I have been obsessing over the question of whether cyber risk quantification, as we understand it today, can serve as a reasonable proxy in assessing risk associated with privacy regulations such as the EU General Data Protection Regulation. The EU-GDPR says the obligation of companies is to “protect[s] fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.” Article 6 of the Charter of Fundamental Rights of the European Union states that one “fundamental right[s] is the right to Liberty”, which encompasses the concept of self-determination.
I am not at all confident that traditional cyber risk quantification is a suitable proxy for an individual’s privacy risk related to this fundamental right. For example, a company might perform a quantified risk assessment of non-compliance with the EU-GDPR that concludes there is an 80% probability of a fine of 4% of global revenue + 10 million Euros of customer litigation. This is a great approach if you need to understand the potential monetary impact to the organization for non-compliance but, if your intent is to truly comply with the law, it seems to me that you may have to take an individual-focused approach to risk assessment.
In short, what is the risk to an individual's fundamental rights if they are subject to psychographic profiling by a company like Cambridge Analytica, for the purpose of manipulating public opinion that undermines the individual's right to self-determination?
After pondering this with a number of people, I think the answer is that different risk assessment approaches must be employed. In those circumstances where you want to understand the monetary impact to the organization, you would use cyber risk quantification. In those circumstances where you want to understand the impact to an individual, you must do the assessment from the individual's perspective. This bifurcated approach will no doubt leave many organizations faced with circumstances where they have determined that the risk to the individual is great but to the organization, comparatively small.
What do you think?