Abstract

Article Title

DATA LOSS RISK: A MULTIVARIATE STATISTICAL METHODOLOGY PROPOSAL

Keywords

Prioritization of data loss risk
Prioritization of risk events
Methodology for prioritizing risk events

Area

Finance

Theme

Governance, Risk and Compliance

Authors

Name
1 - Heber Jose de Moura
UNIVERSIDADE DE FORTALEZA (UNIFOR) - PPGA
2 - Charles Ulises de Montreuil Carmona
UNIVERSIDADE FEDERAL DE PERNAMBUCO (UFPE) - CCSA

Abstract

Given that adequate prioritization of data loss (DL) events is crucial for risk management in institutions of any nature, this paper proposes a methodology for ranking the events associated with this type of risk. The proposal incorporates three specifications: parametric independence, objectivity and applicability.
How can the processes to be modeled be prioritized objectively, given that they generally constitute a reasonable volume in the company and have different patterns of behavior?
The contributions of researchers such as Cruz (2004), Chernobai, Rachev & Fabozzi (2007), Bühlmann, Shevchenko & Wüthrich (2007) and Yasuda (2003) were very important to mitigating operational risk (OR). Jobst (2007) pointed out the complexity of this type of risk, which cannot be considered a “mere segment of other risks” but one that tends to have its “own life”.
The method developed was applied to records of data loss (DL) events reported to DatalossDB. Each record refers to a company and contains the following variables: Industry sector, Date of the incident, Incident source, Country and Incident Description, Quantity of information items affected by the incident, Financial, Type of information items affected and Breach type. From 2013 to July 2014, 1982 data loss cases were reported to DatalossDB, including companies that did not report financial losses and those located in other countries.
Once the set of events was known, a public sector risk manager was asked to rank the thirty events in order of importance for risk mitigation purposes. The Conjoint Analysis (CA) produced the following measures: (a) utility-generating function coefficients, (b) correlation and significance, and (c) importance of attributes. The resulting utilities are based on the values that make up the event. Considering the “Frequency” criterion, the utility of the “Business-Outside-Fraud…” event is calculated as 4.167 + 4.300 + 15.300 + 12.033, resulting in 35.8, which corresponds to the priority assigned by the CA.
In the Conjoint Analysis, the decision-maker was asked to classify the previously formatted risk events in an ordinal ranking. The procedure then determined the importance of the attributes involved and allowed the risk events to be prioritized using multiple criteria, which was the purpose of the study. Another relevant aspect is the possibility of quantifying the importance that levels and factors related to data breaches have for those in charge of risk management, which will certainly be useful in guiding their actions towards minimizing the problem.
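The additive utility calculation described above can be reproduced on a small scale. The following is an added example, not the authors' code or data: it assumes a balanced full-factorial design with three two-level attributes and a constructed ranking (only the level names "Business", "Outside" and "Fraud" come from the abstract; every other level, score and function name is hypothetical).

```python
from itertools import product

# Constructed levels; only "Business", "Outside" and "Fraud" appear on the page.
ATTRIBUTES = {
    "sector": ["Business", "Government"],
    "source": ["Outside", "Inside"],
    "breach": ["Fraud", "Hack"],
}
# Full-factorial set of risk events: every combination of levels (8 events).
EVENTS = [dict(zip(ATTRIBUTES, combo)) for combo in product(*ATTRIBUTES.values())]
# Constructed manager ranking, stored as scores (8 = highest priority), in EVENTS order.
SCORES = [8, 7, 5, 6, 4, 3, 2, 1]

def part_worths(events, scores):
    """Part-worth of a level = mean score at that level minus the grand mean.
    In a balanced full-factorial design this is the effects-coded least-squares fit."""
    grand = sum(scores) / len(scores)
    worths = {}
    for attr, levels in ATTRIBUTES.items():
        for level in levels:
            hits = [s for e, s in zip(events, scores) if e[attr] == level]
            worths[(attr, level)] = sum(hits) / len(hits) - grand
    return grand, worths

def utility(event, grand, worths):
    """Utility of an event: constant plus the part-worth of each of its levels."""
    return grand + sum(worths[(attr, level)] for attr, level in event.items())

def importance(worths):
    """Attribute importance (%): its part-worth range over the sum of all ranges."""
    ranges = {}
    for attr, levels in ATTRIBUTES.items():
        vals = [worths[(attr, level)] for level in levels]
        ranges[attr] = max(vals) - min(vals)
    total = sum(ranges.values())
    return {attr: 100 * r / total for attr, r in ranges.items()}

def prioritize(events, scores):
    """Return events sorted by fitted utility, highest priority first."""
    grand, worths = part_worths(events, scores)
    return sorted(events, key=lambda e: utility(e, grand, worths), reverse=True)

if __name__ == "__main__":
    grand, worths = part_worths(EVENTS, SCORES)
    for event in prioritize(EVENTS, SCORES):
        print("-".join(event.values()), round(utility(event, grand, worths), 2))
    print(importance(worths))
```

In this constructed ranking the manager scored Business-Inside-Hack above Business-Inside-Fraud, yet the fitted additive utilities order them the other way, which shows how the model smooths a single ranking into per-level weights.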
Borges, J. F., & Moura, H. J. (2010). Integração entre abordagens qualitativa e quantitativa para a mitigação do risco operacional: estudo no Banco Central do Brasil. Anais do ENANPAD 2010. Encontro da ANPAD, Rio de Janeiro.
Gabbay, A. M. (2010). Simulação de Monte Carlo para Mensuração do Risco Operacional: Aplicação do Modelo LDA. Dissertação de mestrado. Universidade Presbiteriana Mackenzie, São Paulo.
OSF Open Security Foundation (2014). DataLossDB [data file]. Retrieved from http://datalossdb.org.
Ribas, J. R., & Vieira, P. R. C. (2011). Análise multivariada com o uso do SPSS, Rio de Janeiro