In the previous entries of this blog series, we've been talking about the world of digital diseases. We have made some analogies related to biological diseases, and it has been great fun. If you've been following these musings, you are probably seeing why the analogies are appropriate. Even if you don’t, they're still fun to think about.
We can gather information and perform studies to discover ways to identify digital pathogens, which leads to the next logical step: how do we fix them, or essentially cure the digital disease? This is where things tend to become more complicated.
The first step is finding the issues that need attention. We did a study with EDUCAUSE that showed that vulnerabilities can be identified in great numbers in academic institutions. However, more obstacles appear once the problem is known: the next step, identifying the affected assets and the necessary cure, is harder. It's especially challenging in academic organizations, where staff have more freedom to pursue interesting ideas.
Second, we need the system to operate efficiently. As was mentioned in a study with the Independent College Enterprise, it's crucial to avoid false positives, which lead to alert fatigue. Both factors are essential to consider. Without the ability to identify and implement a fix for a known problem, or if the identified issues lead down a constant road of false positives, tools that identify vulnerabilities become so burdensome that they don't get used. The treatment shouldn't be more burdensome than the problem itself.
Then we need to procure the proper resources. If you can drastically reduce or eliminate false positives and identify the affected assets and the solutions needed to cure the digital disease, things become more manageable. Having that knowledge allows security professionals in organizations to approach boards and resource allocation officers with specific requests to fix specific problems.
These are both preventive and remediating measures, both equally important. It's analogous to the USA's somewhat controversial health insurance industry. If one wants funding for treating illnesses, the insurance industry must be provided with specific known health issues. It will provide funding (most of the time) for courses of treatment to cure the illness.
Ah, insurance. Now things get interesting. We have cyber insurance today, but it isn't set up to work in the same way healthcare insurance operates in the USA, which is again very controversial. However, there are some things worth considering. One is that health insurance providers will adjust insurance plan premiums based on risk factors, such as smoking or other practices that may lead to the onset of illness.
Cyber insurance seems to be moving in this direction as well, but more along the lines of preexisting conditions making you ineligible for insurance. What does not seem to be a practice today is the notion of providing funding to solve identified digital problems when they happen as part of a greater digital healthcare network.
As I mentioned in a previous blog post, perhaps this will come about once the government regulatory space steps in and essentially mandates digital healthcare and reputable sources for identifying issues. What would universal digital healthcare look like in cyberspace?