Economics of Information Security
Ajit Appari
Center for Digital Strategies at Tuck
Institute for Security, Technology, and Society
CDS @ Tuck
The Center for Digital Strategies fosters intellectual leadership by forging a learning community of scholars, executives, and students focused on the role of digital strategies in creating competitive advantage in corporations and value chains.
• Scholarly Research: Connecting practice with scholarship anchored on IT-enabled business strategy and processes.
• Executive Dialog: Convening roundtables focused on the role of the CIO in enabling business strategy.
• MBA Program Enrichment: Bringing digital strategies to the students through informative forums, exposure to executives in different settings, classes, and case development.
Case Studies @ CDS
Information Security: 24x7 Headache
CIO/CISO Roundtables and Panels
Managing Security is a lot like Managing Quality.
Reduce Breaches while Controlling Cost.
Cost of Security – A Quality Approach
Failure Avoidance:
• Costs of Prevention
• Costs of Appraisal
Failure:
• Costs of Internal Failure
• Costs of External Failure
Optimal Security Level Analysis (chart: cost plotted against security level, from low security to high security)
Cost of Quality Analogy Breakdown
• Quality problems rarely created through sabotage and terrorism.
• Interdependencies
• Quality and Fads
• Evolving Risk Landscape
CISO Workshop
Doug Smith, CISO, Bank of America
John Gallant, President, Network World
Brad Boston, SVP and CIO, Cisco
Steven Boutelle, LTG and CIO, U.S. Army
• Metrics:
– Develop composite metrics: simple to understand and clearly linked to the business.
• Investment:
– Align business partners: security as an integrated part of the extended enterprise.
• Culture:
– Foster information security into the organization’s DNA.
Types of Security Failures
• Direct (active) attacks
• Leaks: Inadvertent disclosure
– Con
Technical vs. Human
Leaks: Inadvertent disclosure
P2P File Sharing Leakage – indicative of many inadvertent disclosures in blogs, MySpace, YouTube, ….
P2P File Sharing (chart: Big Champagne average global P2P users, Aug 2003 to May 2006; y-axis 0 to 12,000,000 users)
The Bait
• $25 Visa gift card
• 210 min phone card
• File path: C:\Users\....\my documents\credit card and phone card numbers.doc
File Kept Moving! (slide table of downloading IP addresses with their locations and dates, 1/10/2006 to 2/2/2006)
We stopped sharing, but the file kept propagating
Credit Card Use
Phone Card Use
Jan 21 2006: 1:56A 253; 3:16A 253; 10:21A 347; 12:06P 253; 6:42P 253; 6:57P 253
Jan 22 2006: 4:39P 347; 4:04P 347; 6:27P 347
Jan 23 2006: 11:36A 347
Outside of country to these area codes:
• 347 – Bronx, NY
• 253 – Tacoma, WA
First use on 1/21/06 (11 days after we started sharing the file). ALL calls were made from outside the United States to two area codes in the US.
A day later, the phone card was gone.
What Businesses Are Doing?
• Watch videos @ http://link.brightcove.com/services/player/bcpid1243578225?bclid=1232219576&bctid=1233395381
• Internal Threat – Lessons from the firing line (ChoicePoint)
• External Threat – Security in the age of ‘MySpace’ time
• Auditor’s lens – The Auditor Panel: Straight from the Auditors
Info. Sec. Risks in Healthcare
Why Health Info. Sec. is Complex
Information Flow in Healthcare (diagram of entities exchanging health data):
• Patient
• Primary Provider: Clinics; Hospitals; Home Healthcare; Nursing Homes; Institutional Services (e.g., Military, Prisons, Schools)
• Secondary Provider: Clinics; Hospitals; Labs
• Payers: Health Plans; Private Insurance; Medicare; Medicaid
• Social Uses of Health Data
• Credential & Evaluative Decisions: Insurance; Employment; Licensing; Education; etc.
• Public Policy: Disaster Response; Disease Control; Fraud Control; Law Enforcement; Medical & Social Research; National Health Information Network
• Extended Health Enterprise
• Employers
• Business Associates (Subcontractors)
• Pharmacist
• Regional Health Info. Organizations
• Health Bank: Health Vault (Microsoft), Google Health, etc.
HIPAA Compliance at Hospitals
Where do we stand in HIPAA Compliance? (charts of Privacy Rules and Security Rules compliance; “Yes” shares shown: 39%, 25%, 78%, 56%)
Sources: HIMSS 2006: 180 providers; AHIMA 2006: 1100+ providers
HIPAA Compliance at Hospitals (diagram of factors influencing compliance):
• HIPAA Compliance: Privacy Rules; Security Rules
• 18% For-Profit; 12% Academic Status
• Institutional Forces
• Market Forces
• Patient Inflow
• Dedicated Compliance Officer (48%)
• State Privacy Laws Comprehensiveness
• Peer Pressure [45% Privacy and 12% Security Compliant]
• External Consultants (24%)
• Consumers’ Concern for Privacy [37% across US]
• Competitive Position
HIPAA Compliance at Hospitals
• Practice
• Policy