VivoSecurity Inc., Los Altos, CA. Email: ThomasL@VivoSecurity.com

[Cover image: George Box, British mathematician and champion of Bayesian inference]

A PEER RISK MODEL
Calculate Custodial Data Risk, Compare with Industry Peers

Calculate residual risk in dollars to PII, PFI, PHI and CHD using historical industry data.

Calculate ROI and prioritize controls, estimate insurance needs and the value of incident response, communicate risk to senior management and objectively set risk appetite.

[Diagram: Prior Beliefs + Evidence -> Posterior Beliefs]
Manage Cyber Risk in Business Terms

o More effectively mitigate risk
o Manage black-swan events
o Measure reduction in risk
o Focus where risk is highest
o Adopt a strategic approach
o Manage risk in business terms
o Communicate risk in dollars
o Justify security investments
o Weigh risk against business priorities
o Right-size cyber insurance
A Peer Risk Model allows senior management to compare cyber risk to their peers – in dollars. A
rigorous statistical model that is trained on historical industry data gives a risk assessment
credibility and senior management the confidence to manage cyber risk in business terms. It
allows consideration of the ROI of new security controls, helps demonstrate insurance adequacy
and allows an objective consideration of risk appetite. A Peer Risk Model can give the board of
directors a clear understanding of risk and demonstrate a strong risk management culture.
What is a Peer Risk Model?
A Peer Risk Model is a statistical model built upon historical industry data that can calculate the residual risk for the average company of a particular size and industry. Information about a company's past breach rate can be added to estimate how a company differs from industry averages (i.e. their peers).

The model is “trained” on historical industry data using standard statistical (actuarial) techniques such as linear regression and Bayesian Model Averaging (see George Box on cover). Modeling techniques are rigorous and comply with the standards put forth by the Federal Reserve for model management (SR 11-7). A rigorous modeling process provides credibility, since the process discovers factors that are predictive of the cost and the probability of a data breach. A model is no better than its data, and our historical industry data comes from credible and comprehensive sources such as State Attorneys General, Health and Human Services (HHS), US Census data and 10-K filings from public companies.

The Peer Risk Model actually integrates four models: 1) a model for the probability of lawsuits, 2) a model for the cost distribution of a given breach, 3) a breach size vs. frequency model, and 4) a model that characterizes incident rate by industry.

The Peer Risk Model can be deployed in an easy-to-use Excel spreadsheet which requires a small number of variable inputs that have been found to be predictive of cost.
Data Breach Costs Covered by the Peer Risk Model

The Peer Risk Model calculates risk to custodial data. Custodial data is any PII data which triggers reporting requirements of various government agencies (also known as risk to confidentiality, in AppSec parlance). The model calculates Total Costs; below is a graphical breakdown of costs included in Total Costs.

[Diagram: Total costs for the Breach Company = Response costs (Investigation, Notification, Call center, Remediation) + Damage costs (Business loss; theft of money & goods; Credit monitoring & privacy insurance; Fines & settlements). A second box, Public & Other Businesses, lists: Business Loss; Damage to personal credit; Theft of money & goods; Credit card replacement costs. The diagram also carries the labels "Mitigate" and "Transfer via suits".]

Glossary

Investigation: Cost of investigating what happened in a data breach, including the data that was exposed. Costs of updating agencies on investigation progress.
Remediation: Cost of preventing future data breaches.
Notification: Legal costs of notifying federal agencies and state attorneys general.
Call Center: Cost of hiring or expanding call centers to handle calls from people affected by the data breach.
Business Loss, theft of money & goods: Loss of business and customers, fraud costs, cost of goods purchased with stolen cards.
Credit Monitoring & Privacy Insurance: Cost of providing credit monitoring such as Experian, and insurance to cover personal loss by people affected by the data breach.
Fines & Settlements: Government fines, lawsuit awards and settlements, defense costs.
Model Outputs

The following graphs are example ways that risk can be summarized by the model. Examples are for hypothetical companies.
Model Outputs: Maximum Data Breach Cost; Probability of Lawsuit

Modeling of historical industry data finds a distribution of costs for any particular breach size and type, with a small percentage of companies experiencing very large costs. The model shows this as a probability distribution for the cost. Confidence intervals are indicated for the maximum breach costs as well as the value of incident response activities to reduce the confidence interval. Confidence intervals are valuable for estimating insurance needs.

When they occur, lawsuits are an important component of the cost. One focus of incident response is to prevent lawsuits. The model also calculates and graphs the probability for lawsuits to help guide incident response decisions.

[Chart: Likelihood vs. Breach Cost (Millions, $0 to $25), marked $19.8M and 80% Confidence Interval; callouts: "Value of Incident Response Controls" and "Most companies would experience a cost of under $5M."]
[Chart: Probability (0% to 100%) vs. Number of Lawsuits (0, >0, 1, 2, 3, 4, 5); callout: "Less than 10% chance of a lawsuit in the largest data breach."]
Model Outputs: Loss Exceedance Curve

Commonly used in catastrophe modeling, the loss exceedance curve considers the most likely cost from all incident types, and includes the possibility of extraordinary data breach costs (tail risk). This curve is valuable for setting a company's risk appetite and insurance coverage.

[Chart: Cost (Millions, log scale 0.001 to 1,000) vs. Years (log scale 10 to 10,000); series: All Other Incidents, Malicious Outsider; label: Dominant Cause. Callout: "Example: $1M insurance covers a once in 100 year (or once in 100 companies, each year) event."]
Model Outputs: Residual Risk by Incident Type and Breach Size

Residual risk can be broken down and graphed in various ways, including by incident type and breach size. Such graphs are valuable for understanding and communicating the major sources of risk, weighing business priorities against cyber risk and for resource allocation.

[Chart: residual risk in Thousands ($0 to $1,000) over a 5 Year Period at 80% Confidence, by incident type (Malicious Outsider, Accident, Lost/Stolen, Malicious Insider) and breach size (Small (<500), Medium (500 to 10,000), Large (10,000 to 1 million), Huge (1 million to 100 million)). Callout: "Largest risk reduction would be obtained by focusing on reduction of small accidents."]
Model Outputs: Value of Additional Controls

The value of a control is calculated based upon residual industry risk and the degree to which a control reduces the frequency of incidents. When the value of a control is combined with the cost, it is possible to prioritize resources based upon ROI, thus achieving a greater reduction in risk. Understanding the value of a control and ROI in dollars helps to communicate the need and justify the investment.

[Chart: Value of Additional Controls in Thousands ($0 to $500), 5 year period, 80% Confidence Interval. Callout: "Largest risk reduction would be from Data Loss Prevention."]
Use Case

The diagram below shows the process by which a typical company can use the Peer Risk Model to evaluate residual risk in dollars and calculate a dollar-based ROI for additional (new) controls. Much of the information needed is gathered as part of a standard security audit.

Gather Data
Company information is gathered as part of a standard security audit, including: 1) the number of customers for which records are not sequestered, 2) types of PII data, NAICS industry code, number of employees and past incidents.

Data into Model
Data is entered into the model and the residual risk is automatically calculated based upon historical industry data and broken down by incident and data types, size vs. frequency, probability for lawsuits and cost distributions for all possible breach sizes. Risk is further broken down into quadrants for the purpose of evaluating additional (new) controls.

Incident Response
The security expert sets confidence intervals based upon an evaluation of the company's incident response as compared with peers, including written response plan, training and rehearsals, instrumenting the enterprise, and engaging an experienced security company and law firm.

Additional Controls
A security expert assigns additional (new) controls to risk quadrants and assigns percent effectiveness based upon experience, industry reports, and implementation. The model automatically calculates the dollar value for each control.

ROI
The cost of additional (new) controls is entered from external sources, the calculation interval is adjusted according to the cost amortization period for controls, and the model automatically estimates ROI.

Report
Controls are ordered by ROI and graphed. Other graphs which summarize risk are copied from the model and used to generate a report. The report can be presented to senior management to set risk appetite, justify and prioritize investments and guide insurance purchases.
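The loss exceedance curve, the 1-in-N-year loss used for insurance sizing, and the value and ROI of a frequency-reducing control over an amortization period, worked through in code. This is an added example, not VivoSecurity's model or code: it assumes a Poisson incident frequency and a lognormal per-breach cost (with constructed parameter values) in place of the page's four integrated models, and values a control by thinning the same simulated incidents so the before/after comparison stays paired.

```python
"""Loss exceedance curve and control ROI from a frequency/severity simulation.

Added illustration, not VivoSecurity's Peer Risk Model: a Poisson incident
frequency and a lognormal per-breach cost stand in for the page's four
integrated models, and every parameter value below is constructed.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerParams:
    """Assumed peer-average parameters (constructed, not industry data)."""
    incidents_per_year: float  # mean number of reportable breaches per year
    log_cost_mean: float       # lognormal mu of cost per breach (ln of dollars)
    log_cost_sigma: float      # lognormal sigma; larger means a heavier cost tail


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler for a Poisson count with mean lam."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_years(params: PeerParams, years: int, seed: int = 1) -> list[list[float]]:
    """One list of per-incident costs for each simulated year of peer experience."""
    rng = random.Random(seed)
    return [[rng.lognormvariate(params.log_cost_mean, params.log_cost_sigma)
             for _ in range(poisson(rng, params.incidents_per_year))]
            for _ in range(years)]


def annual_totals(sim: list[list[float]]) -> list[float]:
    return [sum(year) for year in sim]


def exceedance_probability(totals: list[float], threshold: float) -> float:
    """One point on the loss exceedance curve: P(annual loss > threshold)."""
    return sum(1 for x in totals if x > threshold) / len(totals)


def loss_at_return_period(totals: list[float], return_years: int) -> float:
    """Annual loss exceeded about once every return_years years (the 1-in-N-year loss)."""
    ordered = sorted(totals)
    idx = min(len(ordered) - 1, int(len(ordered) * (1.0 - 1.0 / return_years)))
    return ordered[idx]


def apply_control(sim: list[list[float]], frequency_reduction: float,
                  seed: int = 2) -> list[list[float]]:
    """A preventive control that stops each incident independently with probability
    frequency_reduction. Thinning the *same* simulated incidents keeps the
    before/after comparison paired, so the avoided loss is never negative."""
    rng = random.Random(seed)
    return [[c for c in year if rng.random() >= frequency_reduction] for year in sim]


def control_value(sim: list[list[float]], frequency_reduction: float,
                  period_years: int, seed: int = 2) -> tuple[float, tuple[float, float]]:
    """Expected loss avoided over period_years, plus the 80% interval (10th to 90th
    percentile) of avoided loss across consecutive period_years-long blocks."""
    before = annual_totals(sim)
    after = annual_totals(apply_control(sim, frequency_reduction, seed))
    avoided = [b - a for b, a in zip(before, after)]
    blocks = sorted(sum(avoided[i:i + period_years])
                    for i in range(0, len(avoided) - period_years + 1, period_years))
    expected = sum(blocks) / len(blocks)
    low, high = blocks[int(0.10 * len(blocks))], blocks[int(0.90 * len(blocks))]
    return expected, (low, high)


def roi(value: float, total_cost: float) -> float:
    """Return on investment over the amortization period: (value - cost) / cost."""
    return (value - total_cost) / total_cost


if __name__ == "__main__":
    params = PeerParams(incidents_per_year=0.5, log_cost_mean=math.log(200_000),
                        log_cost_sigma=1.2)
    sim = simulate_years(params, years=20_000)
    totals = annual_totals(sim)
    print(f"expected annual loss: ${sum(totals) / len(totals):,.0f}")
    for t in (100_000, 1_000_000, 10_000_000):
        print(f"P(annual loss > ${t:,}) = {exceedance_probability(totals, t):.2%}")
    print(f"1-in-100-year loss (insurance sizing): ${loss_at_return_period(totals, 100):,.0f}")
    value, (lo, hi) = control_value(sim, frequency_reduction=0.4, period_years=5)
    cost = 5 * 60_000  # assumed $60k/year control, amortized over the 5-year period
    print(f"control value over 5 years: ${value:,.0f} (80% interval ${lo:,.0f} to ${hi:,.0f})")
    print(f"ROI: {roi(value, cost):.0%}")
```

Because the severity distribution is heavy-tailed, the 10th percentile of avoided loss over a 5-year block is typically zero: most controls pay off through the rare large breach they prevent, which is why the page pairs ROI with a confidence interval rather than a point estimate.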
About VivoSecurity

VivoSecurity Inc, 1247 Russell Ave, Los Altos, California; Contact: ThomasL@VivoSecurity.com, (650) 919-3050

VivoSecurity provides data analytics and statistical modeling to companies in the financial and high tech industries. We have been a Silicon Valley startup since 2012, with PhD-level scientists and statisticians. We use advanced data analytic techniques to model the probability and cost of cybersecurity events. We have strong cybersecurity domain knowledge, strong knowledge of software applications, strong knowledge of operating systems and hardware and a strong understanding of enterprise operations.
Additional Offerings

Model: Description
Cyber-Loss Model: Calculates the maximum cost of a data breach of custodial data.
Probability for Fraud, personal customers: Calculates the probability of a cyber attack that leads to fraud.
Probability for Fraud, corporate customers: Calculates the probability of a cyber attack that leads to fraud.
3rd party (vendor) Risk: Calculates risk in dollars posed by 3rd party partners.

Peer Risk Model for Cyber Security Risk

  • 1. VivoSecurity Inc.,  Los  Altos,  CA.  Email:  ThomasL@VivoSecurity.com George  Box,  British  Mathematician  and  champion  of  Bayesian  Inference A  PEER  RISK  MODEL Calculate  Custodial  Data  Risk,    Compare  with  Industry  Peers Calculate  residual  risk  in  dollars  to  PII,  PFI,  PHI  and  CHD  using  historical  industry  data.   Calculate  ROI  and  prioritize  controls,  estimate  insurance  needs  and  the  value  of  incident   response,  communicate  risk  to  senior  management  and  objectively  set  risk  appetite. Prior  Beliefs EvidencePosterior  Beliefs
  • 2. More  effectively   mitigate  risk Manage  black-­swan   events Measure  reduction   in  risk Focus  where  risk  is   highest Adopt  a  strategic   approach Manage  risk   in  business  terms Communicate  risk  in   dollars Justify  security   investments Weigh  risk  against   business  priorities Right-­size  cyber   insurance Manage  Cyber  Risk  in  Business  Terms A Peer Risk Model allows senior management to compare cyber risk to their peers – in dollars. A rigorous statistical model that is trained on historical industry data gives a risk assessment credibility and senior management the confidence to manage cyber risk in business terms. It allows consideration of the ROI of new security controls, helps demonstrate insurance adequacy and allows an objective consideration of risk appetite. A Peer Risk Model can give the board of directors a clear understanding of risk and demonstrate a strong risk management culture.
  • 3. What  is  a  Peer  Risk  Model? A Peer Risk Model is a statistical model built upon historical industry data, that can calculate the residual risk for the average company of a particular size and industry. Information about a companies past breach rate can be added to estimate how a company differs from industry averages (i.e. their peers). The model is “trained” on historical industry data using standard statistical (actuarial) techniques such as linear regression and Bayesian Model Averaging (see George Box on cover). Modeling techniques are rigorous and comply with the standards put forth by the Federal Reserve for model management (SR 11-­‐7). A rigorous modeling process provides credibility, since the process discovers factors that are predictive of the cost and the probability of a data breach. A model is no better than it’s data and our historical industry data comes from credible and comprehensive sources such as State Attorney Generals, Heath and Human Services (HHS), US Census data and 10K filings from public companies. The Peer Risk Model actually integrates four models: 1) a model for the probability of lawsuits, 2) a model for the cost distribution of a given breach, 3) a breach size vs frequency model, and 4) a model that characterizes incident rate by industry. The Peer Risk Model can be deployed in an easy to use Excel Spreadsheet which requires a small number of variable inputs that have been found to be predictive of cost.
  • 4. Investigation Notification Call  center Remediation o Business  Loss o Damage  to  personal  credit o Theft  of  money  &  goods o Credit  card  replacement  costs Business  loss;  theft  of   money  &  goods Credit  monitoring  &   privacy  insurance. Fines &  settlements Public  &  Other  BusinessesBreach  Company Total  costs Mitigate Transfer   via  suits Data  Breach  Costs  Covered  by  the  Peer  Risk  Model   Response  CostsDamage  costs Term Meaning Investigation Cost of investigating what happened in a data breach including data that was exposed. Costs of updating agencies of investigation progress. Remediation Cost to preventing future data breach. Notification Legal costs of notifying federal agencies and states attorney general. Call  Center Cost of hiring or expanding call centers to handle calls from people affected by data breach. Business  Loss,  theft   of  money  &  goods Loss of business and customers, fraud costs, cost of goods pur chased with stolen cards Credit  Monitoring  &   Privacy  Insurance Cost of providing credit monitoring such as Experian, insurance to cover personal loss by people affected by the data breach. Fines  &  Settlements Government fines, lawsuit awards and settlements, defense costs. Glossary The Peer Risk Model calculates risk to custodial data. Custodial data is any PII data which triggers reporting requirements of various government agencies (also known as risk to confidentiality, in AppSec parlance). The model calculates Total Costs; below is a graphical breakdown of costs included in Total Costs.
• 5. Model Outputs
The following graphs are example ways that risk can be summarized by the model. Examples are for hypothetical companies.
• 6. Model Outputs: Maximum Data Breach Cost; Probability of Lawsuit
[Figure: likelihood vs. breach cost ($0 to $25 million) with an 80% confidence interval reaching $19.8M; probability vs. number of lawsuits (0, >0, 1 to 5). Callouts: "Value of Incident Response Controls"; "Less than 10% chance of a lawsuit in the largest data breach."; "Most companies would experience a cost of under $5M."]
Modeling of historical industry data finds a distribution of costs for any particular breach size and type, with a small percentage of companies experiencing very large costs. The model shows this as a probability distribution for the cost. Confidence intervals are indicated for the maximum breach costs, as well as the value of incident response activities to reduce the confidence interval. Confidence intervals are valuable for estimating insurance needs.
When they occur, lawsuits are an important component of the cost. One focus of incident response is to prevent lawsuits. The model also calculates and graphs the probability for lawsuits to help guide incident response decisions.
• 7. Model Outputs: Loss Exceedance Curve
[Figure: loss exceedance curve, cost in millions (log scale, 0.001 to 1,000) vs. years (10 to 10,000), with series for Malicious Outsider and All Other Incidents and the dominant cause marked. Callout: "Example: $1M insurance covers a once in 100 year (or once in 100 companies, each year) event."]
Commonly used in catastrophe modeling, the loss exceedance curve considers the most likely cost from all incident types, and includes the possibility of extraordinary data breach costs (tail risk). This curve is valuable for setting a company's risk appetite and insurance coverage.
• 8. Model Outputs: Residual Risk by Incident Type and Breach Size
Residual risk can be broken down and graphed in various ways, including incident type and breach size. Such graphs are valuable for understanding and communicating the major sources of risk, weighing business priorities against cyber risk, and for resource allocation.
[Figure: residual risk in thousands of dollars ($0 to $1,000) over a 5 year period at 80% confidence, by incident type (Malicious Outsider, Accident, Lost/Stolen, Malicious Insider) and breach size (Small <500; Medium 500 to 10,000; Large 10,000 to 1 million; Huge 1 million to 100 million). Callout: "Largest risk reduction would be obtained by focusing on reduction of small accidents."]
• 9. Model Outputs: Value of Additional Controls
[Figure: Value of Additional Controls in thousands of dollars ($0 to $500), 5 year period, 80% confidence interval. Callout: "Largest risk reduction would be from Data Loss Prevention."]
The value of a control is calculated based upon residual industry risk and the degree to which a control reduces the frequency of incidents. When the value of a control is combined with the cost, it is possible to prioritize resources based upon ROI, thus achieving a greater reduction in risk. Understanding the value of a control and ROI in dollars helps to communicate the need and justify the investment.
• 10. Use Case
The diagram below shows the process by which a typical company can use the Peer Risk Model to evaluate residual risk in dollars and calculate a dollar-based ROI for additional (new) controls. Much of the information needed is gathered as part of a standard security audit.
Gather Data: Company information is gathered as part of a standard security audit, including: 1) the number of customers for which records are not sequestered, 2) types of PII data, NAICS industry code, number of employees and past incidents.
Data into Model: Data is entered into the model and the residual risk is automatically calculated based upon historical industry data and broken down by incident and data types, size vs. frequency, probability for lawsuits and cost distributions for all possible breach sizes. Risk is further broken down into quadrants for the purpose of evaluating additional (new) controls.
Incident Response: The security expert sets confidence intervals based upon an evaluation of the company's incident response as compared with peers, including written response plan, training and rehearsals, instrumenting the enterprise, and engaging an experienced security company and law firm.
Additional Controls: A security expert assigns additional (new) controls to risk quadrants and assigns percent effectiveness based upon experience, industry reports, and implementation. The model automatically calculates the dollar value for each control.
ROI: The cost of additional (new) controls is entered from external sources, the calculation interval is adjusted according to the cost amortization period for controls, and the model automatically estimates ROI.
Report: Controls are ordered by ROI and graphed. Other graphs which summarize risk are copied from the model and used to generate a report. The report can be presented to senior management to set risk appetite, justify and prioritize investments and guide insurance purchases.
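As an added worked example (not VivoSecurity's model or data), the Python below puts together the pieces the output slides and the use case describe: a frequency x severity Monte Carlo over constructed incident types yields annual losses, from which the loss exceedance curve, its "once in N years" reading and an 80% confidence interval are computed, and the dollar value and ROI of a control that cuts incident frequency are derived from residual risk. All incident rates, lognormal parameters and function names are assumptions for illustration.

```python
import math
import random

# Constructed annual incident rates per company and lognormal severity
# parameters (natural-log dollars). Assumed values, not industry data.
INCIDENT_TYPES = {
    "malicious_outsider": {"freq": 0.05, "mu": 13.5, "sigma": 1.8},
    "accident":           {"freq": 0.40, "mu": 10.5, "sigma": 1.2},
    "lost_stolen":        {"freq": 0.20, "mu": 10.0, "sigma": 1.0},
    "malicious_insider":  {"freq": 0.03, "mu": 12.0, "sigma": 1.5},
}

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small annual rates used here."""
    limit, k, u = math.exp(-lam), 0, rng.random()
    while u > limit:
        k, u = k + 1, u * rng.random()
    return k

def simulate_annual_losses(types, years, seed=7):
    """Monte Carlo: total loss for each simulated company-year (frequency x severity)."""
    rng, losses = random.Random(seed), []
    for _ in range(years):
        total = 0.0
        for p in types.values():
            n = poisson(rng, p["freq"])
            total += sum(rng.lognormvariate(p["mu"], p["sigma"]) for _ in range(n))
        losses.append(total)
    return losses

def exceedance_probability(losses, threshold):
    """One point of the loss exceedance curve: P(annual loss > threshold)."""
    return sum(1 for x in losses if x > threshold) / len(losses)

def return_period(losses, threshold):
    """'Once in N years' reading of the curve (e.g. a $1M loss once in 100 years)."""
    p = exceedance_probability(losses, threshold)
    return math.inf if p == 0 else 1.0 / p

def confidence_interval(losses, level=0.80):
    """Empirical central interval of annual loss, e.g. the 80% band on the slides."""
    s, n = sorted(losses), len(losses) - 1
    return s[int((1 - level) / 2 * n)], s[int((1 + level) / 2 * n)]

def control_roi(types, reduction, years, cost):
    """Value of a control over `years` = residual risk removed when it cuts the
    frequency of the named types by the given fractions; ROI = (value - cost) / cost."""
    mean_sev = lambda p: math.exp(p["mu"] + p["sigma"] ** 2 / 2)  # lognormal mean
    value = years * sum(types[n]["freq"] * r * mean_sev(types[n]) for n, r in reduction.items())
    return {"value": value, "roi": (value - cost) / cost}
```

Running `simulate_annual_losses(INCIDENT_TYPES, 10000)` and calling `return_period` on the result at $1,000,000 reproduces the slide's reading of the curve for these constructed parameters; `control_roi(INCIDENT_TYPES, {"accident": 0.5}, 5, 250000)` is the value-of-controls step for a control halving accidents over the 5 year period.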
• 11. About VivoSecurity
VivoSecurity Inc, 1247 Russell Ave, Los Altos, California; Contact: ThomasL@VivoSecurity.com, (650) 919-3050
VivoSecurity provides data analytics and statistical modeling to companies in the financial and high tech industries. We are a Silicon Valley startup since 2012, with PhD-level scientists and statisticians. We use advanced data analytic techniques to model the probability and cost of cybersecurity events. We have strong cybersecurity domain knowledge, strong knowledge of software applications, strong knowledge of operating systems and hardware, and a strong understanding of enterprise operations.
Additional Offerings
Cyber-Loss Model: Calculates the maximum cost of a data breach of custodial data.
Probability for Fraud, personal customers: Calculates probability for a cyber attack that leads to fraud.
Probability for Fraud, corporate customers: Calculates probability for a cyber attack that leads to fraud.
3rd party (vendor) Risk: Calculates risk in dollars posed by 3rd party partners.