Chapter 2 Sources of Digital Liability
Introduction
• This chapter provides an overview of how a company’s digital assets create liability exposure
• Liability exposure refers to needless risk from the organization’s failure to take action, which results in harm
• Some sources of the exposure can be:
  • Use of networked computers, ecommerce, websites, electronic records, automated transactions, digital signatures, and electronic contracting
• The chapter introduces the difficulty in evaluating and protecting digital assets and the consequences of failure
Foundation Chapter
• The book will cover how to identify, qualify, and quantify risk exposure to hackers and lawyers
• The first step to protecting digital assets is to take time to evaluate the value of data and then its financial impact on business operations if certain systems become unavailable or compromised
Assessing and Protecting Digital Assets
• Risk Assessment
  • An organization must know which of its assets require protection and the real or perceived threats against them
  • A company cannot budget for nor manage the defenses needed to mitigate risks without an accurate assessment of risk
Protecting a Computer Network begins with
• The nature and location of all electronic data and knowledge assets
• Estimates of the extent of their exposure and the probability of attack from known threats
• Appropriate responses to intrusions, or options if the company suffers a loss or causes another company to suffer a loss
• The legal issues that can be triggered by release or corruption of those assets
• The opportunity costs of disrupted business functions
  • These are measurements of missed or lost sales or profits, or of how long it might take to recover from an attack
Gray Boxes
• Note that the boxes on pages 15-18 focus on threats from
  • Hackers (a Russian hacker stealing credit card numbers)
  • Lawyers (subpoenas to Merrill Lynch looking at company e-mails)
  • Internal Intrusions
    • 70% of all computer attacks enter via the Internet, but 75% of all dollar losses stem from internal intrusions
    • Just glance at the risks from internal employees
Insufficient Protection Against Avoidable Losses
• We continue to read in the media how government agencies and businesses fail to protect themselves against avoidable losses
• @Lert – Access that is easy and convenient for employees is also easy and convenient for hackers
Digital Liability Management (DLM)
• Digital Liability is: all the ways the information on computer devices and networks can actually hurt a company or individual
• Even if all risks are known, managing the digital information that can cause the liability is very hard
• Usually we don’t know all of the risks, which makes it even harder
• Often deleting the information causing the risk is difficult and could be illegal
  • Illegal destruction of documents can create a series of legal problems and possibly felony convictions
  • Deleted e-mail can still cause problems later
• Look at Figure 2.1 on page 18 (go over all 3 parts)
Activities that Cause Digital Liability
• The author lists six causes of digital liability
  1) Evidence of unlawful civil or criminal activity
  2) Illegal possession of unlicensed software or other intellectual property
  3) Theft of trade secrets and other privileged information
  4) Theft of customer or partner information
  5) Disclosure of confidential information
  6) Deletion of records in violation of statutory or regulatory retention requirements
@Lert
• Proper information management means secure access to what should be available and denied access to what should not be available
Digital Liability: Post-1999
• E-mail borne viruses
  • By 2003 there were genuine virus threats as well as false warnings of nonexistent viruses
  • Companies would incur the costs of wasted time and bandwidth as users forwarded these hoaxes to others
• Dirty Laundry Websites
  • Sites popped up containing corporate memos or employee venting
  • Two are mentioned in the text
• Self-Restraint
  • Employees must learn which files to open and which to delete
  • They need to realize that firewalls and antivirus mechanisms don’t detect, and cannot deter, all threats
Damage Estimations
• A 2001 study by the Computer Security Institute and FBI (Computer Crime and Security Survey) indicated that cybercrimes accounted for losses of $378 million
  • This was twice the average loss incurred in 2000
  • The majority of losses came from theft of trade secrets, financial fraud, and damage from computer viruses
  • You can find this site online with a search
• In 2002, 223 respondents totaled $455 million in losses (no improvement)
  • The leading categories were loss of proprietary information and financial fraud
More Damage Estimations
• Highlights of the 2004 Computer Crime and Security Survey include the following:
  • Overall financial losses totaled from 494 survey respondents were $141,496,560. This is down significantly from 530 respondents reporting $201,797,340 last year.
  • In a shift from previous years, the most expensive computer crime was denial of service. Theft of intellectual property, the prior leading category, was the second most expensive last year.
  • Organizations are using metrics from economics to evaluate their security decisions. Fifty-five percent use Return on Investment (ROI), 28 percent use Internal Rate of Return (IRR), and 25 percent use Net Present Value (NPV).
  • The vast majority of organizations in the survey do not outsource computer security activities. Among those organizations that do outsource some computer security activities, the percentage of security activities outsourced is quite low.
Common Sources of Risk
• User ignorance – users and managers must learn how to recognize dangers and respond safely
  • Secure-use training (mentioned later in the text) can produce a very high return on investment (ROI) because the savings exceed the costs
  • Dangers: indiscriminate opening of email, forwarding email, unprotected use of wireless devices, web surfing, lack of discretion with email content
• Lack of Enforceable Policy – strict email Acceptable Use Policies could save companies millions of dollars in damages and fees
  • Policies that tell employees not to open e-mail from unknown sites, not to forward e-mail indiscriminately, etc.
• Social Engineering – psychologically manipulating or tricking the end-user into doing something risky or damaging
  • Highly successful because it is so easy to impersonate someone on the Internet
  • The I Love You virus was so successful because it enticed recipients
  • Klez.H was successful because infected messages appeared to the recipients as coming from a familiar and trusted source
• Malware – malicious software programs like viruses, worms, and trojan horses
@Lert
• A security policy that is complex, obtrusive, and difficult to comply with is self-defeating; examples are requiring overly frequent password changes or using unreliable swipe cards to unlock doors
• Staff will find workarounds to the policy by sharing passwords, writing them down, or propping doors open
• In this type of organization, employees will unknowingly help an intruder gain access to critical business information
More Sources of Risk
• Excessive Sharing
  • People often want to forward a joke found on the Net. There is a potential liability with significant implications
  • An individual’s civil rights can be violated, and communication may be misinterpreted as harassment or offensive
  • Read the last paragraph of page 22 and the top two paragraphs of page 23
• Revealing Candor
  • Email is being used in cases of white collar crime (any nonviolent crime committed in a commercial context, like embezzlement, threats, or fraud)
  • Electronic fraud is the fraudulent use of electronic records, like illegal interception or manipulation
Factors Exacerbating Digital Liability
• We see that digital records and communication are at the center of legal issues or used as supporting evidence
• Employees’ undisciplined practices at the computer can be dangerous for the organization
• Risk exposure can escalate when users assume that their cyber activities will remain undetectable
• With these false expectations, users will write things they would not normally say aloud, much less as a business record
Intractable Problems
• For businesses, any email message sent by anyone with a company email account may
  • Be interpreted legally as the company’s official corporate policy
  • Be used as evidence of company misconduct
  • Become ammunition against a company, even if that message would have been disregarded by anyone with common sense and maturity at the company
Lagging Practices
• The deployment of cyber security defenses lags significantly behind the discovery of threats
• Investments aimed at changing user behavior lag investments in defensive technology
• Why?
Business and Legal Reasons for Concern
• So, what are some business and legal reasons for protecting digital assets?
• Companies are more thoroughly assessing their partners’ overall data security policies as well as their own
• Many businesses now demand extensive third-party audits (see Figure 2-2, page 25) (READ the bottom paragraph of page 24)
The Standard of Reasonableness
• Recovering damages from a perpetrator will involve defense attorneys, judges, or juries
• Courts will look at the extent to which a company exercised reasonable diligence by safeguarding its own network and informational assets
• If a company does not safeguard secret information from misconduct by employees or others, courts or insurers may deny action to recover those losses
• If a company does not implement and enforce reasonable cybersecurity measures, it may not have any legal recourse if its confidential information was stolen by employees, hackers, or industrial spies
Consequences When Reasonable Precautions are Neglected
• Read – page 26
Because of Privileged Information
• Page 27
• Read the PIHI paragraph
• How much is the potential fine for “obtaining and disclosing protected health information with the intent to sell, transfer, or use it for personal gain, commercial advantage, or malicious harm”?
Tests of Negligence
• Judge Learned Hand outlined a standard for negligence and liability based on the economic model of marginal cost-benefit analysis
• According to this, the firm is not negligent if and only if the marginal costs of safeguards are greater than the marginal benefits of those safeguards
  • i.e., if a $1,000 investment in security training could prevent an estimated $1,000 or more in damages, that investment must be made
• The benefits are calculated by multiplying the estimated probability of a security breach by the expected average cost of damages
• This test has received overwhelming acceptance in the courts
• End of chapter; look at the discussion questions on page 29
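The Hand test on the slide above, carried through in code as an added example (this is not from the textbook or the lecture slides). It applies the slide's definition of expected loss (breach probability times average damage) to a list of candidate safeguards and flags the ones the test says must be implemented. The `Safeguard` class, the "benefit equals reduction in expected loss" reading of the slide, and all dollar figures and probabilities are assumptions constructed for illustration, not survey data from the chapter.

```python
"""
Added example: Judge Learned Hand's cost-benefit test applied to safeguards.

Assumptions (not stated on the slide, labelled here):
- the marginal benefit of a safeguard is the expected loss it removes,
  (p_before - p_after) * damage, using the slide's probability-times-damage
  definition of expected loss;
- all figures are annual and in the same currency;
- the candidate safeguards and their numbers below are constructed.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    name: str
    cost: float       # marginal cost of putting the safeguard in place
    p_before: float   # estimated breach probability without it
    p_after: float    # estimated breach probability with it
    damage: float     # expected average cost of one breach

    def __post_init__(self):
        # Reject inputs under which the arithmetic is meaningless.
        if not (0.0 <= self.p_after <= self.p_before <= 1.0):
            raise ValueError(f"{self.name}: need 0 <= p_after <= p_before <= 1")
        if self.cost < 0 or self.damage < 0:
            raise ValueError(f"{self.name}: cost and damage must be non-negative")


def expected_loss(probability: float, damage: float) -> float:
    """Expected loss as the slide defines it: breach probability times average cost."""
    return probability * damage


def marginal_benefit(s: Safeguard) -> float:
    """Expected loss removed by the safeguard (assumed reading of 'benefit')."""
    return expected_loss(s.p_before, s.damage) - expected_loss(s.p_after, s.damage)


def hand_test(s: Safeguard) -> bool:
    """
    True when the safeguard must be implemented: its marginal benefit is at
    least its marginal cost (the slide's "$1,000 prevents $1,000 or more" case).
    Skipping such a safeguard is what the test treats as negligent.
    """
    b = marginal_benefit(s)
    return b >= s.cost or math.isclose(b, s.cost)


def evaluate(safeguards):
    """Rank candidates by net benefit (benefit minus cost), best first."""
    rows = []
    for s in safeguards:
        b = marginal_benefit(s)
        rows.append({"name": s.name, "cost": s.cost, "benefit": round(b, 2),
                     "net": round(b - s.cost, 2), "required": hand_test(s)})
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed sample figures for illustration only.
CANDIDATES = [
    Safeguard("secure-use training", cost=1_000, p_before=0.10, p_after=0.08, damage=50_000),
    Safeguard("door swipe-card upgrade", cost=20_000, p_before=0.05, p_after=0.04, damage=100_000),
    Safeguard("e-mail attachment filtering", cost=5_000, p_before=0.30, p_after=0.10, damage=40_000),
]

if __name__ == "__main__":
    for row in evaluate(CANDIDATES):
        verdict = "must implement" if row["required"] else "not required"
        print(f"{row['name']:<30} cost {row['cost']:>9,.0f}  "
              f"benefit {row['benefit']:>9,.0f}  {verdict}")
```

With the constructed figures, the training line reproduces the slide's own case (a $1,000 cost that prevents exactly $1,000 of expected loss, so it must be made), the swipe-card upgrade fails the test because it costs far more than the expected loss it removes, and attachment filtering passes comfortably. The validation in `__post_init__` matters in practice: a safeguard that is claimed to raise breach probability, or a negative cost, would otherwise produce a nonsense verdict.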