Return On Security Investment

Taz Daughtrey, Becky Neary
James Madison University
EDUCAUSE Security Professionals Workshop
May 18, 2004

Copyright Taz Daughtrey 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.



Return On Security Investment

Taz Daughtrey, Associate Director
Becky Neary, Student Assistant

Institute for Infrastructure and Information Assurance
www.jmu.edu/iiia
James Madison University
Harrisonburg, Virginia

Return On Security Investment

ASSETS

THREATS

VULNERABILITIES

COUNTERMEASURES

INVESTMENTS

EVALUATION


Achieving Security Objectives

CONFIDENTIALITY: Preserving authorized restrictions on access and disclosure.

INTEGRITY: Guarding against improper modification or destruction.

AVAILABILITY: Ensuring timely and reliable access and use.

FIPS PUBLICATION 199, Standards for Security Categorization of Federal Information and Information Systems

Not Achieving Security: Consequences

A loss of confidentiality is the unauthorized disclosure of information.

A loss of integrity is the unauthorized modification or destruction of information.

A loss of availability is the disruption of access to or use of information or an information system.

FIPS PUBLICATION 199, Standards for Security Categorization of Federal Information and Information Systems

Return On Investment = Return / Investment

ROI = Benefit / Cost

"How much to spend?" "Where to spend it?"

Return On Security Investment

Risk Management

Risk Exposure = Probability of occurrence × Consequence of occurrence

Risk Management

Risk Avoidance: reducing probability of occurrence

Risk Mitigation: reducing consequence of occurrence

Risk Avoidance

Risk Exposure = Probability of occurrence × Consequence of occurrence

[Diagram: Risk Exposure before Risk Avoidance and after Risk Avoidance; the probability-of-occurrence term is reduced.]

Risk Mitigation

Risk Exposure = Probability of occurrence × Consequence of occurrence

[Diagram: Risk Exposure before Risk Mitigation and after Risk Mitigation; the consequence-of-occurrence term is reduced.]

Return On Investment = Return / Investment

ROSI = Reduction in Risk Exposure / Investment in Countermeasures
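A worked example of the two formulas above (Risk Exposure = Probability of occurrence × Consequence of occurrence; ROSI = Reduction in Risk Exposure / Investment in Countermeasures), added here and not part of the original presentation. The dollar figures are the ones the slides quote for a $100,000 up-front review versus a $350,000 to $500,000 emergency response; the probabilities and the $50,000 retainer cost are constructed assumptions chosen only to show the arithmetic.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """Risk Exposure = Probability of occurrence x Consequence of occurrence."""
    probability: float  # chance the loss event occurs in the period (0..1)
    consequence: float  # cost if it does occur, in dollars

    def exposure(self) -> float:
        return self.probability * self.consequence

    def avoid(self, new_probability: float) -> "Risk":
        """Risk Avoidance: reduce the probability, consequence unchanged."""
        return Risk(new_probability, self.consequence)

    def mitigate(self, new_consequence: float) -> "Risk":
        """Risk Mitigation: reduce the consequence, probability unchanged."""
        return Risk(self.probability, new_consequence)


def rosi(before: Risk, after: Risk, investment: float) -> float:
    """ROSI = Reduction in Risk Exposure / Investment in Countermeasures."""
    if investment <= 0:
        raise ValueError("investment in countermeasures must be positive")
    return (before.exposure() - after.exposure()) / investment


# Constructed scenario (assumption): left alone, the incident has a 40% chance
# of occurring in the year and costs $500,000 in emergency response, the upper
# figure quoted on the slide.
BASELINE = Risk(probability=0.40, consequence=500_000)

# Option A: the slide's $100,000 up-front review, assumed to cut the chance of
# the incident to 5% (risk avoidance: the probability term shrinks).
REVIEW_COST = 100_000
AFTER_REVIEW = BASELINE.avoid(new_probability=0.05)

# Option B (constructed): a $50,000 incident-response retainer assumed to hold
# the response cost to the slide's lower figure of $350,000 (risk mitigation:
# the consequence term shrinks).
RETAINER_COST = 50_000
AFTER_RETAINER = BASELINE.mitigate(new_consequence=350_000)

if __name__ == "__main__":
    print(f"baseline exposure: ${BASELINE.exposure():,.0f}")  # $200,000
    print(f"ROSI of review:    {rosi(BASELINE, AFTER_REVIEW, REVIEW_COST):.2f}")  # 1.75
    print(f"ROSI of retainer:  {rosi(BASELINE, AFTER_RETAINER, RETAINER_COST):.2f}")  # 1.20
```

Both options return more than they cost in expected terms, which is the "how much to spend" question; comparing the two ratios is the "where to spend it" question.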

COST OF SECURITY

Costs of achieving security / Costs of not achieving security

Prevention

Appraisal

Detection

Containment

Recovery

Remediation

Pay me now, or pay me later

"A small security review up front might cost $100,000, while an emergency response to an incident after the fact could run $350,000 to $500,000."

Return on Security Investment

breaches

exploited vulnerability

known vulnerabilities: exploited / unexploited

According to one study, last year …

known vulnerabilities = 2437

exploited = 50 (2%)

According to another source …

known vulnerabilities = 4200

exploited = 16 (less than half of 1%)

"How much to spend?" "Where to spend it?"

Return On Security Investment

Conclusion

We all face a real and growing threat to our critical infrastructures

Best defensive approaches combine attention to cyber and physical aspects

Significant achievements can be orchestrated through collaborations

Return On Security Investment

Taz Daughtrey
James Madison University

540 568 2778

[email protected]@jmu.edu