On the application of Nash’s Equilibrium to Healthcare Information Risk Management

Track: Privacy, security, confidentiality and protection of healthcare information

Marc-André Léger, DESS, MScA (MIS),
Université de Sherbrooke, Sherbrooke, Québec, Canada, marcandre@leger.ca

Through a case scenario approach, this article seeks to demonstrate the inadequacies of current Risk Assessment Methodologies used today. In particular, Risk Assessment Methodologies used in a Healthcare setting fail to adequatly weigh the value of ethical and public health. Therefore different approaches, relying on different paradigms, could be used. Two possible candidates are proposed, Prospect Theory and Nash’s Equilibrium.


Health, information, Security, Risk, Management

1. Introduction

Healthcare professionals and organisations need information. Evidence based medicine; healthcare system administration and medical research all rely on data produced throughout the system. Information systems are increasingly present in all aspects of clinical practice, in administrative functions and in many other areas. The emerging importance of the Electronic Health Record (EHR) as well as the increase in the use of information technology (IT) in healthcare activities is progressively providing access to large quantities of data concerning patients, health care delivery and research [1] [2] [3]. Because of this reliance on information and because information needs various technologies to carry it, information security has become an issue. Healthcare organizations, to perform optimally, with regularity, over time, need to identify the predictable [4], they need to manage risks associated to its need for information. This is what we call Healthcare Informational Risk Management or HIRM.

There are many additional factors that justify the need for HIRM. The limited availability of financial and human resources, motivates organizations to be very careful about how it allocates them.  Because Information Technology can be expensive to acquire and maintain and require specialized resources, HIRM can be used as part of the solution to keep their costs under control. For some organisations, laws and regulations impose specific requirements as to the preservation of privacy and confidentiality. The nature of Healthcare imposes requirements for availability, for example that availability of a patient’s bedside chart during rounds. Integrity of information can also be a sensitive issue, for example between the blood types A and B there is a single bit difference but if that bit is changed inadvertently, it can have severe consequence for a patient receiving the wrong blood. All of these reasons and others require Healthcare organisations to implement a Risk Management program.  For others, contractual requirements are a catalyst. Managing risks is paramount to accurate financial reporting and optimal decision-making [5]. For these and other motivation, there has been significant interest in the Québec Healthcare system to find a HIRM solution, expressed through Request for Proposals (RFP) published in the last year. As well, many regional jurisdictions in Canada, the Federal Government and Canada Health Infoway have shown interest in HIRM. In this article, we look at HIRM through an example in our specific local context, we therefore present an overview of the Québec Healthcare system.

2. Methodology

This discussion paper presents a research hypothesis that has emerged from on-going research being performed as a requirement for the obtention of a Doctorate degree in Clinical Sciences at the Faculty of Medecine of the University of Sherbrooke. The article uses a case scenario approach to illustrate a research problem that has evolved into a hypothesis.

3. Case scenario

3.1 Brief overview of the Québec Healthcare system

Since 1971, the Québec Health and Social Services Agency, known as the MSSS (Ministered de la Santé et de Services Socaux), has been the sole provider of Healthcare in the Province of Québec, where approximately 25% of the population of Canada reside. In 2005 it employed 269 600 individuals in 1786 worksites, representing 6.7% of the active population of Québec [6]. At the local level, 95 Health and Social Services Centers (CSSS) and associated Local Services Network (RLS) offer health and social services to a given population. In December 2004, the Act respecting local health and social services network development agencies (Bill 25) created CSSS by merging local community health centres (CLSCs), residential and long-term care centres (CHSLDs) and general and specialized hospital centres (CHSGSs). The objectives of health and social services centres are the following:

  • To promote health and well-being
  • To bring together the services offered to the public
  • To offer more accessible, better coordinated and seamless services
  • To make it easier for people to move through the health and social services network
  • To ensure better patient management, particularly of the most vulnerable users

All CSSS and RLS are connected to a province wide Healthcare network, known as the RTSS [26]. This private network implements a top down infrastructure with a national datacenter (TCN) linking several regional datacenters (TCR). Local CSSS and Healthcare establishments have Local Area Networks that are connected to the TCR of their region. Typical Information management services, like email or word processing, are provided at the establishment level. In some cases, databases are supported by database management systems shared (s-DBMS) among multiple establishments within a TCR. Internet access is provided through firewalls located at the TCN level.

3.2. Our scenario

To illustrate the problem we find in HIRM, we present a simple scenario. A resident of the Province of Québec, in the city of Montréal, accesses the RLS through a nearby community health center (CLSC) for the flu. He is very worried because he watches the news and fears that he may have Bird flu (H5N1). Arriving at the reception, his identity is verified as he presents his Québec Medicare card. At this point the resident is considered a patient (P) and goes to an isolated waiting room while his Health Record (HR) is retrieved and until the appropriate Healthcare Professional (HP) becomes available. In the CLSC, the patient’s HR is in part on a paper support (covering pre-1998 visits by the patient) and electronic format (eHR). Due to the RTSS, part of the eHR is retrieved from a local database and another portion from the s-DBMS located in the Montreal TCR. Once P has met with the HP, in this case a General Practitioner MD, blood tests are ordered, the eHR is amended to include the new information and P leaves with a recommendation for rest and hydration. The HR suspects P has a common cold and may suffer from an anixiety related disorder. Once the laboratory results are returned, a few hours later, the patient is informed via phone by the CLSC that he has a simple cold. We will expand on this scenario through the remainder of this article to illustrate our hypothesis.

4. What is Risk?

The word risk finds it’s origins in the middle-age Italian word risco, meaning sharp rock. In the 17th century, as the early insurance companies where involved in maritime shipping, risk evolved from the sharp rocks that where a source of danger for ships [11]. Since the introduction of probabilities by Pascal and the early work of Rousseau on uncertainty [11], the idea has developed that risk is something that can be studied, it is not magical nor an Act of God. The Uncertainty of the future, a condition of affairs is designated by Knight [12] in the 1920’s with the term « risk ». Later authors [13] suggest that the terms risk and uncertainty have become interchangeable, and one can often be found in the description of the other. For Browning [15], risk stems from uncertainty surrounding potential future states and the consequences of those states should they occur. The US Army [14] defines risk as the accepted result of an informed decision and terms gamble an uninformed bet or guess on a hopeful outcome. In epidemiology [16], it is most often used to express the probability that a particular outcome will occur following a particular exposure. In a healthcare setting risk is composed of the following three component parts [17]:

  • Threat: The occurrence of which will represent a trigger event which may lead to an adverse (set of) consequence(s).
  • Vulnerability: A weakness in the system and – or the overall environment, which could be exploited by a threat occurrence.
  • Impact: the (set of) consequence(s) to a healthcare unit which could arise if a threat occurrence exploited vulnerability and adversely affected one or more assets comprising the system.

4.1 Formal Risk Assessment Methodologies

In an organisational setting, risk is managed in a mixture of formal and informal processes. Formal risk management processes are what we refer to as Risk Management. ISO Guide 73(2002) defines Risk Management as the coordinated activities used by an organisation to direct and control risk. It generally includes risk assessment, risk treatment, risk acceptance and risk communication activities [7][8][9] to balance the operational and economic costs of risk mitigation measures to maximize organisational benefits by protecting assets that support their mission [10].

Formal Risk Assessment Methodologies (FRAMs), such as CRAMM [18], determine risk as the “product” of the likelihood of a security incident affecting a particular asset and the impact cost. Similar approaches are used by methodologies such as MÉHARI or OCTAVE, used in Québec. IVRI™, developped by the author, also follows this approach. All of these methodologies are in a similar qualitative paradigm. In all of them the likelihood (probabilities) of a threat and the severity of the impacts must be determined by individuals in the organisations using Likert-like scales. This makes them subject to how individuals perceive risk and its components. According to Savage [20], the very assignment of numerical probabilities, even if subjective, implies that it represents choice under risk. These probabilities are expressions of what is ultimately belief and seem more like uncertainty. Matters where, according to John Maynard Keynes [21], there is no scientific basis on which to form any calculable probability whatever. In the field, we have observed that the subjective nature of uncertainty may introduce internal validity problems with FRAMs. We have observed noticable differences with individual determination of likelyhood or impact in vivo. We believe that this subjectivity is a potential source of error in risk assessment since there is little evidence of internal validity controls, similar to what is used in research methodologies (e.g. triangulation), in FARMs.

4.2. Validity issues in FRAMs

In a non-exaustive empirical analisys of risk assessment methodologies used in Québec organisations, we found little evidence of internal validy controls or that internal validity controls had been validated by the creators of these methodologies. Using validity criterias used in Clinical Research presented in Whittemore [27], illustrated on the table below, we believe that there is evidence that some criterias are not addressed.

Table 1: Primary and Secondary Criteria of Validity in Qualitative research [27]

Criteria Assessment
Primary criteria
Credibility Do the results of the research reflect the experience of participants or the context in a believable way?
Authenticity Does a representation of the emic perspective exhibit awareness to the subtle differences in the voices of all participants?
Criticality Does the research process demonstrate evidence of critical appraisal?
Integrity Does the research reflect recursive and repetitive checks of validity as well as a humble presentation of findings?
Secondary criteria
Explicitness Have methodological decisions, interpretations, and investigator biases been addressed?
Vividness Have thick and faithful descriptions been portrayed with artfulness and clarity?
Creativity Have imaginative ways of organizing, presenting, and analyzing data been incorporated?
Thoroughness Do the findings convincingly address the questions posed through completeness and saturation?
Congruence Are the process and the findings congruent?
Do all the themes fit together?
Do findings fit into a context outside the study situation?
Sensitivity Has the investigation been implemented in ways that are sensitive to the nature of human, cultural, and social contexts?

In particular we believe that criterias of Authenticity, Integrity, Vividness, Thoroughness, Congruence and Sensitivity appear problematic in relation to FRAMs we have examined. These should warrant empirical investigation to verify. We therefore believe that it is therefore necessary to look at decions about risk are made to try to understand how this source of error can be better understood.

4.3. Decisions about risk

Models of individual preferences about risk have their historical roots in the school of social philosophy known as Utilitarianism [22], proposed in the late 18th century. In Utilitarianism, the goal of all actions is to maximize general utility, with utility defined as any quantitative index of happiness satisfying certain basic properties. Utilitarian theory, neoclassical economic theory and game theory are the basic principals of rational choice theory or RCT [23]. The fundamental core of RCT is that social interaction is basically an economic transaction that is guided in its course by the actor’s rational choices among alternative outcomes. Decisions are taken only after its benefits and costs have been weighed, considering prices, probabilities and indivual preferences. The unit of analysis is the individual decision made by an individual decision maker. RCT defines rational actions of rational individuals as occurring under several constraints:

  • Scarcity of resources
  • Opportunity costs
  • Institutional norms
  • Information

In an organisational setting, with the classic top-down management structure, the sum of these individual decisions, with different weights in respect to the position of the decision taker, are what make it function. These individuals in a social, while using RCT to maximise utility, are affected by the above mentionned constraints and by other influence of a psychological and cultural nature as well as by external pressures. Risk Assessment Methodologies mentionned previously all implement processes to account for the consideration of the abovementionned constraints of RCT in risk assessment. In short, Rational Choice Theory is the theoritical model behind these methodologies. While we believe this is more due to historial and cultural reasons rather than on epistemological positionning, it appears to be supported by empirical evidence.

5. Application of RCT to our risk scenario

In this section of our article, we present an example of HIRM using Rational Choice Theory. This expands on the scenario presented earlier. In the scenaro we presented before there are several stakeholders. The most obvious ones are the Patient (P) and CLSC Staff. As well, TCR staff that manage the s-DBMS and MSSS staff that manage the Quebec Healthcare system are also stakeholders in our scenario. The informational assests that are involved are:

  • Québec Medicare card;
  • Health Record (HR) and electronic support (eHR);
  • The RTSS network;
  • A local database;
  • A s-DBMS located in the Montreal TCR;
  • Blood;
  • The laboratory results;

To illustrate the expected utility for each of the stakeholder category in relation to the relative value of the information assets, se we have build the table presented below. For this purpose we have made an informed guess at the relative value using data from a previous study [24] in a scenario where the informaiton asset was divulged or destroyed (high impact). We present only the most relevant results in table 1 for convinience.

Table 2: Relative value of information assets by stakeholder category.

  Medicare card HR RTSS Local Database s-DBMS
Patient Low High Low Low Low
Staff Low Replacement cost Low Replacement cost and data recovery Low
TCR staff Low Replacement cost High Low High
MSSS staff Replacement cost and misuse cost Replacement cost and potential privacy law suits Replacement cost Low Replacement cost

Let’s limit our scope to the eHR information asset. What is, in our scenario, the risk associated with the eHR. Risk, as we cited from Smith [17], consist of Threat, Vulnerability and Impact. If we consider the threat as the divulgation or destruction of the eHR and the Vulnerability as being use of the RTSS network to gain internet access to the eHR we can propose the following table.

Table 3: Impact of the divulgation of the eHR and Risk by stakeholder category

Stakeholder Impact of the divulgation of the eHR Risk
Patient Loss of privacy, a basic human right protected in Québec, potential for anxiety and financial loss. Loss of confidence in the Healthcare system. Potentially High
Staff May need to retype data retrieved from paper form (time) or restore backups (time) if available, possible sanctions by employer (generally minor unless criminal intent) Low
TCR staff May need to restore backups if available (time), sanctions by employer if there is direct responsibility (generally minor unless criminal intent). Low
MSSS staff 1000$ per incident in case of law suits for loss of privacy. Loss of reputation if the situation is made public, possible sanctions from a letter of reprimand to loss of employement or demotion (generally minor unless criminal intent) if a responsibility can be established. Low

In such a scenario, where the Threat to materialise, the risk would be a function of the impact. Comparing the impact of the realisation with the non-divulgation state we are in before we added the Threat, we would estimate the risk from each stakeholder’s point of view as has indicated in the last column of the previous table. If, as we cited previuosly, the objective of Risk Management is to balance the operational and economic costs of risk mitigation measures to maximize benefits by protecting the eHR, then from the point of view of each stakeholder the justification is for low risk mitigation expenditures, with the exception of the Patient. In the case MSSS, because the aggregate the combined risk of the 7 million residents of Québec, the combined risk cand be perceived as more significant. Using RCT to maximise utility, we would expect the MSSS and the patient to give more value to protecting the eHR, while it would have less value for other stakeholders. In the field and in previous empirical research [24], we have noticed that TCR staff, when given a choice, allocated more ressources to operating performance than to Risk Management activities. At the MSSS level, the suggested high aggegated risk may supported by reality, as significant effort is devoted to ensure that the link between the TCN and the InterNet is secure.The Patients, while concerned, have little say in HIRM..

5.1. Application of a Formal Risk Assement Methodology to our risk scenario

We performed a Formal Risk Assessment, in our scenario making basic assumptions based on our knowledge of the Québec Healthcare system from a previus study [24]. This was done using IVRI™. This methodology was choosen necause it was created by the author of this article and because it is available at no cost on the Internet (www.leger.ca) so this risk assessment scenario may be duplicated. It was published in french [8] in 2003 and uses a Spreadsheet to assist the Risk Assessment, which produces the graphic presented below. The IVRI Risk Index (IRi) was 1570 with a baseline (IB) at 727.

Figure 1 Estimated Risk by Threat category with IVRI™

By comparing the results obtained using the FRAM with the resultus of the application of RCT to our scenario, we believe that there is the appearance of congruance. A possible explanation for this is that FRAMs, such as IVRI, implements a form of RCT. This needs to be confirmed through empirical investigation. Our hypothesis is that FRAMs available today in Québec implement a form of Rational Choice Theory.

5.2. Where is the problem?

The problem that we see, having done research in the field of Healthcare Informatics, has to do with Ethics. In Healthcare, a long Ethical tradition, first expressed through the Hypocratical oath and reenforced by experice of the Nuremburg Code, has evolved to be suppported by law, Charters of rights and Codes of Deontology. The rights to privacy and confidentiality are intimately connected with the right to respect for one’s dignity, integrity and autonomy are constitutionally enshrined in the Canadian Charter of Rights and Freedoms and Quebec’s Charter of Human Rights and Freedoms [25]. They are the principal drivers of the requirement for adequate treatment of risk in healthcare organisations [26]. In assessing risk in an HIRM setting it is necessary to value Ethical considerations as well as the expected utility provided by RCT. In our previous scenario, Ethical considerations, such as loss of privacy if a single patient’s information is divulged, has a relatively low Risk for the MSSS, but has a high potential of Risk for the patient, as we illustrated in Table 3.

In a review of litterature, we have identified that there are several components to risk in a Healthceare setting [27][28][29][30][31][32][33][34]:

  • A requirement for formal Policies, Documentation and training;
  • Privacy;
  • Confidentiality;
  • Integrity;
  • Availability;
  • The presence of appropriate Safeguards;
  • Limiting Collection;
  • Processes to enable Challenging Compliance;
  • De-identification of data;
  • Secure transmission of data;
  • Management controls;
  • Accountability;
  • A requirement for Openness;
  • Informed consent;
  • Identifying Purposes of data collection;
  • Access to information by patients
  • right to withhold,
  • segregate;
  • amend; and
  • copy;
  • Limiting Use, Disclosure, and Retention;
  • Full disclosure (No secret databases shall exist);
  • Non-commercial use (No medical record shall be sold, utilized for marketing purposes without the prior informed consent of the individual).

In the context of the scenario we have presented, most of these components could be applicable. Either because of the leal obligations that affect the eHR, described in [35] or the ethical requirements of the Declaration of Helsinki [29], in an ideal scenario of Risk Assessment, all of these could have an influence of the potential for Risk. Of all of the components of Risk, many may not be easily assigned a value. How much value can be given to the quality of the informed consent? Perhaps a value can be put on Pivacy by refering to Jurisprudence, but it is likely to be always too low for the indivual victime and always too high for the responsible party. If we look at informed consent, we find that it may be difficult to determine, in HIRM activities, the quality of that consent. In many of these ethical issues our intuition suggests that there is no linearity between Threat and Impact but rather the Risk likely increases by increments, like a stairway with uneven steps. Because it is difficult to assign a value to these components of risk, any FRAM that use financial or replacement costs in the calculation of the Impact as a principal component of risk will necessarely undervalue all of the intangible components, components with little monetary value or difficult to perceive as an expected utility expressed in menetary terms. We believe there is a link between this problem and the validity issues mentionned earlier. We therefore make the hypothesis that FRAMs are, at best, of an undetermined acuracy.

6. Why not look at different approaches?

Throught a litterature review we have performed for an ongoing research project, we have identified areas of litterature that where not covered in the tradition fields of Healthcare or Information technology. This has led us to look at different theories that can be used to understand Risk Management. Looking to the field of econometric and epidemiology, we have seen evidence that there are risk assessment models that have been developped in other fields which could be applied to HIRM. We have not found any evidence that this possibility has been evaluted in the IT security litterature or in the Healthcare litterature. In our revue of litterature on risk, we have found that there are different theories that have been developped. We have also seen evidence that Game Theory is used in the field of insurance for risk calculation. So we are proposing the hypothesis that perhaps a different approach could be used to estimate HIRM. Looking in litterature, we suggest two possible condidates to replace RCT as the basis for risk assessment in FRAMs.

6.1. Possible candidate 1: Prospect Theory

According to Edwards [36], Prospect theory was formulated first by Kahneman and Tversky in 1979 as an alternative method of explaining choices made by individuals under conditions of risk, as a substitute for expected utility theory. Kahneman and Tversky realized the fact that the expected utility theory model did not fully describe the manner in which individuals make decisions in risky situations and that therefore, there were instances in which a decisionmaker’s choice could not be predicted. For example, they point out that Expected Utility does not explain the manner in which framing can change the decision of the individual, nor does it explain why individuals exhibit risk-seeking behavior in some instances and risk-averse behavior in others. Kahneman and Tversky [37] demonstrate that subjects’ choices of lotteries exhibit a wide range of anomalies that violate expected utility theory. Most importantly, they show that predictable and dramatic shifts in preference can be generated by changing the ways in which options are framed. Unlike traditional economic theories, which deduce implications from normative preferences, prospect theory takes an inductive and descriptive approach. Prospect theory can be viewed [36] as a parsimonious summary of most of the important risky choice anomalies. A HIRM approach based on Prospect Theory in wich Risk takes into account framing could be used, at least it could be possible. Futher study is required to explore this, but it shows a possibility to view risk in a different light than it is possible to do with Expected Utility. So we contend that there is at least one theory than can be used to identify risk and model decisions about risk.

6.2. Possible candidate 2: Nash’s Equilibrium

John Forbes Nash, made famous by Russel Crowe in the movie A beautifull mind, suggested that Expeted Utility may not be the best way to describe how individuals make risky decisions. ‘Adam Smith needs revision’, as is quoted in the movie. Nash [38] formally defined an equilibrium of a noncooperative game to be a profile of strategies, one for each player in the game, such that each player’s strategy maximizes his expected utility payoff against the given strategies of the other players. If the behavior of all the players in such a game can be predicted, then the prediction must be a Nash equilibrium, or else it would violate this assumption of intelligent rational individual behavior. Should the predicted behavior not satisfy the conditions for Nash equilibrium, then there must be at least one individual whose expected welfare could be improved by educating him to more effectively pursue his own best interests, without any other change [38]. It would appear that a Nash’s Equilibrium could better account for non monetary impacts of risk in Healtcare Information Systems, such as divulgation of private information, loss of live or other Ethical violations because it approaches the problem as one of strategy rather than as one of uncertainty. Rather than viewing risk as a function of threats, probability of realisation and impact, it could view risk as a variance from a dominant strategy in a non-cooperative game between an organisation (with information to protect), an environnement (wich may can dammage to the information systems) and a third player (competitors, hackers or malitious employees). Approaches based on Nash’s Equilibrium have been used in Econometrics to create mathematical models of economies, in other fields to develop models to assess insurance risk and in other fields. We believe that empirical research should be done to explore this possibility in HIRM. Such an approach could integrate the various monetary, non-monetary and ethical concerns of Healthcare organisations.

7. Conclusion

We are suggesting that different approaches to the HIRM problem should be considered. We believe that using a case scenario approach as we did in this article, we are able to demonstrate the likelyhood that the current approach is limited. It is our pretention that Nash’s Equilibrium could better account for non monetary impacts of risk in Healtcare Information Systems, such as divulgation of private information, loss of live or other Ethical violations. While we believe that empirical research should be done to explore this possibility, it is currently impossible to persue this hypothesis due, principally, to lack of funding. This paper intends to demonstrate, by a review of litterature, examples from different fields and discussion, that this idea has merit. Should this be proved, it could eventually significantly affect how IT Risk Management is done. Unfortunatly at this time there is no reserch funding available to persue this idea or ideas of this type in Healtcare Informatics Research or in the Information Technology feld. Because there are no economic incentives to do the kind of fundamental research needed to develop such an idea, private entreprise can’t persue this. We believe that this situation should be corrected.


[1] Anderson JG. Security of the distributed electronic patient record: a case-based approach to identifying policy issues, International Journal of Medical Informatics, 2002, pages 111–118

[2]  Safran, C., Goldberg, H., Electronic patient records and the impact of the Internet, International Journal of Medical Informatics, 2000, pages 77–83

[3]  Sujansky, W., Heterogeneous Database Integration in Biomedicine, Journal of Biomedical Informatics, 2001, pages 285–298

[4]  Watkins, M.D., Bazerman, M.H., Predictable Surprises: The Disasters You Should Have Seen Coming, Harvard Business review Online, 2003

[5]  Stoneburner, G., Goguen, A., Feringa, A., NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology, July 2002

[6] Ministère de la Santé et de la Sécurité Sociale du Québec: www.msss.gouv.qc.ca

[7] Hancock, Bill, COMMON SENSE GUIDE FOR SENIOR MANAGERS, Top Ten Recommended Information Security Practices, 1st Edition, July 2002

[8] Léger, Marc-André, Méthodologie IVRI de gestion du risque en matière de sécurité de l’information, Éditions Fortier Communications, Montréal, Septembre 2003

[9] Schumacher, H. J., Ghosh, S., A fundamental framework for network security, Journal of Network and Computer Applications, 1997, pages 305–322

[10] Myerson, Judith, Risk Management, INTERNATIONAL JOURNAL OF NETWORK MANAGEMENT, 1999, pages 305-308

[11] Beucher, S., Reghezza, M., (2004) Les risques (CAPES Agrégation), Bréal

[12] Knight, Frank H. (1921) Risk, Uncertainty, and Profit, Boston, MA: Hart, Schaffner & Marx; Houghton Mifflin Company, 1921. [Online] available fromhttp://www.econlib.org/library/Knight/knRUP1.html ; accessed 11 December 2005

[13] Beck, Ulrich (1986) Risk Society: Towards a New Modernity, Sage Publications

[14] US Army (1998) US Army tarining manual FM100-14

[15] Browning, T. R. (1999) Sources of Schedule Risk in Complex System Development, Lean Aerospace Initiative at Massachusetts Institute of Technology, John Wiley & Sons

[16] Last JM, (2001) A dictionary of epidemiology. 4th edition. New York: Oxford University Press

[17] Smith, E., Eloff, J.H.P. (1999) Security in health-care information systems—current trends, International Journal of Medical Informatics, vol. 54, pp.39–54

[18] Jøsang, A., Bradley_, D.,  Knapsko, S. J. (2004) Belief-Based Risk Analysis, Australasian Information Security Workshop 2004 (AISW 2004), Dunedin, New Zealand. Conferences in Research and Practice in Information Technology, Vol. 32

[19] Cusson, R. (2002), Étude comparative des méthodologies d’analyse de risque, Conseil du Trésor du Québec

[20] Savage, L. (1954). The Foundations of Statistics. Dover, New York.

[21] Keynes, J.M. (1937) The General Theory of Empoyment, QJE

[22] Lo, A. W. (1999) The Three P’s of Total Risk Management, Financial Analysts Journal, January/February 1999, pp.13-26

[23] Levi, M. and als. (1990), The Limits of Rationality, University of Chicago Press, Chicago, Illinois in Zey, M. (1998) Rational Choice Theory and Organizational Theory: A Critique, Sage Publishing, February 1998

[24] Léger, Marc-André, Un processus d’analyse des vulnérabilités technologiques comme mesure de protection contre les cyber-attaques, Rapport d’activité de synthèse, Maîtrise en Informatique de Gestion, UQAM, Juin 2003, 110 pages

[25] CIHR (Canadian Institutesof Health Research), Secondary use of personal information in health research: Case studies, Canadian Institute of Health Research, November 2002

[26] MSSS, Ministère de la Santé du Québec, Le réseau RTSS C’est, site internet du MSSS, http://www.msss.gouv.qc.ca/rtss/, 2003

[27] Whittemore, R., Validity in qualitative research, Qualitative Health Research, vol 11, no 4, july 2001, pages 522-537.

[28] Belmont Report, Ethical Principles and Guidelines for the Protection of Human Subjects of Research, The National Commission for the Protection of Human Subjects of Biomedical andBehavioral Research, April 18, 1979

[29] WORLD MEDICAL ASSOCIATION, DECLARATION OF HELSINKI, Ethical Principles for Medical Research Involving Human Subjects, Helsinki, Finland, June 1964

[30] Nuremberg code, Directives for Human Experimentation, 1947

[31] Harkness, J., Lederer, S.E., Wikler, D., Laying ethical foundations for clinical research, Bulletin of the World Health Organization, 2001

[32] CSA (Canadian Standards Association), Model Code for the Protection of Personal Information (Q830-96) , 2003,http://www.csa.ca/standards/privacy/code/Default.asp?language=english

[33] CIHR (Canadian  Institutes of Health Research), Guidelines for Protecting Privacy and Confidentiality in the Design, Conduct and Evaluation of Health Research: BEST PRACTICES, CONSULTATION DRAFT, April 2004

 [34] Buckovich, Suzy A. et als, Driving Toward Guiding Principles: A Goal for Privacy, Confidentiality, and Security of Health Information, Journal of the American Medical Informatics Association Volume 6 Number 2 Mar / Apr 1999, Pages 122-133

[35] Boudreau, Christian et la CAI, Étude sur l’inforoute de la santé au Québec : Enjeux techniques, éthiques et légaux, document de réflexion, octobre 2001

[36] Edwards, K., Prospect Theory: A Literature Review, International Review of Financial Analysis, Vol. 5, No. 1, 1996, pages 19-38

[37] Laibson D., Zeckhauser, R. (1998) Amos Tversky and the Ascent of Behavioral Economics, Journal of Risk and Uncertainty, pp 7–47

[38] Myerson, Roger B. (1996) NASH EQUILIBRIUM AND THE HISTORY OF ECONOMIC THEORY, Journal of Economic Literature 36:1067-1082 (1999), revised, March 1999, accessed online on March 8th, 2006, http://home.uchicago.edu/~rmyerson/

The author wishes to thank Professor Andrew Grant of the Faculty of medicine of the University of Sherbrooke and, the CIHR Health Informatics PhD/Postdoc Strategic Training Program (Canadian Institutes of Health Research and the BC Michael Smith Foundation for Health Research) for funding and support making this article possible.

History of an international standard revision from a Canadian perspective: ISO/IEC 17799:2005

This document is intended to provide understanding of the revision process of international standards for educational purposes. This document does not present any information on voting or the results of voting other than what can be found on the Internet. Any views or opinions expressed herein are the sole responsibility of the author. At no time should they be interpreted as opinions of CAC- ITS, SC27, ISO/IEC or any organization of which the authors may participate in.


ISO/IEC 17799 is a code of practice. As such, it offers best practices, guidelines and voluntary directions for information security management. It is meant to provide a high level, general description of the areas considered important when initiating, implementing or maintaining information security in an organization. The document recently underwent a thorough revision which started in April 2001 and ended in June 2005 with the release of version 2005. The jISOt editors for this revision are Dr. Oliver Weissman from Germany, and Dr. Angelika Plate from the United Kingdom, two experienced and skilled IT security experts. This document presents a historical review of this revision from the internal and Canadian perspectives. This was done for educational purposes, as it serves as a good example of the standards maintenance process for a well known international standard.

What is ISO 17799?

ISO/IEC 17799:2000 addresses topics in terms of policies and general good practices. The document specifically identifies itself as a starting point for developing organization specific guidance. It states that not all of the guidance and controls it contains may be applicable and that additional controls not contained may be required. It is not intended to give definitive details or how-to’s. Given such caveats, the document briefly addresses the following major topics:

  • Establishing organizational security policy,
  • Organizational security infrastructure,
  • Asset classification and control,
  • Personnel security,
  • Physical and environmental security,
  • Communications and operations management,
  • Access control,
  • Systems development and maintenance,
  • Business continuity management, and
  • Compliance.

ISO/IEC 17799:2000 does not provide definitive or specific material on any security topic. It provides general guidance on the wide variety of topics listed above, but typically does not go into depth. ISO/IEC 17799 does not provide detailed conformance specifications necessary for an organizational information security management program. It does not provide enough information to support an in- depth organizational information security review, or to support a certification program like the ISO/IEC 9000 process quality certification program. Appropriately revised, ISO/IEC 17799 could be useful as a high level overview of information security topics that could help senior management to understand the basic issues involved in each of the topic areas. ISO/IEC 17799 should be augmented by more technical guidance in order to be used effectively for a security review.


The origin of ISO/IEC 17799 goes back to the days of the United Kingdom’s Department of Trade and Industry’s (DTI) Commercial Computer Security Centre (CCSC). Founded in May 1987, the CCSC had two major tasks. The first was to help vendors of IT security products by establishing a set of internationally recognized security evaluation criteria and an associated evaluation and certification scheme. This ultimately gave rise to the ITSEC and the establishment of the UK ITSEC Scheme. The second task was to help users by producing a code of good security practice and resulted in a « Users Code of Practice » that was published in 1989. This was further developed by the National Computing Centre (NCC), and later a consortium of users, primarily drawn from British Industry, to ensure that the Code was both meaningful and practical from a user’s pISOt of view. The final result was first published as a British Standard’s guidance document PD 0003: A code of practice for information security management, and following a period of further public consultation became British Standard BS7799:1995.

A second part BS7799-2:1998 was added in February 1998. An extensive revision and public consultation period began in November 1997. In April 1999 a major revision of the standard was published. Accreditation and certification schemes were also launched, and these helped increase the momentum.

Part 1 of the standard was proposed as an ISO/IEC standard via the « Fast Track » mechanism in October 1999 and published with minor amendments as ISO/IEC 17799:2000 on 1st December 2000. BS 7799- 2:2002 a second part, which covered ISMS and helped bridge the gap with ISO/IEC 9000, was officially launched on 5th September 2002. It has become ISO/IEC 24743:2005 in April 2005 following a fast- track ballot.

Who works on 17799

ISO/IEC (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National Bodies that are members of ISO/IEC or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO/IEC and IEC technical committees collaborate in fields of mutual interest. Other international organizations, government and non-governmental, in liaison with ISO/IEC and IEC, also take part in the work.

In the field of information technology, ISO/IEC and IEC have established a JISOt Technical Committee 1 (ISO/IEC JTC 1) in 1987. In 1988, Sub-Committee 27 was created as a subcommittee of this jISOt technical committee (JTC1). Its title is « Security techniques ». Its area of work is standardization of generic methods and techniques for IT Security.National Bodies (NB) of ISO/IEC IEC JTC1 SC27 participate in it’s activities. In Canada, the NB for JTC1- SC27 is the Canadian Advisory Committee on Information technology Security (CAC-ITS), it was formed in the fall of 1988, in Toronto.

ISO’s JTC1, sub-committee (SC) 27, IT Security Techniques, was assigned ISO/IEC 17799. Its chairman is Dr Walter Fumy, from Germany a recognized and published expert in the field of IT security. The secretariat for this committee is managed by the German Standards group DIN.

JTC1 SC27’s area of work covers standardization of generic methods and techniques for IT security. This includes:

  • Identification of generic requirements for IT system security services;
  • Development of security techniques and mechanisms;
  • Development of security guidelines; and
  • Development of management support documentation and standards.

Standards developed by SC27 in the past include are listed on the web.

It has five Working Groups (WG1 to WG5). ISO 17799 is in Working Group 1 (WG1). The WG1 Chairperson (called Convenor) is Ted Humpreys, from the United Kingdom. Mr Humpreys is a world renown IT security expert, chairperson of the ISMS International Users Group and has been associated with ISO 17799 from its inception.

The latest revision round, from April 2001 to April 2005
The start of the revisions process, at least from the Canadian perspective, was the production, by members of CAC-ITS of a defects report in 2000.

Oslo, Norway

At the ISO/IEC JTC1 SC27 WG meeting, held in Oslo, Norway, from April 23rd to the 27th, 2001, it was agreed, by a majority vote of the participants, to begin revision of ISO/IEC 17799. The WG1 Convenor, Mr Ted Humphries, noted that this was in accordance with resolutions of the Tokyo meeting (16 – 25 October 2000) and with the SC27 2001 Business Plan, which stated that revision of 17799 would be given highest priority. We are here at Stage 3: Committee stage. Discussion of ISO/IEC 17799 began in the morning of April 25 2001. At this stage the current version of the document ISO/IEC 17799:2000 becomes the starting pISOt for discussions by the international experts in plenary sessions.

It was agreed to send out a call to NBs for contributions and nominations for Project Editor. On April 27 2001, at the WG1 final plenary meeting, two resolutions were voted. The first, to revise ISO/IEC 17799 and, at the same time, to investigate and report on mechanisms for accreditation against ISO/IEC 17799. The second, the nomination of an Acting Project Editor to begin revision immediately, was approved. Dr. Oliver Weissman became Acting Project Editor of ISO/IEC 17799.

Seoul, Republic of Korea

On October 15th to the 24th 2001 an ISO/IEC JTC1 SC27 WG meeting was held in Seoul, Republic of Korea. At this meeting, under the chairmanship of Acting Project Editor, Dr. Oliver Weissman, two days of WG1 were devoted to the editorial group meeting on comments and NBs contributions. Good progress was made at this editing meeting, and attendees expressed their satisfaction. Ten countries where represented.

Two Project Editors (PE) for ISO/IEC 17799 where appointed jointly, Dr. Oliver Weissman (Germany) and Dr. Angelika Plate (U.K.), this was unanimously accepted. Following the meeting, the PE prepared what became the 1st committee draft of the ISO/IEC 17799 revision.


An ISO/IEC JTC 1 SC 27 Working Group Meeting was held in Berlin, Germany from april 22nd to the 26th, 2002. The editing meeting for ISO/IEC 17799 took place over the three days of April 23rd to the 25th, as well as the evening of April 23rd . More than 30 delegates participated. The editors had received over 750 comments on ISO/IEC 17799, which the editors had organized into categories, such as structural, major technical, sectional and editorial. There was, of course, discussion among the experts present on the comments. The editing group worked together to make progress and achieve consensus-building. Consequently, a majority of the comments where addressed.

Two informal votes were taken in favour of:

  • the use of guideline-style language (should), as opposed to mandatory language (must, shall),
  • not bringing certification into ISO/IEC 17799, nor producing a separate certification standard.

October 2002

Prompted by growing interest in ISO/IEC 17799 in Canada, in October 2002, CAC- ITS produced and released a document titled: STATEMENT RELATED TO ISO/IEC 17799 USE IN CANADA. It stated:

Warsaw, Poland

Another ISO/IEC JTC1 SC27 Working Group meeting was held on October 7- 15, 2002, in Warsaw, Poland. At this meeting ISO/IEC 17799 was again on the agenda. Because of the volume of comments, more than 600, the editing committee was only able to address about one-third of them. Participants agreed to hold an ad hoc meeting to try to get through them all. Unfortunately, too many of the National Board representatives indicated that they would not be able to travel to an ad hoc meeting (no matter where it might have been held), and the participants determined that it was likely that there would be no quorum, rendering the meeting null. It was decided, therefore, to hold an ad hoc three- day meeting, immediately preceding the next meetings in Quebec City in April 2003.

Quebec city

On may 5th to 6th 2003, a SC27 meeting was held in Quebec City. Following that meeting, the resulting version of ISO/IEC 17799 was registered as the 1st committee draft. Following this registration it was circulated for a 3 month ballot ending September 6th, 2003. It was approved.

Paris 2003

On the 20th to the 24th of October 2003, in Paris, France, an ISO/IEC JTC1 SC27 meeting was held. 32 P- members of SC 27 where represented. Working Group 1 allocated two and one half days of the meeting to revise the 1st Committee Draft (CD) of ISO/IEC 17799. More than 212 pages of Comments, 480 technical comments, had been received. At this pISOt the document, an existing international standard being revised, we are still here at Stage 3: Committee stage of the ISO/IEC standard process, where the document must go through a thorough review process.

The outcome of the meeting was a Work Plan for the resolution of remaining comments, which was considered at some length at the WG1 Plenary on October 24th and after some revision, based on the plenary discussion, was approved and has been issued. In summary, it was agreed that:

The co-editors would develop a proposed disposition of all remaining comments and circulate this to the editing group participants. Based on input received back from the editing group participants, the co- editors would then prepare a complete draft containing the proposed resolutions, again for distribution to the editing group participants. This was to be completed by January 20, 2004.

If the second set of feedback comments is unsatisfactory that is, there is failure to achieve consensus on the resolution of the comments then an Ad Hoc meeting was to be held, February 16- 18, 2004, in Berlin.

Following that meeting, the current version of ISO/IEC 17799 was registered as the 2nd committee draft and submitted to a 3 month ballot closing may 19th 2004. It was approved.

Singapore 2004

On the 19th to the 23rd of April 2004, a ISO/IEC JTC1 SC27 Meeting was held in Singapore. At this meeting where present 50 delegates representing 22 P members and one O member countries.

Ten countries send comments regarding ISO/IEC 17799 before this meeting. 694 comments in total where made, 303 technical and 391 editorial. Most of the technical comments where addresses at the meeting. In the end it was decided to have an Ad- hoc Group meeting of three days on 7th to 9th June 2004, in Berlin. This in order to finish the revision of the comments and addressed the new received comments. National bodies had until May 19th to send theirs comments on the last version.

Following the meeting, the version of ISO/IEC 17799 was submitted to a 4 month FCD ballot, ending October 1st, 2004. It was approved.

Berlin 2004

On the 6th to the 9th of June 2004 was held an ISO/IEC JTC1 SC27 WG1 Ad- Hoc Meeting ISO/IEC 17799 in Berlin, Germany. This special meeting was held to address issues with ISO/IEC 17799 to ensure that it was gISOg to progress on schedule. This was considered necessary in the previous Singapore meeting, where all the comments could not be addressed in the allotted timeframe. At that meeting there where delegates from 17 countries.

The objective was the review of 315 technical comments or editorial comments not reviewed at the previous Singapore meeting. As a result of this meeting the editors produced in June 2004:

  • revised text (FCD) of the 2nd CD ISO/IEC 17799;
  • dispositions of Comments of 2nd CD ISO/IEC 17799.

At the end of the meeting the group exercised a vote to assess whether there was sufficient support for progressing the document from Final Committee Draft (FCD) to Step 4, Draft International Standard (DIS). The result from those present who had provided contributions and those that gave proxies was 100% approval. The revised document, the Dispositions of Comments and the voting result where sent to the SC27 Secretariat for further action and processing within SC27.

Brazil 2004

From the 18th to the 22nd of October 2004, an ISO/IEC JTC1 SC27 meeting was held in Fortaleza, Brazil. For this meeting 270 comments had been received and where addressed. Following that, the document was approved by acclamation (no disapproval or abstention) to progress to Step 5: Final Draft International Standard (FDIS).

In April 2005, at the ISO/IEC meeting in Vienna, Austria ISO/IEC 17799 reached Stage 6: Publication. It was published on June 10th 2005. In 2007 it was renumbered as ISO 27002 to better fit within the ISO27000 Management System.