[BreachExchange] Understanding hacker economics: the key to developing effective cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 23 18:05:37 EST 2016


http://www.himssfuturecare.com/blog/understanding-hacker-economics-key-developing-effective-cybersecurity

You might think economics is about making money, and to a significant
extent it certainly is.

But according to Scott Borg, chief economist at the U.S. Cyber Consequences
Unit, an independent, nonprofit research institute that investigates
strategic and economic consequences of cyberattacks, healthcare executives
need to recognize that there’s an economics of cybersecurity, too.

“An important thing to realize in economics is it’s not just about money,
it is about choices – economics is about making the best decisions and
creating the most value you can,” Borg explained recently over at
HealthcareIT News. “In terms of cybersecurity, economics is about
protecting your organization’s ability to create value. Cybersecurity
executives need to understand how the systems that are protecting assets
create value, and they have to know how much value they are creating.”

In other words, he said, they must also clearly understand what their
organizations actually do.

According to Borg, who will be speaking at the upcoming HIMSS Privacy &
Security Forum in Boston, executives with a clear idea of what their hospitals
or clinics are actually doing “will immediately see that a lot of things
they are protecting do not really deserve a lot of attention and are not
things attackers are likely to go after. Meanwhile, they will also see that
other systems are both totally important to their organization and are
prime targets for the attackers of the near future.”

With that overview in hand, they can start customizing security to fit
their organizations, an approach that is going to become increasingly
important as the Internet of Things significantly expands the kinds of
attacks that hospitals and clinics could potentially suffer.

“The Internet of Things is the big new worry, but healthcare executives
need to think about why someone would want to attack these devices in a
clinic or hospital,” he said. “One of the new reasons is that
cyber-attackers are beginning to discover they can make more money in
financial markets than they can by credit card fraud. And in cybersecurity
that is a big new development, just as big as the Internet of Things.

“Hackers can attack an organization in order to bet in the financial
markets that a given stock will go down after an attack and attack that
entity in a really conspicuous way,” he explained. “And when the stock
drops as the result of the attack, the attackers can invest in the stock as
the stock falls. They then can multiply an investment by hundreds of times.
There is so much money to be made that way. And that suddenly means some
health systems will need to worry about things they did not need to worry
about until now.”