A locked door?

To many risk analysts, performing a quantitative security risk analysis for threat scenarios in Mainland China feels like trying to open a locked door.

Analysts Challenges:

1. Macro data such as crime rate, natural disaster, or fraud are usually not available at the public domain.

2. Authorities' websites are sometimes in the Chinese language only and often functioned as propaganda.

3. Information availability may not be geographically consistent. For example, crime data available in one province does not mean the same data is available in other provinces.

4. Authorities are often unresponsive to request for data. Words such as "security", "audit" and "investigate" are best avoided if one wants to increase the chance of response. Instead of the mentioned words, try "research", "understanding", or "study".

5. The source of information sometimes are not intuitive. For example, aviation related data are not held by the civil aviation department but are held by each local municipalities.

6. Public security (e.g. police) data are not transparent.

7. When data do show on the public domain, data may or may not be released regularly on a yearly basis.

Mitigating Techniques:

1. Talk to local acquaintances that are familiar with the matter (e.g.: supply chain theft or IT security breaches) that could help you to narrow down the analysis focus. However, not all have this luxury.

2. Look for year books that provinces or municipalities issue. Within those publication, there are sometimes sections that have statistics useful for security related analysis.

3. Look for research paper released by local universities.

4. Look for court verdicts. Unlike public security, court verdicts are transparent. This can be a proxy of estimating certain incidents growth or decline.

5. Baidu, as believed by many, is the most useful search engine for mainland China research.

6. There are websites that provide quantitative data based on voluntary peer input (think wikipedia), but the result may not be reliable especially when the number of input is low.

7. Ride on other analysts report for your own analysis. Be sure to seek permission if needed and give credit to the creator.

8. Look for reports released by local associations related to your research topic.

9. There are websites that provide quantitative data based on a combination of the techniques mentioned above. However, these usually require a paid subscription service.

Technique Caveats:

1. Information coming from Chinese sources have a tendency to show more positive information. When negativities do show, they often lack details.

2. Many of the above techniques mentioned require the reading of simplified Chinese.

Bottom line:

It is challenging to perform a quantitative risk assessment in Mainland China. However, it is doable if one attacks the problem from multiple angles.

When there are no hard data available, one can rely on multiple proxies or extrapolate from historical data in order to produce a reasonable risk assessment.

Be sure to show the methodologies and be transparent on any caveats, so analysts and client can enjoy a trusted relationship in the risk assessment effort.