From: Factors influencing network risk judgments: a conceptual inquiry and exploratory analysis
Factor | Mean risk | SD | Risk group |
---|---|---|---|
INFORMATION DIMENSION: Features related to the information stored on the network, the adversaries who want that information, and the consequences of the information being compromised. [Vignette #1: Hospital network] | |||
Recordkeeping could convert back to paper. | 40.6 | 21.8 | Â |
Hospital is in a metropolitan area. | 56.6 | 16.1 | Â |
Various adversarial organizations have growing concerns over the lack of medical record privacy because of the legislation. | 63.1 | 14.3 | Â |
The hacker’s intent was to motivate another reformation of the national health care system. | 63.1 | 18.0 | SR |
All patient records are digitized. | 65.0 | 16.0 | SR |
It (the network) involves a large hospital. | 68.4 | 17.4 | SR |
The type of data the hospital handles | 68.9 | 5.9 | SR |
Release of patient care information violates HIPAA regulations. | 71.9 | 24.1 | VR |
Hackers in the past few weeks have been attacking various medical centers nationwide. | 72.4 | 9.3 | VR |
These attacks in the past few weeks have leaked private patient care information on the internet. | 74.0 | 19.2 | VR |
These adversarial organizations are persistent and academically capable of executing an attack. | 74.3 | 20.6 | VR |
A prolonged outage of digital recordkeeping could cause significant damage to the hospital’s ability to serve its patients. | 75.2 | 18.0 | VR |
Release of patient care information damages hospital’s reputation. | 76.2 | 22.6 |  |
Release of patient care information puts the hospital in legal liability. | 79.9 | 18.0 | VR |
INFRASTRUCTURE DIMENSION: Features related to the infrastructure of the network and the compliance of the network with established protocols. [Vignette #1: Hospital network] | |||
Machines are not connected to both the private network and the internet. | 24.0 | 18.5 | VS |
The hospital recently installed additional emergency electrical generators. | 29.6 | 15.6 | VS |
The personnel manning facilities are competent. | 30.9 | 17.1 | SS |
The IT department is adequately staffed. | 31.7 | 17.2 | SS |
A disaster recovery plan has been implemented. | 32.0 | 18.8 | VS |
Results of the audit meet or exceed best practices for network configuration and maintenance. | 32.0 | 19.6 | VS |
The recovery effort from a natural disaster is expected to be rapid. | 32.3 | 21.2 | VS |
All digitized records are stored and processed on a private network. | 36.0 | 19.9 | SS |
IT had a yearly audit due to HIPAA requirements. | 36.6 | 18.5 | SS |
Database is Linux based for large-scale processing and storage. | 44.8 | 11.1 | Â |
Records are transferred from one hospital to another manually. | 45.3 | 20.6 | Â |
These adversarial organizations are not financially well funded. | 50.6 | 10.2 | Â |
The recent legislation on the reformation of the national health care system | 58.2 | 11.9 | Â |
Network is connected to programmable logic controllers (PLCs) for the medical equipment to receive test results and to manage and operate the machines. A PLC is a digital computer used for automating electromechanical processes. | 59.7 | 17.4 | Â |
The back-end servers are unique and housed in a single data center on the hospital premises. | 64.9 | 24.9 | Â |
PERSONNEL SKILL DIMENSION: Features related to the skill and training of network personnel. [Vignette #2: Military network] | |||
The network is a self-contained, segregated, and air-gapped network. | 26.0 | 20.8 | VS |
The IT staff man the network 24/7. | 34.6 | 20.9 | VS |
The network is in full compliance with the DoD. | 35.1 | 18.4 | SS |
The IT staff are fully trained. | 36.4 | 20.4 | SS |
An audit was recently passed. | 36.7 | 15.9 | Â |
The IT staff are well trained at various military schools. | 39.2 | 19.3 | Â |
The military installation has a mature emergency operation plan (EOP) and continuity of operations plan (COOP) that comply with the Federal Emergency Management Agency (FEMA) recommendations. | 41.0 | 19.3 | Â |
Full recovery is expected to occur quickly. | 41.6 | 22.3 | Â |
The systems running on the network use proprietary military operating systems. | 41.9 | 24.4 | Â |
The network is within a small geographical region near a war zone. | 68.5 | 20.2 | SR |
ADVERSARY SKILL DIMENSION: Features related to the skill, resources, and motivation of the adversary. [Vignette #2: Military network] | |||
The network has various UNIX systems. | 59.6 | 21.4 | Â |
The network is heterogeneous with Windows, UNIX, and proprietary military operating systems. | 67.1 | 22.1 | SR |
The network has Windows systems. | 78.8 | 16.4 | VR |
The primary adversary is a nation state. | 83.1 | 16.9 | VR |
The adversary is deeply interested in U.S. troop positioning. | 86.2 | 14.9 | VR |
The primary adversary is well funded. | 87.5 | 12.1 | VR |
The adversary is highly motivated. | 87.7 | 14.8 | VR |
The adversary was likely trained by the U.S. government in the past two years. | 88.8 | 13.9 | VR |
Malicious activity has been noted on the network in the past six months since wartime operations intensified in this region. | 92.2 | 12.1 | VR |
The primary adversary has excellent offensive cyber skills equal to or better than 90 existing nation states. | 92.6 | 10.2 | VR |