The University Record, February 11, 1997
Project analyzes risks, costs of computer incidents
By Theresa Hofer
Information Technology Division
Financial losses due to computer crimes may run as high as $10 billion a year, according to the Feb. 3 issue of Fortune magazine. If you include the indirect costs of computer crime, the losses may be even higher.
"People tend to think about the costs as the direct costs," says Paul Moggach, director of U-M's Risk Management Office. "But there's more to it. We need to talk about the administrative costs: what goes into rebuilding a database and the other consequential things that are not direct losses. If we don't come up with a program that will help us deal with and manage these situations, we're going to be in a real bind."
To meet that need, personnel in the Risk Management Office and the Information Technology Division (ITD) have joined forces in a project---the Information Technology Risk Management, Cost Analysis and Cost Modeling Project---to analyze information technology risks and costs and develop a cost analysis model. The project is being supported by a grant of more than $55,000 from the Committee for Institutional Cooperation (CIC)/Big Ten Security Committee.
"Managers right now are trying to manage information technology without data about the risks and costs," says Virginia E. Rezmierski, assistant for policy studies in ITD and project director. "This project is designed to support managers so they can make decisions about the procedures that need to be put in place, the policies that may need to be put in place, and/or the risks that may be reasonable to live with. The Big Ten schools recognized the need for this project and supported Michigan in taking the lead on developing variables and a cost analysis model."
Traditionally, information technology risk management has focused on losses due to disasters, such as the cost of replacing computer hardware and software lost in a fire or flood and the impact of the interruption of normal business. These models often do not include other costs, such as proprietary data losses; opportunity losses; and time lost by affected faculty, students, and staff.
Last fall, Scott Ziobro, a policy analyst in ITD, started gathering and analyzing data in order to calculate the total costs for selected computer incidents at U-M. Some costs, such as the time staff takes to investigate an incident, are simple to calculate. Others are more difficult, such as the damage to a person's or department's reputation resulting from a computer incident. "How do you put a dollar amount on reputation?" Ziobro asks.
The CIC/Big Ten grant will allow Ziobro's work to expand to include computer incidents at all 13 CIC/Big Ten schools. The increased sample pool will enable Ziobro and the Risk Management Office to develop better models for analyzing and costing computer incidents. Project results will be shared with the participating schools.
"There's a real recognition that this work is needed," Rezmierski says. "We have the unanimous support of the Big Ten security steering committee and the CIOs [chief information officers]."
Moggach adds, "I'm really happy that the University of Michigan is in the center of this. Being part of the direction of this project is going to be very valuable for us."
Moggach urges University departments not to wait for the results of the project to start implementing security measures. "Somebody in your department could be in the middle of a $100,000 loss right now. There's too much at risk, so don't wait. Do what you can now."
What can a department do right now to manage its information technology risks? George Cubberly, assistant manager in Risk Management, suggests, "Get your facts before you start setting up your system so you can set it up in the best way possible. Ask first---then set up."
He also reminds departments with Web sites: "On the Web, you're not in your own little world. Even though the information you're putting on the Web may not be sensitive, if someone hacks in, they might be able to get to a site with sensitive data through your site."
People are available to discuss system security issues with your department. For technical questions, contact Dave Nesom, ITD computer security consultant, 763-0785. For questions about insurance coverage and disaster planning, contact Cubberly, 764-2200. For policy questions, contact Virginia Rezmierski or Scott Ziobro, 647-4274.
Ziobro, principal investigator for the project, wants to gather as much data as possible about computer incidents at the U-M. If a computer incident, such as a hacker intrusion, hard disk crash, database loss, or virus infection, has occurred in your department, contact Scott Ziobro at 764-2501 or send an e-mail message to firstname.lastname@example.org. He will work with you to determine total costs. All information identifying individuals and departments will be held in strict confidence.
Poor computer security: What could it cost you?
The cost of a computer security incident could be much higher than you think. Consider the following scenarios:
Scenario 1: Someone breaks into your department's research server through the network. By the time the hacker's presence is detected, he or she has tampered with important files, including crucial research data. Fortunately, your department has backed up its data regularly. Nonetheless, the server is down for more than a week while system administrators check system files, beef up security measures and reload data. Unable to access its data, one research team runs perilously close to missing a key grant deadline. Another researcher who has been collaborating with colleagues at two other universities reports that they are now hesitant to send her data for fear that unauthorized users will access it.
Scenario 2: A tenured faculty member's password is stolen and his e-mail account is used to send a highly offensive message to two dozen Usenet newsgroups. The faculty member starts receiving personal threats; the president's office is flooded with outraged phone calls demanding his resignation. The faculty member is able to prove that he could not have sent the message, and the University launches a massive---and expensive---publicity effort to get the truth out. Unfortunately, the message continues to be circulated on the Internet; the negative impact on the faculty member's and the University's reputations lasts for years.
Scenario 3: A "Trojan horse" program that steals passwords is placed on a number of public site computers. Information technology personnel spend hundreds of hours communicating with users, managing news reports and repairing tampered files. Students, faculty and staff who are victimized lose access to their accounts for several days while information technology staff work with them to assess and repair the damage.