Isaca houston presentation 12 4 12
Deconstructing the Cost of a Data Breach - What you should consider when thinking about how much it will cost if you experience a data breach

    Presentation Transcript

    • Risk Centric Security, Inc. www.riskcentricsecurity.com
      Authorized reseller of ModelRisk from Vose Software
      Risk Analysis for the 21st Century®
      Risk Centric Security, Inc. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc. All rights reserved.
    • Risk Centric Security offers state-of-the-art SaaS tools and training that empower Information Security Professionals to perform credible, defensible, and reproducible risk and decision analyses, and to articulate the results and relevance of these analyses in language that business counterparts will understand. Risk Centric Security was founded by two Information Technology and Information Security veterans who have almost fifty years of combined experience providing solutions to complex problems for smaller companies as well as for companies in the Fortune 1000.
    • Deconstructing the cost of a data breach:
      - Data breaches can involve many types of data.
      - Data breaches can involve many types of costs.
      - The costs of a data breach can range from zero to more than $170 million.
      - There may be patterns and correlations in the data that will help us predict the impact of a data breach.
      - Q&A
    • Operational Data; Intellectual Property; Financial Information; Personally Identifiable Information (PII); Protected Health Information (PHI)
    • Personally Identifiable Information (PII):
      - According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive.
      - Geo-location data?
      - Was the Epsilon breach a “breach”? Have there been other “non-breach” breaches?
      - Given the powerful correlations that can be made, are these definitions too narrow?
    • Costs that we should be able to discover and/or estimate:
      - Lost productivity
      - Incident response and forensics costs
      - Costs of replacing lost or damaged hardware, software, or information
      - Public relations costs
      - Legal costs
      - Costs of sending letters to notify customers and business partners
      - Costs of providing credit monitoring
      - Fines from governmental action (HIPAA/HITECH, FTC, State Attorneys General, etc.)
    • Ponemon Institute 2011 Cost of Data Breach Study: United States
      - 49 companies surveyed, multiple people per company.
      - Breach sizes ranged from 5K – 100K exposed records.
      - Participants estimated the minimum and maximum amounts for a number of costs, from which the mid-point value was selected.
      - According to some legal experts, Ponemon Institute numbers are the “gold” standard in the Federal Courts.
      - The raw data are published in the report appendix.
    • In the 2011 report:
      - Overall weighted average per record = $194 (down from $214 in 2010)
      - Overall average total = $5.5 M (down from $7.2M in 2011)
      - Minimum total cost = $566 K
      - Median total cost = $4.5 M
      - Maximum total cost = $20.9 M
    • Ponemon Institute 2012 Cost of Cyber Crime Study: United States
      - 56 organizations surveyed, each with > 1,000 seats.
      - Costs were due to cyber crime only; no errors or accidental exposures.
      - 4-week study period extrapolated to 52 weeks.
      - The 56 organizations in the study experienced 102 cyber attacks per week, i.e. 1.8 attacks each per week.
      - Annualized costs per company ranged from $1.4M to $46M, with the average = $8.9M and the median = $6.2M.
      - The average attack took 24 days to resolve and cost $592K.
    • Net Diligence 2012 Cyber Liability & Data Breach Insurance Claims study:
      - 137 events between 2009 and 2011; claims data were provided by underwriters.
      - Average cost per breach = $3.7 million.
      - Payouts were net of deductibles/retentions, which ranged from $50K to $1M.
      - Report breaks out many types of costs: Crisis services, Legal Defense, Legal Settlements.
      - Cyber insurance does not reimburse for “soft” costs like lost customers, brand damage, and lost stock value.
    • Measured on a per-record basis, the cost per record declines as the size of the breach increases. Measured on a total cost basis, the total cost increases as the number of exposed records increases. Both of these correlations are weak.
    • Normal Copula Correlation: Variable 1 = records, Variable 2 = Total Cost
    • Model breach cost by size of breach, using a scale that is logarithmic (mostly):
      - <5K records
      - 5K – 100K records
      - 100K – 1M records
      - 1M – 10M records
      - 10M – 100M records
      - >100M records
    • We have covered many topics today. To summarize: breaches can involve many types of data.
      - To date, most reported breaches deal with PII, PHI, and credit card data.
      - For many of these breaches, the number of records exposed is not reported, often because the number is unknown.
      - Intellectual property breaches are seldom reported, possibly because they are so difficult to detect.
    • Breaches involve many types of costs.
      - In the largest credit card breaches, the majority of costs are due to settlements with the card brands.
      - A PHI breach may result in fines that seem disproportionate to the number of records exposed.
      - Per-record metrics are appropriate for some types of breaches (PII, PHI, CCard), but not others (IP).
      - Brand damage and loss of stock value are difficult to measure, and, in some cases, do not appear to exist.
    • The costs of a data breach can range from nothing to over $170 million.
      - Breaches that are never detected cost nothing; nothing that can be measured, at least.
      - Per the numbers from the 2011 Ponemon Institute Cost of Breach study, there is a wide variation in total breach cost: from $500K to over $20 million.
      - For breaches that expose more than 1 million records, the reported costs per record vary greatly, ranging from as little as $0.90 (HPS) per record to as much as $80 per record (GP).
    • There may be patterns in the data that can help us predict the cost of a breach, should it happen to us.
      - The numbers of records exposed in reported breaches appear to follow a lognormal distribution.
      - Although the correlations are not strong, total costs increase and per-record costs decrease as the number of exposed records increases.
      - As breach size increases, some costs appear to scale more than others: forensics = less, notifications = more, credit monitoring = more, fines & judgments = more, customer loss = unknown.
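    As an added example that is not part of the deck: a small Python model that draws breach sizes from a lognormal distribution, places each draw in the log-scale size buckets from the "Model breach cost by size of breach" slide, and builds total cost from components that scale differently with record count, so that per-record cost falls while total cost rises with breach size, as the summary above describes. All cost coefficients, exponents and the lognormal parameters are constructed assumptions, not Ponemon or Net Diligence figures.

```python
import math
import random
from statistics import median

# Log-scale size buckets from the "Model breach cost by size of breach" slide.
BUCKETS = [("<5K", 0, 5_000), ("5K-100K", 5_000, 100_000),
           ("100K-1M", 100_000, 1_000_000), ("1M-10M", 1_000_000, 10_000_000),
           ("10M-100M", 10_000_000, 100_000_000), (">100M", 100_000_000, math.inf)]

# Constructed cost components (illustrative, not survey data):
# cost = coefficient * records ** exponent.  An exponent below 1 means the
# component grows more slowly than the breach (the deck's "forensics = less");
# an exponent of 1 means one unit of cost per exposed record.
COMPONENTS = {
    "forensics":         (2_000.0, 0.50),
    "notification":      (1.50, 1.00),
    "credit_monitoring": (10.00, 1.00),
    "fines_judgments":   (50.0, 0.90),
}

def bucket_of(records):
    """Return the slide's bucket label for a non-negative record count."""
    for label, lo, hi in BUCKETS:
        if lo <= records < hi:
            return label
    raise ValueError("record count must be non-negative")

def component_costs(records):
    """Cost of each component in USD for a breach exposing `records` records."""
    return {name: coef * records ** exp for name, (coef, exp) in COMPONENTS.items()}

def total_cost(records):
    return sum(component_costs(records).values())

def per_record_cost(records):
    return total_cost(records) / records

def simulate(n=10_000, mu=math.log(50_000), sigma=2.0, seed=1):
    """Monte Carlo: draw lognormal breach sizes (mu/sigma are constructed) and
    summarise median total and per-record cost within each size bucket."""
    rng = random.Random(seed)
    draws = {label: [] for label, _, _ in BUCKETS}
    for _ in range(n):
        records = max(1, round(rng.lognormvariate(mu, sigma)))
        draws[bucket_of(records)].append(records)
    return {label: {"n": len(rs),
                    "median_total": median(total_cost(r) for r in rs),
                    "median_per_record": median(per_record_cost(r) for r in rs)}
            for label, rs in draws.items() if rs}

if __name__ == "__main__":
    for label, stats in simulate().items():
        print(f"{label:>9}: n={stats['n']:5d} total=${stats['median_total']:>14,.0f}"
              f" per-record=${stats['median_per_record']:.2f}")
```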
    • Operational Data:
      - Unpublished phone numbers
      - Private email addresses
      - HR data about employees
      - Passwords and login credentials
      - Certificates
      - Encryption keys
      - Tokenization data
      - Network and infrastructure data
    • Intellectual Property:
      - Company confidential information
      - Financial information
      - Merger, acquisition, divestiture, marketing, and other plans
      - Product designs, plans, formulas, recipes
    • Financial information:
      - Credit / debit card data
      - Bank account and transit routing data
      - Financial trading account data
      - ACH credentials and data
    • Personally Identifiable Information (PII): A term similar to PII, "personal data", is defined in EU directive 95/46/EC, for the purposes of the directive, Article 2a: personal data shall mean any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. (from wikipedia.com)
    • PHI that is linked based on the following list of 18 identifiers must be treated with special care according to HIPAA:
      - Names
      - All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
      - Dates (other than year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
      - Phone numbers
    • Protected Health Information (PHI), continued:
      - Fax numbers
      - Electronic mail addresses
      - Social Security numbers
      - Medical record numbers
      - Health plan beneficiary numbers
      - Account numbers
      - Certificate/license numbers
      - Vehicle identifiers and serial numbers, including license plate numbers
      - Device identifiers and serial numbers
      - Web Uniform Resource Locators (URLs)
      - Internet Protocol (IP) address numbers
      - Biometric identifiers, including finger, retinal and voice prints
      - Full face photographic images and any comparable images
      - Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
    • How to value? Fair Market Value; Cost to Create; Historical Value.
      Methodologies:
      - Cost Approach: Reproduction or Replacement
      - Market Approach
      - Income Approach
      - Relief from Royalty Approach
      - Technology Factor
    • Thank you!
      Heather Goodnight, President and Co-founder, 214.405.5789
      Patrick Florer, CTO and Co-founder, Risk Centric Security, Inc, patrick@riskcentricsecurity.com, 214.828.1172
      Risk Analysis for the 21st Century®
      Authorized reseller of ModelRisk from Vose Software