Rapid Security Risk Analysis
Transcript of Rapid Security Risk Analysis
Page 1: Rapid Security Risk Analysis
Farrokh Alemi, Ph.D.
Georgetown University
Page 2: Proposal
Set security risk priorities:
Faster
More accurately
More objectively
Page 3: Case of Attack on Boiler Room
Consultant's visit
Card in boiler room
Contract
Comprehensive: physical, electronic, personnel, natural causes, etc.
Based on opinions
Consensus
Imagined risks: attack on milk tanker will kill 500,000
Next consultant
Page 4: Cost of Comprehensive Security Analysis
Wasted time
Less productivity
Forgotten passwords
Lack of coordination
Missed priorities: Anthrax versus Katrina
Page 5: Probabilistic Security Risk Analysis
Collect incidence databases
Calculate probability of events
Use time to event
Set priorities:
Prevent events with high expected damages
Mitigate consequences of events with low expected damages
Ignore all others
Page 6: Example: Reduce Privacy Security Risks
Analyze legal cases
Analyze reports to DHHS

| # | Description of risk factor | Prevalence of risk factor in the organization | Prevalence of security violation given the risk factor |
|---|---|---|---|
| 1 | Employee views paper documents or manipulates computer passwords to view records of patients not under his/her care | 0.0003 | 1 |
| 2 | Benefit organizations or employers request employee information improperly | 0.0003 | 0.8805 |
| 3 | Employees engaged in whistle blowing to uncover illegal or unacceptable business or clinical practices | 0.0003 | 0.0201 |
| 4 | Clinician using unsecured email environment to contact patient | 0.0003 | 0.1606 |
| 5 | Employee removes patient records from secure location or workplace without authorization | 0.0003 | 0.88 |
| 6 | External infection of computers/password/network systems (e.g. computer hacker) | 0.0003 | 0.5888 |
| 7 | Theft of computers or hard drives with patient records | 0.0003 | 0.5867 |
| 8 | … | | |
Page 7: Example: Reduce Privacy Security Risks
(Same table as page 6, with the callout on the "Prevalence of risk factor" column:)
Calculate from time to re-occurrence of the event
Page 8: Example: Reduce Privacy Security Risks
(Same table as page 6, with the callout on the "Prevalence of security violation" column:)
Evidence Based Legal Analysis
Page 9: Example: Security Risks at a Nursing School
What should we do?
Protect against computer viruses
Educate faculty about theft
Require background checks for students
Introduce camera surveillance
Page 10: Example: Security Risks at a Nursing School

| Category of risk factor | Events | First reported date | Last reported date | Average days between events | Daily rate |
|---|---|---|---|---|---|
| Theft of computer | 21 | 7/1/99 | 11/29/04 | 99 | 0.010 |
| Theft of other equipment | 36 | 2/5/00 | 8/10/99 | 63 | 0.016 |
| Theft of personal property | 2 | 7/12/01 | 7/11/03 | 365 | 0.003 |
| Property damage | 26 | 10/7/99 | 10/7/04 | 73 | 0.013 |
| Vehicle accident on premise | 10 | 10/27/00 | 8/3/05 | 193 | 0.005 |
| Damage from natural causes | 40 | 10/26/99 | 6/30/05 | 51.62 | 0.019 |
| Hazmat incidents | 1 | 10/10/03 | 10/10/03 | 726 | 0.001 |
| Student shootings | 1 | Once four years ago in 100 schools | | | 0.00005 |
Page 11: Example: Security Risks at a Nursing School

| IT security violation | Estimated days to event | Probability of occurrence | Dollar amount of damage |
|---|---|---|---|
| Desktop security violations | 3 months | 0.03 | $500 |
| Unsolicited emails requesting personal information | Once a week | 0.14 | $18,000 |
| Unsolicited emails not requesting personal information | Daily | 1 | $110 |
| Network penetration | Once in last two years | 0.0014 | $300,000 |
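The deck's method on pages 5, 10 and 11 is: take an incident log, turn the time between events into a daily rate, multiply by the dollar damage to get an expected daily loss, and rank. The following worked example is added here and is not the author's code; it assumes the average gap between events is (last date minus first date) divided by (events minus 1), that a single event's gap is measured to the end of the observation window, and that the "prevent / mitigate / ignore" triage uses two thresholds chosen here for illustration. The theft dates and the IT violation list are constructed from the figures on the slides above.

```python
"""Time-to-event security risk prioritisation (added example, not from the deck)."""
from datetime import date, timedelta


def average_days_between_events(event_dates, observation_end=None):
    """Mean gap between consecutive events: (last - first) / (n - 1).

    Assumption: with a single event there is no gap to average, so the
    elapsed time from that event to observation_end is used instead.
    """
    dates = sorted(event_dates)
    n = len(dates)
    if n == 0:
        raise ValueError("no events observed")
    if n == 1:
        if observation_end is None:
            raise ValueError("a single event needs an observation_end date")
        return float((observation_end - dates[0]).days)
    return (dates[-1] - dates[0]).days / (n - 1)


def daily_rate_from_interval(days_between_events):
    """Daily rate (approximate daily probability) = 1 / average days between events."""
    if days_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / days_between_events


def expected_daily_loss(daily_probability, damage_dollars):
    """Expected damage per day = probability of the event per day x damage when it happens."""
    return daily_probability * damage_dollars


def prioritize(violations):
    """violations: iterable of (name, daily_probability, damage_dollars).

    Returns (name, expected_daily_loss) pairs, highest expected loss first.
    """
    ranked = [(name, expected_daily_loss(p, dmg)) for name, p, dmg in violations]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def triage(ranked, high_threshold, low_threshold):
    """Page 5 policy with assumed thresholds: prevent high expected damages,
    mitigate consequences of low ones, ignore the rest (below low_threshold)."""
    decisions = {}
    for name, loss in ranked:
        if loss >= high_threshold:
            decisions[name] = "prevent"
        elif loss >= low_threshold:
            decisions[name] = "mitigate"
        else:
            decisions[name] = "ignore"
    return decisions


# Constructed incident log: 21 computer thefts spanning 7/1/99 to 11/29/04, the
# endpoints and count from page 10; the interior dates are made up here.
THEFT_OF_COMPUTER_DATES = [date(1999, 7, 1) + timedelta(days=90 * i) for i in range(20)]
THEFT_OF_COMPUTER_DATES.append(date(2004, 11, 29))

# Page 11 figures, copied into a constructed list: (name, daily probability, damage $).
IT_VIOLATIONS = [
    ("Desktop security violations", 0.03, 500),
    ("Unsolicited emails requesting personal information", 0.14, 18_000),
    ("Unsolicited emails not requesting personal information", 1.0, 110),
    ("Network penetration", 0.0014, 300_000),
]


if __name__ == "__main__":
    gap = average_days_between_events(THEFT_OF_COMPUTER_DATES)
    print(f"theft of computer: {gap:.1f} days between events, "
          f"daily rate {daily_rate_from_interval(gap):.3f}")
    print(f"once a week -> {daily_rate_from_interval(7):.2f}/day; "
          f"once in two years -> {daily_rate_from_interval(730):.4f}/day")
    ranked = prioritize(IT_VIOLATIONS)
    for name, loss in ranked:
        print(f"{loss:10.2f} $/day  {name}")
    # Thresholds are illustrative assumptions, not from the deck.
    print(triage(ranked, high_threshold=1000, low_threshold=100))
```

Note that the ranking by expected daily loss differs from a ranking by probability alone: the weekly phishing email ($18,000 x 0.14 per day) outranks the rare but costly network penetration, and the daily spam, despite probability 1, lands third. The assumed average-gap formula reproduces the page 10 figure for theft of computer (about 99 days, rate 0.010); the deck's other rows were computed from data not on the page, so they are not reproduced here.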
Page 12: Probabilistic Security Risk Analysis
Rapid
Relative risks (numeric)
Objective
Verifiable accuracy