Transcript of: Economics of Information Security. Ajit Appari, Center for Digital Strategies at Tuck, Institute for Security, Technology, and Society (26 pages)

Page 1:

Economics of Information Security

Ajit Appari, Center for Digital Strategies at Tuck

Institute for Security, Technology, and Society

Page 2:

CDS @ Tuck

The Center for Digital Strategies fosters intellectual leadership by forging a learning community of scholars, executives, and students focused on the role of digital strategies in creating competitive advantage in corporations and value chains.

Scholarly Research: Connecting practice with scholarship anchored on IT-enabled business strategy and processes.

Executive Dialog: Convening roundtables focused on the role of the CIO in enabling business strategy.

MBA Program Enrichment: Bringing digital strategies to the students through informative forums, exposure to executives in different settings, classes, and case development.

Page 3:

Case Studies @ CDS

Page 4:

CDS @ Tuck

Page 5:

Information Security: 24x7 Headache

Page 6:

CIO/CISO Roundtables and Panels

Managing Security is a lot like Managing Quality.

Reduce Breaches while Controlling Cost.

Page 7:

Cost of Security: A Quality Approach

Failure Avoidance:
• Costs of Prevention
• Costs of Appraisal

Failure:
• Costs of Internal Failure
• Costs of External Failure

Page 8:

Optimal Security Level Analysis

[Figure: cost plotted against security level, from Low Security to High Security; vertical axis: Cost]

Page 9:

Cost of Quality Analogy Breakdown

• Quality problems are rarely created through sabotage and terrorism.
• Interdependencies

Page 10:

Quality and Fads

Page 11:

CISO Workshop

• Evolving Risk Landscape

Page 12:

CISO Workshop

Doug Smith, CISO, Bank of America

John Gallant, President, Network World

Brad Boston, SVP and CIO, Cisco

Steven Boutelle, LTG and CIO, U.S. Army

• Metrics:
– Develop composite metrics: simple to understand and clearly linked to the business.
• Investment:
– Align business partners: security as an integrated part of the extended enterprise.
• Culture:
– Foster information security into the organization’s DNA.

Page 13:

Types of Security Failures

• Direct (active) attacks
• Leaks: Inadvertent disclosure
– Con

Technical vs. Human

Page 14:

Leaks: Inadvertent disclosure

P2P File Sharing Leakage – Indicative of many inadvertent disclosures in blogs, myspace, youtube, ….

Page 15:

P2P File Sharing

[Figure: Big Champagne Average Global P2P Users, monthly from Aug-03 to May-06; vertical axis: Users, 0 to 12,000,000]

Page 16:

The Bait

• $25 Visa gift card
• 210 min phone card
• File path: C:\Users\....\my documents\credit card and phone card numbers.doc

Page 17:

File Kept Moving!

IP address        Location              Date
129.170.37.99     Hanover, NH           1/10/2006
4.246.63.41       Little Rock, CA       1/11/2006
24.161.53.32      Schenectady, NY       1/13/2006
67.141.95.34      Lincoln, NE           1/16/2006
68.238.52.206     Portland, ME          1/16/2006
71.108.75.183     Lancaster, CA         1/17/2006
70.16.103.184     Portland, ME          1/18/2006
201.135.62.34     Mexico                1/19/2006
24.57.6.89        Windsor, Canada       1/19/2006
82.23.135.185     UK                    1/20/2006
69.227.188.170    Burbank, CA           1/21/2006
4.246.231.190     Little Rock, CA       1/21/2006
219.74.150.198    Singapore             1/22/2006
172.190.69.11     Sterling, VA          1/24/2006
24.152.146.206    Bakersfield, CA       1/25/2006
84.177.168.14     Germany               1/30/2006
24.203.29.111     Montreal, Canada      1/31/2006
69.246.139.247    Chattanooga, TN       2/1/2006
66.79.0.125       New Orleans, LA       2/2/2006

We stopped sharing, but the file kept propagating.

Page 18:

Credit Card Use

Page 19:

Phone Card Use

Jan 21 2006: 1:56A 253; 3:16A 253; 10:21A 347; 12:06P 253; 6:42P 253; 6:57P 253
Jan 22 2006: 4:39P 347; 4:04P 347; 6:27P 347
Jan 23 2006: 11:36A 347

Calls from outside of the country to these area codes: 347 – Bronx, NY; 253 – Tacoma, WA

First use on 1/21/06 (11 days after we started sharing the file). ALL calls were made from outside the United States to two area codes in the US.

Page 20:

A day later, the phone card was gone

Page 21:

What Businesses Are Doing?

• Watch Videos @ http://link.brightcove.com/services/player/bcpid1243578225?bclid=1232219576&bctid=1233395381
• Internal Threat – Lessons from the firing line (ChoicePoint)
• External Threat – Security in the age of ‘MySpace’ time
• Auditor’s lens – The Auditor Panel: Straight from the Auditors

Page 23:

Why Health Info. Sec. is Complex

[Diagram: Information Flow in healthcare]

• Patient
• Primary Provider: Clinics; Hospitals; Home Healthcare; Nursing Homes; Institutional Services (e.g., Military, Prisons, Schools)
• Secondary Provider: Clinics; Hospitals; Labs
• Payers: Health Plans; Private Insurance; Medicare; Medicaid
• Social Uses of Health Data:
– Credential & Evaluative Decisions: Insurance; Employment; Licensing; Education; etc.
– Public Policy: Disaster Response; Disease Control; Fraud Control; Law Enforcement; Medical & Social Research; National Health Information Network
• Extended Health Enterprise:
– Employers
– Business Associates (Subcontractors)
– Pharmacist
– Regional Health Info. Organizations
– Health Bank: Health Vault (Microsoft), Google Health, etc.

Page 24:

HIPAA Compliance at Hospitals

Where do we stand in HIPAA Compliance?

[Chart: percent of providers answering Yes for Privacy Rules and Security Rules compliance, from HIMSS 2006 (180 providers) and AHIMA 2006 (1100+ providers); values shown: 39%, 25%, 78%, 56%]

Page 25:

HIPAA Compliance at Hospitals

[Diagram: Institutional Forces and Market Forces influencing HIPAA Compliance (Privacy Rules; Security Rules). Factors shown:]

• Status: 18% For-Profit; 12% Academic
• Patient Inflow
• Dedicated Compliance Officer (48%)
• State Privacy Laws Comprehensiveness
• Peer Pressure [45% Privacy and 12% Security Compliant]
• External Consultants (24%)
• Consumers’ Concern for Privacy [37% across US]
• Competitive Position

Page 26:

HIPAA Compliance at Hospitals

• Practice

• Policy