Economics of Information Security
Ajit Appari, Center for Digital Strategies at Tuck
Institute for Security, Technology, and Society
CDS @ Tuck
The Center for Digital Strategies fosters intellectual leadership by forging a learning community of scholars, executives, and students focused on the role of digital strategies in creating competitive advantage in corporations and value chains.
Scholarly Research: Connecting practice with scholarship anchored on IT-enabled business strategy and processes.
Executive Dialog: Convening roundtables focused on the role of the CIO to enable business strategy.
MBA Program Enrichment: Bringing digital strategies to the students through informative forums, exposure to executives in different settings, classes, and case development.
Case Studies @ CDS
Information Security 24X7 Headache
CIO/CISO Roundtables and Panels
Managing Security is a lot like Managing Quality.
Reduce Breaches while Controlling Cost.
Cost of Security: A Quality Approach
Failure Avoidance:
• Costs of Prevention
• Costs of Appraisal
Failure:
• Costs of Internal Failure
• Costs of External Failure
Optimal Security Level Analysis (chart: x-axis from Low Security to High Security, y-axis Cost)
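As an added worked example (not from the slides), the cost-of-quality framing above can be written down as a small model: failure-avoidance spending (prevention plus appraisal) rises with the security level, expected failure cost (internal plus external) falls, and the optimal level is where their sum is lowest. The linear and exponential cost shapes, and every parameter value, are assumptions chosen for illustration; the class and function names are likewise invented here.

```python
"""Cost-of-quality model for security spending.

Added illustration, not from the slides: the cost functions, the parameter
values and the exponential shape of the failure-cost curve are all assumed.
"""
import math
from dataclasses import dataclass


@dataclass
class SecurityCostModel:
    prevention_rate: float  # assumed $ per unit of security level (controls, training)
    appraisal_rate: float   # assumed $ per unit of security level (audits, testing)
    exposure: float         # assumed expected failure cost with no security at all
    decay: float            # assumed rate at which failure cost falls per unit of level

    def avoidance_cost(self, level: float) -> float:
        """Failure-avoidance cost: prevention + appraisal, assumed linear in level."""
        return (self.prevention_rate + self.appraisal_rate) * level

    def failure_cost(self, level: float) -> float:
        """Failure cost: internal + external, assumed to decay exponentially."""
        return self.exposure * math.exp(-self.decay * level)

    def total_cost(self, level: float) -> float:
        return self.avoidance_cost(level) + self.failure_cost(level)

    def analytic_optimum(self) -> float:
        """Level where marginal avoidance cost equals marginal failure-cost reduction.

        d/dL of total cost is (p + a) - decay * exposure * exp(-decay * L);
        setting it to zero gives L* = ln(decay * exposure / (p + a)) / decay.
        If even the first unit of security costs more than it saves, L* = 0.
        """
        rate = self.prevention_rate + self.appraisal_rate
        if self.decay * self.exposure <= rate:
            return 0.0
        return math.log(self.decay * self.exposure / rate) / self.decay

    def grid_optimum(self, max_level: float = 10.0, step: float = 0.01) -> float:
        """Brute-force check of the same minimum over a grid of security levels."""
        levels = [i * step for i in range(int(max_level / step) + 1)]
        return min(levels, key=self.total_cost)


# Constructed parameters: $3,000 per level of avoidance spend against a
# $100,000 exposure that roughly halves every 1.4 levels (decay 0.5).
EXAMPLE = SecurityCostModel(prevention_rate=2000.0, appraisal_rate=1000.0,
                            exposure=100_000.0, decay=0.5)

if __name__ == "__main__":
    best = EXAMPLE.analytic_optimum()
    for level in (0.0, 2.0, best, 8.0):
        print(f"level {level:5.2f}: avoidance {EXAMPLE.avoidance_cost(level):9.0f}  "
              f"failure {EXAMPLE.failure_cost(level):9.0f}  "
              f"total {EXAMPLE.total_cost(level):9.0f}")
```

The U-shaped total-cost curve of the slide is what `total_cost` traces as the level rises; the point the slide marks as the optimum is where the two marginal costs cross, which is what `analytic_optimum` solves for and `grid_optimum` confirms by brute force.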
Cost of Quality Analogy Breakdown
• Quality problems are rarely created through sabotage and terrorism.
• Interdependencies
• Quality and Fads
• Evolving Risk Landscape
CISO Workshop
Doug Smith, CISO, Bank of America
John Gallant, President, Network World
Brad Boston, SVP and CIO, Cisco
Steven Boutelle, LTG and CIO, U.S. Army
• Metrics:
– Develop composite metrics: simple to understand and clearly linked to the business.
• Investment:
– Align business partners: security as an integrated part of the extended enterprise.
• Culture:
– Foster info. security into the organization’s DNA.
CISO Workshop
Types of Security Failures
• Direct (active) attacks
• Leaks: Inadvertent disclosure
– Con
Technical vs. Human
Leaks: Inadvertent disclosure
P2P File Sharing Leakage
– Indicative of many inadvertent disclosures in blogs, myspace, youtube, ….
P2P File Sharing
Big Champagne Average Global P2P Users (chart: monthly values from Aug-03 through May-06; y-axis Users, 0 to 12,000,000)
The Bait
$25 Visa gift card
210 min phone card
File Path C:\Users\....\my documents\credit card and phone card numbers.doc
File Kept Moving!
IP address / Location / Date seen
129.170.37.99 Hanover, NH 1/10/2006
4.246.63.41 Little Rock, CA 1/11/2006
24.161.53.32 Schenectady, NY 1/13/2006
67.141.95.34 Lincoln, NE 1/16/2006
68.238.52.206 Portland, ME 1/16/2006
71.108.75.183 Lancaster, CA 1/17/2006
70.16.103.184 Portland, ME 1/18/2006
201.135.62.34 Mexico 1/19/2006
24.57.6.89 Windsor, Canada 1/19/2006
82.23.135.185 UK 1/20/2006
69.227.188.170 Burbank, CA 1/21/2006
4.246.231.190 Little Rock, CA 1/21/2006
219.74.150.198 Singapore 1/22/2006
172.190.69.11 Sterling, VA 1/24/2006
24.152.146.206 Bakersfield, CA 1/25/2006
84.177.168.14 Germany 1/30/2006
24.203.29.111 Montreal, Canada 1/31/2006
69.246.139.247 Chattanooga, TN 2/1/2006
66.79.0.125 New Orleans, LA 2/2/2006
We stopped sharing, but the file kept propagating
Credit Card Use
Phone Card Use
Jan 21 2006: 1:56A 253; 3:16A 253; 10:21A 347; 12:06P 253; 6:42P 253; 6:57P 253
Jan 22 2006: 4:39P 347; 4:04P 347; 6:27P 347
Jan 23 2006: 11:36A 347
Outside of Country to these area codes:
• 347 – Bronx, NY
• 253 – Tacoma, WA
First use on 1/21/06 (11 days after we started sharing the file). ALL calls were made from outside the United States to two area codes in the US.
A day later, the phone card was gone
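As an added example, not part of the deck or of the Tuck experiment it describes: the defender's counterpart to the bait file is a check that flags card-number-like content in a folder before a P2P client exposes it. The scanner below walks a share, matches 13- to 16-digit runs and keeps only those that pass the Luhn checksum, so a phone number or an order id does not raise a false alarm. All file names and contents it creates are constructed test data (4111 1111 1111 1111 is a standard test PAN), and the function names are invented here.

```python
"""Scan a shared folder for card-number-like strings before a P2P client can
leak them. Added example, not from the deck or the Tuck experiment; the files
it creates are constructed test data (4111 1111 1111 1111 is a standard test PAN).
"""
from __future__ import annotations

import os
import re
import tempfile

# 13 to 16 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: weeds out most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return masked PANs (last four visible) found in text; only Luhn-valid runs count."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def scan_share(root: str) -> dict[str, list[str]]:
    """Walk a folder tree and report files that contain card numbers."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                hits = find_card_numbers(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed share folder, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as share:
        docs = os.path.join(share, "my documents")
        os.makedirs(docs)
        # Constructed file mirroring the bait document: a test PAN and phone-card details.
        with open(os.path.join(docs, "credit card and phone card numbers.txt"), "w") as fh:
            fh.write("Visa gift card: 4111 1111 1111 1111 exp 12/07\n"
                     "Phone card: 210 minutes, access 555-0100\n")
        # Benign file: a 16-digit order id that fails Luhn, and a phone number.
        with open(os.path.join(share, "shopping.txt"), "w") as fh:
            fh.write("Order 4111 1111 1111 1112 shipped; call 603-555-0100\n")
        return scan_share(share)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Run against the shared folder of a P2P client (or any folder users expose), the scan reports only the constructed bait-style document; the order id in the benign file matches the pattern but fails the checksum and is dropped. Masking the PAN in the report keeps the scanner itself from becoming a second copy of the data it is meant to protect.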
What Businesses Are Doing?
• Watch Videos @ http://link.brightcove.com/services/player/bcpid1243578225?bclid=1232219576&bctid=1233395381
• Internal Threat – Lessons from the firing line (ChoicePoint)
• External Threat – Security in the age of ‘MySpace’ time
• Auditor’s lens – The Auditor Panel: Straight from the Auditors
Info. Sec. Risks in Healthcare
Why Health Info. Sec. is Complex
Information Flow in Healthcare (diagram):
• Patient
• Primary Provider: Clinics; Hospitals; Home Healthcare; Nursing Homes; Institutional Services (e.g., Military, Prisons, Schools)
• Secondary Provider: Clinics; Hospitals; Labs
• Payers: Health Plans; Private Insurance; Medicare; Medicaid
• Pharmacist
• Employers
• Business Associates (Subcontractors)
• Regional Health Info. Organizations
• Health Bank: HealthVault (Microsoft), Google Health, etc.
• Extended Health Enterprise
• Social Uses of Health Data
• Credential & Evaluative Decisions: Insurance; Employment; Licensing; Education; etc.
• Public Policy: Disaster Response; Disease Control; Fraud Control; Law Enforcement; Medical & Social Research; National Health Information Network
HIPAA Compliance at Hospitals (chart: share of hospitals answering “Yes” to compliance with the Privacy Rules and the Security Rules; values shown 39%, 25%, 78% and 56%; sources HIMSS 2006: 180 providers; AHIMA 2006: 1100+ providers)
Where do we stand in HIPAA Compliance?
HIPAA Compliance at Hospitals
HIPAA Compliance (Privacy Rules; Security Rules), with the factors shown in the model (diagram):
• 18% For-Profit; 12% Academic Status
• Institutional Forces
• Market Forces
• Patient Inflow
• Dedicated Compliance Officer (48%)
• State Privacy Laws Comprehensiveness
• Peer Pressure [45% Privacy and 12% Security Compliant]
• External Consultants (24%)
• Consumers’ Concern for Privacy [37% across US]
• Competitive Position
HIPAA Compliance at Hospitals
• Practice
• Policy