There’s a reason companies are asking CIOs to solve a new kind of security risk every time they turn around. Business continuity threats, data breaches, malicious code and stolen laptops all have one thing in common—they’re the price of information technology’s success. Information security is an issue because most of our core business processes incorporate IT, and technology has started to break down the stovepipes that used to protect corporate data.

CIOs have always had to prioritize risks when deciding how to allocate resources. What’s different about information security risks today is the uneven ability of CIOs and their business partners to assess them. Every company faces a different mix of security risks. And every one has a different set of information advantages and disadvantages—call this risk intelligence—for assessing each of those risks. IT executives have no choice but to sort out which security risks are big, which ones are small and, most important, which ones they and their colleagues are not very good at evaluating.

This last challenge is new. The methods for estimating the size of a risk usually involve polling business partners to determine the worst-case loss they expect in a given period of time. But CIOs still have to evaluate how accurate these assessments are. One company may know from experience how information integration can compromise records. Another might have learned what a data breach costs. But it would be a mistake to assume every company, or even every business leader within a company, has the same ability to assess the likelihood or impact of fast-evolving threats.

So a critical new step in allocating resources for security risks is to determine which ones your organization is good at assessing before you rank the risks and estimate how much it would cost to mitigate each one.

How to Assess Risk Intelligence

To assess your risk intelligence, ask yourself these five questions for each major security risk you face:

1. How frequently do you have experiences related to the risk you’re evaluating?
2. How surprising are these experiences?
3. How relevant is your experience to the risk you’re evaluating?
4. How diverse are the sources of information about the risk?
5. How methodically do you track what you learn from past experience about mitigating risks?

Score your answers on a scale of 0 to 2, where 0 means you and your business partners have less understanding about this risk and its contributing factors than others on your list; 1 means your understanding is about average; and 2 means you understand it better than other risks. Add up your answers for all five questions. Scores fall between 0 and 10; 5 means you think your ability to weigh a risk is average across the five factors. It doesn’t matter if you’re a tough or an easy grader: What you’re doing is ranking your risk competence.

Now rank your organization’s information security risks by their risk intelligence score. You may want to allocate more mitigation resources to the ones that score the lowest, because these are the ones you are worst at assessing. For larger companies, it may be important to score the risk intelligence of each business unit facing a single risk. In this way, you can figure out which business unit has the clearest understanding of the threat, though you may still allocate more resources to the unit that scores the lowest.

By the way, this is the opposite of the conclusion you’d draw for elective projects. It makes sense to pursue discretionary projects that pose risks we’re good at assessing. But when the risks are unavoidable, the question is different. We need to focus on the risks—or the parts of the business—where we’re most likely to make a mistake.

How Assessments Help Decision Making

Here’s how to apply the risk intelligence methodology. Suppose your company has been spooked by recent security breaches that have compromised customer data. You’re trying to figure out just how much—and where—to invest in security safeguards. The company’s network has never been breached, although a competitor’s customer database was compromised and the story was all over the news. Closer to home, a laptop was stolen from a salesperson’s car a few weeks earlier.

So you ask the heads of your company’s business units (let’s say there are three) what would be their worst-case loss for a security breach. Compared to their revenue, the estimate from business unit A seems too large, B seems too small, and C falls between A and B. You want to judge who is most likely to be accurate, so you score the risk intelligence of each of the three business unit leaders.

The business leaders have different amounts of experience with security breaches. Because of the volume of its customer data, you give a 2 to business unit A, meaning a lot of potentially valuable experience. You give B and C each a 1 because their experience is about average for their business segments—they keep track of the problem but haven’t suffered a breach so far.

Next you ask how surprising the experience of each of these business units tends to be. The salesperson who lost the laptop works for A, so A gets another 2. B hasn’t typically attracted privacy threats, so it gets a 0. C gets a 1 because its experience in this area is about as surprising as that of most companies.

Now evaluate how relevant this experience is. You believe the number of integrated customer files is a big factor. A keeps each set of data in separate systems, so it gets a 0. B has both multiple- and single-file customer systems; it gets a 2 because this experience should be highly relevant to whether the integration of files really matters. C’s experience seems average, so you assign a 1.

And so on. Tallying the scores, it turns out A has the best understanding of the magnitude of your company’s problem with security breaches. Thus, you apply A’s standard for evaluating the risk to the whole company. But you decide to pilot new security systems with C because there’s reason to expect it is least prepared to deal with the risk of a security breach.

Risk intelligence analysis does not replace the exercise of judgment in prioritizing security or any other IT-related risks. But laying out the main issues—the worst-case loss assessments and the reliability of those assessments—helps you apply your judgment systematically. And it provides a basis for discussing with your executive colleagues the key trade-offs in your risk management strategy.

David Apgar is the author of Risk Intelligence: Learning to Manage What We Don’t Know.