Security screening metrics for information-sharing partnerships.

Abstract

Recent history has shown both the benefits and risks of information sharing among firms. Information is shared to facilitate mutual business objectives. However, information sharing can also introduce security-related concerns that could expose the firm to a breach of privacy, with significant economic, reputational, and safety implications. It is imperative for organizations to leverage available information to evaluate security related to information sharing when evaluating current and potential information-sharing partnerships. The "fine print" or privacy policies of firms can provide a signal of security across a wide variety of firms being considered for new and continued information-sharing partnerships. In this article, we develop a methodology to gauge and benchmark information security policies in the partner-selection process that can help direct risk-based investments in information sharing security. We develop a methodology to collect and interpret firm privacy policies, evaluate characteristics of those policies by leveraging natural language processing metrics and developing benchmarking metrics, and understand how those characteristics relate to one another in information-sharing partnership situations. We demonstrate the methodology on 500 high-revenue firms. The methodology and managerial insights will be of interest to risk managers, information security professionals, and individuals forming information sharing agreements across industries.