BOX 5.1 Risk Assessment

In conducting a risk assessment, organizations consider the following:

  • The value of the assets being protected.
  • The vulnerabilities of the system: possible types of compromise, including the vulnerability of users as well as systems. What damage can the person in front of the machine do? What about the person behind it?
  • Threats: do adversaries exist to exploit these vulnerabilities? Do they have a motive, that is, something to gain? How likely is attack in each case?
  • Risks: the costs of failure and recovery. What is the worst credible kind of failure? Possibilities are death, injury, loss of privacy, and fraud.
  • The organization's degree of risk aversion.

These considerations must be balanced against:

  • Available countermeasures (both technical and nontechnical); and
  • Their direct costs and the indirect costs of implementation.

SOURCE: Computer Science and Telecommunications Board, National Research Council. 1991. Computers at Risk: Safe Computing in the Information Age. National Academy Press, Washington, D.C., adapted from pp 59-60

als, committees, or departments for developing specific procedures and mechanisms by which the policy is to be implemented (see Chapter 4).

Confidentiality Policies

Confidentiality policies describe the overall approach to be taken in balancing access to information against protection of information. They may also provide details about the organization's risk assessment so that readers can understand why certain behaviors and procedures are important.

Organizations often have a number of datasets that management considers confidential: individual health information, financial data, business plans, employee files, outcomes research, and so on. Each of these datasets may be considered a corporate asset, and its disclosure may result in a financial disadvantage or loss to the organization. Although this perspective can provide strong incentives for protecting health information, health data are qualitatively different from proprietary corporate information and entail unique risks and liabilities. Confidentiality poli-
