4 b. thomas whipp presentation

  • Thinking about offending; thinking about control. Why do people behave differently online? Are we going in the wrong direction sometimes?
  • Rational choice: an evaluation of risk and return. How much will I get? How likely am I to be caught? How large is the punishment? Uses: a good model for planned offences, typically acquisitive in nature; largely fails to explain expressive offences.
  • Routine activity: a good model for "drive by" acts. Suitable target, motivated offender, lack of a capable guardian. Can be used to explain everyday type crimes.
  • Situational prevention. Key concerns: crime not criminality; event driven; near not distant cause; how not why. Five main mechanisms: increase the effort; increase the risks; reduce the rewards; reduce provocations; remove excuses. Examples: CCTV; hashing of card data; logon notice stating audit log policy.

Presentation Transcript

  • Achieving Durable Security: Being Honest About What You Can Really Do. Thomas Whipp MSc MEng CISSP CPP CBCI, Head of Risk, Oval Ltd
  • Presentation Overview: Where are you starting from? Where are the risks? Thinking differently about security. What are the real costs of your strategy?
  • Where are you starting from?
  • Your Information? Printers, mobile phones, Excel, SQL, emails, memory sticks, scanned images.
  • Your Business: Capital, Revenue, Politics. Prevention, Detection, Incident Response. Costs vs. Displacement. Will it really be spent? Whose budget? Value for money? Will it work?
  • Where are the risks?
  • Who is out there? Script kiddies, hacktivists, criminals, technical attacks, state sponsored, industrial espionage, social engineering.
  • Thinking Differently About Security
  • Rational Choice Theory. Evaluation of risk and return: How much will I get? How likely am I to be caught? How large is the punishment? Uses: a good model for planned offences, typically acquisitive in nature; largely fails to explain expressive offences.
  • Routine Activity Theory. Motivated offender, suitable target, lack of a capable guardian. Can be used to explain everyday type crimes.
  • Situational Prevention (Ronald V. Clarke). Key concerns: crime not criminality; event driven; near not distant cause; how not why. Five main mechanisms: increase the effort; increase the risk; reduce the rewards; reduce provocations; remove excuses. Examples given on the slide.
  • Defensible Space (Oscar Newman). Key points (key behaviour to encourage): territoriality, natural surveillance, image, milieu. Thinking point: is it worth allowing some personalisation at the desktop?
  • Displacement. A key criterion used to assess physical security initiatives: putting in a control may not reduce offending; it may simply move it elsewhere.
  • Disinhibition. Key challenge for InfoSec: strong sense of anonymity, lack of a sense of consequence, disassociation from the 'real world'. Leads to significant changes in behaviour; answered by awareness, but also by situational controls.
  • What are the real costs of your strategy?
  • Covering your bases... Spreading the costs: Prevention, Detection, Response, Residual.
  • Choosing a Strategy... What are the options? Process, Product, Service, Architecture. Any option can deliver an effective control if implemented properly.
  • Risks to Strategy...
  • Choosing a Strategy... Controls and their true costs. [Chart: percentage breakdown (0% to 100%) of Political, Effort, Revenue and Capital cost for each of Process, Product, Service and Architecture.]
  • Tom Whipp MSc MEng CISSP CPP CBCI, Head of Risk, Oval Ltd. Tel: 01924 433081. Mbl: 07500 796391. Email: tom.whipp@theovalgroup.com