Duty of Care Risk Analysis (DoCRA) is a new standard that describes processes for evaluating information security risks and their safeguards so that the resulting analysis is easily communicated to and accepted by authorities, such as regulators and judges, and to other parties who may be harmed by those risks. Regulators expect that the burden of safeguards should be balanced against an organization’s mission. Attorneys and judges similarly use balancing tests to determine whether foreseeable harm could have been prevented by safeguards that would pose a reasonable burden.
While conventional risk analysis methods have neglected to include these significant perspectives, DoCRA describes how they may be incorporated. To bridge information security risk analysis with legal and regulatory expectations, DoCRA builds on and extends the classic risk analysis calculus. The new standard also serves as the foundation for CIS RAM, the Center for Internet Security® Risk Assessment Method co-developed by HALOCK Security Labs and published earlier this year.
The Midwest Cyber Security Alliance’s meeting on Wednesday, September 19 discussed DoCRA and CIS RAM. The MCSA’s very own Terry Kurzynski and Jennifer Rathburn provided a history lesson on how the courts decide on negligence and discussed:
- Why the disconnect persists between the legal system and information security community
- How current risk frameworks are failing to protect us
- How to upgrade an organization’s risk assessment methods to meet its duty of care