[unisog] Risk analysis

Glenn Forbes Fleming Larratt gl89 at cornell.edu
Thu Feb 16 14:25:46 GMT 2006


...not to mention the fact that the faculty members' data may include:

   - research data (which may not be regulated, but may also be

   - grades, which are regulated under FERPA;

   - other per-student "directory information" per FERPA;

   - financial data (unit budgets, grad student stipends, whatever), which
     may be regulated and is certainly sensitive;

   - etc.

It's also worth considering the difference between the compromise of a
faculty machine managed (...) by university employees and the compromise
of a student-owned machine connected to a ResNet.

In SANS' Intrusion Detection track back when I took it, they taught us
to evaluate an attack using the "equation" [IIRC]

   Severity = ( (criticality of target) + (lethality of attack) )
            - ( (host countermeasures) + (network countermeasures) )

However, that's more a tool for analyzing attacks, rather than evaluating
damage of a compromise.


-- 
Glenn Forbes Fleming Larratt
Cornell University IT Security Office

On Wed, 15 Feb 2006, Michael Holstein wrote:

> That's all just a theoretical exercise. IIRC (from back when I studied for 
> the CISSP), the idea is to assign a value like this :
> What will it cost us if that gets hacked?
> 	loss of business activity
> 	loss of business integrity
> 	legal (or criminal) liability
> 	etc.
> So .. is a faculty member more valuable than a student?
> Well, without assigning hard numbers, consider :
> I lose a student's data. That affects one person (directly) plus the support 
> staff to remedy the problem.
> I lose a professor's data. That affects all 100+ of his/her students, plus 
> all the support staff to deal with 100+ problems.
> Just my quick $0.02 at 4:59pm.
> Cheers,
> Michael Holstein CISSP GCIA
> Cleveland State University