Global CISO Forum 2017: How to Measure Anything in Cybersecurity Risk
TRANSCRIPT
Richard Seiersen: VP Trust & CISO, Twilio
Forecasting Breach: Perspectives and Code from HTMA Cyber
Agenda:
Forecasting breach, what’s that!?
What are the challenges?
Why would you want to?
The Security Analytics Framework
Our Focus
Forecasting Breach, What’s That!?
2017-2019 Breach Forecast
16% chance of losing $20M+
1% chance of losing $70M+
Who else uses these methods? Actuaries, big pharma, military logisticians, nuclear engineers, epidemiologists, meteorologists, project managers, movie producers, etc. Anyone making forecasts under seemingly irreducible uncertainty.
It’s Tolerance Based: This one has an imagined insurance threshold
It’s Capability Based: We model security capability improvement over time
It’s Risk As A Curve!: We build a model that relates impact (money) and likelihood.
It Uses Probabilities: We only use probabilities and dollars – no Red, Yellow, Green or High, Medium, Low.
It’s Time Based: We make multi-year forecasts to help drive strategy.
"A map is not the territory … but if correct, it has a similar structure to the territory, which accounts for its usefulness." — Alfred Korzybski, Science & Sanity
Data For Demo Purposes Only
Key Question: Is a ~16% chance of losing $20M or more, at least once in 3 years, OK? Can it be benchmarked in some way?
• Fortune 500 Healthcare: Yearly Avg Rate 3.85%, 3 Year Avg Rate 11%
• Fortune 500 Finance: Yearly Avg Rate 2.46%, 3 Year Avg Rate 7.2%
• Fortune 500 Retail: Yearly Avg Rate 2.02%, 3 Year Avg Rate 5.9%
*Research conducted by Hubbard Decision Research Inc.
Observations
• Publicly disclosed data breaches from 2014-2015
• Outcomes are uncertain, but they update our beliefs
• We will show you how to predict like this with marbles shortly!
Challenge #1: The Concept or Misconception Of Measurement
Challenge #2: Probabilities
Challenge #2: Probabilities & Breach
What proportion is Red?
Assume you don't know … the total.
• F500 2014-2015 healthcare breach forecast
• We can update as we get more info, be it red or blue marbles.
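The benchmark slide and the marble slide above describe three calculations: converting a yearly breach rate into a multi-year rate (1 - (1 - 0.0385)^3 gives the 11% three-year healthcare figure), updating a belief about the "proportion red" as breached and unbreached firms are observed, and turning a likelihood and an impact distribution into a "risk as a curve" with statements like "16% chance of losing $20M or more". The following Python is an added example written for this transcript; it is not code from the talk or from the HTMA Cyber downloads. It assumes independent years, a Beta(1,1) uniform prior for the marble model, and a lognormal loss-per-breach distribution specified by a median and a 90th percentile; the impact figures in the usage block are constructed for illustration, not the speaker's data.

```python
"""Breach forecasting helpers: multi-year rate, marble (beta) updating, loss exceedance curve.
Added example for the HTMA Cyber talk transcript; stdlib only, not the talk's own code."""
import math
import random
from dataclasses import dataclass

Z90 = 1.2815516  # standard normal 90th percentile, used to fit a lognormal from a median and p90


def multi_year_rate(yearly_rate: float, years: int = 3) -> float:
    """Chance of at least one breach over `years` years, assuming independent years.
    Reproduces the slide's benchmarks: 1 - (1 - 0.0385)**3 = 0.111 (healthcare, 11%)."""
    return 1.0 - (1.0 - yearly_rate) ** years


@dataclass
class MarbleBelief:
    """Belief about the proportion of 'red' (breached) firms in an urn of unknown size.
    Modelled as Beta(red + 1, blue + 1): a uniform prior updated by each marble drawn."""
    red: int = 0   # breached firms observed
    blue: int = 0  # unbreached firms observed

    def update(self, red: int = 0, blue: int = 0) -> "MarbleBelief":
        self.red += red
        self.blue += blue
        return self

    def mean(self) -> float:
        """Posterior mean of the breach proportion (Laplace's rule of succession)."""
        return (self.red + 1) / (self.red + self.blue + 2)

    def credible_interval(self, level: float = 0.9, draws: int = 20000, seed: int = 1):
        """Central credible interval estimated by sampling the posterior (no scipy needed)."""
        rng = random.Random(seed)
        s = sorted(rng.betavariate(self.red + 1, self.blue + 1) for _ in range(draws))
        lo = s[int((1 - level) / 2 * draws)]
        hi = s[int((1 + level) / 2 * draws) - 1]
        return lo, hi


def lognormal_params(median: float, p90: float):
    """Fit lognormal (mu, sigma) so that the median and 90th percentile match the inputs."""
    mu = math.log(median)
    sigma = (math.log(p90) - mu) / Z90
    return mu, sigma


def simulate_horizon_losses(yearly_rate: float, impact_median: float, impact_p90: float,
                            years: int = 3, trials: int = 20000, seed: int = 7):
    """Monte Carlo: each year a breach occurs with `yearly_rate`; each breach costs a
    lognormal amount. Returns the total loss over the horizon for every trial."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(impact_median, impact_p90)
    totals = []
    for _ in range(trials):
        total = 0.0
        for _ in range(years):
            if rng.random() < yearly_rate:
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    return totals


def exceedance(losses, threshold: float) -> float:
    """P(total loss >= threshold): one point on the loss exceedance curve."""
    return sum(1 for x in losses if x >= threshold) / len(losses)


def loss_exceedance_curve(losses, thresholds):
    """The 'risk as a curve' view: (threshold, probability of losing at least that much)."""
    return [(t, exceedance(losses, t)) for t in thresholds]


if __name__ == "__main__":
    for name, rate in [("Healthcare", 0.0385), ("Finance", 0.0246), ("Retail", 0.0202)]:
        print(f"{name}: yearly {rate:.2%} -> 3-year {multi_year_rate(rate):.1%}")

    # Constructed marble draw: 3 red (breached) and 75 blue (unbreached) firms observed.
    belief = MarbleBelief().update(red=3, blue=75)
    lo, hi = belief.credible_interval()
    print(f"proportion red: mean {belief.mean():.1%}, 90% interval {lo:.1%}-{hi:.1%}")

    # Constructed impact assumptions: median $8M per breach, 90th percentile $40M.
    losses = simulate_horizon_losses(0.0385, 8e6, 40e6)
    for threshold, prob in loss_exceedance_curve(losses, [5e6, 20e6, 70e6]):
        print(f"P(loss >= ${threshold/1e6:.0f}M over 3 years) = {prob:.1%}")
```

Reading the curve the way the slide does: the probability at the $20M threshold is the "chance of losing $20M or more at least once in three years", and the tail at $70M is where an insurance threshold or risk tolerance line would be drawn. Because the simulation is seeded, the numbers are reproducible; raise `trials` to tighten them.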
Challenge #3: Forecasting Financial Impact
Win $1000 if you guess the average weight in tons of an adult male African
elephant?
=
100lbs. 1000Tons
It’s Demo Time!
Forecasting the value of “security capabilities” in reducing the likelihood and impact of breach
Why would you want to do this?
Thank You!
http://www.howtomeasureanything.com/cybersecurity/#downloads