Would You Put Your Security in the Hands of a Guess?
3 minute read | Last updated 17-Jan-2022 | 
Rant, Risk, Security, Ship30for30
If I asked you to cross the street without looking for traffic, but instead just guessing if there was an oncoming car, would you cross?
Of course not! That’s absurd. Why take such a huge risk with any data to make an informed decision.
Sadly, in the digital world, we’re crossing the street all of the time. Digital risk evaluation is often based on best guesses and not data.
Remember, risk is a combination of the impact of an event and the likelihood it will happen.
Guess What?
Say you’ve just download a new mobile game and it wants you to create an account in order to play.
That process requires you to enter your full name, email address, physical address, gender, annual household income, and phone number.
When you’re deciding to whether or not to give the game this information, what are you basing the decision on?
The look of the app? The fact that they haven’t been in the headlines? Their terms of service and privacy policy?
It usually boils down to reputation. Why?
What’s The Event?
To properly figure out the risk here, we need to understand what could happen.
This information is considered PII or personally identifiable information. Some of it is available other places (like the online shops you frequent) but it’s not something you want to give out readily.
What is the impact is this information being in the hands of the app developer? What if the information was made public?
What’s The Impact?
The information could make you a target in the real world.
After all, the household income typically correlates to the amount of goods in the home. It also indicates the earning potential if someone stole your identity.
The impact could be massive.
Data Desperately Needed
The challenge is now finding data that could indicate how likely that impact is to occur.
You could search online about the company’s reputation. Have they had breaches in the past? Do they have a clear privacy policy and terms of service?
You could look for discussions about their reputation. Information about how they use the data they collect and how they make money will help here.
But at the end of the day, it’s not enough to make an informed decision. There’s no statistic that says, “This app has a 48% of exposing your personal information.”
That’s no way to make a risk decision, but we do it every day!
For the record, when you can’t gather enough data to get an idea of the likelihood, the potential impact should sway your decision…especially with PII.