Describe five vulnerabilities associated with the IT system as described and before security controls are implemented.
(a) Based on possible Threat Actors, briefly describe a risk associated with each of these vulnerabilities; using a scale of 1 – 5, assign a Probability of Occurrence and Consequence of Occurrence to each risk.
(b) For each of these risks, identify a feasible risk treatment (risk reduction, transference, avoidance, or acceptance) with a short rationale for each.
(c) Assume a risk has been identified resulting from a vulnerability in the system that manages the Patient Information Database. The estimated cost to restore the database if it is entirely lost or corrupted is assessed as $1M, and the economic damage due to patients and doctors moving to other hospitals is estimated to be an additional $1M. Based on published information on cyber attacks in the health care industry, the estimated number of successful attacks based on exploitation of the vulnerability is four (4) per year, and each successful attack is estimated to cost the hospital 5% of the estimated total potential loss. Further assume that a commercial product has been identified that will reduce the loss from a breach by a factor of ten (10) to 0.5% of the total. What is the maximum annual total cost for this product to achieve a positive return on the investment to procure it (i.e., a positive Control Value)?
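A worked calculation for part (c), added here as an example and not part of the assignment text: it encodes the annualized-loss model the question's figures assume (SLE = asset value x exposure factor, ALE = SLE x ARO, control value = ALE reduction minus annual control cost), so the same functions can also be applied to the risks identified in parts (a) and (b). Function names are my own.

```python
# Added example: quantitative risk arithmetic for part (c).
# Model assumed (standard ALE/control-value formulas, not stated on the page):
#   SLE = asset_value * exposure_factor      (loss per successful attack)
#   ALE = SLE * aro                          (expected loss per year)
#   control value = (ALE_before - ALE_after) - annual_control_cost

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """Loss from one successful attack (SLE)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """Expected loss per year (ALE) given an annual rate of occurrence."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def control_value(asset_value: float, ef_before: float, ef_after: float,
                  aro: float, annual_control_cost: float) -> float:
    """Net annual benefit of a control; positive means the control pays for itself."""
    ale_before = annualized_loss_expectancy(asset_value, ef_before, aro)
    ale_after = annualized_loss_expectancy(asset_value, ef_after, aro)
    return (ale_before - ale_after) - annual_control_cost


def max_control_cost(asset_value: float, ef_before: float, ef_after: float,
                     aro: float) -> float:
    """Largest annual control cost at which the control value is still non-negative."""
    return control_value(asset_value, ef_before, ef_after, aro, 0.0)


def break_even_aro(asset_value: float, ef_before: float, ef_after: float,
                   annual_control_cost: float) -> float:
    """Attack rate per year above which a control at this price becomes worthwhile."""
    saved_per_attack = single_loss_expectancy(asset_value, ef_before) - \
        single_loss_expectancy(asset_value, ef_after)
    return annual_control_cost / saved_per_attack


if __name__ == "__main__":
    # Figures from part (c): $1M restoration + $1M lost business = $2M total
    # potential loss; 5% lost per attack before the control, 0.5% after;
    # four successful attacks per year.
    total_loss, ef_before, ef_after, aro = 2_000_000, 0.05, 0.005, 4
    print("ALE before:", annualized_loss_expectancy(total_loss, ef_before, aro))
    print("ALE after: ", annualized_loss_expectancy(total_loss, ef_after, aro))
    print("Max annual product cost:", max_control_cost(total_loss, ef_before, ef_after, aro))
```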