BreachExchange mailing list archives

Secret to security best practices: incentivize


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 20 Nov 2015 13:45:43 -0700

http://www.healthcareitnews.com/news/incentivizing-security-best-practices-privacy

The view that cybersecurity is purely a technical, engineering challenge is
a shortsighted one, as breaches repeatedly show when they confound CIOs who
thought their healthcare organization was safe from hackers.

That view is increasingly being replaced by the recognition that security
challenges are less technical than human: they stem from the behavior of
the organizations trying to defend themselves.

"The misalignment of incentives explains why security failures often take
place," said Tyler Moore, Tandy Assistant Professor of Cyber Security and
Information Assurance at the University of Tulsa. "So whenever
organizations don't have appropriate incentives to protect information,
they will not be able to adopt countermeasures to protect their systems."

Moore will address these and other behavioral issues in a presentation
"What is Security Economics and Why Should You Care?" at the HIMSS and
Healthcare IT News Privacy & Security Forum.

"The importance of incentives in choosing the best types of security
mechanisms cannot be underestimated," Moore added.

Another human factor that affects security decisions is information
asymmetry, which arises between two parties when one lacks adequate
information about the other, Moore said.

A hospital evaluating a security product from a vendor, for instance, may
find it hard to ascertain how secure that product actually is.
"This can lead to a problem where there can be an emphasis on other
features of the product that can be observed instead of the dozens of other
things that can't be observed," Moore said. "So organizations may not
devote as many resources to something like security because it's not as
easily observable as other services."

One of the best ways to ensure a healthy security strategy is to take
advantage of information sharing, Moore said.

"There are so many threats healthcare systems are facing that they often
can encounter the same threats as their peers," Moore said. "Information
sharing can help when one hospital shares with another that hasn't been
targeted yet. The hospital can take advantage in ways it wouldn't have been
able to do otherwise."

Healthcare organizations can also draw valuable information from public
regulatory compliance filings and from adhering to security frameworks that
outline the structures of security controls an organization can adopt.

"This type of information is giving them guidance where they should be
trying to spend more money (on security) effectively," Moore said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!