USENIX News

 

Incident Cost Analysis and Modeling Project II (I-CAMP II)

by Gale Berkowitz
USENIX Deputy Executive Director
<[email protected]>

Colleges and universities are becoming increasingly concerned about security incidents in the distributed and diverse electronic networks and services they have created on their campuses. This concern is being heard from data handlers, data stewards, data administrators, and system administrators. Decision-makers are often reluctant to invest the required level of resources in security-related functions, simply because they lack information about data security and the costs and benefits associated with it.

Some people at the University of Michigan are concerned enough about security incidents to study them systematically. The USENIX Association is providing funding to conduct the study.

The Incident Cost Analysis and Modeling Project II (I-CAMP II) is under the direction of Dr. Virginia Rezmierski, Director of the Office of Policy Development at the University of Michigan. It is designed to learn more about the types of information-technology (IT) incidents occurring, how often they occur, and the costs associated with rectifying them. Examples of common IT-related incidents include unauthorized access to data, denial of service, power interruptions, hardware failures, and backup failures.

During the first phase of the project, I-CAMP-I, researchers gathered a sample of IT incidents, developed a cost-analysis model, and reviewed existing IT risk management models in higher education. The I-CAMP-I report found that:

  • IT incidents were occurring at a steady and perhaps alarming rate.
  • Managing such IT incidents takes valuable technologist time away from needed production and development responsibilities.
  • Real, and in some cases significant, costs are associated with these IT incidents, even when a conservative approach to cost analysis is taken.
  • Whereas hacker-type incidents were most readily identified by initial campus contacts, a greater variety of incidents, including data theft, were identified as the project progressed and others became involved.
  • Frequency data, not collected in this project, is needed to estimate overall risks and costs to campuses.
  • Recommendations for management were needed to begin to reduce or eliminate these costs.

I-CAMP-II expands on the design and implications from the first phase in the following ways:

  • It expands the sample of incidents to other representative campuses from among the Committee for Institutional Cooperation (CIC) Big Ten campuses, as well as a select sample of large universities that have incident databases.
  • It expands the range of incidents tracked and factors affecting them.
  • It develops specific recommendations to reduce or eliminate the risks of identified types of IT incidents.

At the end of the first quarter of the project, I-CAMP-II is well underway. An advisory board has been selected, participating schools have been chosen, and the project methodology has been refined. The project team has already been working on better ways to classify incident types. It has divided existing incidents into two groups: those determined to be malicious behaviors and those that are seen as unthinking acts. Both categories of incidents jeopardize operations and security and/or add liability to the institutions.

The I-CAMP-II study will provide system administrators with critical information to increase security awareness within their organizations. A final report from the project is expected early in 2000.

For more information about the project, please contact Virginia Rezmierski, Director of the Office of Policy Development at the University of Michigan, at 734.647.4274, or by email at <[email protected]>.

 

Last changed: 7 Oct. 1999 mc