
Social Media Risk Metrics
Risk metric frameworks cover most of the elements that organizations deal with from an operational perspective. We have identified a gap in them: social media activity is not represented well, despite being the fastest-growing attack vector. In this talk we present a social media risk metric framework that allows organizations to measure and track the risk that both individuals and third-party entities pose to the organization.


  1. The Newest Element of Risk Metrics: Social Media. Ian Amit (@iiamit)
  2. Spot the problem
  3. Basic Motivation - hottest/easiest vector!
     • "… in previous years, we saw phishing messages come and go and reported that the overall effectiveness of phishing campaigns was between 10 and 20%. This year, we noted that some of these stats went higher, with 23% of recipients now opening phishing messages and 11% clicking on attachments. Some stats were lower, though, with a slight decline in users actually going to phishing sites and giving up passwords."
     • "For two years, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing."
     • Source: 2015 DBIR
  4. Why do I want this? (1)
  5. Why do I want this? (1)
  6. Why do I want this? (2)
  7. Why do I want this? (3)
     • Are you engaged in a "controversial" practice? Financial Services, DIB, Healthcare, Pharma, Agribusiness, LEA, Energy
  8. Coming up with a solution…
  9. Let's create a framework!
  10. The solution should provide:
  11. How feasible is it? Sentiment Analysis and German Elections: "Twitter can be seen as a valid real-time indicator of political sentiment."
  12. (image slide, no text)
  13. Goal, Question, Metric (Victor Basili). Goals establish what we want to accomplish. Questions help us understand how to meet the goal; they address context. Metrics identify the measurements that are needed to answer the questions. [Diagram: Goal 1 and Goal 2 map to questions Q1–Q5, which map to metrics M1–M7.]
  14. GQM Example: Patch Management. Patching Scorecard with Goal 1: Comprehensive, Goal 2: Timely, Goal 3: Cost Efficient.
  15. Goal 1: Comprehensive.
     • Questions: % coverage by asset category; % coverage by risk.
     • Metrics: by asset category (Unix, Windows, Server, Desktop OS, Compo…); by likelihood and impact; by location (DMZ, Semi-Pub, Internal); by business unit.
  16. Goal 2: Timely.
     • Questions: What should our priorities be for timeliness? What is the policy for timeliness? What other considerations are there for timeliness?
     • Metrics: time to patch (by likelihood, by impact); what % are late by…; who are our repeat offenders.
  17. Goal 3: Cost Efficient.
     • Questions: cost; risk reduction.
     • Metrics: hours per asset spent patching (by asset category; by location (DMZ, Semi-Pub, Internal); by cost per hour); hours per asset by ALE per hour; hours per asset category.
  18. GQM for SMRM
     • Goal: Provide a social media risk scorecard for a person or organization.
     • Questions: How does one's online activity (OA) affect the likelihood of a threat? How does one's OA affect the impact of a threat, and the areas of impact? How does someone's unsanctioned presence affect those threats?
     • Metrics: Provide a qualitative* approach to measuring the overall risk, as well as specific aspects of the social media presence. (*And when we say qualitative we lie a little bit…)
  19. More Goals!
     • Provide a measurable way to quantify the risk associated with the online activity of the organization and its employees.
     • Provide another measure for quantifying the risk of working with third parties and contractors.
     • Create a score for executives to measure their social media exposure (from an executive protection perspective, insider trading, etc.).
     • Create a score for measuring and comparing intra- and extra-industry social media risk ratings.
     • Be able to quantify the effect of changing controls, processes and policies on the risk associated with social media.
  20. Enter, SMRM!
  21–24. Is the individual risky? (four image slides)
  25. Scorecard Development
     • Started with the basics: comparative measurements.
     • A qualitative approach means trying to leave quantitative elements out (which we only partly manage). The compromise was a fairly detailed breakdown of elements where, instead of rating each on a scale, we only indicate presence (1 or 0).
     • Plain aggregation did not work: averaging does not reflect the full magnitude of the largest elements, and MAX() ignores the contribution of the smaller ones. We have to provide more accurate weights…
  26. Scoring Approach
     • Ended up with a weighting system for the major elements according to their importance to the organization (context!).
     • Given X points to distribute between Y elements, weight_i = Y'_i / X, where Y'_i is the number of points given to element i. The weights therefore sum to 1.
     • Apply the weights to the presence indicators on the scorecard to get the weighted risk score, with weights chosen for the organization's operational context.
  27. Scorecard columns: Status, Likelihood, Manifestation, Impact, # online threats.
  28. Personal scorecard and Corporate scorecard, each with the columns Status, Likelihood, Manifestation, Impact, # online threats. Element rows: Malicious Content, Negative Sentiment, Information Leaks.
  29. What data do I need? Size, # of monitored assets, Geography, Chatter, Impersonations, Sentiment.
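The scoring approach on slides 25–26 (presence indicators, weights normalized from a point allocation, and why averaging and MAX() were rejected) as a worked example. This is an added illustration, not the SMRM tool's own code: the element names are drawn from the element rows on slide 28, the "Impersonations" data item on slide 29 and the unsanctioned-presence question on slide 18, while the point allocation and the two sample profiles are constructed for the example.

```python
"""Presence-based scorecard with organization-specific weights (slides 25-26).

Added worked example, not the SMRM tool's own code. Element names follow
the talk's categories; the point allocation and profiles are constructed.
"""
import math

# Slide 25: each element is recorded as present (1) or absent (0), not on a
# scale. Which elements make up a scorecard is the organization's choice;
# this set is an assumption for the example.
ELEMENTS = (
    "impersonation",           # slide 29: impersonation accounts observed
    "malicious_content",       # slide 28 row
    "negative_sentiment",      # slide 28 row
    "information_leak",        # slide 28 row
    "unsanctioned_presence",   # slide 18: presence outside the sanctioned accounts
)

# Slide 26: X points distributed over the Y elements by the organization.
# Constructed allocation, X = 100.
POINTS = {
    "impersonation": 40,
    "malicious_content": 20,
    "negative_sentiment": 10,
    "information_leak": 25,
    "unsanctioned_presence": 5,
}


def weights_from_points(points):
    """weight_i = Y'_i / X, so the weights sum to 1 (slide 26).

    Every element must receive an allocation (zero is allowed) so that no
    scorecard element is silently dropped from the weighted score.
    """
    missing = set(ELEMENTS) - set(points)
    extra = set(points) - set(ELEMENTS)
    if missing or extra:
        raise ValueError(f"allocation mismatch: missing={missing} extra={extra}")
    if any(p < 0 for p in points.values()):
        raise ValueError("point allocations must be non-negative")
    total = sum(points.values())
    if total == 0:
        raise ValueError("at least one point must be allocated")
    return {name: points[name] / total for name in ELEMENTS}


def validate_presence(presence):
    """Presence indicators must be exactly 0 or 1 for every element (slide 25)."""
    for name in ELEMENTS:
        if presence.get(name) not in (0, 1):
            raise ValueError(f"{name}: presence must be 0 or 1, got {presence.get(name)!r}")


def aggregate(presence, weights):
    """Return the three aggregations compared on slide 25.

    'average' and 'max' are the rejected options; 'weighted' is the
    weighted sum of presence indicators the talk settled on.
    """
    validate_presence(presence)
    flags = [presence[name] for name in ELEMENTS]
    return {
        "average": sum(flags) / len(flags),
        "max": max(flags),
        "weighted": sum(presence[name] * weights[name] for name in ELEMENTS),
    }


def control_effect(before, after, weights):
    """Slide 19's last goal: score the same subject before and after a control
    change and report the movement in weighted risk (negative = improved)."""
    return aggregate(after, weights)["weighted"] - aggregate(before, weights)["weighted"]


# Constructed profiles. A: one high-weight element present.
# B: two low-weight elements present.
PROFILE_A = {"impersonation": 0, "malicious_content": 0, "negative_sentiment": 0,
             "information_leak": 1, "unsanctioned_presence": 0}
PROFILE_B = {"impersonation": 0, "malicious_content": 0, "negative_sentiment": 1,
             "information_leak": 0, "unsanctioned_presence": 1}

if __name__ == "__main__":
    w = weights_from_points(POINTS)
    assert math.isclose(sum(w.values()), 1.0)
    for label, profile in (("A", PROFILE_A), ("B", PROFILE_B)):
        print(label, aggregate(profile, w))
    # Averaging ranks B above A, MAX() ties them, the weighted sum ranks A above B.
    print("closing the leak on A:", control_effect(PROFILE_A, dict(PROFILE_A, information_leak=0), w))
```

Profile A scores 0.2 by averaging, 1 by MAX() and 0.25 weighted; profile B scores 0.4, 1 and 0.15. Averaging puts the two minor findings above the single leak, MAX() cannot tell them apart, and only the weighted sum orders them the way the organization's allocation says they should be ordered. Re-running `aggregate` on the same subject after a control change, as `control_effect` does, is the "measure again in 2-3 months" step from the take-away slide.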
  30. How can you do it?
  31. Step 1: None at all / None but public information / Volitional / Enforced
  32. Step 2
  33. Step 3
  34. Step 4: Collect <ALL> the data (E-T-L)
  35. Scraping Twitter. Scraping: …bit-of-web-scraping/ (link truncated). Example of the markup that comes back: <link rel="alternate" type="application/json+oembed" href="https://" title="Guy Fieri, CISO on Twitter: &quot;Which is more dangerous @nudehaberdasher, @0xcharlie, @a_greenberg stunt in the wild, or Nationalist Attribution Rhetoric from @taosecurity?&quot;">
  36. Step 5: Store the data
  37. Step 6: Analysis
  38. Example of using SA (sentiment analysis) for subjective rating. Warning: subjectivity ahead!
  39. Step 6b: Big data magic
  40. Step 7: Scorecard
  41. DEMO
  42. Where can you get it?
     • The Society of Information Risk Analysts
     • As well as on the SMRM site
  43. Take-away
     1. Check what your current social media security policy is (if you have one).
     2. Do you have a current risk model that incorporates social media (attack surface / information leak / intelligence)?
     3. Measure your current social media risk posture for key individuals in your organization.
     • Then, in 2-3 months, measure again to see whether the changes you implemented in light of the initial measurement had the intended effect.
  44. Thank you! Questions? @iiamit
  45. References
     • Sentiment analysis and German elections: …1441/1852
     • Analyze tone of text
     • Analyze personality based on text
     • Sentiment analysis tools (list from …sentiment-analysis-tools/):
       – Python NLTK (Natural Language Toolkit); see also …sentiment/
       – R, tm (text mining) module, including tm.plugin.sentiment
       – RapidMiner
       – GATE, the General Architecture for Text Engineering
       – Apache UIMA, the Unstructured Information Management Architecture
       – Sentiment classifiers for the WEKA data-mining workbench; see …diracad/einternacional/Weka.pdf for one example
       – Stanford NLP tools
       – LingPipe (pseudo-open source)