Rapid Security Risk Analysis
Farrokh Alemi, Ph.D., Georgetown University


Page 1: Rapid Security Risk Analysis

Rapid Security Risk Analysis

Farrokh Alemi, Ph.D., Georgetown University

Page 2: Rapid Security Risk Analysis

Proposal

Set security risk priorities:
- Faster
- More accurately
- More objectively

Page 3: Rapid Security Risk Analysis

Case of Attack on Boiler Room

- Consultant's visit
  - Card in boiler room
  - Contract
- Comprehensive
  - Physical, electronic, personnel, natural causes, etc.
- Based on opinions
  - Consensus
- Imagined risks
  - Attack on milk tanker will kill 500,000
- Next consultant

Page 4: Rapid Security Risk Analysis

Cost of Comprehensive Security Analysis

- Wasted time
- Less productivity
- Forgotten passwords
- Lack of coordination
- Missed priorities
- Anthrax versus Katrina

Page 5: Rapid Security Risk Analysis

Probabilistic Security Risk Analysis

- Collect incidence databases
- Calculate probability of events
  - Use time to event
- Set priorities
  - Prevent events with high expected damages
  - Mitigate consequences of events with low expected damages
  - Ignore all others

Page 6: Rapid Security Risk Analysis

Example: Reduce Privacy Security Risks

- Analyze legal cases
- Analyze reports to DHHS

Description of risk factor | Prevalence of risk factor in the organization | Prevalence of security violation given the risk factor
1. Employee views paper documents or manipulates computer passwords to view records of patients not under his/her care | 0.0003 | 1
2. Benefit organizations or employers request employee information improperly | 0.0003 | 0.8805
3. Employees engaged in whistle blowing to uncover illegal or unacceptable business or clinical practices | 0.0003 | 0.0201
4. Clinician using unsecured email environment to contact patient | 0.0003 | 0.1606
5. Employee removes patient records from secure location or workplace without authorization | 0.0003 | 0.88
6. External infection of computers/password/network systems (e.g. computer hacker) | 0.0003 | 0.5888
7. Theft of computers or hard drives with patient records | 0.0003 | 0.5867
8. …

Page 7: Rapid Security Risk Analysis

Example: Reduce Privacy Security Risks

- Analyze legal cases
- Analyze reports to DHHS

(Same risk-factor table as on Page 6, with a callout on the prevalence columns:)

Calculate from time to re-occurrence of the event

Page 8: Rapid Security Risk Analysis

Example: Reduce Privacy Security Risks

- Analyze legal cases
- Analyze reports to DHHS

(Same risk-factor table as on Page 6, with the callout:)

Evidence Based Legal Analysis

Page 9: Rapid Security Risk Analysis

Example: Security Risks at a Nursing School

What should we do?
- Protect against computer viruses
- Educate faculty about theft
- Require background checks for students
- Introduce camera surveillance

Page 10: Rapid Security Risk Analysis

Example: Security Risks at a Nursing School

Category of risk factor | Events | First reported date | Last reported date | Average days between events | Daily rate
Theft of computer | 21 | 7/1/99 | 11/29/04 | 99 | 0.010
Theft of other equipment | 36 | 2/5/00 | 8/10/99 | 63 | 0.016
Theft of personal property | 2 | 7/12/01 | 7/11/03 | 365 | 0.003
Property damage | 26 | 10/7/99 | 10/7/04 | 73 | 0.013
Vehicle accident on premise | 10 | 10/27/00 | 8/3/05 | 193 | 0.005
Damage from natural causes | 40 | 10/26/99 | 6/30/05 | 51.62 | 0.019
Hazmat incidents | 1 | 10/10/03 | 10/10/03 | 726 | 0.001
Student shootings | 1 | Once four years ago in 100 schools | | | 0.00005
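The slide shows only the finished table; the following is an added example, not code from the presentation, of how the "average days between events" and "daily rate" columns can be derived from an incident log. The formula is an assumption reverse-engineered from the slide's own rows (span from first to last report divided by the number of gaps, i.e. events minus one, with the daily rate as its reciprocal); it reproduces the 99, 73 and 193 day figures for the theft, property-damage and vehicle rows. A single event has no gap, so the function falls back to the days from that event to an "as of" date; the `AS_OF` value used here is an assumption chosen so the hazmat row yields the slide's 726 days. The function and constant names are my own.

```python
"""Time-to-event rate estimation for an incident log (added example).

Assumed formula (reverse-engineered from the slide's rows): average days
between events = (last date - first date) / (events - 1); daily rate is
the reciprocal. One event has no gap, so the days from that event to an
'as of' date are used instead (assumption).
"""
from datetime import date
from typing import Optional


def average_gap_days(events: int, first: date, last: date,
                     as_of: Optional[date] = None) -> float:
    """Average number of days between consecutive events."""
    if events < 1:
        raise ValueError("need at least one recorded event")
    if events == 1:
        # No gap to average: fall back to the time since the single event.
        if as_of is None:
            raise ValueError("a single event needs an as_of date")
        return float(abs((as_of - first).days))
    # abs() tolerates a log whose first/last dates were entered swapped.
    return abs((last - first).days) / (events - 1)


def daily_rate(avg_gap_days: float) -> float:
    """Events per day: the reciprocal of the average gap."""
    if avg_gap_days <= 0:
        raise ValueError("average gap must be positive")
    return 1.0 / avg_gap_days


def rate_table(rows, as_of: date):
    """Build the slide-style table from (category, events, first, last)
    rows, sorted so the most frequent incident category comes first."""
    table = []
    for category, events, first, last in rows:
        gap = average_gap_days(events, first, last, as_of)
        table.append({
            "category": category,
            "events": events,
            "avg_days_between": round(gap, 2),
            "daily_rate": round(daily_rate(gap), 4),
        })
    return sorted(table, key=lambda r: r["daily_rate"], reverse=True)


# Event counts and dates copied from the slide; the 'as of' date is an
# assumed value chosen so the single hazmat incident yields 726 days.
SLIDE_ROWS = [
    ("Theft of computer", 21, date(1999, 7, 1), date(2004, 11, 29)),
    ("Property damage", 26, date(1999, 10, 7), date(2004, 10, 7)),
    ("Vehicle accident on premise", 10, date(2000, 10, 27), date(2005, 8, 3)),
    ("Hazmat incidents", 1, date(2003, 10, 10), date(2003, 10, 10)),
]
AS_OF = date(2005, 10, 5)  # assumption, see above

if __name__ == "__main__":
    for row in rate_table(SLIDE_ROWS, AS_OF):
        print(f"{row['category']:<28} {row['events']:>3} "
              f"{row['avg_days_between']:>8} {row['daily_rate']:>8}")
```

Rows whose slide figures do not follow from this formula (for example "Theft of other equipment", whose last date precedes its first) are left out of the sample; when you run this on your own log, the single-event fallback is the case to watch, since a rate based on one observation is only as good as the observation window you choose.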

Page 11: Rapid Security Risk Analysis

Example: Security Risks at a Nursing School

IT security violation | Estimated days to event | Probability of occurrence | Dollar amount of damage
Desktop security violations | 3 months | 0.03 | $500
Unsolicited emails requesting personal information | Once a week | 0.14 | $18,000
Unsolicited emails not requesting personal information | Daily | 1 | $110
Network penetration | Once in last two years | 0.0014 | $300,000
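The table above gives probabilities and damages but not the ranking that follows from them. As an added example (not the presentation's code), the block below turns an "estimated days to event" into a daily probability as 1/days, which is an assumption that reproduces the slide's 0.14 for once a week, 1 for daily and 0.0014 for once in two years (the slide's 0.03 for "3 months" does not follow from 90 days, so that row is carried with the slide's figure as given); it then computes expected daily damage as probability times dollar damage and applies the three-way rule from Page 5 (prevent high expected damage, mitigate consequences of low, ignore the rest). The two dollar thresholds, `PREVENT_AT` and `IGNORE_BELOW`, and all function names are assumptions of this example.

```python
"""Expected-damage prioritisation of IT security violations (added example).

Assumptions: daily probability = 1/days_to_event; expected daily damage =
probability * dollar damage; the prevent / mitigate / ignore thresholds are
parameters chosen for illustration, not values from the presentation.
"""


def daily_probability(days_to_event: float) -> float:
    """Probability of at least one occurrence per day, capped at 1."""
    if days_to_event <= 0:
        raise ValueError("days_to_event must be positive")
    return min(1.0, 1.0 / days_to_event)


def expected_daily_damage(probability: float, damage_dollars: float) -> float:
    """Probability-weighted loss per day."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return probability * damage_dollars


def prioritise(violations, prevent_at: float, ignore_below: float):
    """Rank (name, probability, damage) triples by expected daily damage and
    assign the slide's action: prevent the high-expected-damage events,
    mitigate consequences of the low ones, ignore the rest."""
    if ignore_below > prevent_at:
        raise ValueError("ignore_below must not exceed prevent_at")
    ranked = []
    for name, probability, damage in violations:
        expected = expected_daily_damage(probability, damage)
        if expected >= prevent_at:
            action = "prevent"
        elif expected >= ignore_below:
            action = "mitigate consequences"
        else:
            action = "ignore"
        ranked.append({
            "violation": name,
            "expected_daily_damage": round(expected, 2),
            "action": action,
        })
    return sorted(ranked, key=lambda r: r["expected_daily_damage"],
                  reverse=True)


# Probabilities and dollar damages copied from the slide.
SLIDE_VIOLATIONS = [
    ("Desktop security violations", 0.03, 500),
    ("Unsolicited emails requesting personal information", 0.14, 18_000),
    ("Unsolicited emails not requesting personal information", 1.0, 110),
    ("Network penetration", 0.0014, 300_000),
]
# Assumed thresholds in dollars of expected damage per day.
PREVENT_AT = 400.0
IGNORE_BELOW = 50.0

if __name__ == "__main__":
    for row in prioritise(SLIDE_VIOLATIONS, PREVENT_AT, IGNORE_BELOW):
        print(f"{row['expected_daily_damage']:>10.2f}  "
              f"{row['action']:<22} {row['violation']}")
```

With the slide's numbers the daily expected damage is $2,520 for phishing-style emails, $420 for network penetration, $110 for other unsolicited email and $15 for desktop violations, so the rare, expensive network penetration ranks above the daily nuisance email: frequency alone would have put it last.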

Page 12: Rapid Security Risk Analysis

Probabilistic Security Risk Analysis

- Rapid
- Relative risks (numeric)
- Objective
- Verifiable accuracy