Fundamentals Matter – A Brief Introduction to Risk Analysis for Information Security Heather Goodnight, Partner Patrick Florer, Partner Cyber Breach Response Partners, LLC October 2, 2015


Fundamentals Matter – A Brief Introduction to Risk Analysis for Information Security

Heather Goodnight, Partner
Patrick Florer, Partner

Cyber Breach Response Partners, LLC
October 2, 2015

@NTXISSA #NTXISSACSC3

Agenda

• Introductions
• Risk and the Risk Landscape
• Scales of Measurement: Qualitative vs. Quantitative
• Possibility and Probability
• Precision vs. Accuracy
• Data – Fit For Purpose
• Use Case: Data Breach


Headquartered in Dallas, TX
◦ Risk Centric Security Founded in 2009
◦ Cyber Breach Response Founded in 2015

Experienced Leadership Team
◦ Ponemon Institute RIM Council
◦ Distinguished Fellow, Ponemon Institute
◦ Director of Education, Society of Information Risk Analysts (SIRA)
◦ Guest Lecturer SMU School of Engineering
◦ 20-35+ Years of Experience

Diverse Customer and Partner Community
◦ Multiple Vertical Markets


What is Risk?

The Current State of Confusion ….

Cyber Breach Response Partners, LLC. Confidential and Proprietary . Copyright © Cyber Breach Response Partners, LLC. All rights reserved.


Often leads to this …

ROI, IRR, EPS, EMV, EBITDA


What Risk Isn’t!

Vulnerability

Threat


What Risk is (simple version)

Risk =

a frequency / likelihood of occurrence expressed quantitatively

and

an impact expressed quantitatively in $$$ or mission impairment

(ALE = SLE x ARO)

Scales of Measurement

Qualitative / Quantitative

Qualitative Scales

Nominal/Categorical: HIGH - Red, MEDIUM - Orange, LOW - Green

Ordinal: First, Second, Third …

Interval: On a scale of …

Quantitative/Ratio Scales

1, 2, 3, 4, 5, 6, … n

Possibility and Probability: Possibility

Possibility and Probability: Probability

Precision and Accuracy

Data

Good Data Bad Data

Big Data

Little Data

Data Fit For Purpose

Use Case: Data Breach

Sources: WEIS; Net Diligence; Ponemon; Verizon


Data Breaches

What is a data breach?

A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual or group unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.

Security Incidents vs Data Breaches?

NTX ISSA Cyber Security Conference – October 2-3, 2015

Types of Data Breaches

Intellectual Property (IP)
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Credit / Debit Card Information
Other Financial Data
Other Personal Information
Correlated Data

Risk = Frequency x Impact


Frequency

Edwards et al. (WEIS 2015, Belgium):
• Frequency and size of breaches are not increasing
• ITRC sample is representative of all breaches
• Predictions of frequency for 2016

Ponemon Institute: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May, 2015:

40% of organizations had > 5 breaches in 2 years


Types of Attacks

Opportunistic attacks

Targeted attacks

Accidental exposures

Risk = Frequency x Impact


Breach Costs

Per record costs vs total cost per breach

Correlation between number of records and per record costs – more records, lower costs per record

Correlation between number of records and total breach costs – more records, higher total costs


Breach Costs

Whose costs?
• Breached entity?
• Employees?
• Shareholders?
• Insurers?
• Card brands?
• Issuing banks?
• Customers?
• Business partners?
• Consumers?
• Taxpayers (law enforcement costs)?
• Citizens / the public at large?


Breach Costs

Which costs?

Direct Costs:
• Crisis response: Forensics, Credit Monitoring, Notification, Legal Guidance/Breach Coach
• Legal Defense, Damages, settlements
• Regulatory defense, fines, and settlements
• PCI defense, fines, and settlements

Indirect Costs: Customer Churn / Brand Damage / Stock price

Cyber Insurance payouts vs Total Costs


Sources for Breach Costs

NetDiligence: Cyber Claims studies
• Most recent report published September 30, 2015
• Reports on claims paid – not the same as total data breach costs
• Deductibles/retention, exclusions, limits, sub-limits, open/closed status, primary/secondary coverage all factor in
• Sample size is small – study reports approximately 5% of all claims from all insurers
• Median records = 2,300 / average records = 3.2M
• Median claim amount = $77K / average claim = $674K

Sources for Breach Costs

Ponemon Institute: 2015 Cost of Data Breach Study (US), May 2015 (10th edition):
• Benchmark study, not just a survey
• 62 US companies surveyed – breaches exposed between 5K and 100K records
• Results should NOT be used for mega breaches (specific disclaimer)
• $6.5M average total cost of breach
• $217 per record overall average
• Direct vs indirect = $74 (34%) vs $143 (66%)
• Approximately 2/3 of average per record cost is in indirect costs – this has been the case in the previous 5 studies

Sources for Breach Costs

Ponemon Institute: 2014 Cost of Cyber Crime Study (US), October 2014 (5th edition):
• 59 US companies surveyed / 544 interviews
• 138 attacks / 2.3 attacks per surveyed company per year
• $12.7M in annualized costs

Sources for Breach Costs

Ponemon Institute: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015:
• 90% of entities surveyed had at least 1 breach during previous 2 years
• 40% had more than 5 breaches
• Average cost > $2.1M for surveyed healthcare organization; > $1M for business associates

Sources for Breach Costs

Verizon DBIR
• Forensics data – 70 organization contributors
• Analysis of NetDiligence cyber claims data using log / log approach and confidence intervals
• Assertion that claims paid = total cost of breach is FALSE
• $0.58 per record does not pass the sniff test
• Table of predicted costs by size of breach has such wide spreads as to be uninformative

Risk = Frequency x Impact


Thank You!


Heather Goodnight
Patrick Florer

Cyber Breach Response Partners, LLC

[email protected]

214.828.1172


The Collin College Engineering Department

Collin College Student Chapter of the North Texas ISSA

North Texas ISSA (Information Systems Security Association)


Thank you

Appendix

“We don’t have enough data!” – Sources

Open Security Foundation: datalossdb and osvdb
http://www.opensecurityfoundation.org/

Office of Inadequate Security: http://www.databreaches.net/

Identity Theft Resource Center: http://www.idtheftcenter.org/

ISACA: www.isaca.org

ISSA: www.issa.org

“We don’t have enough data!” – Sources

Mitre Corporation: www.mitre.org

OWASP: http://owasp.com/index.php/Main_Page

Privacy Rights Clearing House: http://www.privacyrights.org/

SANS: www.sans.org

The Ponemon Institute: www.ponemon.org

“We don’t have enough data!” – Sources

Conference proceedings: Black Hat, RSA, Source Conferences, BSides

Internet tools:

Search engines: Google, Bing, Yahoo, Ask.com

Trend Analyzers:

Google trends: http://www.google.com/trends

Twitter Trends: www.trendistic.com

Amazon: http://www.metricjunkie.com/

“We don’t have enough data!” – Sources

Securitymetrics.org – mailing list

Society of Information Risk Analysts (SIRA)

Books:
How to Measure Anything – Hubbard
The Failure of Risk Management – Hubbard
Risk Analysis: A Quantitative Guide – Vose
Clinical Epidemiology and Biostatistics – Kramer
Data-Driven Security: Analysis, Visualization and Dashboards – Jacobs and Rudis


How much data is enough data?

How do I get to the mall? vs. How do we build this?


Data from Calibrated Estimates

More often than you might think, the data we have to work with comes from Subject Matter Experts (SMEs).

How can we improve the accuracy of these SMEs – to a 90% confidence level?

With calibration.

Example: How much does an iPhone 5s weigh?

Monte Carlo Simulation

The average = $12,500

The range is: $2,500 / $12,500 / $32,000

The distributions are:


Monte Carlo Simulation


The Beta Pert Calculator

Minimum:

What is the least or lowest (best or worst) numerical estimate that you believe to be reasonable? This will be the smallest number you come up with.

Most Likely:

What is the most likely or most probable numerical estimate in your opinion? This number must fall between the minimum and maximum. It may equal either the minimum or the maximum, but should not equal both.

The Beta Pert Calculator

Maximum:

What is the greatest or highest (best or worst) numerical estimate that you believe to be reasonable?

Note that “best” or “worst” case estimates could be either minimum or maximum values, depending upon the scenario.

In a risk / loss exposure scenario, lower is better, so the minimum represents the lowest loss, or best outcome. The maximum represents the highest loss, or worst outcome.

In a sales or opportunity scenario, it’s the reverse: lower is not better, so the minimum represents the worst case. Higher is better, so the maximum represents the best case.

Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2014 Risk Centric Security, Inc . All rights reserved.

The Beta Pert Calculator

Confidence:

On a scale that includes “Very Low”, “Low”, “Average”, “High”, and “Very High”, how confident are you in the accuracy of your estimates?

This parameter controls the sampling around the most likely value, and thereby also controls the height of the histogram or slope of the cumulative plot.

For most analyses, using “Average” for the confidence parameter works well. In this instance, “Average” really means having no strong feeling about the matter – being evenly divided between under-confidence and over-confidence.

The Beta Pert Calculator

Percentile Tables

1% of values are <= 10,044 and 99% are > 10,044
10% of values are <= 11,120 and 90% are > 11,120
20% of values are <= 11,658 and 80% are > 11,658
50% of values are <= 13,025 and 50% are > 13,025

The 50th percentile has another name - it’s called the Median.

The Median is the mid-point in a list of values - half of the values in the list are less and half are greater than the Median.
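As an added worked example (not code from the slides or from Cyber Breach Response Partners), the script below ties together the ALE = SLE x ARO slide, the Monte Carlo slide and the Beta Pert Calculator pages: it draws frequency and impact from min / most likely / max estimates and produces the percentile table and median described above. The mapping of the calculator's confidence labels to the PERT shape parameter, the 1 / 2 / 4 incidents-per-year frequency estimate and the nearest-rank percentile method are assumptions of this example, not the calculator's own.

```python
import random

# Confidence labels from the Beta PERT calculator slides mapped to the PERT shape
# parameter lambda. The mapping is an assumption for this example: classic PERT
# uses lambda = 4 ("Average"); larger values pull samples toward the most likely
# value, smaller values spread them out toward the minimum and maximum.
CONFIDENCE_LAMBDA = {"Very Low": 1.0, "Low": 2.0, "Average": 4.0,
                     "High": 8.0, "Very High": 16.0}

def beta_pert_params(minimum, most_likely, maximum, confidence="Average"):
    """Turn a min / most likely / max estimate into Beta(alpha, beta) shape parameters."""
    if not (minimum <= most_likely <= maximum) or minimum == maximum:
        raise ValueError("need minimum <= most likely <= maximum and minimum < maximum")
    lam, span = CONFIDENCE_LAMBDA[confidence], maximum - minimum
    return 1.0 + lam * (most_likely - minimum) / span, 1.0 + lam * (maximum - most_likely) / span

def beta_pert_sample(minimum, most_likely, maximum, confidence="Average", rng=random):
    """One draw from the Beta PERT distribution; a point estimate (min == max) is returned as-is."""
    if minimum == maximum:
        return minimum
    alpha, beta = beta_pert_params(minimum, most_likely, maximum, confidence)
    return minimum + rng.betavariate(alpha, beta) * (maximum - minimum)

def simulate_ale(freq, impact, trials=20000, seed=1, confidence="Average"):
    """Monte Carlo ALE = SLE x ARO; freq and impact are (min, most likely, max) estimates.
    Returns the sorted list of simulated annual losses, one per trial."""
    rng = random.Random(seed)  # fixed seed so a run can be reproduced and reviewed
    return sorted(beta_pert_sample(*freq, confidence, rng) * beta_pert_sample(*impact, confidence, rng)
                  for _ in range(trials))

def percentile(sorted_values, pct):
    """Value at or below which pct percent of the samples fall (nearest-rank method)."""
    rank = max(1, round(pct / 100 * len(sorted_values)))
    return sorted_values[rank - 1]

def percentile_table(sorted_values, pcts=(1, 10, 20, 50, 90, 99)):
    """The slides' percentile table as {pct: value}; the 50th percentile is the median."""
    return {p: percentile(sorted_values, p) for p in pcts}

if __name__ == "__main__":
    # Constructed estimates: 1 to 4 incidents a year (most likely 2) and a loss per
    # incident of $2,500 / $12,500 / $32,000, the range on the Monte Carlo slide.
    losses = simulate_ale(freq=(1, 2, 4), impact=(2500, 12500, 32000))
    for pct, value in percentile_table(losses).items():
        print(f"{pct:>2}% of simulated annual losses are <= ${value:,.0f}")
    print(f"mean ALE = ${sum(losses) / len(losses):,.0f}; median = ${percentile(losses, 50):,.0f}")
```

Because the loss distribution is skewed, the mean ALE lands above the median; the percentile table is what tells you how often the annual loss exceeds a budget line.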

The Beta Pert Calculator: Histogram

The Beta Pert Calculator: Cumulative Plot

SIRA

The Society of Information Risk Analysts
societyinforisk.org
@societyinforisk


The Mission of SIRA

Be a resource for practitioners who are exploring the most important management challenges facing their organizations

Help members discover how methods from other risk management disciplines can help them meet information risk challenges

Provide a forum where members can build meaningful, professional relationships that keep them at the top of their profession


Who is SIRA

SIRA membership is a blend of researchers, students, analysts, senior management & C-level talent in Information Security, Operational Risk, IT Risk Management, IT Audit & IT Compliance

SIRA members come from Finance, Technology, Consulting, Health Care & Higher Education from companies like Citi, RBS, Liberty Mutual, HP, EMC, KPMG, E&Y, Kaiser Health, Harvard & George Mason University


Participation in SIRA

563 active base members and over 30 paid members

Information & sharing via mailing list: http://lists.societyinforisk.org/mailman/listinfo/sira

Annual convention (SIRAcon)

Development of the IRMBOK (Information Risk Management Body of Knowledge)