Page 184 - ITU KALEIDOSCOPE, ATLANTA 2019
2019 ITU Kaleidoscope Academic Conference
knowledge when assessing IoHT cybersecurity. This is not something that could be accomplished by the IT department or outside cybersecurity experts, as it requires healthcare domain-specific knowledge.

3. RISK ANALYSIS

Cybersecurity spending for the period 2017-2021 is expected to total over 1 trillion dollars [25]. At the same time, the cost of cybercrime is projected to reach two trillion dollars by 2019 [26] despite the increased spending on cyber defense. Problems are exacerbated by the lack of trained security personnel [27,28].

The main purpose of cybersecurity is to reduce risk. However, most cybersecurity decisions today are made based on fear, uncertainty and doubt (FUD) [29]. Informed risk decisions should be made using mathematics, science and engineering. "There are plenty of fields with massive risk, minimal data, and profoundly chaotic actors that are regularly modeled using traditional mathematical models" [30]. Cybersecurity can learn from other fields such as the insurance industry, where loss exceedance curves are used as a tool for catastrophe planning for river flooding, tornadoes, hurricane storm surges and droughts [31]. Similarly, loss exceedance curves are also used in oil and natural gas exploration [32].

Loss exceedance curves can be used in cybersecurity for mathematically modeling risk [30]. This approach incorporates decomposition, summation and validation over time. An example is shown in Figure 1. The curve is probabilistic and shows the likelihood of losses exceeding a certain amount. Note the x-axis is log scale and the entire chart is for a fixed time period, e.g. one year.

Figure 1 – Loss Exceedance Curve

The real advantage comes from comparing two alternatives, as in Figure 2. The existing base case is shown in blue. The red alternative costs $500k to implement and decreases the 50% loss by over $4M. But note this particular alternative also increases the chance of a catastrophic loss by a factor of 10. Although this may seem counterintuitive, it is common because the new technology itself becomes a low-probability, high-impact threat vector. A better alternative would be to increase the upfront costs to mitigate the catastrophic case with other controls and/or insurance.

Figure 2 – Comparing Loss Exceedance Curves

Loss exceedance curves can apply to casualty information. IoHT would need to incorporate both financial and casualty data to make informed risk decisions. Cybersecurity controls could potentially increase patient mortality in cases where the control impacts emergency access or constrained resources [33]. Quantitative studies optimize overall health outcomes by including both the positive impacts (e.g. reduced mortality due to preventing attack) and negative impacts (e.g. increased mortality due to reduced emergency access) of cybersecurity controls.

Factor Analysis of Information Risk (FAIR™) [34] is one methodology for conducting quantitative risk analysis and creating loss exceedance curves. Taxonomy and analysis standards have been developed for FAIR™ [35,36].

Duty of Care Risk Analysis (DoCRA) is a standard [37] developed to help organizations determine whether their safeguards appropriately protect others from harm while incurring a reasonable burden.

Chris Chronin, Chair of the DoCRA Council, recommends extending FAIR™ to explicitly balance the likelihood and impact of foreseeable threats against the burden of safeguards in such a way as to meet the legal definition of 'reasonable' from the judge's viewpoint in a case to determine liability [38].

4. AUTOMATION

The defense has not kept pace with the offense. Attackers can, on average, breach a system in seconds or minutes, whereas it takes defenders weeks, months or even years to respond [39]. The attacker utilizes sophisticated, adaptive, automated tools and the defender reactively responds with manual, slow, uncoordinated tools and processes. The defense must automate to operate at the speed of the offense. Automation is a win/win: cheaper AND better.
– 164 –