It just seems that either no one is measuring realized risk exposure numbers for their firms, or mum's the word on their findings. The information that I collect is strongly covered by Non-Disclosure Agreements. To help with this, I want to start publishing de-identified statistical abstracts.
I included some of these statistical abstracts in the financial section of a paper published by ANSI. I am a coauthor on "The Financial Impact of Breached Health Information, A Business Case for Enhanced ePHI Protection" (http://webstore.ansi.org/). There are more, yet wrapping one's head around measured risk in this area takes time.
Still, there is a substantial financial costing approach, as well as a selection of known failure paths that could be estimated. I want it to be an incremental step toward a better answer to the following question: How does anyone justify Information Security Risk Exposure without any notion of what a data flow is worth and what a misrouted data flow might cost? In medical terms, "When can spending $10,000 on InfoSec be better for patients than buying a new heart monitor?"
Comments
How does anyone justify Information Security Risk Exposure without any notion of what a data flow is worth and what a misrouted data flow might cost? In medical terms, "When can spending $10,000 on InfoSec be better for patients than buying a new heart monitor?"
You could probably start by researching the penalties an institution is exposed to under HIPAA for improperly securing their data and networks. This is way out of my area of expertise, but the law is relatively static, not covered by NDA, and there are prior rulings to dig through. You could also examine civil liabilities.