Data Hemorrhages and Medical Identity Theft
In this project, we are examining the business risks of different types of disclosures including inadvertent web posting, social networks, blogs, and peer-to-peer file sharing networks.
Inadvertent disclosure of sensitive business information represents one the largest classes of recent security failures. With each new story, firms come under increased pressure to harden their networks and take a more aggressive security posture. However, it is often not clear what security initiatives offer firms the greatest improvement.In this project, we are examining different types of disclosures including lost mass storage devices, inadvertent web posting, social networks, blogs, and peer-to-peer file sharing networks. In each case, the disclosures are the same: sensitive information inadvertently leaked creating embarrassment, vulnerabilities, and financial losses for the firm, its investors, and customers. We show how confidential and potentially damaging documents have made their way onto public networks.
The research also shows that criminals actively search hoping to find information that they can exploit. We show how information is exploited including fraud and identity theft. Ongoing work is examining the extent of the leakage problem in different industries including US Banking and healthcare.
- Healthcare Data Hemorrhages and Medical Identity Theft: Confidential data hemorrhaging from health-care providers pose financial risks to firms and medical risks to patients. In this project, we are examining the consequences of data hemorrhages including privacy violations, medical fraud, financial identity theft, and medical identity theft. We also exploring the types and sources of data hemorrhages. Research findings presented at HICSS 2011. PDF IEEE Symposium on Security and Privacy 2010. PDF Financial Cryptography and Data Security 2009. PDF CIST2009
- Inadvertent Disclosures Amoung Top US Banks: In this project, we characterize the extent of the security risk for a group of large financial institutions using a direct analysis of leaked documents. We also characterize the threat of loss by examining search patterns in peer-to-peer networks. Our analysis demonstrates both a substantial threat and vulnerability for large financial firms. We find a statistically significant link between leakage and leak sources including the firm employment base and the number of retail accounts. We also find a link between firm visibility and threat activity. Finally, we find that firms with more leaks also experience increased threat. Research findings in Journal of Management Information Systems. PDF (650KB)
- Consumer Risks of Inadvertent Disclosure: Peer-to-peer (P2P) software clients have become part of the standard suite of PC applications for many users. With millions of users worldwide sharing music, video, software, and pictures, file movement on these networks represent a significant percentage of internet traffic. Through honey-pot experiments that expose personal financial information, we graphically show the risks consumer faces. Research findings in Communications of the ACM. PDF (746KB)
- Usability Failures and Data Hemorrhages: Usability failures, of both systems and embedded security, lead to user workarounds and security failures. In many areas of healthcare, workarounds are epidemic. Through field research, we are examining how usability failures lead to such hemorrhages and how organizations can stem the losses. IEEE April 2011 PDF (1.11MB)
- Breaches and Security Investment: Organizations often reactively invest in security either because they suffer a breach or are forced by government regulation. This research examines the effectiveness of proactive vs. reactive investment. Our initial results show that proactive investment is more effective in reducing future breaches than reactive investment. An Organizational Learning Perspective on Proactive vs Reactive Investment in Information Security, 2011.