Computer-Related Incidents in Colleges and Universities:
Factors and Categorization
Virginia Rezmierski
Daniel Rothschild
The University of Michigan
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.
Previous work, new questions
Building on earlier studies
Questions being asked today
Building on earlier studies
I-CAMP (Incident Cost Analysis and Monitoring Project)
How do we measure incident costs?
What are the costs associated with incidents?
Cost of 30 incidents: $1,015,810
Building on earlier studies
I-CAMP II
What about smaller incident costs?
What is the frequency of different incidents?
Risk = Cost X Frequency
Mean costs of incidents:
Access compromise: $1,800
Harmful code: $980
DoS: $22,350
Hacker attacks: $2,100
Warez sites: $340
Building on earlier studies
LAMP (Logging and Monitoring Privacy Project)
Do administrators log and monitor?
How far can we go within FERPA?
Inadequate training and resources
Inadequate protections
Liability when departments function in isolation
Computer Incident Factor Analysis and Categorization Project
How do incidents compare across institutions?
How do other institutions handle similar incidents?
What are the causative and facilitative factors associated with different incident types?
What are the best practices available for incident prevention and management?
Incidents and Models
What is an incident? Why is this important?
Involving people from across campus
Disagreements within IT
Narrow definitions
CIFAC Methodology: 3 focus groups, 33 total participants
An incident is an event that utilizes or exploits information technology resources or security flaws therein, either by accident or by design and through malice or otherwise, that causes, directly or indirectly, one or more of the following occurrences:
Compromise of proprietary, confidential, or protected data;
System disruption which impedes user(s)’ access to data or other IT resources;
Violates IT use policies set out and made known by the administrator(s) of the IT systems in question;
Violates norms commonly accepted within the community of system user(s) for use of IT resources;
Attempting or conspiring to engage or represent oneself or another to be engaged in any aforementioned behavior.
An incident is any action/event that takes place through, on, or involving information technology resources, whether accidental or purposeful, that has the potential to destabilize, violate, or damage the resources, services, policies, or data of the community or individual members of the community. Such incidents may focus on/target individuals, systems/networks, or data resources and result in a policy, education, disciplinary, or technical action.
Incidents and Models
Risk-management incident prevention
Burden placed on IT staff
Historically left isolated
Benefit-cost analysis: how to devote scarce resources
Thresholds: codified rules of action
Reduces technologist liability
Devote time to the problem
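The I-CAMP II formula (Risk = Cost X Frequency) and the benefit-cost question on this slide can be worked through on an incident log. The following Python is an added example, not code from the CIFAC or I-CAMP projects: it derives per-type mean cost and annual frequency from a constructed two-year log for a hypothetical campus, ranks incident types by annual expected loss, and prices the benefit of a control that lowers one type's frequency. The incident types and the mean costs the sample log reproduces are the ones on the I-CAMP II slide; the log entries, the two-year window, and the function names are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Added example (not from the CIFAC/I-CAMP materials): derive mean cost and
# frequency per incident type from a log, then apply the slide's
# Risk = Cost x Frequency to rank types and to price a preventive control.

OBSERVATION_YEARS = 2  # assumed length of the sample log

# CONSTRUCTED sample log for a hypothetical campus: (incident type, cost in $).
# Per-type means match the I-CAMP II slide; counts are invented.
SAMPLE_LOG = (
    [("Harmful code", c) for c in (900, 1060, 980, 1000, 960, 1020, 940, 980, 1040, 920)]
    + [("Access compromise", c) for c in (1600, 2000, 1800)]
    + [("DoS", 22350)]
    + [("Warez sites", c) for c in (300, 380, 340, 340)]
)


def summarize(log, years):
    """Per incident type: count, mean cost, annual frequency, and risk.

    risk = mean cost per incident x incidents per year (the slide's formula).
    """
    costs = defaultdict(list)
    for kind, cost in log:
        costs[kind].append(cost)
    summary = {}
    for kind, values in costs.items():
        avg = mean(values)
        freq = len(values) / years
        summary[kind] = {
            "count": len(values),
            "mean_cost": avg,
            "frequency": freq,
            "risk": avg * freq,
        }
    return summary


def rank_by_risk(summary):
    """Incident types ordered by annual expected loss, highest first."""
    ordered = sorted(summary.items(), key=lambda kv: kv[1]["risk"], reverse=True)
    return [kind for kind, _ in ordered]


def expected_saving(summary, kind, frequency_after):
    """Annual risk removed if a control lowers `kind`'s frequency to `frequency_after`.

    Compare the result with the control's yearly cost: that is the
    benefit-cost analysis the slide refers to.
    """
    before = summary[kind]["risk"]
    after = summary[kind]["mean_cost"] * frequency_after
    return before - after


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG, OBSERVATION_YEARS)
    for kind in rank_by_risk(s):
        row = s[kind]
        print(f"{kind:18} n={row['count']:2} mean=${row['mean_cost']:>8,.0f} "
              f"freq={row['frequency']:.1f}/yr risk=${row['risk']:>8,.0f}/yr")
    print("Halving harmful-code frequency saves",
          f"${expected_saving(s, 'Harmful code', 2.5):,.0f}/yr")
```

On this constructed log the single DoS incident still carries the largest annual risk, but harmful code, at roughly half the per-incident cost of an access compromise, outranks it because it occurs more than three times as often; that frequency effect is what the "smaller incident costs" question on the I-CAMP II slide is about. The same summary gives a defensible number for a control: halving harmful-code frequency is worth $2,450 per year here, which is the ceiling a department should pay for that control.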
Incidents and Models
What’s happening in the literature?
Convergence of corporate and educational literature to a holistic approach to management
Robert Austin and Christopher Darby, “The Myth of Secure Computing,” Harvard Business Review (June 2003), 120-126.
Focus on specific vulnerabilities and attack types
Categorization of incidents
Colleges and universities moving from lists to codification and modeling
Seriousness
Short incidents and categorization
System-focused: 37%
Data-focused: 22%
People-focused: 42%
Roles and perception of seriousness
Seriousness: Variables
Long incidents
Seriousness ratings
Three variables of interest:
Quantity or extent of loss
Rank of the people involved
Potential for further damage
Other identified variables
Risk (or lack) of harm to people
Potential criminality
Not my job/role/responsibility
Policy issue/violation
Outside authority involvement
Number of people affected
Financial/monetary cost to university/department
Knowledge of quantity of damage
Opportunity cost/time to fix
Number of machines affected
Type of data affected
Fraud/Liability to uni/FERPA
Public relations/reputation
Types of machines affected
Types/rank of people affected
Other/misc
Seriousness: Variables
Variables list
Most common variables:
Probability of danger to person(s) (84%)
Type and sensitivity of data involved (50%)
Probability of further access/damage (37%)
Cost to the department/college/university (15%)
Getting Into Factors
1) User education (i.e., no education or poor education)
2) Policy existence/quality (i.e., no policy or poor policy)
3) Too much access/inappropriate access level available
4) Physical security lacking
Remainder unranked:
Policy enforcement/or ignorance of policy
Ignorance of law/potential legal ramifications
Failure to audit/examine logs
Sysadmin training/performance; no or inadequate training
Too much bandwidth
Virtual security lacking
Ease of (mis)use; absence of tech. impediment to inappropriate use
IT department not consulted/left out of loop
Password poor or exposed
Human nature/behavior
Access termination procedures lacking or faulty
Inappropriate information in public directory
Configuration error
CIFAC/NSF
Second phase of CIFAC project: identifying causative and associative factors
Methodology
36 colleges and universities, 18 corporations
Per respondent: three retrospective and three future incidents
Up to three respondents per institution
CIFAC/NSF: Questions
Are there common factors associated with:
People-focused incidents?
Systems-focused incidents?
Data-focused incidents?
Is there a common set of variables used to rate seriousness?
What else can we find about the effects of role?
CIFAC/NSF
Geographic clusters:
San Francisco Bay area
Chicago area
Atlanta area
Baltimore/DC area
Eastern Massachusetts area
Southeast
Michigan/Northern Ohio area
The CIFAC Project
Gerald R. Ford School of Public Policy
University of Michigan
712 Oakland Street
Ann Arbor, MI 48104-3021
Final report to EDUCAUSE
http://www.educause.edu/asp/doclib/abstract.asp?ID=SEC0409