Identity Asset Valuation

© 2018 Proprietary, The University of Texas at Austin, All Rights Reserved.
Identity Asset Valuation
Suzanne Barber
Director, Center for Identity
AT&T Endowed Professor in Engineering

The University of Texas at Aus3n established the
Center for Iden3ty (UT CID) to
serve as a center of excellence
delivering leadership and interdisciplinary
research and educa3onal programs in iden3ty
security and privacy.

The Center fulfills this mission through:
Conducting ID360
research to recognize
and resolve identity
challenges
Educating consumers and
workforce professionals
RESEARCH EDUCATION
Reaching out to consumers
and organizations to share
actionable knowledge
and resources

CONNECTION

UT CID brings together all the disciplines and
world class faculty to research and deliver
innovations in Identity.

UT CID STRATEGIC PARTNER PROGRAM
The Center for Identity believes a
interdisciplinary and multi-sector
partnership is critical to addressing
the critical and fundamental
identity challenges.

Government & Law
Enforcement Partners
•  Federal Bureau of Investigations
•  Texas Comptroller of Public Accounts
•  Texas Health and Human Services
•  Texas Department of Information Resources
•  Texas Department of Public Safety
•  United States Department of Veterans Affairs
•  United States Secret Service
•  United States Treasury Inspector General for Tax
Information
•  United States Department of Homeland Security –
Investigations (HSI ICE)
•  United States Department of Homeland Security -
Office of Biometric Identity Management (OBIM)
•  Netherlands Office of Identity Data (NOID)
Corporate
Partners
•  Acxiom
•  Applied Fundamentals
•  Gemalto
•  Generali Assist
•  HID Global
•  ID Analytics
•  LifeLock
•  IDEMIA
•  Symantec
•  TransUnion

The UT CID is investigating how
“identity assets” are used for …
(1) legitimate purposes
(2) fraud and other crimes.

UT CID investigates the business
operational uses of Identity Asset
through the lens of organizational
privacy policies.

UT CID studied privacy policies of
600 companies (10% of all
lis3ngs on NYSE, Nasdaq, and
AMEX stock markets) across
industries and inves3gate ten
diﬀerent privacy factors in them.
Privacy Check™ mines online privacy
policies to explain how an organization
handles personal data.
Explaining what you are “Clicking to Agree” to !

UT CID Privacy Check Project
learned …
•  97% of the companies collect email addresses
•  80% of the companies use PII (including email addresses) to
promote their own services or products.
•  24% of companies provide users’ PII to the law enforcement without
a warrant or subpoena.
•  93% of policies studied do not collect personally identifiable
information of children under 13.
•  Majority (82%) do not let users completely delete their record.
•  96%, over 90% of the companies in any industry, consider continued
use of the website as implicit agreement to any changes in the
privacy policy.
“Toeing the Line of Risk and Value: An Automated Study of Web Privacy Policies Across Industries,”
R.N. Zaeem and K.S. Barber, UT CID Report #043016, The University of Texas, 2017.

Which organizations have
demonstrated significant
understanding of how to use and
monetize identity assets?

Criminal Organiza3ons

Identity Threat Assessment and
Prediction (ITAP)™
mines actual empirical case reports to
build a computational model and analytics
describing how true, synthetic or
fabricated identity data is created and used
for legitimate and fraudulent in-person and
online transactions.
The Identity Threat Assessment and Prediction (ITAP) serves as a
national analytical knowledge repository of threats and
countermeasures across multiple market sectors, including but not
limited to DHS 16 critical infrastructure sectors.

Let’s take a test:
The test is titled,
“ How do identity thieves monetize
identity assets? ”

Which identity assets do identity
thieves and fraudsters find most
valuable?

Throughout the U.S., the Top 5
compromised PII attributes are the same.
Source: UT CID Iden0ty Threat Assessment and Predic0on (ITAP) project.

The UT CID Identity Ecosystem explores:
(1) Value of these identity assets
(2) Likelihood of their exposure & misuse
(3) Which assets maximize authentication
but reduce liability

The UT CID Identity Ecosystem™
analyzes the “periodic table” & physics
of identity characterizing identity
attributes and relationships between
those attributes
What you
KNOW
What you DO
What you
HAVE
What you ARE
How is TRUST created or
lost?
Which Iden@ty aAributes
are most valuable?
If Iden@ty aAribute_X
changes what else
changes?
TRUST
VALUE
CHANGE
RISK
VULNERABILITIES
SPECIALIZATIONS
Which iden@ty aAributes
are at most risk?
How is an iden@ty
compromised?
How is one Iden@ty
diﬀerent than another?
Demonstra3on

The Center for Iden-ty is
crea-ng a
UT CID Iden-ty Ecosystem
to describe
People, Device and
Organiza-onal Iden--es and
how these Iden--es aAributes
are Connected.

Iden-ty aAributes in the UT CID Iden-ty Ecosystem
are highly connected.
People a@ributes in orange
Device a@ributes in blue
Organiza0on a@ributes in green

The UT CID Identity Ecosystem describes
the Notorious Three (now Four)
Categories of Identifiable Information
What you KNOW
What you HAVE
What you ARE
What you DO

Which type of
identity assets
are most often
compromised?
Average Loss
per incident for
each type?
Source: UT CID Iden0ty Threat Assessment and Predic0on (ITAP) project.

Identity Asset Nodes in the UT CID Identity
Ecosystem can be sized by value and colored
by risk.
•  Low value high risk attributes connected to high value attributes signal trouble.
small
medium
large
green
yellow
red

Query: What is the most probable origin of a
breach given evidence of attribute exposure?
SSN
Query

Here is another question we could
ask in the UT CID Ecosystem
For customer enrollment, which identity
asset keys should be collected to …
1. minimize the risk of exposure
but at the same time
2. maximize the authentication strength?

We need to answer two questions:
–  Accessibility: How difficult is it for fraudsters to get to a
target node (identity asset) ?
–  Post Effect: If the target node (identity asset) is breached,
how big is the influence/impact on risk of exposure values
for other identity assets (i.e. does the risk of exposure
increase if a connected attribute is breached)?
26

Identity assets with
High Accessibility
(easy to access or learn)
≠
best choice in terms of
authentication.

27
Identity assets with High
Post Effect (high costs if
breached)
≠
best choice in terms of risk.

Will the “identity currency” of
today be the “identity currency” of
tomorrow?

UT CID Education

The Center
describes and
educates he
Identity Workforce.
Degrees
Short Courses
Certifications
Study that identifies the
numbers and types of
jobs in the identity field
EDUCATION
IDENTITY
WORKFORCE
STUDY
The Center
describes and
educate the
Identity Workforce

More information at
msims.ischool.utexas.edu

The Identity Leadership certificate program covers the
knowledge and skills to lead the complex business of
identity – from assets, liabilities, planning, operations
and workforce.
•  Designed for executives, managers and
professionals responsible for identity assets or
seeking to lead organizations with identity
management, security and privacy challenges and
solutions.
•  Learn about identity management and security in all
of its dimensions: people, processes, policy, legal,
and technology
•  Graduates receive a Center for Identity certiﬁcate in
Identity Leadership as well as 24 hours of
continuing education credits.
•  3 day program
Day 1: Your Identity Portfolio
Day 2: Identity Risk Assessment, Management,
Compliance and Response
Day 3: The Business of Identity: Strategic
Planning and Leadership

Suzanne Barber, Director
Center for Identity
The University of Texas at Austin
201 East 24th Street, POB 5.102
Austin, TX 78712
512.471.6152
sbarber@identity.utexas.edu

Identity Asset Valuation

More Related Content

Similar to Identity Asset Valuation

More from FIDO Alliance

Recently uploaded

Identity Asset Valuation