[unisog] Risk analysis

Glenn Forbes Fleming Larratt gl89 at cornell.edu
Thu Feb 16 14:25:46 GMT 2006

...not to mention the fact that the faculty members' data may include:

   - research data (which may not be regulated, but may also be
      irreplaceable);

   - grades, which are regulated under FERPA;

   - other per-student "directory information" per FERPA;

   - financial data (unit budgets, grad student stipends, whatever), which
     may be regulated and is certainly sensitive;

   - etc.

It's also worth considering the difference between the compromise of a
faculty machine managed (...) by university employees and the compromise
of a student-owned machine connected to a ResNet.

In SANS' Intrusion Detection track back when I took it, they taught us
to evaluate an attack using the "equation" [IIRC]

   Severity = ( (criticality of target) + (lethality of attack) )
            - ( (host countermeasures) + (network countermeasures) )

However, that's more a tool for analyzing attacks, rather than evaluating
damage of a compromise.

 	-g

--
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 15 Feb 2006, Michael Holstein wrote:

> That's all just a theoretical exercise. IIRC (from back when I studied for 
> the CISSP), the idea is to assign a value like this :
>
> What will it cost us if that gets hacked?
> 	loss of business activity
> 	loss of business integrity
> 	legal (or criminal) liability
> 	etc.
>
> So .. is a faculty member more valuable than a student?
>
> Well, without assigning hard numbers, consider :
>
> I lose a student's data. That affects one person (directly) plus the support
> staff to remedy the problem.
>
> I lose a professor's data. That affects all 100+ of his/her students, plus
> all the support staff to deal with 100+ problems.
>
> Just my quick $0.02 at 4:59pm.
>
> Cheers,
>
> Michael Holstein CISSP GCIA
> Cleveland State University
>
>