From: Factors influencing network risk judgments: a conceptual inquiry and exploratory analysis
Vignette | Median risk | Mean risk | SD | Factor |
---|---|---|---|---|
Very safe (Median risk rating <30) | Â | |||
1 | 26.0 | 30.0 | 15.2 | The hospital recently installed additional emergency electrical generators. |
1 | 28.5 | 31.9 | 18.4 | A disaster recovery plan has been implemented. |
1 | 24.5 | 24.2 | 18.5 | Machines are not connected to both the private network and the internet. |
1 | 29.0 | 32.1 | 19.0 | Results of the audit meet or exceed best practices for network configuration and maintenance. |
1 | 25.0 | 32.8 | 20.8 | The recovery effort from a natural disaster is expected to be rapid. |
2 | 25.0 | 26.0 | 20.8 | The network is a self-contained, segregated, and air-gapped network. |
2 | 30.0 | 34.6 | 20.9 | The IT staff man the network 24/7. |
3 | 25.0 | 27.1 | 13.4 | The networks are fully manned with very little employee turnover. |
3 | 30.0 | 30.7 | 17.7 | IT staff is highly trained in their area of expertise via outside training firms and local universities. |
3 | 24.0 | 24.7 | 18.0 | The chief strategy officer (CSO) has put in place a dedicated controls management team whose job is to make sure that the security controls implemented are the most effective ones possible whether or not they are required for compliance. |
3 | 29.5 | 29.0 | 19.8 | The CSO is passionate about security. |
Somewhat safe (Median risk rating between 30 and 45) | Â | |||
1 | 32.0 | 30.7 | 16.6 | The personnel manning facilities are competent. |
1 | 33.5 | 31.1 | 17.1 | The IT department is adequately staffed. |
1 | 42.0 | 36.5 | 18.0 | IT had a yearly audit due to HIPAA requirements. |
1 | 34.5 | 35.8 | 19.4 | All digitized records are stored and processed on a private network. |
2 | 35.0 | 36.7 | 15.9 | An audit was recently passed. |
2 | 35.0 | 35.1 | 18.4 | The network is in full compliance with the DoD. |
2 | 34.0 | 36.4 | 20.4 | The IT staff are fully trained. |
3 | 35.5 | 33.9 | 17.5 | 85% of these employees have been employees of the company for 15 years or more. |
Somewhat risky (Median risk rating between 55 and 72) | Â | |||
1 | 56.0 | 58.0 | 11.6 | The recent legislation on the reformation of the national health care system |
1 | 58.5 | 62.6 | 14.0 | Various adversarial organizations have growing concerns over the lack of medical record privacy because of the legislation. |
1 | 69.5 | 69.8 | 15.9 | The type of data the hospital handles |
1 | 65.5 | 64.6 | 16.2 | All patient records are digitized. |
1 | 70.0 | 66.8 | 16.6 | End users have Windows machines. |
1 | 65.0 | 68.2 | 17.3 | It (the network) involves a large hospital. |
1 | 59.5 | 63.1 | 17.4 | The hacker’s intent was to motivate another reformation of the national health care system. |
2 | 70.0 | 68.5 | 20.2 | The network is within a small geographical region near a war zone. |
2 | 65.0 | 67.1 | 22.1 | The network is heterogeneous with Windows, UNIX, and proprietary military operating systems. |
3 | 68.5 | 66.5 | 10.2 | The organization has 20 offices worldwide. |
3 | 56.0 | 61.3 | 13.9 | The software development firm has 13,000 employees. |
3 | 70.0 | 71.5 | 14.1 | Competition is fierce in the business intelligence domain. |
3 | 60.0 | 63.8 | 14.2 | Offices are located in North America, South America, Asia, Europe, and Australia. |
3 | 72.0 | 73.8 | 14.9 | It took a couple of years to recover from these two incidents. |
3 | 70.0 | 74.2 | 17.8 | Clients are from the government military and commercial sectors of 135 countries. |
3 | 71.0 | 69.9 | 18.9 | The intranet hosts a database of technical reports, proprietary design information, social collaboration tools, email servers, etc. |
1 | 76.0 | 74.9 | 18.1 | A prolonged outage of digital recordkeeping could cause significant damage to the hospital’s ability to serve its patients. |
1 | 82.5 | 78.6 | 18.5 | Release of patient care information puts the hospital in legal liability. |
1 | 75.0 | 72.9 | 18.8 | Hackers in the past few weeks have been attacking various medical centers nationwide. |
1 | 74.5 | 73.2 | 19.1 | These attacks in the past few weeks have leaked private patient care information on the internet. |
1 | 75.0 | 74.4 | 20.0 | These adversarial organizations are persistent and academically capable of executing an attack. |
1 | 77.5 | 75.9 | 22.5 | Release of patient care information damages the hospital’s reputation. |
1 | 75.0 | 70.6 | 24.0 | Release of patient care information violates HIPAA regulations. |
2 | 95.0 | 92.6 | 10.2 | The primary adversary has excellent offensive cyber skills equal to or better than 90 existing nation states. |
2 | 90.0 | 87.5 | 12.1 | The primary adversary is well funded. |
2 | 100.0 | 92.2 | 12.1 | Malicious activity has been noted on the network in the past six months since wartime operations intensified in this region. |
2 | 95.0 | 88.8 | 13.9 | The adversary was likely trained by the U.S. government in the past two years. |
2 | 95.0 | 87.7 | 14.8 | The adversary is highly motivated. |
2 | 90.0 | 86.2 | 14.9 | The adversary is deeply interested in U.S. troop positioning. |
2 | 80.0 | 78.8 | 16.4 | The network has Windows systems. |
2 | 85.0 | 83.1 | 16.9 | The primary adversary is a nation state. |
2 | 90.0 | 84.3 | 17.1 | The network stores highly sensitive data related to enemy versus U.S. troop positioning and high-value target location information. |
2 | 80.0 | 77.0 | 17.3 | This network stores and processes time-sensitive intelligence information. |
2 | 87.0 | 80.4 | 18.8 | The information stored and processed on this network includes Top Secret SEI 5 Eyes NOFORN information. |
2 | 77.0 | 69.9 | 24.1 | This involves a classified military network. |
3 | 77.5 | 82.5 | 12.6 | Competitors have sophisticated well-funded espionage teams to steal competitive information. |
3 | 75.0 | 77.9 | 14.8 | Almost all employee machines have access to both the internet and intranet. |