![Page 1: Economics of Information Security Ajit Appari Center for Digital Strategies at Tuck Institute for Security, Technology, and Society](https://reader035.vdocument.in/reader035/viewer/2022062809/5697bf7a1a28abf838c82ad8/html5/thumbnails/1.jpg)
Economics of Information Security
Ajit Appari
Center for Digital Strategies at Tuck
Institute for Security, Technology, and Society
Page 2
CDS @ Tuck
The Center for Digital Strategies fosters intellectual leadership by forging a learning community of scholars, executives, and students focused on the role of digital strategies in creating competitive advantage in corporations and value chains.
Scholarly Research: Connecting practice with scholarship anchored on IT-enabled business strategy and processes.
Executive Dialog: Convening roundtables focused on the role of the CIO in enabling business strategy.
MBA Program Enrichment: Bringing digital strategies to the students through informative forums, exposure to executives in different settings, classes, and case development.
Page 3
Case Studies @ CDS
Page 4
CDS @ Tuck
Page 5
Information Security 24X7 Headache
Page 6
CIO/CISO Roundtables and Panels
Managing Security is a lot like Managing Quality.
Reduce Breaches while Controlling Cost.
Page 7
Cost of Security – A Quality Approach
Failure Avoidance:
• Costs of Prevention
• Costs of Appraisal
Failure:
• Costs of Internal Failure
• Costs of External Failure
Page 8
Optimal Security Level Analysis
[Chart: Cost plotted against security level, from Low Security to High Security]
Page 9
Cost of Quality Analogy Breakdown
• Quality problems are rarely created through sabotage and terrorism.
• Interdependencies
Page 10
Quality and Fads
Page 11
CISO Workshop
• Evolving Risk Landscape
Page 12
Doug Smith, CISO, Bank of America
John Gallant, President, Network World
Brad Boston, SVP and CIO, Cisco
Steven Boutelle, LTG and CIO, U.S. Army
• Metrics:
– Develop composite metrics: simple to understand and clearly linked to the business.
• Investment:
– Align business partners: security as an integrated part of the extended enterprise.
• Culture:
– Foster info. security into the organization’s DNA.
CISO Workshop
Page 13
Types of Security Failures
• Direct (active) attacks
• Leaks: Inadvertent disclosure
– Con
Technical vs. Human
Page 14
Leaks: Inadvertent disclosure
P2P File Sharing Leakage
– Indicative of many inadvertent disclosures in blogs, MySpace, YouTube, ….
Page 15
P2P File Sharing
[Chart: Big Champagne Average Global P2P Users, monthly from Aug-03 to May-06; y-axis Users, 0 to 12,000,000]
Page 16
The Bait
$25 Visa gift card
210 min phone card
File Path C:\Users\....\my documents\credit card and phone card numbers.doc
Page 17
File Kept Moving!
[Table: 19 observed download locations (US, Canada, Mexico, UK, Germany, Singapore) with dates from 1/10/2006 through 2/2/2006]
We stopped sharing, but the file kept propagating
Page 18
Credit Card Use
Page 19
Phone Card Use
Jan 21 2006: 1:56A 253; 3:16A 253; 10:21A 347; 12:06P 253; 6:42P 253; 6:57P 253
Jan 22 2006: 4:39P 347; 4:04P 347; 6:27P 347
Jan 23 2006: 11:36A 347
Calls from outside of the country to these area codes:
• 347 – Bronx, NY
• 253 – Tacoma, WA
First use on 1/21/06 (11 days after we started sharing the file). ALL calls were made from outside the United States to two area codes in the US.
Page 20
A day later, the phone card was gone
Page 21
What Businesses Are Doing?
• Watch Videos @ http://link.brightcove.com/services/player/bcpid1243578225?bclid=1232219576&bctid=1233395381
• Internal Threat – Lessons from the firing line (ChoicePoint)
• External Threat – Security in the age of ‘MySpace’ time
• Auditor’s lens – The Auditor Panel: Straight from the Auditors
Page 22
Info. Sec. Risks in Healthcare
Page 23
Why Health Info. Sec. is Complex
Information Flow in Healthcare (diagram nodes):
• Patient
• Primary Provider: Clinics; Hospitals; Home Healthcare; Nursing Homes; Institutional Services (e.g., Military, Prisons, Schools)
• Secondary Provider: Clinics; Hospitals; Labs
• Payers: Health Plans; Private Insurance; Medicare; Medicaid
• Extended Health Enterprise:
– Employers
– Business Associates (Subcontractors)
– Pharmacist
– Regional Health Info. Organizations
– Health Bank: HealthVault (Microsoft), Google Health, etc.
• Social Uses of Health Data:
– Credential & Evaluative Decisions: Insurance; Employment; Licensing; Education; etc.
– Public Policy: Disaster Response; Disease Control; Fraud Control; Law Enforcement; Medical & Social Research; National Health Information Network
Page 24
HIPAA Compliance at Hospitals
Where do we stand in HIPAA Compliance?
[Chart: share of providers answering "Yes" on Privacy Rules and Security Rules compliance; values shown: 39%, 25%, 78%, 56%. Sources: HIMSS 2006 (180 providers); AHIMA 2006 (1100+ providers)]
Page 25
HIPAA Compliance at Hospitals
[Diagram: Institutional Forces and Market Forces acting on HIPAA Compliance (Privacy Rules, Security Rules)]
• 18% For-Profit; 12% Academic Status
• Patient Inflow
• Dedicated Compliance Officer (48%)
• State Privacy Laws Comprehensiveness
• Peer Pressure [45% Privacy and 12% Security Compliant]
• External Consultants (24%)
• Consumers’ Concern for Privacy [37% across US]
• Competitive Position
Page 26
HIPAA Compliance at Hospitals
• Practice
• Policy