Is Information Security Worth It?
Talk given at University of Gloucestershire, March 2012
Speaker notes, sources: “The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers”, Cavusoglu, H., Mishra, B.K., and Raghunathan, S., International Journal of Electronic Commerce, v.8 p.4 (2004), http://portal.acm.org/citation.cfm?id=1278168.1278173&coll=GUIDE&dl=GUIDE; “Estimating the market impact of security breach announcements on firm values”, Goel, S., Shawky, H.A., Information & Management v.46 p.404 (2009), http://dx.doi.org/10.1016/j.im.2009.06.005

1. Information Security Protection – Is It Worth it?
   Martin Lee CISSP CEng, Senior Analyst
   Information Security Protection. 1

2. EU Information Security Market
   For the EU: 15.5 Bil. EUR InfoSec market size; 20.8 million companies; 216.4 million workers.
   Sources: The European Network and Information Security Market Scenario, Trends and Challenges. DG Information Society & Media. Annual Report on EU Small and Medium sized Enterprises 2010/2011. DG Enterprise. European Union Labour Force Survey – Annual Results 2010. Eurostat.

3. Which means – spent on information security in Europe:
   ~750 EUR per company per year
   ~70 EUR per worker per year
   Is this too little or too much? How would we know?

4. Why Spend Money on Information Security? – Compliance
   Legal requirement: Data Protection Directive (95/46/EC), e-Privacy Directive (2002/58/EC), Data Retention Directive (2006/24/EC)
   Industry requirement: Payment Card Industry – Data Security Standard
   Customer requirement: ISO 27002

5. Why Spend Money on Information Security? – Threat Protection
   Accidental: receiving data, corrupting data, deleting data, transmitting data, losing devices
   Malicious: malware, denial of service attacks, hacking, stealing data, destroying data, altering data
   Either can come from an outsider or an insider.
   Think CIA – Confidentiality, Integrity, Availability of systems and data.
6. Risk Analysis
   Threat source  --conducts-->  Threat action  --exploits-->  Vulnerability  --causes-->  Impact
   Hacking collective | Hacks       | Unpatched server        | Defaces website
   Employee           | Emails data | No address verification | Breach of data
   Source: Risk Management Guide for Information Technology Systems. NIST SP 800-30

7. Role of Information Security
   Threat source – educate / deter
   Threat action – detect / neutralise
   Vulnerability – remove / mitigate
   Impact – reduce

8. Information Security Benefit
   Questions to ask along the same chain (threat source, threat action, vulnerability, impact):
   How likely to occur is the threat? How effective is the protection at neutralising the threat? How much does protection cost? What is the monetary loss due to harm?
9. What is malware?
   Viruses – self-replicating code.
   Worms – replicate over the network by exploiting vulnerabilities.
   Trojan – malicious code that does not replicate (may appear non-malicious).
   Rootkit – executable code hidden from the operating system.
   Spyware –
   FakeAV –
   Malware – code that is detrimental to the interests of the person running it.

10. So What?

11. Will You Get Infected?
    14% believe they will never be infected by a virus.
    29% believe it is very unlikely that they will be infected.
    [Pie chart: self-assessed likelihood of infection – categories Not at All Likely, Not Very Likely, Neutral, Very Likely, Extremely Likely; shares shown 14%, 12%, 8%, 37%, 29%]
    Source: “A Look at Consumers Awareness of Email Security and Practices”, July 2009, pub. MAAWG, http://www.maawg.org/about/publishedDocuments/2009_MAAWG-Consumer_Survey-Part2.pdf

12. I Got a Virus!
    Teenage daughter downloaded a virus to my home computer.
    2 days of my free time to remove it, ~8 hours.
    1 week internet ban for daughter.
    Implications for business: time to restore computer ~2 hours => £100. Further consequences?

13. Spamming
    IP black listing – you can’t send legitimate mail.
    Spam content – law firm sending out porn.
    Consequent loss to reputation.
    Financial loss?

14. Spamming
    How much did this cost to the reputation of the individual involved?
    Source: http://news.bbc.co.uk/1/hi/7908498.stm
15. How Much Might it Cost?
    Ponemon Cost of a Data Breach Survey: UK – $3.1 million total cost average per breach; US – $7.2 million total cost average per breach.
    Information Security Breaches Survey: large companies averaged 45 incidents / yr, small companies 14 incidents / yr.
    Cost of worst incident: small companies £27 500 – £55 000; large companies £280 000 – £690 000.
    Sources: “2010 Annual Study: Global Cost of a Data Breach”, Ponemon Inst., http://www.symantec.com/content/en/us/about/media/pdfs/symantec_cost_of_data_breach_global_2010.pdf; “Information Security Breaches Survey 2010”, Infosecurity Europe, http://www.infosec.co.uk/files/isbs_2010_technical_report_single_pages.pdf

16. Cost Framework
    Incident Cost Analysis and Modeling Project II (I-CAMP II): time spent cleaning up the incident and restoring systems; lost productivity due to down time.
    US Code § 1030 Fraud and related activity in connection with computers: the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.

17. Costs Example – City Council, Conficker
    Large incident, local government.
    £600 000 IT consultancy costs.
    £600 000 other direct IT costs.
    £178 000 staff overtime costs.
    £43 000 in cancelled traffic fines.
    £169 000 to clear backlog of benefit claims and unpaid tax.
    Total ~ £1.5 million
    Sources: “Bus lane fines axed over bug”, 2009, Manchester Evening News, http://www.manchestereveningnews.co.uk/news/s/1121846_bus_lane_fines_axed_over_bug; “Manchester City Council Report for Resolution”, 2009, http://www.manchester.gov.uk/egov_downloads/Item_11.pdf

18. Expanded Framework
    Items to consider: repair cost; lost productivity; revenue loss; cost of data loss; cost of confidentiality breach; cost of reputation.
    Source: “Damages From Internet Security Incidents. A framework and toolkit for assessing the economic costs of security breaches”, Feb 2009, pub. Delft University of Technology, http://www.opta.nl/nl/download/publicatie/?id=3083

19. Data Loss Costs
    How much did this cost? How would we calculate it? How much would prevention have cost?
    Source: http://www.bbc.co.uk/news/technology-13256817

20. Market Costs
    1% – 2% loss of market capitalisation following data breaches.
    Payment system breach: drop in market cap $572.27 million; other costs $140 million.
    Sources: “Estimating the market impact of security breach announcements on firm values”, Goel, S., Shawky, H.A., Information & Management v.46 p.404 (2009), http://dx.doi.org/10.1016/j.im.2009.06.005

21. Monetary Penalties
    How could this have been prevented? How much would prevention have cost?
    Source: Information Commissioner’s Office, News Release 28/11/2011, http://www.ico.gov.uk/news/latest_news/2011/monetary-penalties-served-to-councils-for-serious-email-errors-28112011.aspx
22. What It Means For You?

23. Model Your Exposure
    Minor incidents: ~£100 – check logs – many times per day.
    Major incidents: cost depends on your business – once / year.
    Severe incidents: compromised data / financial systems – less than once / year, high cost.

24. Justification – Annual Loss Expectancy
    Risk X leads to consequence Y, which is associated with cost Z.
    We expect this n times per year. Annual loss expectancy = n × Z.
    Mitigation costs a per year and will reduce the probability of Y by b.
25. Council Example
    Cost = £80 000 fine + ~£80 000 other costs = £160 000
    DLP = £10 000: if email marked ‘confidential’ and sent to an external address, route to admin for review. 95% success rate.
26. Council Example
    Saving = (0.95 × 160 000) – 10 000 = £142 000
    Expectancy of risk is 1:5 years
    ALE = (0.95 × 160 000) / 5 = 30 400
    We can spend £30 000 per year on this problem and still save money!
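The annual loss expectancy argument of slides 24 to 26, carried through in code as an added example (not part of the talk). It uses the slide's own figures (£160 000 per incident, one incident in five years, a £10 000 per year DLP rule that catches 95% of cases) and generalises the justification to choosing between several candidate controls; the Risk and Control types and the function names are assumptions for this example.

```python
from typing import List, Optional
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of the exposure model: consequence Y costing Z, expected n times per year."""
    name: str
    cost_per_incident: float     # Z
    incidents_per_year: float    # n; "1 in 5 years" is 1/5


@dataclass(frozen=True)
class Control:
    """A mitigation costing a per year that prevents fraction b of incidents."""
    name: str
    annual_cost: float           # a
    effectiveness: float         # b, between 0 and 1


def annual_loss_expectancy(risk: Risk) -> float:
    """ALE = n x Z: the loss expected per year with no mitigation in place."""
    return risk.incidents_per_year * risk.cost_per_incident


def per_incident_saving(risk: Risk, control: Control) -> float:
    """Slide 26's 'Saving': value of preventing one incident, less the control's cost."""
    return control.effectiveness * risk.cost_per_incident - control.annual_cost


def annual_loss_avoided(risk: Risk, control: Control) -> float:
    """Slide 26's mitigated ALE, b x n x Z. This is also the break-even annual spend."""
    return control.effectiveness * annual_loss_expectancy(risk)


def net_annual_saving(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus the control's annual cost; positive means the spend is justified."""
    return annual_loss_avoided(risk, control) - control.annual_cost


def best_control(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """Pick the control with the largest net annual saving, or None if none pays for itself."""
    saving, control = max(((net_annual_saving(risk, c), c) for c in controls), key=lambda sc: sc[0])
    return control if saving > 0 else None


# Figures from slides 25-26 (fine plus other costs, once in five years; DLP rule at 95%).
COUNCIL_BREACH = Risk("confidential email sent to external address", cost_per_incident=160_000, incidents_per_year=1 / 5)
DLP_RULE = Control("route 'confidential' mail to external addresses for review", annual_cost=10_000, effectiveness=0.95)

if __name__ == "__main__":
    print(f"ALE without control:   £{annual_loss_expectancy(COUNCIL_BREACH):,.0f}")
    print(f"Per-incident saving:   £{per_incident_saving(COUNCIL_BREACH, DLP_RULE):,.0f}")
    print(f"Break-even spend/year: £{annual_loss_avoided(COUNCIL_BREACH, DLP_RULE):,.0f}")
    print(f"Net annual saving:     £{net_annual_saving(COUNCIL_BREACH, DLP_RULE):,.0f}")
```

The break-even figure is the slide's £30 400: any control for this risk costing less than that per year, at the same effectiveness, still saves money.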
27. Examples

28. Protect Yourself

29. Know Your Assets, Know Attack Vectors

30. Layers of Protection Provide Maximum Detection

31. Conclusion
    Know what it is that you are protecting.
    Know the types and frequency of attacks.
    Model your exposure.
    Choose & justify appropriate protection.

32. Thank you!
    Martin Lee, martin_lee@symantec.com, +44 7775 823 278
    Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.