The University Record, July 22, 1998

Project lays foundation for analyzing IT incident costs

By Theresa Hofer
Information Technology Division

Results were released recently from a ground-breaking study of information technology (IT)-related incidents in academic computing environments. The study, sponsored by the chief information officers of the Committee on Institutional Cooperation (CIC), provides a foundation for future research into the risks and costs associated with these incidents.

According to Project Director Virginia Rezmierski, director of the Office of Policy Development and Education, Information Technology Division, system administrators knew that IT-related incidents were occurring, but had no method for determining what the incidents were costing their universities in time, materials and resources. "If you are going to try to manage your risks," she says, "you need to understand what's happening, how much it's costing and how often it's happening. The CIC chief information officers were proactive in examining their risks."

The Incident Cost Analysis and Modeling Project (ICAMP) was designed to begin the process by developing a method for understanding the factors that influence the occurrence and costs of IT-related incidents in academic computing environments, and to provide insight into the magnitude of loss to the universities from 30 particular incidents.

Project team members included U-M graduates Stephen Deering, Amy Fazio and the late Scott Ziobro. With the cooperation of staff at the 12 CIC campuses (the Big Ten plus the University of Chicago), the team gathered detailed information from 30 incidents submitted by IT personnel at the universities. The incidents included hardware and data theft, unauthorized access by computer hackers, power outages and system crashes.

Investigators examined both direct and secondary costs of the incidents, including unquantifiable costs such as lost work opportunities, damage to the institution's reputation and the potential for legal liability. The team then developed the foundation for a model for analyzing the costs of IT-related incidents and identified factors that increase both the likelihood of an incident occurring and the cost of an incident once it has occurred.

The costs of the 30 incidents ranged from $30 to $150,000. Rezmierski notes, "Some would say that these incidents really cost nothing because the people working on them were already hired and would get paid anyway. Others would argue that the incidents cost the full amount because these employees should be doing other things."

Kathy Kimball, university computer, network and information security officer at Pennsylvania State University and a member of the ICAMP advisory board, presented the results of the study to about 150 people attending the conference of the Forum on Incident Response Teams on June 24. Attendees from North and South America, Europe and Asia expressed great interest in the results. "In the security community," Kimball said, "there's a hunger to get any data that indicates what costs are."

Researcher Fazio warned, however, that the numbers without frequency data can be misleading. "A $30 incident," she said, "could occur 60 times a month or more. Without frequency data, we simply cannot say how much these incidents are really costing universities."

George Cubberly, assistant risk manager in the Office of Risk Management and another member of the ICAMP advisory board, believes that the next major step is a study that would examine frequency data for certain types of incidents. "The numbers," he said, "may be staggering."

Rezmierski agrees and is seeking funding for such a follow-up project. "The security people believe strongly," she says, "that we have shown even less than the tip of the iceberg."

Meanwhile, Fazio notes, universities or even departments within universities that are tracking frequency data could plug their data into the ICAMP model. "We purposely structured the model so it was as accommodating as possible to all academic institutions."

Cubberly observes that the issues examined by the ICAMP study should be of concern to all University faculty and staff. "Everybody needs to be aware," he says, "that they all have some sensitive data, and part of their responsibility is to protect that for the University. Lack of security and backup costs dollars and inconveniences faculty, staff and students."

For more information about ICAMP or to obtain a copy of the report, contact Rezmierski at 647-4274 or ver@umich.edu. For questions about hardware and data loss, insurance coverage and disaster planning, contact Cubberly, 764-2200 or gpcubber@umich.edu. To report suspected IT-related incidents, contact the IT User Advocates at itua@umich.edu.