Risk Scoring with OSINT
What is open source intelligence?
Open source intelligence (OSINT) is intelligence that is derived from data gathered from open or publicly available sources.
There are two types of open sources – paid, such as fee-based news services and databases (e.g. Lexis Nexis) and free sources.
Open sources can be broken down into three categories:
Surface web – the area of the Internet that is indexed by search engines. Includes social media platforms such as Twitter, Facebook and LinkedIn and news sites such as Google News.
Deep web – content that is not indexed by search engines such as from controlled websites, password controlled access, and sites that exclude robots (such as search spiders).
Dark web – a sub set of the deep web that requires additional tools (such as TOR) to access.
Figure 1. The Balance of Data – Surface Web, Deep Web, and Dark Web Percentages
What is risk scoring?
Risk scoring is a way of generating a number which tells you how risky something is. Risk relates to the likelihood and consequence of an event occurring. A simple risk scoring model involves assigning a value to the likelihood and consequence of a risk eventuating. These risk values are then added together to provide an overall risk score.
What are the benefits of risk scoring?
Time. A risk score can be used as an initial check to determine if a risk requires further investigation. When resources are limited, risk scores can help you focus your efforts. For example, when assessing candidates for employment, a higher risk score may warrant closer attention to certain areas during a job interview. The risk score threshold will be different for each organization and what it deems as an acceptable level of risk.
Another use for a risk score is to aid in decision making. For example, when assessing the risk that an organisation may suffer a cyber security incident, a low risk score may indicate that an organisation is more desirable to do business with than one with a higher risk score.
How can open source intelligence and risk scoring be applied to my business?
- Credit Risk – Financial institutions rely on credit databases to make decisions about whether to provide credit. By looking at what a person or organisation has said or has been said about them online, a risk score can be generated to provide an additional objective measure of credit risk.
- Cyber Risk – The information available online about your company, its infrastructure and its people will be used by attackers as inputs into cyber attacks. A risk score can be generated based on the type and volume of information available.
- Third Party Risk – Your suppliers have privileged access to your people, data and infrastructure. You rely on them to provide the inputs that you need to run your business. By looking at the behaviours of the supplier’s executives and what is being said about them and their company online, a risk score can be generated to help identify areas of concern.
- Employment Screening and Ongoing Monitoring – Your employees have access to your most sensitive data, and represent your business. By assessing a candidate’s online behaviour, you can generate a risk score that will help guide the interview process.
Once an employee joined your organisation, you can protect your assets by monitoring online behaviour. Depending on the organisations risk tolerance, risk scores above the tolerance can be turned into alerts for action by your security team.
Bringing it all together
Risk scoring is a great way to support decision making.
Open source intelligence is an objective way of generating a risk score for a person or organization, based on publicly available information.