More often than not, security and IT teams might not care to admit that decisions around information security sometimes get made in an ad hoc fashion. Organizations should invest in developing the processes to make systematic decisions about how to understand the threat environment and the optimum mechanisms to protect their business. The following discussion illustrates the systematic use of risk analysis to evaluate security approaches for a healthcare web application. We will use risk assessment methods to evaluate the threats and potential vulnerabilities to the primary assets within the system. Qualitative methods will allow us to focus on the most significant issues. Quantitative methods will then be used to further understand the business implications of the threats. Finally, we will present a financial model to justify the security investments necessary to protect against the threats.
For the purposes of this analysis we need to consider three broad classes of threats: external attackers, insiders, and partners/business associates.
External attackers can be classified into three groups.
Group A consists of financially motivated cyber criminals with advanced skills and existing monetization networks for generating multiple forms of profit from the data they steal. This group is capable of attacking the end users of the web application with various forms of malware, gathering application credentials, exploiting application vulnerabilities to escalate privileges, and stealing data at will.
Group B consists of financially motivated cyber criminals using standard cyber crime tool kits. This group is capable of attacking web application end users, gaining access to the application with valid credentials, and stealing the data that the compromised user is authorized to access.
Group C consists of hackers and other general external adversaries. This group is expected to carry out their activities using common exploits such as man-in-the-browser or dictionary attacks against the system.
Insider threats consist of employees of the application vendor or organization deploying the system. This group has privileged access to data and may be motivated by financial gain or retribution against the organization. There is no need to subset this group. We will refer to it as group D.
Threats from business partners/associates consist of employees of organizations who are part of the overall application solution. This group has more knowledge of the system than the general hacker community and potentially privileged access to data. Motivations for malicious behavior range from financial gain to the desire to attain competitive advantage. There is no need to subset this group; we will refer to it as group E.
The vulnerabilities we are concerned with are technical application vulnerabilities, business logic problems, and a lack of adequate detection and prevention in the face of a skilled attack.
The primary assets that we are trying to protect are medical records accessible from within the web application.
Before providing a qualitative risk analysis we need to further develop an understanding of groups A and B. These groups are cyber crime organizations that are organized, skilled and well funded. For the past several years these groups largely directed their efforts at financial services organizations, stealing credit card data and carrying out wire fraud as well as other malicious activities. In recent years these organizations have realized that they can make more money with the same infrastructure and similar attack methods by stealing medical records. Medical records offer higher resale value (typically $0.50 for credit card data versus $15.00 to $20.00 for a complete medical record). They also offer the ability to carry out much higher value fraud, such as filing for and collecting false medical claims. These organizations have the infrastructure and operational capability to successfully execute these types of crimes. An illustration of the malware ecosystem and the cyber crime organization is shown in the figure below.
Qualitative risk analysis
To focus effort on the most significant information security issues we will use a qualitative risk analysis. Shown in the table below are the five groups of threats that have been identified, organized by impact to the business and probability of occurrence.
The table shows that the threats we need to be primarily concerned with are those presented by groups A and B. While we should not ignore the threats presented by the other groups, the strategies used to mitigate the risk from the primary threats will also cover those presented by the other groups.
The next step in determining a plan of action to defend against the threats requires quantitative analysis. First, we will use our understanding of the threat environment and knowledge of crime activity in the healthcare market to assign values to the probability-impact matrix. These include an estimate of business impact in terms of records stolen on an annual basis, as well as the probability of occurrence over the course of a year. The table below presents the impact in terms of medical records stolen and the range of probabilities of occurrence for the threat groups.
Now we are ready to evaluate the business impact presented by the two primary threat groups. We need to make an association between a stolen medical record and the dollar value impact or liability to the business. Analyst groups such as the Ponemon Institute and the Javelin Group have conducted a number of studies that estimate costs ranging from $121 to $204 per record. We will use a study by Khalid Clark and other analysts at the Forrester group, since they present a more detailed analysis of the cost components per record.
These cost components are as follows:
Opportunity cost – customer churn, internal disruption and difficulty in acquiring new customers as a result of the breach: $50 per record.
Employee productivity – employees diverted from primary tasks: $30 per record.
Regulatory fines – fines imposed by OCR, HHS, state departments of public health, etc.: $25 per record.
Incident response – discovery, notification and response: $50 per record.
Increased audit and security requirements – the security and audit requirements levied as a result of a breach: $10 per record.
This gives a total of $165 per record.
Now, given the quantitative probability-impact table, we can calculate the annual financial loss potential associated with the threats from groups A and B. To do this we define some assumptions regarding the statistical distribution of record loss and the probability of occurrence. These assumptions are outlined in the table below.
Next, we will run a statistical analysis using Monte Carlo simulation to determine the mean number of records at risk and the corresponding statistical distribution using the assumptions shown in the table above. The results of the simulation follow. We will use the mean value of 50,643 records in justifying our investment in protecting the application.
The business benefit of mitigation is the reduced liability from the threats presented by groups A and B. The risk mitigation measures to defend against these threats are also assumed to mitigate the risk from the other identified groups.
• Liability: 50,642 records * $165 per record = $8,356,024
The categories of programs to mitigate the risk include the following:
• Engineering investment required for fixing technical vulnerabilities as well as adding detection and protection logic, enhanced authorization methods, and enhanced authentication techniques.
• QA and operations investment for testing and deploying new security measures.
• Operations and information security investment for incident response planning and increased threat specific infrastructure monitoring.
The task at this point is to quantify the immediate investment requirements as well as the levels of ongoing spend. Since the “return” is well understood in terms of the liability associated with the threats, investments can be justified, easily calculated and presented in terms of Return on Investment (ROI) or net present value (NPV). This allows the business to understand the rationale for information security investments and have clear expectations regarding the results.
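As an added worked example (not part of the original analysis), the following Python script reproduces the method end to end: a Monte Carlo run over per-group probability and records-stolen assumptions, the $165-per-record liability, and the NPV of a mitigation program against that liability. The per-group probabilities and record ranges, the mitigation effectiveness, and the spend figures are constructed assumptions, since the page's own assumption table is not reproduced here.

```python
import random
import statistics

COST_PER_RECORD = 165  # $ per record: sum of the five Forrester cost components above

# Constructed assumptions (not the page's table): annual probability of at least one
# successful attack by the group, and a (min, mode, max) triangular range of records
# stolen in that year. Only the two primary groups, A and B, are modelled.
THREAT_GROUPS = {
    "A": {"p_annual": 0.35, "records": (5_000, 40_000, 200_000)},
    "B": {"p_annual": 0.60, "records": (1_000, 10_000, 50_000)},
}


def simulate_annual_records(groups, trials=20_000, seed=1):
    """Monte Carlo: one trial = one simulated year; returns records lost per trial."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for g in groups.values():
            if rng.random() < g["p_annual"]:  # does this group succeed this year?
                lo, mode, hi = g["records"]
                total += rng.triangular(lo, hi, mode)
        totals.append(total)
    return totals


def summarize(totals):
    """Mean and percentiles of the simulated distribution (the page uses the mean)."""
    s = sorted(totals)
    return {"mean": statistics.fmean(s), "p50": s[len(s) // 2], "p90": s[int(len(s) * 0.9)]}


def annual_liability(mean_records, cost_per_record=COST_PER_RECORD):
    """Expected annual liability in dollars: records at risk times cost per record."""
    return mean_records * cost_per_record


def npv_of_mitigation(expected_loss, effectiveness, initial, annual_spend, years, rate):
    """NPV of a security program: avoided loss (liability * effectiveness) minus
    ongoing spend each year, discounted at `rate`, less the up-front investment."""
    npv = -initial
    for year in range(1, years + 1):
        npv += (expected_loss * effectiveness - annual_spend) / (1 + rate) ** year
    return npv


if __name__ == "__main__":
    stats = summarize(simulate_annual_records(THREAT_GROUPS))
    loss = annual_liability(stats["mean"])
    print(f"mean records at risk: {stats['mean']:,.0f}  (p90 {stats['p90']:,.0f})")
    print(f"expected annual liability: ${loss:,.0f}")
    # Assumed program: $2M up front, $500k/yr, 80% effective, 3 years at 10% discount
    print(f"NPV of mitigation: ${npv_of_mitigation(loss, 0.8, 2e6, 5e5, 3, 0.10):,.0f}")
```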