Using risk scoring, a method long used by financial services, for the management of cyber risks.

Updated: Aug 30, 2019

Risk score (or risk scoring) is the name given to a general practice in applied statistics, bio-statistics, econometrics and other related disciplines of creating an easily calculated number (the score) that reflects the level of risk in the presence of some risk factors (e.g. risk of mortality or disease in the presence of symptoms or a genetic profile, risk of financial loss given credit and financial history, etc.).

Risk scores are designed to be:

  • Simple to calculate: In many cases all you need to calculate a score is a pen and a piece of paper (although some scores rely on more sophisticated or less transparent calculations that require a computer program).

  • Easily interpreted: The result of the calculation is a single number, and a higher score usually means higher risk. Furthermore, many scoring methods enforce some form of monotonicity along the measured risk factors to allow a straightforward interpretation of the score (e.g., risk of mortality only increases with age, risk of payment default only increases with the customer's total debt, etc.).

  • Actionable: Scores are designed around a set of possible actions that should be taken as a result of the calculated score. Effective score-based policies can be designed and executed by setting thresholds on the value of the score and associating them with escalating actions.

Cybersecurity experts now propose that the industry adopt a similar method, risk scoring, to assess and manage cyber risks for IoT and Big Data. Risk factors are defined and ranked from highest to lowest risk.
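The three design properties listed above (pen-and-paper calculation, monotonicity in each factor, thresholds mapped to escalating actions) and the IoT ranking this paragraph proposes can be shown together in one small scorecard. The following is an added example, not code from the original article: the factor names, point values, thresholds and device records are assumptions chosen for illustration, not a published scoring standard.

```python
"""Additive risk score for an IoT fleet: monotone factors, thresholds, actions.

Added example, not from the original article. Factor names, point values,
thresholds and the device records below are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    days_since_patch: int      # larger is riskier
    open_ports: int            # larger is riskier
    default_credentials: bool  # True is riskier
    internet_exposed: bool     # True is riskier


# Pen-and-paper scorecard. Every factor contributes zero or more points, and
# each factor's points never go down as the factor gets worse, so the total
# is monotone in every factor (the property the article describes).
def points_days_since_patch(days: int) -> int:
    if days <= 30:
        return 0
    if days <= 90:
        return 1
    if days <= 365:
        return 2
    return 3


def points_open_ports(n: int) -> int:
    # Capped so a single noisy factor cannot swamp the others.
    return min(max(n, 0), 4)


def score(d: Device) -> int:
    return (points_days_since_patch(d.days_since_patch)
            + points_open_ports(d.open_ports)
            + (3 if d.default_credentials else 0)
            + (2 if d.internet_exposed else 0))


# Policy thresholds (assumed): highest floor first, each mapped to an action.
THRESHOLDS = [(8, "isolate"), (5, "patch within 7 days"), (2, "monitor"), (0, "accept")]


def action(s: int) -> str:
    for floor, act in THRESHOLDS:
        if s >= floor:
            return act
    return "accept"


def is_monotone(max_days: int = 800, max_ports: int = 20) -> bool:
    """Check that worsening any one factor never lowers the score."""
    base = Device("probe", 0, 0, False, False)
    prev = score(base)
    for days in range(1, max_days + 1):
        cur = score(Device("probe", days, 0, False, False))
        if cur < prev:
            return False
        prev = cur
    prev = score(base)
    for ports in range(1, max_ports + 1):
        cur = score(Device("probe", 0, ports, False, False))
        if cur < prev:
            return False
        prev = cur
    if score(Device("probe", 0, 0, True, False)) < score(base):
        return False
    return score(Device("probe", 0, 0, False, True)) >= score(base)


def rank(devices):
    """Rank devices from highest to lowest risk with the action each triggers."""
    return sorted(((d.name, score(d), action(score(d))) for d in devices),
                  key=lambda row: row[1], reverse=True)


# Constructed sample fleet (not real inventory data).
DEVICES = [
    Device("thermostat", 20, 2, False, False),
    Device("ip-camera", 400, 5, True, True),
    Device("gateway", 100, 3, False, True),
    Device("sensor", 5, 0, False, False),
]

if __name__ == "__main__":
    assert is_monotone()
    for name, s, act in rank(DEVICES):
        print(f"{name:<12} score={s:<3} action={act}")
```

The monotonicity check is the piece worth keeping in a real scorecard: it catches the common mistake of a factor whose points drop at a band boundary, which would let an operator lower a device's score by making it worse. Thresholds are listed highest first so the most severe action that applies wins, and the open-ports cap keeps one factor from deciding the ranking on its own.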

The experts argued that since risk scoring methods are management tools, both IT and operations managers can use them to manage cyber risks instead of relying solely on IT staff.