Thomas Whipp presentation: Presentation Transcript
Achieving Durable Security: Being Honest About What You Can Really Do.
Thomas Whipp MSc MEng CISSP CPP CBCI
Head of Risk, Oval Ltd
Presentation Overview
Where are you starting from?
Where are the risks?
Thinking differently about security
What are the real costs of your strategy?
Where are you starting from?
Your Information? Printers, Mobile Phones, Excel, SQL, Emails, Memory Sticks, Scanned Images.
Your Business: Capital; Revenue; Costs vs. Revenue; Will it really be spent?; Whose budget?; Value for Money?; Will it work?; Politics; Displacement; Prevention; Detection; Incident Response.
Where are the risks?
Who is out there? Technical Attacks; Industrial Espionage; Script Kiddies; State Sponsored; Social Engineering; Hacktivists; Criminals.
Thinking Differently About Security
Rational Choice Theory
Evaluation of risk and return:
How much will I get?
How likely am I to be caught?
How large is the punishment?
Uses: a good model for planned offences, which are typically acquisitive in nature; largely fails to explain expressive offences.
Routine Activity Theory
Motivated offender; lack of a capable guardian. Can be used to explain everyday type crimes.
Situational Prevention (Ronald V. Clarke)
Key Concerns: crime not criminality; near not distant cause; how not why; event driven.
5 Main Mechanisms: increase the effort; increase the risk; reduce the rewards; reduce provocations; remove excuses.
Examples:
Defensible Space (Oscar Newman)
Key Points: territoriality (key behaviour to encourage); natural surveillance; image; milieu.
Thinking point: Is it worth allowing some personalisation at the desktop?
Displacement
A key criterion used to assess physical security initiatives: putting in a control may not reduce offending; it may simply move it elsewhere.
Disinhibition
Strong sense of anonymity; lack of a sense of consequence; disassociation from the ‘real world’. Leads to significant changes in behaviour. Key challenge for InfoSec awareness, but also for situational controls.
What are the real costs of your strategy?
Covering your bases... Spreading the costs: Prevention, Detection, Response, Residual.
Choosing a Strategy... What are the options? Process, Product, Service, Architecture. Any option can deliver an effective control if implemented properly.
Risks to Strategy...
Choosing a Strategy... Controls and their true costs
[Chart: stacked bars for Process, Product, Service and Architecture, each split across Capital, Revenue, Effort and Political cost; vertical axis 0% to 100%]
Tom Whipp MSc MEng CISSP CPP CBCI
Head of Risk, Oval Ltd
Tel: 01924 433081
Mbl: 07500 796391
Email: firstname.lastname@example.org