Page 184 - ITU KALEIDOSCOPE, ATLANTA 2019

2019 ITU Kaleidoscope Academic Conference




knowledge when assessing IoHT cybersecurity. This is not something that could be accomplished by the IT department or outside cybersecurity experts, as it requires healthcare domain-specific knowledge.

3. RISK ANALYSIS

Cybersecurity spending for the period 2017-2021 is expected to total over 1 trillion dollars [25]. At the same time, the cost of cybercrime is projected to reach two trillion dollars by 2019 [26] despite the increased spending on cyber defense. Problems are exacerbated by the lack of trained security personnel [27,28].

The main purpose of cybersecurity is to reduce risk. However, most cybersecurity decisions today are made based on fear, uncertainty and doubt (FUD) [29]. Informed risk decisions should be made using mathematics, science and engineering. “There are plenty of fields with massive risk, minimal data, and profoundly chaotic actors that are regularly modeled using traditional mathematical models” [30]. Cybersecurity can learn from other fields such as the insurance industry, where loss exceedance curves are used as a tool for catastrophe planning such as river flooding, tornadoes, hurricane storm surges and droughts [31]. Similarly, loss exceedance curves are also used in oil and natural gas exploration [32].

Loss exceedance curves can be used in cybersecurity for mathematically modeling risk [30]. This approach incorporates decomposition, summation and validation over time. An example is shown in Figure 1. The curve is probabilistic and shows the likelihood of losses exceeding a certain amount. Note the x-axis is log scale and the entire chart is for a fixed time period, e.g. one year.

Figure 1 – Loss Exceedance Curve

The real advantage comes from comparing two alternatives, as in Figure 2. The existing base case is shown in blue. The red alternative costs $500k to implement and decreases the 50% loss by over $4M. But note this particular alternative also increases the chance of a catastrophic loss by a factor of 10. Although this may seem counterintuitive, it is common because the new technology itself becomes a low-probability, high-impact threat vector. A better alternative would be to increase the upfront costs to mitigate the catastrophic case with other controls and/or insurance.

Figure 2 – Comparing Loss Exceedance Curves

Loss exceedance curves can apply to casualty information. IoHT would need to incorporate both financial and casualty data to make informed risk decisions. Cybersecurity controls could potentially increase patient mortality in cases where the control impacts emergency access or constrained resources [33]. Quantitative studies optimize overall health outcomes by including both the positive impacts (e.g. reduced mortality due to preventing attack) and negative impacts (e.g. increased mortality due to reduced emergency access) of cybersecurity controls.

Factor Analysis of Information Risk (FAIR™) [34] is one methodology for conducting quantitative risk analysis and creating loss exceedance curves. Taxonomy and analysis standards have been developed for FAIR™ [35,36]. Duty of Care Risk Analysis (DoCRA) is a standard [37] developed to help organizations determine whether their safeguards appropriately protect others from harm while incurring a reasonable burden.

Chris Cronin, Chair of the DoCRA Council, recommends extending FAIR™ to explicitly balance the likelihood and impact of foreseeable threats against the burden of safeguards in such a way as to meet the legal definition of ‘reasonable’ from the judge’s viewpoint in a case to determine liability [38].

4. AUTOMATION

The defense has not kept pace with the offense. Attackers can, on average, breach a system in seconds or minutes, whereas it takes defenders weeks, months or even years to respond [39]. The attacker utilizes sophisticated, adaptive, automated tools and the defender reactively responds with manual, slow, uncoordinated tools and processes. The defense must automate to operate at the speed of the offense. Automation is a win/win, cheaper AND better.
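To make the Section 3 comparison of loss exceedance curves concrete, the following Python example is added here; it is not the paper's code or data. The loss model (a lognormal routine loss plus an occasional catastrophic loss), its parameters, the generator seed and every dollar figure are assumptions of this example. It builds an exceedance curve from simulated annual losses over log-spaced thresholds (matching the log-scale x-axis of Figure 1) and reports the two quantities that Figure 2 contrasts for a base case and an alternative: the 50% loss and the probability of exceeding a catastrophic threshold.

```python
"""Build and compare loss exceedance curves from simulated annual losses.

Added example (not the paper's own code or data).  The loss samples are
constructed with a seeded pseudo-random generator and every dollar figure
is illustrative; only the shape of the comparison follows Figure 2.
"""
from bisect import bisect_right
import math
import random


def exceedance_probability(samples, threshold):
    """P(loss > threshold), estimated as the fraction of samples above it."""
    s = sorted(samples)
    return (len(s) - bisect_right(s, threshold)) / len(s)


def loss_at_exceedance(samples, p):
    """Smallest observed loss x with P(loss > x) <= p, i.e. the (1 - p) quantile.

    loss_at_exceedance(samples, 0.5) is the '50% loss' that Figure 2 compares.
    """
    s = sorted(samples)
    n = len(s)
    for x in s:
        if (n - bisect_right(s, x)) / n <= p:
            return x
    return s[-1]


def exceedance_curve(samples, thresholds):
    """Points (x, P(loss > x)) of the loss exceedance curve at the given thresholds."""
    return [(x, exceedance_probability(samples, x)) for x in thresholds]


def log_thresholds(lo, hi, points):
    """Log-spaced thresholds, mirroring the log-scale x-axis of Figure 1."""
    ratio = (hi / lo) ** (1 / (points - 1))
    return [lo * ratio ** i for i in range(points)]


def compare_alternatives(base, alternative, implementation_cost, catastrophe):
    """Summarise a base case against an alternative control set (cf. Figure 2).

    Reports the 50% loss of each, the reduction in 50% loss net of the
    alternative's implementation cost, and the ratio of the two probabilities
    of exceeding the 'catastrophe' threshold.  A ratio above 1 means the
    alternative makes the catastrophic case MORE likely, the effect the
    paper warns about.
    """
    base_p50 = loss_at_exceedance(base, 0.5)
    alt_p50 = loss_at_exceedance(alternative, 0.5)
    base_cat = exceedance_probability(base, catastrophe)
    alt_cat = exceedance_probability(alternative, catastrophe)
    return {
        "base_p50": base_p50,
        "alt_p50": alt_p50,
        "net_p50_reduction": base_p50 - alt_p50 - implementation_cost,
        "base_catastrophe_prob": base_cat,
        "alt_catastrophe_prob": alt_cat,
        "catastrophe_ratio": alt_cat / base_cat if base_cat else math.inf,
    }


def simulate_annual_losses(rng, years, median, sigma, catastrophe_rate, catastrophe_loss):
    """Constructed loss model (an assumption of this example, not the paper's):
    routine annual loss is lognormal around `median`; with probability
    `catastrophe_rate` a catastrophic loss is added in the same year."""
    mu = math.log(median)
    losses = []
    for _ in range(years):
        loss = rng.lognormvariate(mu, sigma)
        if rng.random() < catastrophe_rate:
            loss += catastrophe_loss
        losses.append(loss)
    return losses


if __name__ == "__main__":
    rng = random.Random(2019)
    # Base case: higher routine losses, rare catastrophe (constructed values).
    base = simulate_annual_losses(rng, 20_000, 6e6, 0.8, 0.005, 100e6)
    # Alternative: a new control cuts routine losses but is itself a new
    # low-probability, high-impact threat vector (10x the catastrophe rate).
    alt = simulate_annual_losses(rng, 20_000, 1.5e6, 0.8, 0.05, 100e6)

    thresholds = log_thresholds(1e5, 1e9, 9)
    print(f"{'loss >':>14} {'P(base)':>9} {'P(alt)':>9}")
    for (x, pb), (_, pa) in zip(exceedance_curve(base, thresholds),
                                exceedance_curve(alt, thresholds)):
        print(f"{x:>14,.0f} {pb:>9.4f} {pa:>9.4f}")
    for key, value in compare_alternatives(base, alt, 500_000, 50e6).items():
        print(f"{key:>24}: {value:,.4f}")
```

The `catastrophe_ratio` is the number to watch: the alternative can win on the 50% loss while losing badly in the tail, which is exactly why the paper recommends pricing the catastrophic case with additional controls or insurance rather than reading only the median. In a real FAIR-style analysis the constructed generator would be replaced by calibrated frequency and magnitude estimates, but the curve and the comparison functions stay the same.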




