Published by Paulina Gregory. Modified over 8 years ago.
Slide 1: Rapid Security Risk Analysis
Farrokh Alemi, Ph.D., Georgetown University
Slide 2: Proposal
- Set security risk priorities
  - Faster
  - More accurately
  - More objectively
Slide 3: Case of Attack on Boiler Room
- Consultant's visit
- Card in boiler room
- Contract
- Comprehensive
  - Physical, electronic, personnel, natural causes, etc.
- Based on opinions
  - Consensus
  - Imagined risks
  - Attack on milk tanker will kill 500,000
- Next consultant
Slide 4: Cost of Comprehensive Security Analysis
- Wasted time
- Less productivity
- Forgotten passwords
- Lack of coordination
- Missed priorities
  - Anthrax versus Katrina
Slide 5: Probabilistic Security Risk Analysis
- Collect incidence databases
- Calculate probability of events
  - Use time to event
- Set priorities
  - Prevent events with high expected damages
  - Mitigate consequences of events with low expected damages
  - Ignore all others
Slide 6: Example: Reduce Privacy Security Risks
- Analyze legal cases
- Analyze reports to DHHS

| Description of risk factor | Prevalence of risk factor in the organization | Prevalence of security violation given the risk factor |
|---|---|---|
| 1. Employee views paper documents or manipulates computer passwords to view records of patients not under his/her care | 0.0003 | 1 |
| 2. Benefit organizations or employers request employee information improperly | 0.0003 | 0.8805 |
| 3. Employees engaged in whistle blowing to uncover illegal or unacceptable business or clinical practices | 0.0003 | 0.0201 |
| 4. Clinician using unsecured email environment to contact patient | 0.0003 | 0.1606 |
| 5. Employee removes patient records from secure location or workplace without authorization | 0.0003 | 0.88 |
| 6. External infection of computers/password/network systems (e.g. computer hacker) | 0.0003 | 0.5888 |
| 7. Theft of computers or hard drives with patient records | 0.0003 | 0.5867 |
| 8. … | | |

Slide 7: Example: Reduce Privacy Security Risks (same table as slide 6)
Callout on the "Prevalence of security violation given the risk factor" column: Calculate from time to re-occurrence of the event

Slide 8: Example: Reduce Privacy Security Risks (same table as slide 6)
Callout: Evidence Based Legal Analysis
Slide 9: Example: Security Risks at a Nursing School
- What should we do?
  - Protect against computer viruses
  - Educate faculty about theft
  - Require background checks for students
  - Introduce camera surveillance
Slide 10: Example: Security Risks at a Nursing School

| Category of risk factor | Events | First reported date | Last reported date | Average days between events | Daily rate |
|---|---|---|---|---|---|
| Theft of computer | 21 | 7/1/99 | 11/29/04 | 99 | 0.010 |
| Theft of other equipment | 36 | 2/5/00 | 8/10/99 | 63 | 0.016 |
| Theft of personal property | 2 | 7/12/01 | 7/11/03 | 365 | 0.003 |
| Property damage | 26 | 10/7/99 | 10/7/04 | 73 | 0.013 |
| Vehicle accident on premise | 10 | 10/27/00 | 8/3/05 | 193 | 0.005 |
| Damage from natural causes | 40 | 10/26/99 | 6/30/05 | 51.62 | 0.019 |
| Hazmat incidents | 1 | 10/10/03 | | 726 | 0.001 |
| Student shootings | 1 | Once four years ago in 100 schools | | | 0.00005 |
Slide 11: Example: Security Risks at a Nursing School

| IT security violation | Estimated days to event | Probability of occurrence | Dollar amount of damage |
|---|---|---|---|
| Desktop security violations | 3 months | 0.03 | $500 |
| Unsolicited emails requesting personal information | Once a week | 0.14 | $18,000 |
| Unsolicited emails not requesting personal information | Daily | 1 | $110 |
| Network penetration | Once in last two years | 0.0014 | $300,000 |
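The three calculations the deck relies on (the time-to-event rate of slide 10, the probability-times-damage ranking of slide 11 under the prevent/mitigate/ignore rule of slide 5, and the prevalence-times-conditional reading of the slide 6 risk-factor table) are carried through below as an added Python example. It is not code from the presentation or its author; the input records are copied from the slide tables, the action thresholds (`prevent_threshold`, `severe_damage`) are assumptions chosen to illustrate the three classes, and the shortened risk-factor labels are mine.

```python
from datetime import date
from typing import Dict, List, Tuple

# Records transcribed from the slide tables (slide dates are M/D/YY; ISO here).
# Only rows whose last date follows the first are included.
NURSING_SCHOOL_EVENTS = {
    "Theft of computer": (21, date(1999, 7, 1), date(2004, 11, 29)),
    "Property damage": (26, date(1999, 10, 7), date(2004, 10, 7)),
    "Vehicle accident on premise": (10, date(2000, 10, 27), date(2005, 8, 3)),
}

# Slide 11: probability of occurrence and dollar damage per event.
IT_VIOLATIONS = {
    "Desktop security violations": (0.03, 500),
    "Unsolicited emails requesting personal information": (0.14, 18_000),
    "Unsolicited emails not requesting personal information": (1.0, 110),
    "Network penetration": (0.0014, 300_000),
}

# Slide 6: (prevalence of risk factor, P(violation | risk factor)); labels shortened.
PRIVACY_RISK_FACTORS = {
    "Views records of patients not under own care": (0.0003, 1.0),
    "Improper employer request for employee info": (0.0003, 0.8805),
    "Whistle blowing": (0.0003, 0.0201),
    "Unsecured email to patient": (0.0003, 0.1606),
    "Records removed without authorization": (0.0003, 0.88),
    "External infection of computers/network": (0.0003, 0.5888),
    "Theft of computers or hard drives": (0.0003, 0.5867),
}


def daily_rate(events: int, first: date, last: date) -> Tuple[float, float]:
    """Time-to-event estimate: average days between events across the observed
    span, and the implied daily rate (1 / average interval)."""
    if events < 2:
        raise ValueError("need at least two events to measure an interval")
    span_days = (last - first).days
    if span_days <= 0:
        raise ValueError("last event must be after the first")
    avg_days = span_days / (events - 1)   # n events bound n-1 intervals
    return avg_days, 1.0 / avg_days


def estimate_rates(records) -> Dict[str, Tuple[float, float]]:
    """Apply daily_rate to every (events, first, last) record."""
    out = {}
    for name, (n, first, last) in records.items():
        avg, rate = daily_rate(n, first, last)
        out[name] = (round(avg, 1), round(rate, 3))
    return out


def expected_damage(probability: float, damage: float) -> float:
    """Expected damage = probability of occurrence x dollar damage per event."""
    return probability * damage


def prioritize(violations, prevent_threshold=1000.0, severe_damage=100_000.0):
    """Slide-5 rule with assumed thresholds: prevent when expected damage is
    high; mitigate consequences when a single event is severe but expected
    damage is low; ignore everything else."""
    decisions = {}
    for name, (p, dmg) in violations.items():
        ev = expected_damage(p, dmg)
        if ev >= prevent_threshold:
            action = "prevent"
        elif dmg >= severe_damage:
            action = "mitigate"
        else:
            action = "ignore"
        decisions[name] = (round(ev, 2), action)
    return decisions


def violation_probability(factors) -> List[Tuple[str, float]]:
    """P(violation via factor) = prevalence x P(violation | factor),
    most likely first."""
    joint = {k: prev * cond for k, (prev, cond) in factors.items()}
    return sorted(joint.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, (avg, rate) in estimate_rates(NURSING_SCHOOL_EVENTS).items():
        print(f"{name:30s} avg {avg:6.1f} days between events, daily rate {rate:.3f}")
    for name, (ev, action) in prioritize(IT_VIOLATIONS).items():
        print(f"{name:55s} expected damage ${ev:8.2f} -> {action}")
    for name, p in violation_probability(PRIVACY_RISK_FACTORS):
        print(f"{name:45s} P(violation) = {p:.6f}")
```

The computed intervals reproduce the slide 10 column (99, 73 and 193 days), and the slide 11 ranking shows why the method matters: the daily spam event has the lowest expected damage apart from desktop violations, while the weekly phishing email dominates and the rare network penetration lands in the mitigate class only because of its per-event cost.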
Slide 12: Probabilistic Security Risk Analysis
- Rapid
- Relative risks (numeric)
- Objective
- Verifiable accuracy