traditional Cyber Risk Quantification a Proxy for Privacy?

MarshallToburen
Archer Employee
Archer Employee
‎2018-04-05 10:14 AM

canstockphoto13567276.jpg

I have been obsessing over the question of whether cyber risk quantification, as we understand it today, can serve as a reasonable proxy in assessing risk associated with privacy regulations such as the EU General Data Protection Regulation.  The EU-GDPR says the obligation of companies is to “protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”  Article 6 of the Charter of Fundamental Rights of the European Union states that one “fundamental right is the right to Liberty", which encompasses the concept of self-determination.

 

I am not at all confident that traditional cyber risk quantification is a suitable proxy for an individual’s privacy risk related to this fundamental right.  For example, a company might perform a quantified risk assessment of non-compliance with the EU-GDPR that concludes there is an 80% probability of a fine of 4% of global revenue + 10 million Euros of customer litigation.  This is a great approach if you need to understand the potential monetary impact to the organization for non-compliance but, if your intent is to truly comply with the law, it seems to me that you may have to take an individual-focused approach to risk assessment. 

 

In short, what is the risk to an individual's fundamental rights if they are subject to psychographic profiling by a company like Cambridge Analytica, for the purpose of manipulating public opinion that undermines the individual's right to self-determination?

 

After pondering this with a number of people, I think the answer is that different risk assessment approaches must be employed.  In those circumstances where you want to understand the monetary impact to the organization, you would use cyber risk quantification.  In those circumstances where you want to understand the impact to an individual, you must do the assessment from the individual's perspective.  This bifurcated approach will no doubt leave many organizations faced with circumstances where they have determined that the risk to the individual is great but to the organization, comparatively small.  

 

What do you think?

 

Popular Articles