TRANSCRIPT
Fundamentals Matter – A Brief Introduction to Risk Analysis for Information Security
Heather Goodnight, Partner; Patrick Florer, Partner
Cyber Breach Response Partners, LLC, October 2, 2015
@NTXISSA #NTXISSACSC3
Agenda
• Introductions
• Risk and the Risk Landscape
• Scales of Measurement: Qualitative vs. Quantitative
• Possibility and Probability
• Precision vs. Accuracy
• Data – Fit For Purpose
• Use Case: Data Breach
Headquartered in Dallas, TX
◦ Risk Centric Security founded in 2009
◦ Cyber Breach Response founded in 2015
Experienced Leadership Team
◦ Ponemon Institute RIM Council
◦ Distinguished Fellow, Ponemon Institute
◦ Director of Education, Society of Information Risk Analysts (SIRA)
◦ Guest Lecturer, SMU School of Engineering
◦ 20-35+ Years of Experience
Diverse Customer and Partner Community
◦ Multiple Vertical Markets
The Current State of Confusion ….
Cyber Breach Response Partners, LLC. Confidential and Proprietary . Copyright © Cyber Breach Response Partners, LLC. All rights reserved.
What Risk is (simple version)
Risk =
a frequency / likelihood of occurrence expressed quantitatively
and
an impact expressed quantitatively in $$$ or mission impairment
(ALE = SLE x ARO: Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence)
Qualitative Scales
Nominal/Categorical: HIGH - Red, MEDIUM - Orange, LOW - Green
Ordinal: First, Second, Third …
Interval: On a scale of …
@NTXISSA #NTXISSACSC3
Data Breaches
What is a data breach?
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual or group unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
Security Incidents vs Data Breaches?
NTX ISSA Cyber Security Conference – October 2-3, 2015 17
Types of Data Breaches
• Intellectual Property (IP)
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Credit / Debit Card Information
• Other Financial Data
• Other Personal Information
• Correlated Data
Frequency
Edwards et al. (WEIS 2015, Belgium):
• Frequency and size of breaches are not increasing
• ITRC sample is representative of all breaches
• Predictions of frequency for 2016
Ponemon Institute: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015:
• 40% of organizations had > 5 breaches in 2 years
Types of Attacks
Opportunistic attacks
Targeted attacks
Accidental exposures
Breach Costs
• Per record costs vs total cost per breach
• Correlation between number of records and per record costs – more records, lower costs per record
• Correlation between number of records and total breach costs – more records, higher total costs
Breach Costs
Whose costs?
• Breached entity?
• Employees?
• Shareholders?
• Insurers?
• Card brands?
• Issuing banks?
• Customers?
• Business partners?
• Consumers?
• Taxpayers (law enforcement costs)?
• Citizens / the public at large?
Breach Costs
Which costs?
Direct Costs:
• Crisis response: forensics, credit monitoring, notification, legal guidance / breach coach
• Legal defense, damages, settlements
• Regulatory defense, fines, and settlements
• PCI defense, fines, and settlements
Indirect Costs:
• Customer churn / brand damage / stock price
Cyber insurance payouts vs total costs
Sources for Breach Costs
NetDiligence: Cyber Claims studies
• Most recent report published September 30, 2015
• Reports on claims paid – not the same as total data breach costs
• Deductibles/retention, exclusions, limits, sub-limits, open/closed status, primary/secondary coverage all factor in
• Sample size is small: the study reports on approximately 5% of all claims from all insurers
• Median records = 2,300 / average records = 3.2M
• Median claim amount = $77K / average claim = $674K
Sources for Breach Costs
Ponemon Institute: 2015 Cost of Data Breach Study (US), May 2015 (10th edition):
• Benchmark study, not just a survey
• 62 US companies surveyed – breaches exposed between 5K and 100K records
• Results should NOT be used for mega breaches (specific disclaimer)
• $6.5M average total cost of breach
• $217 per record overall average
• Direct vs indirect = $74 (34%) vs $143 (66%)
• Approximately 2/3 of average per record cost is in indirect costs – this has been the case in the previous 5 studies
Sources for Breach Costs
Ponemon Institute: 2014 Cost of Cyber Crime Study (US), October 2014 (5th edition):
• 59 US companies surveyed / 544 interviews
• 138 attacks / 2.3 attacks per surveyed company per year
• $12.7M in annualized costs
Sources for Breach Costs
Ponemon Institute: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015:
• 90% of entities surveyed had at least 1 breach during previous 2 years
• 40% had more than 5 breaches
• Average cost > $2.1M for surveyed healthcare organizations; > $1M for business associates
Sources for Breach Costs
Verizon DBIR
• Forensics data – 70 organization contributors
• Analysis of NetDiligence cyber claims data using log / log approach and confidence intervals
• Assertion that claims paid = total cost of breach is FALSE
• $0.58 per record does not pass the sniff test
• Table of predicted costs by size of breach has such wide spreads as to be uninformative
Thank You!
Heather Goodnight
Patrick Florer
Cyber Breach Response Partners, LLC
214.828.1172
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you
”We don’t have enough data!” - Sources
Open Security Foundation: datalossdb and osvdb
http://www.opensecurityfoundation.org/
Office of Inadequate Security: http://www.databreaches.net/
Identity Theft Resource Center: http://www.idtheftcenter.org/
ISACA: www.isaca.org
ISSA: www.issa.org
”We don’t have enough data!” - Sources
Mitre Corporation: www.mitre.org
OWASP: http://owasp.com/index.php/Main_Page
Privacy Rights Clearing House: http://www.privacyrights.org/
SANS: www.sans.org
The Ponemon Institute: www.ponemon.org
”We don’t have enough data!” - Sources
Conference proceedings: Black Hat, RSA, Source Conferences, BSides
Internet tools:
Search engines: Google, Bing, Yahoo, Ask.com
Trend Analyzers:
Google trends: http://www.google.com/trends
Twitter Trends: www.trendistic.com
Amazon: http://www.metricjunkie.com/
”We don’t have enough data!” - Sources
Securitymetrics.org – mailing list
Society of Information Risk Analysts (SIRA)
Books:
• How to Measure Anything – Hubbard
• The Failure of Risk Management – Hubbard
• Risk Analysis: A Quantitative Guide – Vose
• Clinical Epidemiology and Biostatistics – Kramer
• Data-Driven Security: Analysis, Visualization and Dashboards – Jacobs and Rudis
How much data is enough data?
How do I get to the mall? vs. How do we build this?
Data from Calibrated Estimates
More often than you might think, the data we have to work with comes from Subject Matter Experts (SMEs).
How can we improve the accuracy of these SMEs – to a 90% confidence level?
With calibration.
Example: How much does an iPhone 5s weigh?
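Scoring a calibration exercise, as an added example (not code from the presentation or from Cyber Breach Response Partners). The scoring is the usual test for 90% confidence intervals: give the SME a set of questions with known answers, ask for a low/high pair they are 90% sure brackets the truth, then count how often it does. The questions, true answers and both SMEs' estimates below are constructed; a question such as the weight of an iPhone 5s would be scored the same way with the real figure as the truth.

```python
"""Score a 90% confidence-interval calibration exercise for an SME.

Added example, not code from the presentation. All questions, true
answers and SME estimates below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List

TARGET = 0.90  # the 90% confidence level the slide asks for


@dataclass(frozen=True)
class Estimate:
    question: str
    low: float    # SME's lower bound: "90% sure the answer is at least this"
    high: float   # SME's upper bound: "90% sure the answer is at most this"
    truth: float  # known answer, revealed only after the exercise


def is_hit(e: Estimate) -> bool:
    """The interval counts as a hit if it brackets the true value."""
    return e.low <= e.truth <= e.high


def hit_rate(estimates: Iterable[Estimate]) -> float:
    ests = list(estimates)
    if not ests:
        raise ValueError("need at least one estimate")
    return sum(is_hit(e) for e in ests) / len(ests)


def mean_width(estimates: Iterable[Estimate]) -> float:
    """Average interval width relative to the truth: a calibrated SME
    should hit ~90% with intervals as narrow as they can defend."""
    ests = list(estimates)
    return sum((e.high - e.low) / abs(e.truth) for e in ests) / len(ests)


def verdict(rate: float, n: int, target: float = TARGET) -> str:
    """Compare the observed hit rate with the target, allowing two
    binomial standard errors so sampling noise on a short quiz is not
    read as bias. Note the asymmetry: with 10 questions the upper band
    exceeds 100%, so under-confidence cannot be detected that way."""
    se = (target * (1.0 - target) / n) ** 0.5
    if rate < target - 2 * se:
        return "overconfident"   # intervals too narrow; widen them
    if rate > target + 2 * se:
        return "underconfident"  # intervals too wide; tighten them
    return "calibrated"


def score(estimates: List[Estimate]) -> dict:
    rate = hit_rate(estimates)
    return {"n": len(estimates), "hit_rate": rate,
            "mean_width": mean_width(estimates),
            "verdict": verdict(rate, len(estimates))}


def _build(rows):
    return [Estimate(f"q{i}", lo, hi, t) for i, (lo, hi, t) in enumerate(rows, 1)]


# Constructed: SME A gives narrow intervals and brackets the truth 5/10 times.
SME_A = _build([(10, 20, 25), (100, 120, 110), (1, 2, 3), (50, 60, 55),
                (0, 5, 7), (200, 250, 225), (30, 35, 40), (8, 9, 8.5),
                (1000, 1100, 900), (70, 80, 75)])
# Constructed: SME B widens where unsure and brackets the truth 9/10 times.
SME_B = _build([(5, 30, 25), (90, 130, 110), (0, 4, 3), (40, 70, 55),
                (0, 10, 7), (150, 300, 225), (25, 45, 40), (7, 10, 8.5),
                (800, 1200, 900), (70, 72, 75)])

if __name__ == "__main__":
    for name, sme in (("SME A", SME_A), ("SME B", SME_B)):
        print(name, score(sme))
```

The two extra numbers matter as much as the hit rate: the width figure shows whether an SME got to 90% honestly or just by making every interval enormous, and the standard-error band in `verdict` shows why ten questions is enough to catch overconfidence (5 of 10 hits is far below 90%) but not enough to prove calibration, which is why calibration training uses long question sets.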
Monte Carlo Simulation
The average = $12,500
The range is: $2,500 / $12,500 / $32,000 (minimum / most likely / maximum)
The distributions are: [distribution plots shown on the slide, not reproduced in the transcript]
The Beta Pert Calculator
Minimum:
What is the least or lowest (best or worst) numerical estimate that you believe to be reasonable? This will be the smallest number you come up with.
Most Likely:
What is the most likely or most probable numerical estimate in your opinion? This number must fall between the minimum and maximum. It may equal either the minimum or the maximum, but should not equal both
The Beta Pert Calculator
Maximum:
What is the greatest or highest (best or worst) numerical estimate that you believe to be reasonable?
Note that “best” or “worst” case estimates could be either minimum or maximum values, depending upon the scenario.
In a risk / loss exposure scenario, lower is better, so the minimum represents the lowest loss, or best outcome. The maximum represents the highest loss, or worst outcome.
In a sales or opportunity scenario, it’s the reverse: lower is not better, so the minimum represents the worst case. Higher is better, so the maximum represents the best case.
Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2014 Risk Centric Security, Inc . All rights reserved.
The Beta Pert Calculator
Confidence:
On a scale that includes “Very Low”, “Low”, “Average”, “High”, and “Very High”, how confident are you in the accuracy of your estimates?
This parameter controls the sampling around the most likely value, and thereby also controls the height of the histogram or slope of the cumulative plot.
For most analyses, using “Average” for the confidence parameter works well. In this instance, “Average” really means having no strong feeling about the matter – being evenly divided between under-confidence and over-confidence.
The Beta Pert Calculator
Percentile Tables
1% of values are <= 10,044 and 99% are > 10,044
10% of values are <= 11,120 and 90% are > 11,120
20% of values are <= 11,658 and 80% are > 11,658
50% of values are <= 13,025 and 50% are > 13,025
The 50th percentile has another name - it’s called the Median.
The Median is the mid-point in a list of values - half of the values in the list are less and half are greater than the Median.
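The calculator's percentile table and histogram, and the ALE = SLE x ARO definition from the risk slide, worked in code. This is an added example written for this page, not the Beta Pert Calculator's own code or anything from the presentation; it uses only the Python standard library. It takes the Monte Carlo slide's range ($2,500 / $12,500 / $32,000) as the single-loss input. The ARO range is constructed, and the mapping of the five confidence words onto the PERT shape parameter lambda is this example's assumption (only "Average" = 4 is the textbook PERT value). The percentile lines print in the same wording as the calculator's table; the numbers differ from the slide's because the slide's inputs are not given.

```python
"""Monte Carlo loss exposure from Beta PERT inputs, with a percentile table.

Added example, not the Beta Pert Calculator's code. Standard library only.
Assumed: the mapping of confidence words to PERT lambda below, and the ARO range.
"""
import random
from typing import Dict, List, Optional, Sequence, Tuple

# Assumed mapping. "Average" is the textbook PERT lambda of 4; the others are
# this example's choice, doubling the concentration around the mode per step.
CONFIDENCE_LAMBDA = {"Very Low": 1.0, "Low": 2.0, "Average": 4.0,
                     "High": 8.0, "Very High": 16.0}

Range = Tuple[float, float, float]  # (minimum, most likely, maximum)


def pert_params(r: Range, confidence: str = "Average") -> Tuple[float, float]:
    """Shape (alpha, beta) of the Beta on [0, 1] that, rescaled to
    [minimum, maximum], is the Beta PERT with its mode at 'most likely'."""
    low, mode, high = r
    if not (low <= mode <= high) or low == high:
        raise ValueError("need minimum <= most likely <= maximum, minimum < maximum")
    lam = CONFIDENCE_LAMBDA[confidence]
    return (1.0 + lam * (mode - low) / (high - low),
            1.0 + lam * (high - mode) / (high - low))


def pert_mean(r: Range, confidence: str = "Average") -> float:
    """Closed-form mean: (minimum + lambda * mode + maximum) / (lambda + 2)."""
    low, mode, high = r
    lam = CONFIDENCE_LAMBDA[confidence]
    return (low + lam * mode + high) / (lam + 2.0)


def sample_pert(r: Range, n: int, confidence: str = "Average",
                rng: Optional[random.Random] = None) -> List[float]:
    """n draws from the PERT; a fixed seed keeps runs reproducible."""
    rng = rng or random.Random(2015)
    low, _, high = r
    a, b = pert_params(r, confidence)
    return [low + (high - low) * rng.betavariate(a, b) for _ in range(n)]


def percentile(values: Sequence[float], p: float) -> float:
    """Nearest-rank p-th percentile (0 < p <= 100)."""
    s = sorted(values)
    return s[min(len(s) - 1, max(0, int(round(p / 100.0 * len(s))) - 1))]


def percentile_table(values: Sequence[float],
                     pcts: Sequence[int] = (1, 10, 20, 50, 80, 90, 99)) -> Dict[int, float]:
    """Same reading as the calculator's table: p% of values are <= result."""
    return {p: percentile(values, p) for p in pcts}


def simulate_ale(sle: Range, aro: Range, n: int = 20000,
                 confidence: str = "Average", seed: int = 2015) -> List[float]:
    """ALE = SLE x ARO per trial, each factor drawn from its own PERT."""
    rng = random.Random(seed)
    sles = sample_pert(sle, n, confidence, rng)
    aros = sample_pert(aro, n, confidence, rng)
    return [s * a for s, a in zip(sles, aros)]


def text_histogram(values: Sequence[float], bins: int = 10, width: int = 40) -> List[str]:
    """Counts per equal-width bin rendered as '#' bars (the calculator's histogram)."""
    lo, hi = min(values), max(values)
    span = (hi - lo) or 1.0
    counts = [0] * bins
    for v in values:
        counts[min(bins - 1, int((v - lo) / span * bins))] += 1
    peak = max(counts)
    return [f"{lo + i * span / bins:>12,.0f} | " + "#" * (c * width // peak)
            for i, c in enumerate(counts)]


if __name__ == "__main__":
    sle = (2500.0, 12500.0, 32000.0)  # the slide's range for a single loss
    aro = (0.5, 2.0, 5.0)             # constructed: events per year
    losses = sample_pert(sle, 20000)
    print(f"PERT mean of the slide's range: {pert_mean(sle):,.0f}")
    for p, v in percentile_table(losses).items():
        print(f"{p:>2}% of values are <= {v:,.0f} and {100 - p}% are > {v:,.0f}")
    print("\n".join(text_histogram(losses)))
    ale = simulate_ale(sle, aro)
    print(f"ALE median: {percentile(ale, 50):,.0f}  ALE 90th percentile: {percentile(ale, 90):,.0f}")
```

Two things the output makes visible that the slide's single "average" does not: with the slide's range the PERT mean is about $14,100, above the $12,500 most likely value, because the range is skewed to the right, and the median (50th percentile) lands between the two. Raising the confidence parameter narrows the 10th-to-90th percentile spread without moving the minimum or maximum, which is exactly what the calculator's "sampling around the most likely value" wording describes.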
The Beta Pert Calculator
Histogram
The Beta Pert Calculator
Cumulative Plot
The Mission of SIRA
Be a resource for practitioners who are exploring the most important management challenges facing their organizations
Help members discover how methods from other risk management disciplines can help them meet information risk challenges
Provide a forum where members can build meaningful, professional relationships that keep them at the top of their profession
Who is SIRA
SIRA membership is a blend of researchers, students, analysts, senior management & C-level talent in Information Security, Operational Risk, IT Risk Management, IT Audit & IT Compliance
SIRA members come from Finance, Technology, Consulting, Health Care & Higher Education from companies like Citi, RBS, Liberty Mutual, HP, EMC, KPMG, E&Y, Kaiser Health, Harvard & George Mason University
Participation in SIRA
563 active base members and over 30 paid members
Information & sharing via mailing list:
http://lists.societyinforisk.org/mailman/listinfo/sira
Annual convention (SIRAcon)
Development of the IRMBOK (Information Risk Management Body of Knowledge)