SBIR Phase II: Information Security Risk Rating
Bitsight Technologies, Inc., Boston MA
Investigators
Abstract
This Small Business Innovation Research (SBIR) Phase II project builds upon earlier work to develop an information security ratings service. When businesses connect their networks with partners or share data with them, they are often poorly informed about the potential risks they assume. Businesses have third-party relationships for a variety of operational reasons, and these partnerships almost always involve sharing sensitive and confidential data. Data shared can be customer information, intellectual property, social security numbers, etc. Businesses are worried about losing data through breaches in partner networks, as they face the consequences: financial, legal, and regulatory. Existing risk management techniques are based on annual audits and only provide a snapshot of a partner's security posture. However, new vulnerabilities are discovered every day, and the industry needs a solution that enables a business to continuously monitor the changing risk posture of all its partners and proactively manage assumed risks. The Phase II research objective is to build a scalable, fully automated ratings system. The research will focus on identifying and incorporating new data sources, improving the statistical properties of the ratings model, and making the ratings predictive of future behavior. Historically, credit scoring has been a "cost and time-saving technology" that has provided tremendous value to lenders and borrowers alike by reducing costs, predicting future performance, and improving credit accessibility and affordability. Unlike credit scoring, no industry standard scoring service exists to rate businesses with respect to their information security risk. With Saperix's ratings service, businesses and government will have the potential to reap the same time and cost savings that lenders do from credit scoring services.
If the research is successful, Saperix's solution would provide market incentives for improving security outcomes, which would be a significant change in how security investments are viewed by businesses.