Threat Assessment and the Threat Management Lifecycle

The threat assessment process, which is illustrated in Figure 4-1, should provide you with a methodology for identifying threats, determining their potential impact, and identifying which steps you need to take to mitigate the risk. It’s important to note that social media threats are still evolving, so determining their real impact on corporations is hard. With more data in another year or two, we can probably better quantify the effects. These next sections cover the basic structure of the threat assessment process and introduce the Threat Management Lifecycle.

[Figure 4-1: the threat assessment process (figure not reproduced in this extract)]

Identify and Assess

Identify and assess potential threats to the organization through social media sources:

• Where can the threat attack and compromise the corporation?

• What methods can the threat use to attack the company?

• What risk does the company face?

• What options exist to monitor for such threats?

Analyze

Based on information you have collected about the threats your organization faces, what can you determine about the organization’s ability to respond to a threat?

• What are the organization’s weaknesses in collecting attack information from social media sources?

• What are the actual causes of the threats?

• How can the company actually identify that a threat is taking place?

• What resources are available to handle the threat?

• Do you have a method in place for prioritizing social media threats? What is that method?

• Which controls and tools are available once you have identified a threat?

• Is there any current known method of remediating potential or existing threats?

• Can threats be correlated to remediation processes?

Execute

The company must then respond to the threats it has identified:

1. Create an action plan approach based on how you will monitor and identify the threats.

2. Dedicate specific systems to threat resolution, and train specific staff to carry it out.

3. Plan for future threats and for how the company will respond.

The basic threat management process is similar to, or even the same as, what you would use to handle typical hacking activity against IT resources. Our definition of the Threat Management Lifecycle is detailed in Table 4-1.

[Table 4-1 is not reproduced in this extract. Its five steps, as named in the discussion that follows, are: 1. Threat Identification/Collection; 2. Risk Assessment; 3. Analysis; 4. Dissemination; 5. Remediation and Monitoring.]

Table 4-1 Threat Management Lifecycle

Threat Management in Action

Following the Threat Management Lifecycle for social media is not as simple as tracking down a technology threat such as an unpatched Microsoft server. Describing a social media threat is still a challenge because the terrain keeps shifting as technologies, behaviors, and ground rules evolve.

For example, early in 2010, a hospital employee was “encouraged to resign” for sending a tweet identifying Governor Barbour of Mississippi as a patient, even though no confidential information was sent out.[4] When the Governor tweeted, “Glad the Legislature recognizes our dire fiscal situation. Look forward to hearing their ideas on how to trim expenses,” an administrator at University Medical Center (UMC) responded with “Schedule regular medical exams like everyone else instead of paying UMC employees overtime to do it when clinics are usually closed.”

[4] Julie Straw, “Woman Out of a Job After Sending Tweet to Governor Barbour,” WLBT (December 21/22, 2010), http://www.wlbt.com/global/story.asp?s=11713360.

Since the employee’s tweet referenced an incident that had occurred three years prior, when the Governor had a checkup at the hospital, it was deemed a violation of the Health Insurance Portability and Accountability Act, or HIPAA. Vague as it was, the tweet revealed patient information. HIPAA obligations cover a wide range of employees, not just doctors and nurses. This type of threat might simply be the result of not properly educating employees on applicable laws; nevertheless, it still poses a threat to the organization.

Step 1, “Threat Identification/Collection,” was easy to determine: it was the tweet itself. Step 2, “Risk Assessment,” was based on the HIPAA violation and the potential fines to the organization. Step 3, “Analysis,” weighed the mitigating options and settled on the resignation. Step 4, “Dissemination,” was the hospital notifying the proper authorities about a possible HIPAA violation; and Step 5, “Remediation and Monitoring,” was encouraging the employee to resign. But remediation could also include ongoing training for all employees.
