This is just a quick announcement about a new project we are starting at MSI. The name of the project is the Stolen Data Impact Model (SDIM).
The goal of the project is to identify a methodology for scoring the impact of data stolen in a breach. We believe the scoring mechanism will be some kind of curve, based on the impact of the loss over time. Currently, we are spreading that loss over four time frames: immediate, short term, intermediate term and long term.
We also believe that there is more than one facet of impact that could be in play, and we are currently discussing how to handle the multiple facets.
We are just starting the project, and plan to work through it with the input of the community. We searched for models to address this, but were unable to identify any. If your organization has a model, methodology or process for this and you are open to sharing, please get in touch. You can always contact us in the comments or via Twitter (@lbhuston) or (@microsolved).
Thanks and we hope to present more on this topic shortly.