In “BYOI (Bring You Own Identity) : An introduction to Contextualized Identity in a digitalized world” I define a contextualized identity as:

A contextualized identity is made by a superset of metadata who represent in a variable form a unique subject. This superset is made of general (static) and detailed (dynamic) metadata who represent the identity contextualized to the moment in time where it is used.

based on this definition what I expect is the need to evaluate constantly not only the information’s I have as “pre-filled”, the static metadata I collect from the identity lifecycle, but even the dynamic ones. This need offer the side to a couple of questions:

- Where the metadata should be stored?
- For how long this metadata should be available, if should be available?

I’ll try to get back on this two question at the end of this post, in the mean time, the real question that a contextualized identity raise is:

How I index and define Risk when the context is, by definition, never static?

Let me clarify. Risk or better Risk Management is defined as:

*“The process of identification, analysis and either acceptance or mitigation of uncertainty in investment decision-making. Essentially, risk management occurs anytime an investor or fund manager analyzes and attempts to quantify the potential for losses in an investment and then takes the appropriate action (or inaction) given their investment objectives and risk tolerance.”*

Investopedia –” Risk Management definition “(http://www.investopedia.com/terms/r/riskmanagement.asp)

and yes I took the financial/economic definition of risk management on purpose.

Let define Risk and Risk Management in the IT industry:

from ISO definition:

*“The potential that a given **threat** will exploit **vulnerabilities** of an **asset** or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.”*

From NIST FIPS 200:

*“Risk – The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.”*

From ISACA:

*“The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise”*

So I may summarize that Risk, by definition is usually associated to:

- A known event
- A probabilistic calculation of a known event
- The knowledge that a certain category of events will occurs
- The probabilistic calculation of the occurrence of those categories of events

Works? yes of course since if I look to the financial/economic definition of Risk Management I found that “..occurs anytime an investor or fund manager analyzes and attempts to quantify the potential for losses in an investment ..” and to do so I have to consider something I know (the investment), something I think may happen (the potential threat that will disrupt the investment), something correlated (the variables that may influence the whole analysis).

If the world would be…well flat yes it would work. No I’m not kidding since if the Risk Analysis and the Risk assessments were right that this would not ever happened:

http://en.wikipedia.org/wiki/Bankruptcy_of_Lehman_Brothers

it’s not about what they did, it’s about why anybody was not ready to expect this. Simple the information’s you need to evaluate were not in the “static” range of information’s.

A probabilistic event is something you define along a “line”, this line could be as much as complex you desire but in the very end could be simplified and reduced to:

- value 1: will happen
- value 0: will not happen

Make no mistake, you may tease you’re self with many “%” signs beside those two values but in the very end, still will be at the same point: it happens or not.

You’re living in a static world where the capability of collect and analys data is just still at the beginning of its journey.What all this means? you lack of knowledge and you’re a

## Dinosaur

This is you’re risk analysis and what a risk assessment does every time:

It starts from the usual principles:

- Identify
- Assess
- Evaluate
- Record
- Review

*Identify:* how do you identify something you don’t know yet? it’s a 1 or a 0

*Assess:* You define your assess something you don’t know? You can’t no matter how much is sophisticated your algorithm. Again it’s a 1 or a 0

*Evaluate:* We said it before, the evaluation is based on the findings of the previous two. It’s again a 1 or a 0

I may continue but would like to be clear. I’m not saying the Risk analysis as it is has no value I am simply state that works only on specific conditions and nowadays these conditions are not met anymore.

An Identity is represented or at least could be represented by it’s own “static” metadata:

Is a set, sometimes a superset of data that varies from name to unique identifications, from your phone number to your credit card number through the validity of the latter and the potential changes updates of the other. I may collect those metadata and link them into a map that I may re-use to approximately calculate who you are in a specific ecosystem, what grants you got there and so how much risky you may be.

I simplified on purpose the concept but still we’re at 1 and 0 value.

What is a contextual identity? Let me re-phrase:

*A contextualized identity is made by a superset of metadata who represent in a variable form a unique subject. This superset is made of general (static) and detailed (dynamic) metadata who represent the identity contextualized to the moment in time where it is used.*

I have a set or a superset of a dynamic metadata that is “linked” to the identity in the moment I look at it, that will vary the moment after and that could be totally different even if the identity present itself again in a similar if not exactly equal “moment”.

I consider the dynamic metadata like:

- Geo-localization
- Devices in use
- number of request per moment in time
- related/linked/federated application/resources requested before,between,after the evaluated request
- identity in use and identity presented

All of these are just a part of a dynamic superset that vary continuously and could not be encapsulated easily. In a more formal definition:

A contextualized identity is a uniquely set of metadata that may be fully understood by any party without requiring a specific knowledge of them but only a minimal capability of use them in accordance with what the identity request. It is dynamic in the form that may adapt itself to the context where it operate without the need of become part of it completely or just in part.

This definition lead us to a multi-value definition of the risk since we should consider:

- Identify
*Contextualize the***moment***Contextualize the***request**associated*Contextualize the***behavior**linked to the two above- Assess

*The capability to adapt to the***context***The capability to adopt to a***behavioral deviation**- Evaluate

- evaluation of a 0,1,1,0 scenario
- Record
- Review

in a more formal word:Randomization tests applied to Risk analysis.

Let me explain:

“The Lady Tasting tea:

to test a lady’s claim that she can tell whether the tea or the milk is poured into the cup ﬁrst. The null hypothesis is that she cannot tell the difference.

Fisher proposed presenting eight cups in random order, four each with milk and tea poured ﬁrst, and she would be required to list the order she thought was correct. If we use M for milk ﬁrst and T for tea ﬁrst, she might give a response such as MMTMTTMT.

This is a simple example of a single-case design with two conditions which can be randomly assigned to the eight available observation occasions. The test statistic will be the number of correct cups in her response sequence…it is easy to show that there are

70 ways to arrange four Ms and four Ts in order, so if her list is completely correct she either can tell the difference or else she made a lucky guess and picked at random the correct order out of the 70 possible. If she got them all correct we might believe her

claim, but what if she just got most correct? We would need to list the 69 unused arrangements, compare each with the one used for the experiment and count how many of the 69 got at least as many correct as the lady. If she got six correct there would be 17 arrangements at least as good (16 with 6 correct and the one actually used with all correct). So she has a probability of 17/70 of choosing at random an arrangement with at least 6 correct.”

Fisher 1935

If you look at it closely this simple test allow us to solve the evaluation scenario0,1,1,0 of the “Risk Square”.

but… do you remember our two initial questions?

- Where the metadata should be stored?
- For how long this metadata should be available, if should be available?

If I take in account what I just defined I do not need to store them but the result that comes from the analysis of their contextual behavior and the various identities that are linked to them in a specific moment in time. But around the topic of the “right to be deleted I’ll took soon in another post so keep reading this blog.