Upon questioning our Chief Information Officer regarding risk assessment and management in our organization, I was informed that we had a very well-developed system in place, one whose efficiency and effectiveness were an outcome of trial and error.
At the end of the 20th century, we have witnessed the massive transition from isolated, disconnected computers to networked computer clusters all over the world. At present, there are an estimated 250 million networked hosts world-wide (Telcordia, 2002). This global pervasive connectivity has been a boon for consumers, businesses and governments alike due to the ease, convenience and speed of electronic data exchange. However, the ease of use and relative anonymity that the Internet affords has been leveraged by criminal elements as well. Indeed, no private, commercial or government agency is completely safe or has been unaffected by the proliferation of this kind of cyber-crime. E-Commerce Times reported that the ILOVEYOU virus affected 45 million hosts and inflicted monetary damages to the tune of an estimated $2.6 billion (Enos, 2000). The infamous Melissa macro virus caused an estimated $300 million in damage in 1999, and several prominent e-commerce sites were hit by Distributed Denial of Service attacks in the beginning of 2000 (Committee on Science, 2000). The estimated worldwide damage caused by automated digital attacks was over $30 billion for 2002 (Economic Damage, 2002). These estimated damage figures have to be taken with a grain of salt, but the trend is clear. Moreover, in just a dozen years' time, the propagation speed and the estimated damages have increased by five and two orders of magnitude, respectively.
The healthcare organization in question has been affected by both viruses and DoS attacks. As the Chief Information Officer noted, each virus or DoS incident proved extremely costly, whether calculated in terms of financial loss or the cost of resolving the problem. Therefore, to prevent, or limit, the possibility of future attacks, the organization has adopted a rather comprehensive information security framework. Key components of this framework, according to the CIO, are risk assessment and risk management.
3 Risk Assessment
Risk is commonly defined as the product of the probability and the severity of adverse effects, and the most common approach to quantifying risk is a single figure - its expected value [Hai98, p. 29]. Mathematically speaking, given a random variable with probability function and loss function , the expected risk value in the discrete case is equal to . It is apparent that these are generic probability-weighted averaging formulas. As further explained by the CIO, their semantic specialization into an expected value of risk occurs through the loss function. The unit of the expected risk value is the unit used by the loss function and could be downtime, cost, credibility, etc.
As a preliminary example, the simplified risk of attack consequences on a host that is running one application is shown in the table below:
Hypothetical Risk Confronted by the Healthcare
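To carry the discrete expected-value formula through on a table of this shape, the following is an added Python example, not from the paper or the organization described; the outcome names, probabilities and loss figures are constructed placeholders. It also checks that the probability function is a valid distribution and, going one step beyond the section, shows how a control that lowers one outcome's probability changes the expected risk in each loss unit.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# One row of a constructed consequence table for a host running a single
# application: the outcome, its probability over the assessment period, and
# the loss it causes in more than one unit. The unit of the expected risk value
# follows whichever unit of the loss function is chosen.
Outcome = Tuple[str, Fraction, Dict[str, float]]

HOST_OUTCOMES: List[Outcome] = [  # hypothetical values
    ("no incident",     Fraction(85, 100), {"downtime_hours": 0.0,  "cost_usd": 0.0}),
    ("virus infection", Fraction(10, 100), {"downtime_hours": 8.0,  "cost_usd": 4000.0}),
    ("DoS outage",      Fraction(5, 100),  {"downtime_hours": 24.0, "cost_usd": 15000.0}),
]


def check_probability_function(outcomes: List[Outcome]) -> None:
    """The rows must be mutually exclusive outcomes whose probabilities lie in
    [0, 1] and sum to 1; otherwise the 'expected value' is not one. Fractions
    keep the sum check exact."""
    total = Fraction(0)
    for name, p, _ in outcomes:
        if not 0 <= p <= 1:
            raise ValueError(f"{name}: probability {p} outside [0, 1]")
        total += p
    if total != 1:
        raise ValueError(f"probabilities sum to {total}, not 1")


def expected_risk(outcomes: List[Outcome], unit: str) -> float:
    """Discrete expected risk: the sum over outcomes of p_i * L_i, where L_i is
    the loss of outcome i in the requested unit."""
    check_probability_function(outcomes)
    return float(sum(p * Fraction(loss[unit]) for _, p, loss in outcomes))


def with_control(outcomes: List[Outcome], target: str, factor: float) -> List[Outcome]:
    """Model a control that scales the probability of `target` by `factor`
    (e.g. 0.5 halves it). The removed probability mass is moved to the first,
    benign row so the table remains a valid distribution."""
    benign_name, benign_p, benign_loss = outcomes[0]
    moved = Fraction(0)
    rest = []
    for name, p, loss in outcomes[1:]:
        if name == target:
            kept = p * Fraction(factor)
            moved += p - kept
            p = kept
        rest.append((name, p, loss))
    return [(benign_name, benign_p + moved, benign_loss)] + rest
```

With the constructed table, expected risk is 2.0 downtime hours or $1150 per period; halving the virus infection probability brings these to 1.6 hours and $950.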