Title: Jason Zeigler
Slide 1: Group 1
- Jason Zeigler
- Cherelyn Green
- Brian Eddy
- Aaron Phillips
Slide 2: Introduction
- Objectives
  - Use risk assessment methods to estimate security investments.
  - Categorize risks in the Risk Assessment Cube.
  - Calculate an expected loss.
  - Optimize return on investment for security.
  - Create a complete organizational profile.
Slide 3: Importance of Risk Assessment
- What is Risk Assessment?
  - A step in the risk management process that identifies risk factors in order to avoid incidents.
  - Gets the attention of management officials.
- A Basic Requirement of ISO 17799
  - ISO 17799 is an international standard for best practices in information security.
Slide 4: Importance of Risk Assessment
- Raises the Status of Information Security Budgets
  - Difficult to get funding (competing business priorities).
  - Application of risk management techniques to IT investments (expensive servers, software, etc.).
Slide 5: Importance of Risk Assessment
- Assess the Expected Average Cost of a Loss
  - The expected value concept helps make decisions about the financial impact of an outcome (theft of trade secrets, network intrusion).
- Expected Cost
  - A model used to assess and justify investments in digital security.
- Marginal Cost
  - Used to estimate the worth of incremental security investments.
Slide 6: Risk Assessment Cube
- A cube that provides structure for categorizing risks along three dimensions:
  1) The probability of an incident (0-100, rare to common)
  2) Severity of the outcome or loss (direct and indirect financial impacts, ranging from low to high)
  3) Duration of impact (from incidents that are contained to those that extend over time)
Slide 7: EXPECTED LOSS VALUE ESTIMATIONS
Slide 8: Expected Loss Computation
- The expected value of either a gain or a loss is used extensively to evaluate the consequences of business decisions during a particular time segment, usually one year.
- Expected loss = (Amount of loss) × (Probability of loss)
- Two incidents on pg. 68
- A benefit of the expected loss method is the ability to standardize the costs of incidents for comparison purposes.
- Businesses commonly apply this expectation principle when they invest in door locks, alarm systems, and safety devices to protect against loss from break-in, fire, casualty, and legal liability.
Slide 9: Marginal Cost-Benefit Analysis: An Application of Expected Value
- The issue of industry standards and defenses against negligence was addressed by Judge Learned Hand in 1947. He outlined his standard for negligence and liability based on the economic model of marginal cost-benefit analysis in his decision in US v. Carroll Towing Company (2d Cir. 1947).
- According to marginal analysis, the firm is negligent if and only if the marginal costs of safeguards are greater than the marginal benefits of those safeguards.
- The expected value method is used to calculate expected costs and benefits.
- Expected cost or benefit = (Probability of a security breach) × (Avg. expected loss or benefit)
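The expected-loss formula of slide 8 and the marginal comparison of slide 9, worked through in code. This is an added example, not material from the slides or the textbook they summarize; the incidents, probabilities, loss figures and the safeguard's residual probabilities are constructed for illustration.

```python
"""Expected loss and marginal cost-benefit analysis (added example; not from the
slides). Incident figures below are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Incident:
    name: str
    annual_probability: float   # probability of at least one occurrence per year (0-1)
    loss: float                 # loss in dollars if it occurs

    def expected_loss(self) -> float:
        # Slide 8: Expected loss = (Amount of loss) x (Probability of loss)
        return self.loss * self.annual_probability


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    # Assumed: residual annual probability for each incident once the safeguard is in place.
    residual_probability: dict[str, float]

def marginal_benefit(incidents: list[Incident], safeguard: Safeguard) -> float:
    """Reduction in annual expected loss attributable to the safeguard."""
    before = sum(i.expected_loss() for i in incidents)
    after = sum(i.loss * safeguard.residual_probability.get(i.name, i.annual_probability)
                for i in incidents)
    return before - after

def is_justified(incidents: list[Incident], safeguard: Safeguard) -> bool:
    """Slide 9 comparison: the safeguard pays for itself when its marginal
    benefit (avoided expected loss) exceeds its marginal (annual) cost."""
    return marginal_benefit(incidents, safeguard) > safeguard.annual_cost

# Constructed figures (not the two pg. 68 incidents referenced on slide 8).
INCIDENTS = [
    Incident("customer database theft", 0.05, 400_000),   # rare, severe
    Incident("web server defacement", 0.30, 20_000),     # common, moderate
]
DLP_CONTROL = Safeguard("outbound data loss prevention", 12_000,
                        {"customer database theft": 0.01})

if __name__ == "__main__":
    total = sum(i.expected_loss() for i in INCIDENTS)
    print(f"annual expected loss: ${total:,.0f}")
    print(f"marginal benefit of {DLP_CONTROL.name}: ${marginal_benefit(INCIDENTS, DLP_CONTROL):,.0f}")
    print("justified" if is_justified(INCIDENTS, DLP_CONTROL) else "not justified")
```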
Slide 10: Balancing Expected Loss with the Cost of Security Defenses
- Expected losses from an incident can be a benchmark for investments in defenses against it. There are several standard methods for managing business risk.
- Three common approaches:
  - Try to mitigate the loss by implementing preventative measures.
  - Transfer the risk to another party by outsourcing the secure management of a network, mission-critical databases, or e-commerce application.
  - Transfer the remaining risk using insurance.
Slide 11: CHALLENGES IN ESTIMATING LOSS OF DIGITAL ASSETS
Slide 12: Intangible Assets
- Digital assets are intangible, so their value may only become fully understood in the actual event of loss.
- Example: one of the most valuable business assets is the information maintained in the customer database.
Slide 13: Replication Increases Exposure and Probability of a Loss
- Physical assets tend to exist in only one place and therefore need to be protected in only one instance.
- Ironically, one of the ways to protect digital assets is to retain multiple backup copies.
- The adoption of client-server and distributed computing architectures has created an environment in which documents are stored on many networked devices.
Slide 14: Outsourcing Places Data and Documents Out of Control
- If business operations are outsourced or conducted in cooperation with a business partner, valuable information often must reside on networks that lie outside of organizational control.
- This creates a situation in which one is reliant on the efforts of that partner to protect the shared asset. This practice is very widespread.
Slide 15: Knowledge Assets are Difficult to Replace
- Digital assets may have direct monetary value, like a bank account balance, or indirect value, derived from their associated knowledge or goodwill.
- The information most commonly resident on computers and networks is structured data. Structured data is expressed as numbers with defined attributes. (Figure 5.4, pg. 71)
- It is now common to capture and store unstructured information through the use of what is known as Knowledge Management (KM).
- KM assets are much harder to identify, inventory, and replace if lost.
Slide 16: Mission-Critical Software Applications
- Beyond data and knowledge, customized software can have significant value.
- If a business has made a major investment in a proprietary customer contact application, that asset could be exposed in two ways:
  - It provides a competitive advantage.
  - An employee or hacker could disable it.
- Therefore, such an asset has value not only from the point of view of development costs but also from the expected loss of revenue if it were sabotaged.
Slide 17: Denial of Service Risk
- Often the most direct economic impact of a digital attack is the significant loss of productivity that can result from even the more benign forms of malware.
- Worms like Code Red did not actually destroy data; rather, they paralyzed networks and services through self-replication, creating enormous network traffic jams that made it impossible for legitimate traffic to get through.
Slide 18: Valuation of Digital Assets and Risks
Slide 19: Valuation of Digital Assets and Risks
- There are two main ways to assign economic value to digital assets: impact on revenue and loss prevention.
- Software Assets: The main risk is not the loss of the software but the loss of its usage while the software is restored. The potential loss is estimated by tracking the average revenue generated by the Website per hour. The average is then multiplied by downtime. Other software products are designed to enhance productivity. Expected loss is calculated by taking the percentage of production increase over the downtime.
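The two software-asset valuations above (revenue per hour × downtime for a revenue-generating site; the productivity increase taken over the downtime for a productivity tool), then multiplied by the probability of the outage as on slide 8. This is an added example, not from the slides; the assets, the hourly labour cost and productivity-gain inputs used to price the productivity tool, and the outage scenario are all constructed assumptions.

```python
"""Valuing software assets by lost usage during downtime (added example; not
from the slides). All figures are constructed."""
from dataclasses import dataclass

@dataclass
class RevenueSite:
    """Slide 19: loss = (average revenue per hour) x (hours of downtime)."""
    name: str
    avg_revenue_per_hour: float

    def downtime_loss(self, downtime_hours: float) -> float:
        return self.avg_revenue_per_hour * downtime_hours

@dataclass
class ProductivityTool:
    """Slide 19: loss is the productivity increase the tool provides, taken over the downtime.
    Assumed inputs: hourly cost of the staff who depend on the tool and the fraction of
    productivity the tool adds (these are not specified on the slide)."""
    name: str
    users: int
    hourly_labour_cost: float
    productivity_gain: float    # e.g. 0.20 means the tool makes users 20% more productive

    def downtime_loss(self, downtime_hours: float) -> float:
        return self.users * self.hourly_labour_cost * self.productivity_gain * downtime_hours

def expected_downtime_loss(asset, downtime_hours: float, annual_probability: float) -> float:
    """Slide 8 applied to the downtime figure: expected loss = amount x probability."""
    return asset.downtime_loss(downtime_hours) * annual_probability

# Constructed assets and a constructed outage scenario.
SHOP = RevenueSite("online storefront", avg_revenue_per_hour=2_500.0)
CRM = ProductivityTool("customer contact application", users=40,
                       hourly_labour_cost=45.0, productivity_gain=0.20)
OUTAGE_HOURS = 8.0          # time to restore the application from backup
OUTAGE_PROBABILITY = 0.25   # chance of such an outage in a given year

if __name__ == "__main__":
    for asset in (SHOP, CRM):
        loss = asset.downtime_loss(OUTAGE_HOURS)
        exp = expected_downtime_loss(asset, OUTAGE_HOURS, OUTAGE_PROBABILITY)
        print(f"{asset.name}: loss per outage ${loss:,.0f}, annual expected loss ${exp:,.0f}")
```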
Slide 20: Digital Assets, cont.
- Knowledge Assets: It is the unique knowledge and data within an organization that creates value at risk. The danger lies in what the attackers do with the information, as the information lost may include trade secrets, customer lists, or sensitive partner data. The knowledge may be used by competitors or as the basis for litigation.
- Goodwill: Goodwill is the accumulation of knowledge, experience, public image, and the body of customer relationships the firm has developed over its lifetime. The more reliant the firm is on technology to manage its knowledge and face its markets, the more vulnerable goodwill is to digital assault. Goodwill is important for customer peace of mind; therefore it should figure into the DLM investment model.
Slide 21: Sources of Information for Risk Estimations
- Research and Consulting Firms: Firms such as CSI, the FBI, and CERT release information, reports, and surveys with detailed breakdowns of industries, types of attack, magnitude of loss, and other important information.
- InfraGard: An alliance of the public and private sectors formed by the FBI to share knowledge and coordinate defenses against cyber terror.
Slide 22: Sources of Information for Risk Estimations
- Technical Tools: Firewalls, intrusion detection technology, and network administration tools keep detailed logs of activity. Analysis of these logs can provide insight into the frequency and nature of attacks.
- Business Partners and Industry Groups: Business partners may provide their experience and expertise in an attempt to coordinate security around common data and processes.
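Turning the "technical tools" source into numbers for the probability axis of the Risk Assessment Cube: parse intrusion-detection log lines, count events by attack type, annualise the rate over the observation window, and convert the rate into a probability of at least one incident per year. This is an added example, not from the slides; the log format and every log line are constructed, and the Poisson conversion is an assumption the slides do not make.

```python
"""Turning technical-tool logs into attack-frequency estimates (added example;
not from the slides). The log lines are constructed, in a simplified IDS-style format."""
import math
import re
from collections import Counter
from datetime import datetime

# Constructed sample: "<ISO timestamp> <severity> <signature> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T02:14:07 HIGH sql_injection_attempt src=198.51.100.23
2024-03-01T02:14:09 HIGH sql_injection_attempt src=198.51.100.23
2024-03-03T11:02:55 LOW  port_scan src=203.0.113.9
2024-03-05T19:30:41 MED  brute_force_login src=198.51.100.77
2024-03-09T08:12:13 LOW  port_scan src=203.0.113.10
2024-03-14T22:45:00 HIGH sql_injection_attempt src=198.51.100.45
2024-03-21T04:01:31 MED  brute_force_login src=198.51.100.77
2024-03-28T13:20:12 LOW  port_scan src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(HIGH|MED|LOW)\s+(\S+)\s+src=(\S+)$")

def parse_events(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole analysis
        ts, sev, sig, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "severity": sev,
                       "signature": sig, "src": src})
    return events

def attack_frequency(events: list[dict], window_days: int) -> dict[str, float]:
    """Events per attack type, annualised over the observation window (365/window)."""
    counts = Counter(e["signature"] for e in events)
    scale = 365 / window_days
    return {sig: n * scale for sig, n in counts.items()}

def probability_of_at_least_one(annual_rate: float) -> float:
    """Poisson approximation (assumed): P(>=1 event in a year) = 1 - e^(-rate).
    This is the 'probability of an incident' input to the Risk Assessment Cube."""
    return 1 - math.exp(-annual_rate)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for sig, rate in sorted(attack_frequency(evs, 28).items()):
        print(f"{sig:24s} {rate:6.1f}/yr  P(>=1)={probability_of_at_least_one(rate):.2f}")
```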
Slide 23: Symantec's Internet Security Threat Report
- According to Symantec's Internet Security Threat Report, banking and utilities are the most at-risk sectors for attack by malicious code. Both industries have the finances to protect their systems, and the most to lose if they don't.
- Symantec recorded an average of 987 attacks per company in the power and energy sector. Nonprofit organizations had an average of 869 attacks per company; telecoms had 845; high-tech had 753; banking and finance had 689.
- In terms of severity, the top three were power and energy, banking and finance, and nonprofit.
Slide 24: Overall Risk Evaluation
Slide 25: Overall Risk Evaluation
- Assess the Current Situation
  - Digital Liability Model
  - People, Process, and Security Policies vs. Technology
  - Key to Success
- Policy and Process Perspective
  - The effectiveness of the policy and auditing tools for managing and mitigating risk needs to be tested. All policy documents related to information security, such as the AUP, should be examined for completeness, clarity, and compliance as part of the audit. Audit results can make the policy far more defensible if it becomes evidence in a legal action. Other policies that are usually included pertain to privacy, outsourcing of processes that involve sensitive data, password maintenance, and remote access to company networks.
- Testing Awareness
  - Gauges the effectiveness of current training and documentation efforts.
  - Strong policies combined with weak readers still result in viruses.
Slide 26: Overall Risk Evaluation
- Organizational Perspective
  - Assigning responsibility for DLM-related issues is also a part of the picture. This can be a problem in larger firms where this responsibility has become fragmented. It is not uncommon to have a network administrator and a network security administrator, with the latter reporting to the former. This aligns well organizationally but weakens DLM responsibilities.
  - Regardless of whether or not responsibility for network security and physical security is combined in the organization, the two are interrelated and should be assessed together.
  - Example: Microsoft servers, pg. 77 (gray area).
Slide 27: Overall Risk Evaluation
- Audits with Trading Partners/Customers
  - If business operations demand network connections to partners and customers, then their levels of information security are equally important. Some larger concerns may require and subsidize an audit and enhancements to the security infrastructure to meet their standards.
  - A proper assessment can only come with the help of a complete audit of the current security infrastructure using a reputable and qualified third party. So why the third party?
  - Some companies stage an unannounced attack using known hacker methods or white hat hackers hired for the purpose. White hat hackers are ethical hackers who search for weaknesses in computer systems or business applications. This may include the introduction of malware, such as backdoors or benign viruses, to test whether they are detected by the defensive technology.
Slide 28: Summary
- Security needs to be managed.
- Security programs are underfunded because most enterprises do not know what they have to lose and do not appreciate all the ways they can lose it.
- The key is to properly identify and quantify all value at risk by creating a risk exposure profile.
- An estimate of loss can be made on the basis of a justifiable DLM budget.
- Awareness on the part of IT people can optimize the return on security investments.
- Overall security depends on balancing cost and risk through the appropriate use of both technology and policy.
Slide 29: QUESTIONS??