Risk Management for Unstructured Data in Enterprises - Research on Identity Management (by Marco Casassa Mont)

In the context of the HP Labs' Security and Identity Analytics project I have been investigating the implications of "unstructured data" (i.e. emails, documents, multimedia files, pages in data sharing sites, messages exchanged with Instant Messaging tools, blog posts, data mash-ups, etc.) within organizations, along with how to explain and predict involved risks and explore the consequences of related security (policy) choices.

Is "unstructured data" really a problem for organizations? If so, where is this problem? Well, the content of unstructured data (and/or an aggregation of it) can be confidential as it might include personal, financial and business-critical information. Because of the nature of unstructured data (and associated, emerging tools to handle and share it), there are many ways this data could leak and/or be misused, ranging from accidental disclosures to aggregations of information posted in public areas.

The threat landscape (including threats to data confidentiality, integrity and availability) is potentially broad as many contextual elements, IT components, processes and behavioral aspects are involved.

Most of the current approaches I am aware of that mitigate some of the involved risks are based on traditional IT security and identity "control points" (such as access control, interception points, complex document lifecycle management tools, etc.), addressing "point problems".

I believe this is not enough. Solutions are required to help organizations (and decision makers) to: (1) fully understand the nature of the problem, based on their specific context and environment; (2) have a picture of their overall risk exposure; (3) make informed decisions on which approaches to follow, explain and predict the consequences and define appropriate policies; (4) explore trade-offs.

So far I have found no comprehensive approach/solution providing these features. Is anybody aware of any?



Posted 09-02-2008 12:21 AM by marcocasassamont
