MITRE's System of Trust (SoT)

Supply Chain Security


Scoring Risk

One of the main elements required to achieve SoT’s goal is consistency – whether that be consistency of:

Providing a path towards achieving differing types of consistency will require engagement and participation from all parts of our collective marketplace. There is business value in understanding the expectations and needs of your customers and in having consistent expectations across industry sectors. This identified value offers a strong incentive for businesses, as does having colleges and universities educate the future workforce and leaders about supply chain risks in a manner that prepares graduates for varied career paths and professional endeavors.

An Explicit Methodology for Scoring Risks

Having an explicit methodology for scoring the individual risks, especially one that is supported by evidence, is a critical part of the SoT capability.

This includes addressing how risk assessment findings are collected and how they can reflect incomplete data or missing information. Additionally, the methodology must be able to reflect the risk tolerance, or sensitivity, of an assessing organization to the different risk areas. For example, foreign ownership of an entity can be a deal-breaker for some organizations in government but less of a concern for those in industry (unless, of course, that entity plans to supply those that have those concerns). For some types of transactions, an organization may be highly concerned with whether a supplier’s infrastructure is located in an area susceptible to weather or political events. The significance of these risks must be tailorable to reflect an organization’s approach to assessing and addressing risks.

A final aspect of the SoT scoring approach is addressing the issues that arise from aggregating many individual risk measurements. Strong risk findings in a few items could get diluted by low-risk findings in others. But if those strong findings point to risks that are critical to the organization, they must not be hidden by a scoring approach that fails to account for this case. We are addressing all of these issues in the SoT scoring approach.
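The dilution problem and the two requirements above (missing data, organization-specific tolerance) can be seen in a small sketch. This is an added illustration, not MITRE's SoT scoring method: the `Finding` fields, the weights, the 0.7 threshold, and the rule that a critical finding sets a floor on the aggregate are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Finding:
    risk: str                # risk area label (constructed sample names)
    score: Optional[float]   # 0.0 (low risk) .. 1.0 (high risk); None = no evidence collected
    weight: float = 1.0      # assumed: assessing organization's sensitivity to this risk
    critical: bool = False   # assumed: marks a deal-breaker risk for this organization

def naive_mean(findings):
    """Plain average over answered findings; a single high score gets diluted."""
    scored = [f.score for f in findings if f.score is not None]
    return sum(scored) / len(scored) if scored else None

def assess(findings, critical_threshold=0.7):
    """Return (score, coverage, escalated) under the assumed scheme.
    score: tolerance-weighted mean, floored at the worst critical finding
    at or above the threshold. coverage: share of total weight backed by
    evidence, so missing data stays visible instead of counting as low risk."""
    total_w = sum(f.weight for f in findings)
    answered = [f for f in findings if f.score is not None]
    answered_w = sum(f.weight for f in answered)
    coverage = answered_w / total_w if total_w else 0.0
    if not answered_w:
        return None, coverage, []
    weighted = sum(f.score * f.weight for f in answered) / answered_w
    escalated = [f for f in answered if f.critical and f.score >= critical_threshold]
    floor = max((f.score for f in escalated), default=0.0)
    return max(weighted, floor), coverage, [f.risk for f in escalated]

# Constructed sample: one strong, critical finding among several low ones,
# plus one risk area for which no evidence was collected.
SAMPLE = [
    Finding("foreign_ownership", 0.9, weight=3.0, critical=True),
    Finding("infrastructure_location", 0.2),
    Finding("financial_stability", 0.1),
    Finding("quality_history", 0.1),
    Finding("cyber_hygiene", None, weight=2.0),
]

if __name__ == "__main__":
    print("naive mean:", naive_mean(SAMPLE))
    print("tailored  :", assess(SAMPLE))
```

An organization that does not treat foreign ownership as a deal-breaker would run the same findings with `critical=False` and a lower weight, and get a different score from identical evidence.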
