BreachExchange mailing list archives
Secret to security best practices: incentivize
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Nov 2015 13:45:43 -0700
http://www.healthcareitnews.com/news/incentivizing-security-best-practices-privacy

The view that cybersecurity is purely a technical, engineering challenge is a shortsighted one, and that is repeatedly proven by breaches that confound CIOs who thought their healthcare organization was safe from hackers.

Recently, that view is being replaced by the recognition that security challenges are less technical than human-oriented, pointing to the behavior of organizations trying to defend themselves.

"The misalignment of incentives explains why security failures often take place," said Tyler Moore, Tandy Assistant Professor of Cyber Security and Information Assurance at the University of Tulsa. "So whenever organizations don't have appropriate incentives to protect information, they will not be able to adopt countermeasures to protect their systems."

Moore will address these and other behavioral issues in a presentation "What is Security Economics and Why Should You Care?" at the HIMSS and Healthcare IT News Privacy & Security Forum.

"The importance of incentives in choosing the best types of security mechanisms cannot be underestimated," Moore added.

Another human factor that impacts security decisions is information asymmetry, which occurs in relations between two parties when one doesn't have adequate info about the other, Moore said. A hospital may be evaluating a security system from a provider where it can be hard to ascertain the quality of security of the solution, for instance.

"This can lead to a problem where there can be an emphasis on other features of the product that can be observed instead of the dozens of other things that can't be observed," Moore said. "So organizations may not devote as many resources to something like security because it's not as easily observable as other services."

One of the best ways to ensure a healthy security strategy is to take advantage of information sharing, Moore said.

"There are so many threats healthcare systems are facing that they often can encounter the same threats as their peers," Moore said. "Information sharing can help when one hospital shares with another that hasn't been targeted yet. The hospital can take advantage in ways it wouldn't have been able to do otherwise."

Healthcare organizations can also access valuable information from public regulation compliance filings and adhering to security frameworks that outline structures of security controls that can be adopted.

"This type of information is giving them guidance where they should be trying to spend more money (on security) effectively," Moore said.