4 b. thomas whipp presentation
  • Speaker notes: Thinking about offending. Thinking about control. Why do people behave differently online? Are we going in the wrong direction sometimes?
  • Rational choice theory: evaluation of risk and return. How much will I get? How likely am I to be caught? How large is the punishment? Uses: a good model for planned offences; typically acquisitive in nature; largely fails to explain expressive offences.
  • Routine activity theory: a good model for "drive by" acts. Suitable target; motivated offender; lack of a capable guardian. Can be used to explain everyday-type crimes.
  • Situational prevention. Key concerns: crime not criminality; event driven; near not distant cause; how not why. Five main mechanisms: increase the effort; increase the risks; reduce the rewards; reduce provocations; remove excuses. Examples: CCTV; hashing of card data; a logon notice stating the audit log policy.
    1. Achieving Durable Security: Being Honest About What You Can Really Do. Thomas Whipp MSc MEng CISSP CPP CBCI, Head of Risk, Oval Ltd
    2. Presentation Overview: Where are you starting from? Where are the risks? Thinking differently about security. What are the real costs of your strategy?
    3. Where are you starting from?
    4. Your Information? Printers; Mobile Phones; Excel; SQL; Emails; Memory Sticks; Scanned Images
    5. Your Business: Capital Costs vs. Revenue; Will it really be spent? Whose budget? Value for Money? Politics; Displacement; Prevention; Detection; Incident Response; Will it work?
    6. Where are the risks?
    7. Who is out there? Technical Attacks; Industrial Espionage; Script Kiddies; State Sponsored; Social Engineering; Hacktivists; Criminals
    8. Thinking Differently About Security
    9. Rational Choice Theory. Evaluation of risk and return: How much will I get? How likely am I to be caught? How large is the punishment? Uses: a good model for planned offences; typically acquisitive in nature; largely fails to explain expressive offences.
    10. Routine Activity Theory. Suitable target; motivated offender; lack of a capable guardian. Can be used to explain everyday-type crimes.
    11. Situational Prevention (Ronald V. Clarke). Key concerns: crime not criminality; event driven; near not distant cause; how not why. Five main mechanisms: increase the effort; increase the risk; reduce the rewards; reduce provocations; remove excuses. Examples: CCTV; hashing of card data; a logon notice stating the audit log policy.
    12. Defensible Space (Oscar Newman). Key points (key behaviour to encourage): territoriality; natural surveillance; image; milieu. Thinking point: is it worth allowing some personalisation at the desktop?
    13. Displacement. A key criterion used to assess physical security initiatives: putting in a control may not reduce offending, it may simply move it elsewhere.
    14. Disinhibition. Key challenge for InfoSec: strong sense of anonymity; lack of a sense of consequence; disassociation from the "real world". Leads to significant changes in behaviour. Response: awareness, but also situational controls.
    15. What are the real costs of your strategy?
    16. Covering your bases... Spreading the costs: Prevention; Detection; Response; Residual
    17. Choosing a Strategy... What are the options? Process; Product; Service; Architecture. Any option can deliver an effective control if implemented properly.
    18. Risks to Strategy...
    19. Choosing a Strategy... Controls and their true costs. [Chart: stacked bar (0% to 100%) of cost types Political, Effort, Revenue and Capital for each option: Process, Product, Service, Architecture]
    20. Tom Whipp MSc MEng CISSP CPP CBCI, Head of Risk, Oval Ltd. Tel: 01924 433081. Mbl: 07500 796391. Email: tom.whipp@theovalgroup.com