January 2012

Threat Modeling is the Exciting, Sexy Part of Risk Assessment

Posted on January 26, 2012 6:09 pm by Caroline Ramsey-Hamilton Comment

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT! Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves. Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicous Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc. So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

Same model for natural disasters, although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car? Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted). Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and map it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!

Why Violence in Hospitals is Increasing

Posted on January 9, 2012 5:13 pm by Caroline Ramsey-Hamilton Comment

Why Violence in Hospitals is Increasing

Violence is not a concept that people usually associate with hospitals. For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society. However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors.

Doctors are no longer thought of as “Gods”. This means they are
are more easily blamed when a patient’s condition deteriorates.
Hospitals are now regarded as businesses. This perception has been
been aggravated by television in shows like a recent “60 Minutes”, as well as
by the effects of the recession on jobs and the loss of health insurance.
Lack of respect and resources (funding) for hospital security departments
      Rather than being seen as a crucial protection for the hospital staff and
      patients, many security departments are chronically underfunded and used
      for a variety of non- security functions, such as making bank deposits for
      the hospital gift shop.
ASIS Security Association issued it’s industry guidelines for Workplace
   Violence Prevention in September 2011, in conjunction with the SHRM – the
    Society for Human Resources Management to address this issue.

The federal government issued a guidance document for dealing with violence issues in healthcare,   OSHA 3148.01R, 2004, Guidelines for Preventing Workplace Violence for Health Care & Social Service Workers.

To Learn more: join my webinar on Thursday, January 12th at 12 noon Eastern time by
Clicking on this link: https://www2.gotomeeting.com/register/835835290.

No Way to Win an Election – A Risk Assessment

Posted on January 2, 2012 3:57 pm by Caroline Ramsey-Hamilton Comment

Watching the pandemonium that is the build up to the Iowa Caucus, you can follow the thread that pandering and trying to appeal to the lowest common denominator brings to the Iowa Caucus candidates.

They have taken what could have been an asset, and transformed it into the threat that each of the candidates seems to be fixated on – that they will not be considered ‘enough of a social conservative’ and so will not win the caucus.

So, by having a field of five (Paul, Newt, Santorum, Perry and Bachman) competing to be the most dogmatic, the most restrictive, the most anti-abortion, the most anti-immigrant, the most family-oriented, etc., they have actually pared down their own chances of winning.

Romney is running in the slightly more moderate vertical, which no one wants to compete in because it’s not such a knee-jerk distinction, which is why I left him out of this analysis.

In risk assessment terns, this means they have focused on addressing the wrong potential threat (not being conversative enough), and failed to address the real threat (losing the election or coming in dead last).

For the field of five, it turns out that by directly competing against each other, they energize their narrow social conservative vertical and that keeps all five of them alive, and the eventual outcome is the splintering of that narrow field, which effectively prevents any one of them from anything close to a clear win.

It may be a great way to promote yourself for a later VP slot, or, who knows, maybe a future ambassadorship, but it’s NO WAY TO WIN AN ELECTION!

Categories:
Political Risk Assessment
Risk
risk assessment
Risk Assumptions
RiskAlert

Tags:
Election Analysis
Gingrich
Iowa Caucus
Paul
Perry
risk
risk assessment
Ron

Outlook on Risk & Security Compliance in 2012 – What to Expect.

Posted on January 1, 2012 6:59 pm by Caroline Ramsey-Hamilton Comment

This New Year’s Eve, I thought at times my neighbors were using a rocket launcher and several assault rifles to shoot up the New Year. Lucky for me, I spent the awake time to contemplate the outlook for risk, threat and security issues for 2012 and here’s what I see for 2012.

1. Government-Mandated Compliance Is Here to Stay for the Healthcare Industry.

I remember when the IT departments are many hospitals thought George W. was going to revoke the HIPAA Security Rule. It never happened, and this year, for the first time, there is a regulatory body in place that is intent on REAL ENFORCEMENT.

The Dept. of Health & Human Services, Office of Civil Rights, has expanded HIPAA Security and Privacy Rules to include “Business Associates” including lawyers working in healthcare, and the infamous “3^rd Party Providers” who do everything from warehouse data to taking over the IT function of a hospital, and this trend will continue as pressure builds from consumers who’s medical and financial data continues to be compromised.

2. Workplace Violence Prevention will become an OSHA mandate, if not in 2012, at least by 2015. Based on the slug-like pace of OSHA, who only recently provided directives for high risk industries, and the pressure from the more than 30 states who have passed their own regulations, the pressure to stop the number of incidents and to lower their intensities will increase and management will be forced to address it as a major corporate issue.

3. Pressure on the financial industry to protect consumer information will increase. Like many other areas, pressure is increasing to prevent the enormous data breaches we saw in 2011, like Tricare, the recent Stratfor hack by Anonymous, Wikileaks and HealthNet breaches. Consumers are the squeaky wheel and they want the convenience of plastic and internet use, and they will not tolerate breaches, and they are all registered voters!

The FFIEC has already tightened up on both risk assessment standards, as well as
authentication guidelines for all financial institutions.

There will be a increase in requirements for risk assessment as an accountability feature to force managers to maintain better security in all areas of their organizations.

Accountability means that individual managers will be held responsible for the decisions they make regarding other people’s:

1. Financial Data

2. Medical Records

3. Safety from both Violence & Bullying in their workplaces.

Budgets can be cut, and staff can be reduced but consumers are demanding protection of their information, and themselves, and the regulators will make sure they get it in 2012!