Improving residual risk management through the use of security metrics

Introduction Reported security breaches over the last 3 years suggest that a large number of security procedures are not currently operating at full effectiveness. Security breaches have ranged from the loss of personal details of 25 million UK citizens to the disclosure of national security information assets. It is highly likely that the organisations involved in these security breaches performed risk assessments for their information assets and implemented a range of security controls to manage these risks, leading to the resulting residual risks being within acceptable risk appetites. But as investigations into security breaches have shown, these controls are often ignored, bypassed or incorrectly implemented [ICO07]. Organisations may not currently understand how ineffectively their security controls are being managed, resulting in higher levels of risk exposure through controls operating at below optimal effectiveness. By introducing real world effectiveness measurements into an organisation’s risk management activities, organisations can improve their understanding of their current risk exposure. Research We have found that a number of organisational issues exist with the use of security metrics in measuring control effectiveness, which can be summarised as follows: * Metrics that measure effectiveness can be difficult to define. * Resulting measurements can be difficult to interpret by non-security professionals. * Effectiveness metrics cannot be easily compared to allow benchmarking of an organisation’s performance. Our research has concluded that there is a gap in current IT governance models and management best practices for the definition of how to measure the effectiveness of security controls. While these standards do recognise the requirement for continual assessment of operational effectiveness, the definition of these measurements and how to interpret the results are left to the organisation. Information Security Effectiveness Framework (ISEF) This project introduces ISEF, a framework that assists organisations in defining, visualising and comparing security metrics. The framework uses the concept of grouping controls based on their implementation type and temporal objectives to present common characteristics that can be measured. The framework uses the relationship between controls and risks to align security metrics against organisational risk, and visualises these to support the direction of remedial efforts. The ISEF is designed to complement current IT governance models and standards such as COBIT and ISO27002. This is provided by its alignment with these ‘what’ should be done models and standards by providing the ‘how’. The ISEF provides a method of comparing security metrics based on the financial stock markets indices. This allows the comparison of security control management between organisations and allows the organisations to benchmark themselves against peers without revealing specific security control information. Conclusion A case study using ISEF has shown that the framework provides a method for defining metrics in order to obtain real world data to modify current residual risk levels. For organisations with a risk management approach, the framework can visualise effectiveness in the context of risk allowing resources to be focused on improving security management where it will make the greatest risk reduction

Adjunctive rifampicin for Staphylococcus aureus bacteraemia (ARREST): a multicentre, randomised, double-blind, placebo-controlled trial.

BACKGROUND: Staphylococcus aureus bacteraemia is a common cause of severe community-acquired and hospital-acquired infection worldwide. We tested the hypothesis that adjunctive rifampicin would reduce bacteriologically confirmed treatment failure or disease recurrence, or death, by enhancing early S aureus killing, sterilising infected foci and blood faster, and reducing risks of dissemination and metastatic infection. METHODS: In this multicentre, randomised, double-blind, placebo-controlled trial, adults (≥18 years) with S aureus bacteraemia who had received ≤96 h of active antibiotic therapy were recruited from 29 UK hospitals. Patients were randomly assigned (1:1) via a computer-generated sequential randomisation list to receive 2 weeks of adjunctive rifampicin (600 mg or 900 mg per day according to weight, oral or intravenous) versus identical placebo, together with standard antibiotic therapy. Randomisation was stratified by centre. Patients, investigators, and those caring for the patients were masked to group allocation. The primary outcome was time to bacteriologically confirmed treatment failure or disease recurrence, or death (all-cause), from randomisation to 12 weeks, adjudicated by an independent review committee masked to the treatment. Analysis was intention to treat. This trial was registered, number ISRCTN37666216, and is closed to new participants. FINDINGS: Between Dec 10, 2012, and Oct 25, 2016, 758 eligible participants were randomly assigned: 370 to rifampicin and 388 to placebo. 485 (64%) participants had community-acquired S aureus infections, and 132 (17%) had nosocomial S aureus infections. 47 (6%) had meticillin-resistant infections. 301 (40%) participants had an initial deep infection focus. Standard antibiotics were given for 29 (IQR 18-45) days; 619 (82%) participants received flucloxacillin. By week 12, 62 (17%) of participants who received rifampicin versus 71 (18%) who received placebo experienced treatment failure or disease recurrence, or died (absolute risk difference -1·4%, 95% CI -7·0 to 4·3; hazard ratio 0·96, 0·68-1·35, p=0·81). From randomisation to 12 weeks, no evidence of differences in serious (p=0·17) or grade 3-4 (p=0·36) adverse events were observed; however, 63 (17%) participants in the rifampicin group versus 39 (10%) in the placebo group had antibiotic or trial drug-modifying adverse events (p=0·004), and 24 (6%) versus six (2%) had drug interactions (p=0·0005). INTERPRETATION: Adjunctive rifampicin provided no overall benefit over standard antibiotic therapy in adults with S aureus bacteraemia. FUNDING: UK National Institute for Health Research Health Technology Assessment

Dimethyl fumarate in patients admitted to hospital with COVID-19 (RECOVERY): a randomised, controlled, open-label, platform trial

Dimethyl fumarate (DMF) inhibits inflammasome-mediated inflammation and has been proposed as a treatment for patients hospitalised with COVID-19. This randomised, controlled, open-label platform trial (Randomised Evaluation of COVID-19 Therapy [RECOVERY]), is assessing multiple treatments in patients hospitalised for COVID-19 (NCT04381936, ISRCTN50189673). In this assessment of DMF performed at 27 UK hospitals, adults were randomly allocated (1:1) to either usual standard of care alone or usual standard of care plus DMF. The primary outcome was clinical status on day 5 measured on a seven-point ordinal scale. Secondary outcomes were time to sustained improvement in clinical status, time to discharge, day 5 peripheral blood oxygenation, day 5 C-reactive protein, and improvement in day 10 clinical status. Between 2 March 2021 and 18 November 2021, 713 patients were enroled in the DMF evaluation, of whom 356 were randomly allocated to receive usual care plus DMF, and 357 to usual care alone. 95% of patients received corticosteroids as part of routine care. There was no evidence of a beneficial effect of DMF on clinical status at day 5 (common odds ratio of unfavourable outcome 1.12; 95% CI 0.86-1.47; p = 0.40). There was no significant effect of DMF on any secondary outcome

Effect of Noninvasive Respiratory Strategies on Intubation or Mortality Among Patients With Acute Hypoxemic Respiratory Failure and COVID-19: The RECOVERY-RS Randomized Clinical Trial.

Importance Continuous positive airway pressure (CPAP) and high-flow nasal oxygen (HFNO) have been recommended for acute hypoxemic respiratory failure in patients with COVID-19. Uncertainty exists regarding the effectiveness and safety of these noninvasive respiratory strategies. Objective To determine whether either CPAP or HFNO, compared with conventional oxygen therapy, improves clinical outcomes in hospitalized patients with COVID-19-related acute hypoxemic respiratory failure. Design, Setting, and Participants A parallel group, adaptive, randomized clinical trial of 1273 hospitalized adults with COVID-19-related acute hypoxemic respiratory failure. The trial was conducted between April 6, 2020, and May 3, 2021, across 48 acute care hospitals in the UK and Jersey. Final follow-up occurred on June 20, 2021. Interventions Adult patients were randomized to receive CPAP (n = 380), HFNO (n = 418), or conventional oxygen therapy (n = 475). Main Outcomes and Measures The primary outcome was a composite of tracheal intubation or mortality within 30 days. Results The trial was stopped prematurely due to declining COVID-19 case numbers in the UK and the end of the funded recruitment period. Of the 1273 randomized patients (mean age, 57.4 [95% CI, 56.7 to 58.1] years; 66% male; 65% White race), primary outcome data were available for 1260. Crossover between interventions occurred in 17.1% of participants (15.3% in the CPAP group, 11.5% in the HFNO group, and 23.6% in the conventional oxygen therapy group). The requirement for tracheal intubation or mortality within 30 days was significantly lower with CPAP (36.3%; 137 of 377 participants) vs conventional oxygen therapy (44.4%; 158 of 356 participants) (absolute difference, -8% [95% CI, -15% to -1%], P = .03), but was not significantly different with HFNO (44.3%; 184 of 415 participants) vs conventional oxygen therapy (45.1%; 166 of 368 participants) (absolute difference, -1% [95% CI, -8% to 6%], P = .83). Adverse events occurred in 34.2% (130/380) of participants in the CPAP group, 20.6% (86/418) in the HFNO group, and 13.9% (66/475) in the conventional oxygen therapy group. Conclusions and Relevance Among patients with acute hypoxemic respiratory failure due to COVID-19, an initial strategy of CPAP significantly reduced the risk of tracheal intubation or mortality compared with conventional oxygen therapy, but there was no significant difference between an initial strategy of HFNO compared with conventional oxygen therapy. The study may have been underpowered for the comparison of HFNO vs conventional oxygen therapy, and early study termination and crossover among the groups should be considered when interpreting the findings. Trial Registration isrctn.org Identifier: ISRCTN16912075