A consortium of companies including the Big Four accounting firms and at least one large insurer is working on a cybersecurity risk measurement framework for large enterprises.
The Risk Preparedness Index is being developed by the Global Security Consortium (GSC) which, so far, includes PricewaterhouseCoopers, Ernst & Young, Deloitte & Touche, KPMG International and insurance giant AIG International.
The RPI was originally being developed to provide a risk measurement model for use within the insurance and accounting industries. But the goal now is for the index to provide the basis for a much more broadly applicable system for measuring and rating organisational risk preparedness.
The GSC has been in active discussions with several industry groups, including The Open Group standards body, for several months to gain endorsements and wider support for the effort to build the framework.
A GSC spokesman declined to comment on the status of that effort, but the source close to the body confirmed that the GSC is working on delivering the framework and said it will be available by this summer.
All of the Big Four accounting firms were unable to provide comments on their participation by press time.
"The RPI will allow third-party auditors to come in and make a judgment as to whether or not you are complying with established cybersecurity practices," said Larry Clinton, chief operating officer at the Internet Security Alliance. ISA members that score above a certain level on the RPI could qualify for lower insurance rates.
ISA is a collaborative effort between the CERT Co-ordination Center at Carnegie Mellon University in Pittsburgh and the Electronic Industries Alliance, a federation of trade associations.
Robert A Parisi, senior vice president and chief underwriting officer for AIG's eBusiness Risk Solutions group, said he unaware of the specifics of the arrangement with the ISA. But ISA members assessed by means of tools such as the RPI will be viewed as "highly desirable risks and ones that we want to price in a highly competitive fashion because we view them as doing the right thing", Parisi said.
"When you have all of the big accounting firms applying a certain standard, it carries a certain amount of weight," he added.
The relative lack of broadly applicable quantitative risk-measurement tools for the critical infrastructure and for enterprise IT has been a long-lamented issue among security professionals.
There are standards such as the ISO 7799, ISO 1799 and those from the National Institute of Standards and Technology that are used by organisations as benchmarks and assessment frameworks, but there are few widely accepted standards that are comparable to the generally accepted accounting principles and generally accepted auditing standards that auditors in the financial services industry are able to use.
"At the moment, there really isn't an equivalent to that when it comes to information security," Parisi said.
Jaikumar Vijayan writes for Computerworld