Social-Engineer Your Security Budget

452 views

My slides from UISGCON14 talk. Original video in Ukrainian: https://www.youtube.com/watch?v=7Mvhf_eAQks

  1. Social-Engineer Your Security Budget. Vlad Styran
  2. Good afternoon. I’m Vlad
  3. Plan: 1. Rationale; 2. Economics; 3. Social Engineering; 4. Influence
  4. Part 1: Rationale for security budget
  5. Rationale for security budget. Expectations: Corporate governance; Risk management; Market and government regulations
  6. Rationale for security budget. Reality: Audit reports; Security incidents; Vendor pitches; ”CEO have read a book” ©
  7. IT (security) budgeting process. Expectations: 1. Conduct a risk assessment; 2. Quantify expected losses; 3. Agree on risk appetite; 4. Plan the controls; 5. Implement the controls; 6. Maintain the controls; 7. Measure the controls
  8. IT (security) budgeting process. Reality: 1. Plan the budget; 2. Present the budget; 3. Divide the budget in half; 4. Defend the budget; 5. Divide the budget in half; 6. Get the budget approval; 7. Try not to cry in public
  9. Why are IT budgets cut?
  10. But if it only worked… Expectations: Corporate governance; Risk management; Market and government regulations. Reality: Industrial Control Systems Healthcheck
  11. Part 2: Cyber security economics
  12. Cyber security economics. Market challenges: Information asymmetry*; Invisibility of prevented loss; Lack of incident disclosure; Poor regulation. (* George Akerlof – The Market for Lemons)
  13. Why corporate security (normally) sucks: “Best practice” driven deterministic approach; The promised land of “Management commitment”; Obsession with formal authority
  14. “Best practice” vs Real security. “Best practice” security: Deterministic & control-centric; “When in doubt, look into the standard” ©; Security against liability; Compliance ❤. (Delft University of Technology – Cyber Security Economics 101)
  15. “Best practice” vs Real security. The Real security: Direct business impact; Security for business; Indirect business impact; Security for customers; Support of business strategy; Security against customers. (Delft University of Technology – Cyber Security Economics 101)
  16. Management commitment. Expectation: ISO-IEC 27001 – 5.1 Management commitment: “Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by: … d) communicating to the organization the importance of …; e) providing sufficient resources to …; …”
  17. Management commitment. Expectation: ISO-IEC 27001 – 5.1 Management commitment: “Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by: … d) communicating to the organization the importance of …; e) providing sufficient resources to …; …” Reality
  18. Obsession with authority. Expectation: CISO reports to CEO or directly to the Board of Directors. (Image courtesy of USA Network)
  19. Obsession with authority. Reality: “CISO” reports to the highest-ranking executive who knows what is the difference between a firewall and an antivirus. (Image courtesy of Scott Adams, http://dilbert.com)
  20. Cyber security business: Paper tigers; Blinking boxes; Feynman threat; Do it yourself attitude; Evolution of “fair price”
  21. Part 3: Social engineering
  22. Social Engineering vs Human Hacking, Neurohacking and other bullshit
  23. How it works
  24. How it works
  25. How it works
  26. How it works. Scenario: a virus outbreak is expected to kill 600 people. We have two treatment plans to choose from. Plan A: let’s save 200 people! • All 600 will survive with P=33% • None will survive with P=66%. Plan B: 400 people will die… • No one will die with P=33% • Everyone will die with P=66%. (78% / 22%) Tversky, Amos; Kahneman, Daniel (1981). "The Framing of decisions and the psychology of choice". Science 211 (4481): 453–458.
  27. Part 4: Influence strategy, tactics and ops
  28. Influence strategy: Formal power; Expert power; Social power
  29. Formal power
  30. Expert power. “An expert is a man who has made all the mistakes which can be made, in a narrow field.” --Niels Bohr
  31. Expert power. “An expert is a human who has made all the mistakes which can be made, in a narrow field.” --Niels Bohr
  32. Expert power: Open Design; Least Privilege; Fail-Safe Defaults; Defense in Depth; Complete Mediation; Separation of Privilege; Economy of Mechanism; Secure Weakest Link First; Psychological Acceptability; Least Common Mechanism. (Ross Anderson – Security Engineering)
  33. Social power. (University of Michigan – Influencing People)
  34. Social power. (University of Michigan – Influencing People)
  35. Social power. (Cultivating Compassionate Tech Communities - April Wensel - AnxietyTech 2018)
  36. Influence tactics: Behavioral economics; Social psychology; Neuroscience. (Robert Cialdini – Influence)
  37. Influence ops. (Oren Klaff – Pitch Anything)
  38. Step 1: Introduction of self. Define yourself via your background and brief history. Name top-3 or top-2 cool things you did professionally. State the purpose of your pitch.
  39. Step 2: The “Why now?” frame. Recent changes by economic, social, and technological forces: factual and external to the company. Backstory of the idea: important changes in the business, forecast of trends, impact on cost and demand, and the opening window of opportunity.
  40. Step 3: Idea introduction pattern. “For [the beneficiary], Who are dissatisfied with [the current situation], My proposed idea/product/project is a [new thing], That provides [key problem-solving solution], Unlike [the alternative(s)]. My idea/product/project/solution is: [describe key features]”
  41. Good evening. I’m Vlad
  42. I spent 16 years in IT infrastructure, Information Security Management, IT Audit, Application Security, and Security consulting for the largest banking, telecom, software development and professional services companies in Ukraine.
  43. I am one of the ”founding fathers” of UISG, co-founder of OWASP Kyiv, NoNameCon security conference, and my own consulting company Berezha Security.
  44. Today I am here to help you secure adequate budget for your cyber security program.
  45. All of you are aware of: 1. the increase in frequency and financial impact of cyber attacks, 2. the strengthening of government and market regulations, 3. and the inability of traditional IT security solutions to thwart the permanent threat of state-sponsored hacking backed by Russia. In the face of: 1. poor InfoSec market conditions that will not improve in the near future, 2. and the inevitable period of increased geopolitical tension caused by the upcoming presidential elections; you shall not miss the opportunity to secure the funding required to implement adequate safeguards as soon as possible.
  46. For your security organization, that is poorly funded in line with the “traditional” corporate budgeting process that creates an imbalance of estimated goals and assigned costs, my proposed method is a tool for leveraging natural human features, beliefs, and aspirations, that provides a tangible perception of the “fair amount” of cyber security spending to all stakeholders, unlike the traditional “risk assessment” approach that is inherently prone to error and doesn’t fully cover the ever-changing threat landscape.
  47. My proposed method uses the current body of knowledge in psychology, social sciences, and cyber security economics to help security leaders: • obtain necessary resources, • deal with cyber security market challenges, • build and maintain influence power in the organization, • and take a well-deserved place in the business hierarchy.
  48. How to find me: sapran@pm.me; https://fb.me/vstyran; @arunninghacker
  49. References: George Akerlof – The Market for Lemons; Delft University of Technology – Cyber Security Economics 101; Ross Anderson – Security Engineering; University of Michigan – Influencing People; Robert Cialdini – Influence; Oren Klaff – Pitch Anything; Cultivating Compassionate Tech Communities - April Wensel - AnxietyTech 2018
  50. Recommendations: Introduction to Psychology, University of Toronto; Christopher Hadnagy, Social Engineering: The Art of Human Hacking, 1st Edition; Robert B. Cialdini, Influence: The Psychology of Persuasion, Revised Edition; Dan Ariely, Predictably Irrational, Revised and Expanded Edition: The Hidden Forces That Shape Our Decisions; Social Engineer Podcast
