2. Conostix S.A. koen@conostix.com
Introduction
• CIA and prevention/detection/response
• Risk management and its pitfalls
• Economic incentives
• Liability/regulation/compliance
• Due care and due diligence
• Technology
• Awareness
• Conclusion
4. Today’s risk management – Identification of a threat
• Identification: identify the actual threat
• Impact factor: the possible consequences of an attack
• Frequency: the probable frequency with which a threat occurs
• Probability: how confident we are that a threat will happen
5. Today’s risk management – Risk analysis goals
• Identification of the current risks
• The cost/benefit justification of the countermeasures
• Influences the decision-making process on hardware, etc.
• Focus security resources where they are needed most
6. Today’s risk management: Risk analysis – key terms
• Threat
• Asset
• Vulnerability
• Safeguard
• Asset value (AV)
• Exposure factor (EF), expressed as a percentage of the asset value
• Single loss expectancy (SLE), a dollar figure: SLE = EF × AV
• Annualized rate of occurrence (ARO)
• Annualized loss expectancy (ALE): ALE = SLE × ARO
7. Today’s risk management: Risk analysis – Quantitative
• Aims to assign tangible values
• Relies on qualitative data
• Process
  • Estimate potential losses to the assets
  • Analyze potential threats to the assets
  • Define impact and frequency levels
  • Define the ALE
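The quantitative process on this slide and the key terms on the previous one, worked through as an added example that is not part of the original deck: it computes SLE = EF × AV and ALE = SLE × ARO for several threats to one asset, ranks them by ALE so resources go where they are needed most, and then checks whether a countermeasure is justified. The safeguard value formula used for that last step (ALE before minus ALE after minus the safeguard's annual cost) is the standard one from the CISSP literature and is an assumption here, not taken from the slides; the asset, the threats and all dollar figures are constructed sample data.

```python
"""Quantitative risk analysis: AV, EF, SLE, ARO, ALE and safeguard cost/benefit.

Added worked example, not code from the slide deck.  SLE = EF x AV and
ALE = SLE x ARO follow the deck's key terms; the safeguard value formula
(ALE before minus ALE after minus annual safeguard cost) is the standard
CISSP one and is assumed here.  All figures below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    ef: float   # exposure factor: fraction of the asset value lost per incident (0.0 to 1.0)
    aro: float  # annualized rate of occurrence: expected incidents per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # yearly cost of the countermeasure (purchase, operation, staff)
    new_ef: float       # exposure factor once the safeguard is in place
    new_aro: float      # annualized rate of occurrence once the safeguard is in place


def sle(asset_value: float, ef: float) -> float:
    """Single loss expectancy: the loss caused by one occurrence of the threat."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * ef


def ale(asset_value: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: the expected loss per year from the threat."""
    if aro < 0.0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle(asset_value, ef) * aro


def rank_by_ale(asset_value: float, threats: List[Threat]) -> List[Tuple[str, float]]:
    """Order the threats to one asset by ALE, highest first, so that
    security resources are focused where they are needed most."""
    scored = [(t.name, ale(asset_value, t.ef, t.aro)) for t in threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def safeguard_value(asset_value: float, threat: Threat, safeguard: Safeguard) -> float:
    """Net yearly benefit of a safeguard against one threat (assumed CISSP formula).

    Positive: the countermeasure saves more per year than it costs.
    Negative: it costs more than the loss it prevents and is hard to justify."""
    before = ale(asset_value, threat.ef, threat.aro)
    after = ale(asset_value, safeguard.new_ef, safeguard.new_aro)
    return before - after - safeguard.annual_cost


# Constructed sample data: one asset and the threats an analyst might list for it.
CUSTOMER_DB_VALUE = 500_000.0  # asset value (AV) in dollars

THREATS = [
    Threat("ransomware", ef=0.6, aro=0.2),          # one incident per five years, 60% of value lost
    Threat("disk failure", ef=0.1, aro=1.0),        # about once a year, 10% of value lost
    Threat("insider data leak", ef=0.4, aro=0.05),  # once per twenty years, 40% of value lost
]

# Constructed countermeasures with their yearly cost and the residual EF/ARO they leave.
OFFLINE_BACKUPS = Safeguard("offline backups", annual_cost=15_000.0, new_ef=0.15, new_aro=0.2)
DLP_SUITE = Safeguard("DLP suite", annual_cost=25_000.0, new_ef=0.1, new_aro=0.05)


if __name__ == "__main__":
    print(f"Asset value: ${CUSTOMER_DB_VALUE:,.0f}")
    for name, yearly_loss in rank_by_ale(CUSTOMER_DB_VALUE, THREATS):
        print(f"  {name:<18} ALE = ${yearly_loss:,.0f}/year")
    for threat, sg in ((THREATS[0], OFFLINE_BACKUPS), (THREATS[2], DLP_SUITE)):
        value = safeguard_value(CUSTOMER_DB_VALUE, threat, sg)
        verdict = "justified" if value > 0 else "not justified"
        print(f"  {sg.name} vs {threat.name}: net ${value:,.0f}/year ({verdict})")
```

With these figures ransomware tops the ranking (ALE $60,000/year), and offline backups against it return a net $30,000/year, while the DLP suite against the insider leak (ALE only $10,000/year) comes out at minus $17,500/year: the same arithmetic that justifies one countermeasure rules out another, which is the cost/benefit decision the quantitative process is meant to support.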
8. Today’s risk management: Risk analysis – Qualitative
• Scenario-oriented approach
• Rank threats on a scale to evaluate their risks, costs and outcome
• In contrast to quantitative analysis, a purely qualitative analysis is always possible
• Relies heavily on guesswork
9. Today’s risk management – Pitfalls
• Confusing risk with certainty
  • A risk is the anticipated frequency of losses
  • Certainties occur with high frequency
• Reliance on probability, impact and frequency
  • The unknown controls the probability, frequency and impact of a future incident
12. Sensible defence – Due care and due diligence
• Due care is using reasonable care to protect the interests of an organization
• Due diligence is practicing the activities that maintain the due care efforts
• Common sense security framework
13. Sensible defence – Technology
• Functionality vs security
  • User friendly does not mean insecure
  • Ease-of-use + common sense = security
• Privacy vs security
  • Sacrifice privacy for security?
  • Should security protect privacy or ignore it to enhance security?
14. Sensible defence – Awareness
• Human intelligence is the most important factor
• Reduce risk without technology
• Limit damage in case of an incident
• Give users insight into the value of company assets and the usage of information systems
15. Sensible defence – Security is a trade-off
• Sensible defence is balanced security
• Balance cost vs economic gain
• Balance liberty vs privacy
• Balance functionality vs security
• Liability, legislation and regulation
16. Sensible defence – Questions?
Q & A
Thanks to:
My colleagues
Donn Parker
Bruce Schneier
Rebecca Herold