Data Security Metricsa Value Based Approach


Published on

In this Security management workshop, we introduce finance and business unit managers to a value-based approach for reducing security costs and minimizing Value at Risk

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Data Security Metricsa Value Based Approach

  1. 1. Data security metrics and a value based approach Licensed under the Creative Commons Attribution License Danny Lieberman
  2. 2. Why? “I don't need data security, we outsource our IT to one of the big banks” “It's never happened to us before” “You can't estimate asset value” “We encourage risk taking” “I don't take risks” True quotes from real people
  3. 3. Agenda • Introduction and welcome • What is data security? • Anything can be measured • Why metrics? • Why quantify risk? • Measurement methods • Continuous improvement • Questions and answers
  4. 4. Introduction • Our mission today – Tools to help make your work easier – Share ideas
  5. 5. What the heck is data security? • Security – Ensure we can survive & add value • Physical, information, systems, people • Data security – Protect data directly in all realms
  6. 6. Anything can be measured All exact science is based on approximation. If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man. Bertrand Russell
  7. 7. Data security metrics • Dimensions – organization, channel and content • Typical metrics – % of employees that signed the AUP – % Webmail traffic/all mail traffic – % Office files by Webmail/Employees – No. of revenue transactions – Cost of security for operational/revenue systems – Cost of security for customer service systems – Cost of security for FnA systems – Value of assets in Euro – Total value at risk of assets
  8. 8. Why do we need metrics? • Recognize this? The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) Ignores the hard stuff; quantification and Ignorance is never better than prioritization of your actions based on financial value of assets and knowledge measurement of threat impact Enrico Fermi
  9. 9. Why bother quantifying risk? • Why not qualitative metrics? When was the last time a customer paid a “qualitative price” ?
  10. 10. Quantitative risk model(*) Value at Risk Metrics =Threat Damage to Asset value, Asset x Asset Value x Threat damage to Threat Probability asset, Threat probability (*) PTA -Practical threat analysis risk model
  11. 11. Quantitative risk model benefits • Run security like you run your business – Quantify and prioritize actions in Euro/USD – Justify data security investments • Measure improvement – Reduced risk – Lower costs
  12. 12. Measurement methods • Hand sampling – Small samples of employees, routers... • The “Rule of 5” • Expert estimates – The CFO • Pros at asset valuation • Test equipment
  13. 13. Test equipment Management Provisioning Events Reporting Policies Data Document Forensics Warehouse Server Detection point Interception Received: from [] Session Decoders (-80-230-224- Message Policies ID:<437C5FDE.9080> Countermeasures “Send me more files today.
  14. 14. Continuous improvement
  15. 15. Coming attractions • Sep 10: Selecting data security technology • Sep 17: Selling data security technology • Sep 24: Write a 2 page procedure • Oct 1: Home(land) security • Oct 8: SME data security
  16. 16. Learn more • Presentation materials and resources