GR - Security Economics in IoT 150817- Rel.1
Wireless Strategy & Business Development for the Connected World

Guide Report: Security Economics for IoT
Guide Report: Security Economics for IoT
Copyright © 2015 RMAC Technology Partners, Inc.

Attribution
Executive Editor: Clay Melugin
Authored by Clay Melugin
Contributors: Jim Riley, Gary Lizama
Quality Assurance: Clay Melugin
Published by RMAC Technology Partners, Inc.

Copyright © 2015 RMAC Technology Partners, Inc.
San Diego, California 92130
All rights reserved. No part of this report may be reproduced, in any form or by any means, without permission in writing from the publisher.
Printed in the United States of America

Disclaimer
RMAC Technology Partners, Inc. has made every reasonable effort to ensure that all information in this report is correct. We assume no responsibility for any inadvertent errors.

Revisions: 8/17/2015 v1.0 – Initial Public Release
Table of Contents
1 Introduction (page 3)
2 Why Security is important in IoT (page 4)
  Developer Intentions (page 4)
  Government Intentions on IoT Security (page 5)
3 Economics of Security (page 6)
  Components of Economic Risk (page 6)
  Data Breach Liability (page 6)
  Damages (page 7)
  Company Devaluation or Destruction (page 8)
4 Calculating the Economic Cost (page 9)
  Calculation Example (page 10)
5 Summary (page 11)
6 Learn More (page 12)
7 Credits, Source Links & Disclaimer (page 13)
1 Introduction

The Internet of Things (IoT) ecosystem is a valuable marketplace for developers of devices and applications that increase productivity, efficiency and awareness, but it's also a rich target for hackers seeking to gain access to data and potentially disrupt operations. An IoT strategy needs to include a reasonable security strategy as a fundamental requirement from concept through product support, to appropriately protect and serve the market.

Security should be an economic decision that is rooted in the product concept. We focus on the value of a product in the market, but the financial risk (liability) of shipping the product should also be part of the decision-making process. When the financial liability is accrued into product cost, security technology becomes a key tool to reduce the product cost.

You will learn in this guide how to define a reasonable level of security for an IoT solution. Understanding the financial liability of security breaches empowers developers to make practical and reasonable security decisions for implementing best practices to secure devices, data and networks. This not only mitigates costly liabilities from hacking, but also delivers an IoT product that is competitive in the market.

Explained below are key definitions to get everyone on the same page:

Security: The state of being free from danger or threat.

Cyber-security: The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.

Cyber-warfare: The use of computers to disrupt the activities of an enemy country, especially the deliberate attacking of communication systems and infrastructure.

Security critical system: A system whose failure would put the safety of people at risk.

Privacy: The ability of an individual or group to seclude themselves, or information about themselves, and thereby selectively decide what is shared publicly.
2 Why Security is important in IoT

Developer Intentions

In the beginning of every product concept, there is a vision of a world-changing product or device that enriches the lives of people or businesses that are seeking solutions to problems. A nefarious motive to damage or destroy the lives of people or businesses does not drive the creative concept of most developers. What we sometimes miss is the fact that great intentions and inventions can have unintended consequences outside the vision of the creator.

So here we begin the process of making decisions to keep the product on track and in the control of those who it is designed to serve. You never want to be in the situation of realizing that your product has been turned into a weapon. Even the most basic of products can be turned against the consumer, infringing on their privacy and safety and that of society, as has been increasingly reported in the news.

There are people and organizations that exist to exploit devices to meet their agenda, be it theft, invasion of privacy or even cyber warfare. We don't know these people and they should not engage our creative talents; they simply need to be recognized and addressed by design.

Decisions made in the concept, design, development, distribution and field support phases of a product life cycle can reduce the risk of giving up access or control in a reasonable, balanced and risk-appropriate manner. Ignoring the security aspects of any product can have devastating unintended consequences.
Government Intentions on IoT Security

The US Federal Trade Commission hosted an industry workshop, “Internet of Things – Privacy & Security in a Connected World”, in late 2013 as part of their responsibility to protect consumers in the commercial environment. The workshop participants highlighted the risks of IoT:

“IoT presents a variety of potential security risks that could be exploited to harm consumers by:
1. Enabling unauthorized access and misuse of personal information
2. Facilitating attacks on other systems
3. Creating risks to personal safety
Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time”

The FTC Staff Report 2015 demonstrates the intention of the FTC to monitor and control IoT security not by direct regulation of IoT, but through enforcement of existing regulatory statutes, and education on existing Fair Information Practice Principles (FIPPs) for companies manufacturing IoT solutions to incorporate “reasonable security” into their IoT solutions and products.

• Fair Information Practice Principles (FIPPs)
  o Data Security
  o Data Minimization
  o Notice
  o Choice
• Fair Credit Reporting Act (FCRA)
• Health Insurance Portability and Accountability Act (HIPAA)

The FTC Staff Report 2015 also requested legislative action: “Recommendation for Congress to enact strong, flexible, and technology neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a data breach.”
3 Economics of Security

Security increases a product's value to consumers and simultaneously lowers both liability and operating expenses for the Original Equipment Manufacturer (OEM). When security is designed into IoT solutions as part of the new product concept, the impact is significant in effectiveness yet minimal in product cost. Adding security after the original product design is completed can be costly and time consuming, and is rarely as effective.

The challenge is deciding on the level of security for the IoT solution, namely to balance the risk of the threat and potential liability in a “reasonable” manner. The best-known practice is to value the risk and liability using industry metrics on the probability of being hacked, recognizing the magnitude of damages that would result, and implementing security that cost-effectively reduces that risk.

Components of Economic Risk
1. Data Breach Liability
2. Damages (economic compensation)
3. Company Devaluation (shareholder loss)

Data Breach Liability

There are regulatory-mandated actions required when a breach reveals any person's identity plus at least one non-public personal information item:
• Social Security number
• Credit/Debit card account number
• Health records
• Financial Records

Notifications, remediation and recovery of trust have been economically researched on a regular basis, giving us a clear financial cost for each data record breached. The IBM & Ponemon Institute “2014 Cost of Data Breach Study: United States” shows an average cost of $246 for each data record in a breach of 10,000 records. This number varies by industry served, with healthcare being at the most expensive end of the economic scale at $316 per record breached.
Damages

When products are compromised there are clear risks of regulatory penalties and civil damage claims. The regulatory and court system remedies claims through penalties and economic compensation to victims. The victim(s) can be either your customer or a 3rd party who was damaged as a result of your product. Examples:

• IoT Refrigerator – hacked so as to destroy the food it was intended to preserve, and used as a tool in email phishing campaigns and coordinated denial of service attacks.
• HVAC Thermostat – hacked and used to launch a coordinated attack against the electric grid, resulting in the shutdown of a town, city or region, creating economic loss for many.
• Traffic Signal Light – hacked to turn all lights green or red, resulting in traffic accidents and extreme congestion.
• Irrigation Controller – hacked to enable excessive watering while you are away on vacation or asleep, resulting in huge water bills, damage to property and wasted resources.

In 2011 an electrical grid in Southern California experienced an outage that lasted 18 hours and caused an estimated $100 million total economic impact. The impact on the utilities involved (20 incidents occurred in an 11 minute period on 5 grids) led to two nuclear reactors going offline and a major metropolitan area being left in total darkness. The potential of such incidents is hard to ignore as the IoT device population grows.
Company Devaluation or Destruction

Valuation of many companies today is based on the size of their database and the content integrity of the database. Industry research on database value ranges from $40 to $176 per user record, with larger and more complex databases driving the higher end (Facebook), and customer contact data at the lower end.

The effect of hackers stealing a database as part of a breach is significant enough, but deliberate and undetected corruption of data for months or years impacts confidence in the data retained, since it also significantly erodes confidence in the archive and backup systems. Each company needs to evaluate and appropriately value database assets, as well as the potential impact on revenue and recovery costs from such incidents. Today this is the cost of doing business, but knowing the financial impact of such events enables appropriate investment in security to reduce risk, and most importantly to avoid devaluation of the company's brand.
4 Calculating the Economic Cost

Using financial estimates for the impact of the three components of risk:
1. Data Breach Liability
2. Damages (economic compensation)
3. Company Devaluation (shareholder loss)

combined with the probability of occurrence, we can estimate the financial impact that should be considered in the business model as well as in new product solutions.

Economic Risk = Data Breach Liability * PB + Damages * Po + Assets Liability * PL

PB = Probability of a Data Breach
Po = Probability of Damage Occurrence
PL = (PB + Po) = Probability of Assets being destroyed

Each existing and new product market plan should contain a model of economic risk and the probability of occurrences to understand the realistic future impact on the business. Once these economic risks are quantified, then investments in security can be made to reduce the cost impact these risks have on the business.

A report released by HP Fortify revealed that 70% of IoT solutions currently shipping to customers have 25 or more known vulnerable points when tested against the OWASP Internet of Things Top 10 Project. Each vulnerability vector has a value and probability of occurrence that must be accounted for to enable appropriate investment in security.

The following chart is a top-level calculation example at a high level covering the three components of economic risk. For each of these components there are multiple subcategories of threat vectors, each with its own liability value and probability of occurrence. The more detailed the threat identification and liability estimation, the more valuable it will be in making decisions on where to invest in security. Liability and probabilities change with time as technology advances and the population of fielded devices increases. An economic model is not an exact science; it is a guide on understanding the risks and addressing them to a reasonable level. Professional evaluations of risk and liabilities from legal, technical and financial experts help build a better model.
Calculation Example

Data Breach: Section 3.1 shows that a database of 10,000 records has a 19% probability of occurrence in the next 24 months, with an impact of $246/record exposed.

Breach Cost ($/yr) = $246 * 10,000 * 19% / 2 = $232,750/year

Damages: A systemic hack could result in 10,000 devices in the field becoming permanently inoperable, resulting in $6,500/unit in property damage, and $450/unit in field replacement cost. The probability of occurrence is 0.1%.

Damages ($/yr) = 10,000 * $6,950 * 0.1% = $69,500/year

Company Value: Asset rebuilding and validating the database will take 2-3 months. Sales are stopped for 90 days as security measures are put into place and the company focuses on recovery and rebuilding trust with customers and prospects. Estimated impact of the recovery effort is $3.5 million.

Value Loss ($/yr) = $3.5M * (0.19 + 0.001) / 2 = $334,250/yr

Total Economic Cost = $636,500/year = $6.365/unit shipped
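The section 4 risk formula and the calculation example above, worked in code as an added example that is not part of the report: it annualises both probabilities before combining them, assumes a shipment volume the report leaves unstated (100,000 units/year, which reproduces the report's per-unit scale), and adds a constructed hardening control to show how a security investment is weighed against the annual risk it removes. Because the 19% breach probability is halved to a per-year figure before being added to the 0.1% annual damage probability, the breach and asset terms come out at $233,700 and $336,000 rather than the $232,750 and $334,250 printed in the report.

```python
# Added worked example (not the report's code): the section 4 economic-risk
# model, Economic Risk = Breach Liability*PB + Damages*Po + Assets Liability*PL,
# with PL = PB + Po, all terms expressed per year.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskInputs:
    records: int                 # personal-data records held
    cost_per_record: float       # $ per record breached ($246, Ponemon 2014 US average)
    pb_per_year: float           # PB annualised: probability of a data breach per year
    fielded_units: int           # devices a systemic hack could render inoperable
    damage_per_unit: float       # property damage + field replacement, $ per unit
    po_per_year: float           # Po annualised: probability of the damage event per year
    recovery_cost: float         # asset rebuild, sales stop and trust recovery, $
    units_shipped_per_year: int  # ASSUMPTION: not stated in the report; 100,000
                                 # reproduces its $/unit scale


def breach_liability(r: RiskInputs) -> float:
    """Data Breach Liability * PB, in $/year."""
    return r.cost_per_record * r.records * r.pb_per_year


def damages(r: RiskInputs) -> float:
    """Damages * Po, in $/year."""
    return r.fielded_units * r.damage_per_unit * r.po_per_year


def asset_loss(r: RiskInputs) -> float:
    """Assets Liability * PL, with PL = PB + Po as the report defines it."""
    return r.recovery_cost * (r.pb_per_year + r.po_per_year)


def economic_risk(r: RiskInputs) -> dict:
    """Total annual economic risk and its allocation per unit shipped."""
    total = breach_liability(r) + damages(r) + asset_loss(r)
    return {"breach": breach_liability(r), "damages": damages(r),
            "asset": asset_loss(r), "total": total,
            "per_unit": total / r.units_shipped_per_year}


def net_benefit(before: RiskInputs, after: RiskInputs, annual_control_cost: float) -> float:
    """Annual risk removed by a control minus what the control costs per year."""
    return economic_risk(before)["total"] - economic_risk(after)["total"] - annual_control_cost


# The report's example: 19% breach probability over 24 months -> 9.5% per year;
# the report uses the 0.1% damage probability as an annual figure already.
EXAMPLE = RiskInputs(records=10_000, cost_per_record=246.0, pb_per_year=0.19 / 2,
                     fielded_units=10_000, damage_per_unit=6_500.0 + 450.0,
                     po_per_year=0.001, recovery_cost=3_500_000.0,
                     units_shipped_per_year=100_000)

# Constructed hypothetical control: halves PB (e.g. encryption at rest plus
# access hardening) at a cost of $150,000/year.
HARDENED = replace(EXAMPLE, pb_per_year=EXAMPLE.pb_per_year / 2)

if __name__ == "__main__":
    for name, value in economic_risk(EXAMPLE).items():
        print(f"{name:>8}: ${value:,.2f}")
    print(f"net benefit of control: ${net_benefit(EXAMPLE, HARDENED, 150_000):,.2f}")
```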
5 Summary

There is no such thing as perfect or impenetrable security. Over time, new and improved approaches to hacking and exploitation evolve as unknown vulnerabilities are discovered, which can cause risk factors to change. The three core components of economic risk can guide your thought process as you develop a new product concept, and they will enable decision making throughout the development process and life cycle for the product.

1. Data Breach Liability
2. Damages (economic compensation)
3. Company Devaluation (shareholder loss)

Understanding and modeling the financial risks that a product introduces to the business model enables developing reasonable approaches to security and builds confidence with customers and shareholders. Without an economic model, companies have few guidelines on making reasonable and appropriate decisions on security investments.

In today's market there are a multitude of security approaches available to developers, ranging from physical hardware security through network transport layers and even into cloud/database/server systems and BYOD (bring your own device) applications. There are also measures that can be taken in the product definition and development process, as well as in how a business operates, that can dramatically impact the risk factors and financial liability.

Consumers and users decide if the risk of a security breach is worth the value that the IoT solution delivers. Building a credible and proven brand reputation for security makes your IoT solution more valuable.
6 Learn More

Look for our follow-on Guide Reports:

• Guide Report: Security Decisions in IoT
  There are many decision points in the development of an IoT product that need to be held accountable for security. In this guide we walk through the product development path, giving the security perspective for how to ensure security is integrated effectively in the product life cycle.

• Guide Report: Security Effectiveness & Testing
  Security is an ongoing effort in the life of a product, but when you are making design decisions, how do you know the effectiveness of the multiple approaches to security? In this guide we provide useful insights and direction to the process.
7 Credits, Source Links & Disclaimer

Thank you for reading our Guide Report. This series of reports on IoT security was researched and written to help the IoT industry develop a common approach to decision making on how security is implemented in products. We understand that the hard work is ahead as you develop products and make key decisions that impact both your company's financial outlook and the security of your customers. We assume no liability for your reliance on this information and ask that you use your best judgment in the effort. As you go through the economic model process, avoid making uninformed assumptions that impact the modeling of financial risks.

We recognize the significant contributions of the sources cited below for openly sharing valuable research with the developer market.

• Wikipedia, “Canadian Privacy Law”, sourced at http://en.wikipedia.org/wiki/Canadian_privacy_law
• Hewlett-Packard Development Company, “HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack”, July 29, 2014, by Daniel Miessler. Sourced from http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-4759ENW&cc=us&lc=en
• OWASP – The Open Web Application Security Project. Sourced at https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014
• Ponemon Institute and IBM, “2015 Cost of Data Breach Study: Global Analysis”, sourced at http://www-03.ibm.com/security/data-breach/#
• United States Federal Trade Commission, “Internet of Things”, FTC Staff Report, January 2015, sourced at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf