Computer-Related Incidents in Colleges and Universities: Factors and Categorization Virginia Rezmierski Daniel Rothschild The University of Michigan This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.0 / or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.


Page 1

Computer-Related Incidents in Colleges and Universities: Factors and Categorization

Virginia Rezmierski
Daniel Rothschild
The University of Michigan


Page 2

Previous work, new questions

Building on earlier studies
Questions being asked today

Page 3

Building on earlier studies

I-CAMP (Incident Cost Analysis and Monitoring Project)

How do we measure incident costs?
What are the costs associated with incidents?
Cost of 30 incidents: $1,015,810

Page 4

Building on earlier studies

I-CAMP II

What about smaller incident costs?
What is the frequency of different incidents?
Risk = Cost × Frequency

Mean costs of incidents:
Access compromise: $1,800
Harmful code: $980
DoS: $22,350
Hacker attacks: $2,100
Warez sites: $340
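As an added worked example (not code from the I-CAMP or CIFAC projects), the slide's Risk = Cost × Frequency applied to the mean costs quoted above. The per-year frequencies are constructed for one hypothetical campus and are not figures from the study; the point they illustrate is the one I-CAMP II was asking about: once frequency is weighted in, cheap-but-common incident types can outrank the expensive-but-rare ones.

```python
"""Expected-loss ranking of incident types using Risk = Cost x Frequency.

Added example; not code from I-CAMP II or CIFAC. MEAN_COST holds the I-CAMP II
mean costs quoted on the slide. FREQUENCY is CONSTRUCTED (assumed incidents per
year for a hypothetical campus); the real I-CAMP II counts are not on the page.
"""

# Mean cost per incident in USD, from the I-CAMP II slide.
MEAN_COST = {
    "access compromise": 1_800,
    "harmful code": 980,
    "dos": 22_350,
    "hacker attack": 2_100,
    "warez site": 340,
}

# Constructed incidents-per-year (assumption, for illustration only).
FREQUENCY = {
    "access compromise": 40,
    "harmful code": 120,
    "dos": 2,
    "hacker attack": 10,
    "warez site": 60,
}


def annual_risk(mean_cost, frequency):
    """Return {incident type: expected annual loss} via Risk = Cost x Frequency."""
    return {kind: mean_cost[kind] * frequency[kind] for kind in mean_cost}


def rank_by_risk(mean_cost, frequency):
    """Incident types as (type, expected annual loss), highest risk first."""
    risk = annual_risk(mean_cost, frequency)
    return sorted(risk.items(), key=lambda item: item[1], reverse=True)


def break_even_frequency(cheap, expensive, mean_cost, frequency):
    """Yearly count at which the cheap type's risk equals the expensive type's.

    Solves cost[cheap] * f = cost[expensive] * frequency[expensive] for f.
    """
    return mean_cost[expensive] * frequency[expensive] / mean_cost[cheap]


if __name__ == "__main__":
    # Per-incident cost alone would put DoS first; frequency-weighted risk does not.
    for kind, loss in rank_by_risk(MEAN_COST, FREQUENCY):
        print(f"{kind:20s} ${loss:>10,}")
    f = break_even_frequency("warez site", "dos", MEAN_COST, FREQUENCY)
    print(f"warez sites would out-risk DoS at about {f:.0f} incidents/year")
```

With these constructed frequencies, harmful code ($117,600/year) and access compromises ($72,000/year) both outrank DoS ($44,700/year) even though DoS has by far the highest mean cost per incident, which is why the second study had to measure frequency and not only cost.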

Page 5

Building on earlier studies

LAMP (Logging and Monitoring Privacy Project)

Do administrators log and monitor?
How far can we go within FERPA?
Inadequate training and resources
Inadequate protections
Liability when departments function in isolation

Page 6

Computer Incident Factor Analysis and Categorization Project

How do incidents compare across institutions?
How do other institutions handle similar incidents?
What are the causative and facilitative factors associated with different incident types?
What are the best practices available for incident prevention and management?

Page 7

Incidents and Models

What is an incident? Why is this important?
Involving people from across campus
Disagreements within IT
Narrow definitions

CIFAC Methodology: 3 focus groups, 33 total participants

Page 8

An incident is an event that utilizes or exploits information technology resources or security flaws therein, either by accident or by design and through malice or otherwise, that causes, directly or indirectly, one or more of the following occurrences:

Compromise of proprietary, confidential, or protected data
System disruption which impedes user(s)' access to data or other IT resources
Violation of IT use policies set out and made known by the administrator(s) of the IT systems in question
Violation of norms commonly accepted within the community of system user(s) for use of IT resources
Attempting or conspiring to engage, or representing oneself or another to be engaged, in any aforementioned behavior

Page 9

An incident is any action/event that takes place through, on, or involving information technology resources, whether accidental or purposeful, that has the potential to destabilize, violate, or damage the resources, services, policies, or data of the community or individual members of the community. Such incidents may focus on/target individuals, systems/networks, or data resources and result in a policy, education, disciplinary, or technical action.

Page 10

Incidents and Models

Risk-management incident prevention
Burden placed on IT staff
Historically left isolated
Benefit-cost analysis: how to devote scarce resources
Thresholds: codified rules of action
Reduces technologist liability
Devote time to the problem

Page 11

Incidents and Models

What's happening in the literature?
Convergence of corporate and educational literature to a holistic approach to management
Robert Austin and Christopher Darby, "The Myth of Secure Computing," Harvard Business Review (June 2003), 120-126.
Focus on specific vulnerabilities and attack types
Categorization of incidents
Colleges and universities moving from lists to codification and modeling

Page 12 and Page 13: (no text captured in transcript)

Page 14

Seriousness

Short incidents and categorization:
System-focused: 37%
Data-focused: 22%
People-focused: 42%

Roles and perception of seriousness

Page 15

Seriousness: Variables

Long incidents
Seriousness ratings
Three variables of interest:
Quantity or extent of loss
Rank of the people involved
Potential for further damage
Other identified variables

Other identified variables

Page 16

Risk (or lack) of harm to people
Potential criminality
Not my job/role/responsibility
Policy issue/violation
Outside authority involvement
Number of people affected
Financial/monetary cost to university/department
Knowledge of quantity of damage
Opportunity cost/time to fix
Number of machines affected
Type of data affected
Fraud/liability to university/FERPA
Public relations/reputation
Types of machines affected
Types/rank of people affected
Other/misc

Page 17

Seriousness: Variables

Variables list
Most common variables:
Probability of danger to person(s) (84%)
Type and sensitivity of data involved (50%)
Probability of further access/damage (37%)
Cost to the department/college/university (15%)

Page 18

Getting Into Factors

Page 19

1) User education (i.e., no education or poor education)
2) Policy existence/quality (i.e., no policy or poor policy)
3) Too much access/inappropriate access level available
4) Physical security lacking

Remainder unranked:

Policy enforcement / ignorance of policy

Ignorance of law/potential legal ramifications

Failure to audit/examine logs

Sysadmin training/performance; no or inadequate training

Too much bandwidth

Virtual security lacking

Ease of (mis)use; absence of tech. impediment to inappropriate use

IT department not consulted/left out of loop

Password poor or exposed

Human nature/behavior

Access termination procedures lacking or faulty

Inappropriate information in public directory

Configuration error

Page 20

CIFAC/NSF

Second phase of CIFAC project: identifying causative and associative factors

Methodology
36 colleges and universities, 18 corporations
Per respondent: three retrospective and three future incidents
Up to three respondents per institution

Page 21

CIFAC/NSF: Questions

Are there common factors associated with:
People-focused incidents?
Systems-focused incidents?
Data-focused incidents?

Is there a common set of variables used to rate seriousness?

What else can we find about the effects of role?

Page 22

CIFAC/NSF

Geographic clusters:
San Francisco Bay area
Chicago area
Atlanta area
Baltimore/DC area
Eastern Massachusetts area
Southeast Michigan/Northern Ohio area

Page 23

The CIFAC Project
Gerald R. Ford School of Public Policy
University of Michigan
712 Oakland Street
Ann Arbor, MI 48104-3021

[email protected]

Final report to EDUCAUSE

http://www.educause.edu/asp/doclib/abstract.asp?ID=SEC0409