Wireless Strategy & Business Development for the Connected World
Guide Report: Security Economics for IoT

Copyright © 2015 RMAC Technology Partners, Inc.
Attribution

Executive Editor: Clay Melugin
Authored by Clay Melugin
Contributors: Jim Riley, Gary Lizama
Quality Assurance: Clay Melugin
Published by RMAC Technology Partners, Inc.

Copyright © 2015 RMAC Technology Partners, Inc.
San Diego, California 92130

All rights reserved. No part of this report may be reproduced, in any form or by any means, without permission in writing from the publisher.

Printed in the United States of America

Disclaimer

RMAC Technology Partners, Inc. has made every reasonable effort to ensure that all information in this report is correct. We assume no responsibility for any inadvertent errors.

Revisions:

8/17/2015 v1.0 – Initial Public Release
Table of Contents

1 Introduction
2 Why Security is important in IoT
   Developer Intentions
   Government Intentions on IoT Security
3 Economics of Security
   Components of Economic Risk
   Data Breach Liability
   Damages
   Company Devaluation or Destruction
4 Calculating the Economic Cost
   Calculation Example
5 Summary
6 Learn More
7 Credits, Source Links & Disclaimer
1 Introduction

The Internet of Things (IoT) ecosystem is a valuable marketplace for developers of devices and applications that increase productivity, efficiency and awareness, but it’s also a rich target for hackers seeking to gain access to data and potentially disrupt operations. An IoT strategy needs to include a reasonable security strategy as a fundamental requirement from concept through product support, to appropriately protect and serve the market.

Security should be an economic decision that is rooted in the product concept. We focus on the value of a product in the market, but the financial risk (liability) of shipping the product should also be part of the decision-making process. When the financial liability is accrued into product cost, security technology becomes a key tool to reduce the product cost.

You will learn in this guide how to define a reasonable level of security for an IoT solution. Understanding the financial liability of security breaches empowers developers to make practical and reasonable security decisions for implementing best practices to secure devices, data and networks. This not only mitigates costly liabilities from hacking, but also delivers an IoT product that is competitive in the market.

Explained below are key definitions to get everyone on the same page:

Security: The state of being free from danger or threat.

Cyber-security: The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.

Cyber-warfare: The use of computers to disrupt the activities of an enemy country, especially the deliberate attacking of communication systems and infrastructure.

Security critical system: A system whose failure would put the safety of people at risk.

Privacy: The ability of an individual or group to seclude themselves, or information about themselves, and thereby selectively decide what is shared publicly.
2 Why Security is important in IoT

Developer Intentions

In the beginning of every product concept, there is a vision of a world-changing product or device that enriches the lives of people or businesses that are seeking solutions to problems. A nefarious motive to damage or destroy the lives of people or businesses does not drive the creative concept of most developers.

What we sometimes miss is the fact that great intentions and inventions can have unintended consequences outside the vision of the creator. So here we begin the process of making decisions to keep the product on track and in the control of those whom it is designed to serve.

You never want to be in the situation of realizing that your product has been turned into a weapon. Even the most basic of products can be turned against the consumer, infringing on their privacy and safety and that of society, as has been increasingly reported in the news.

There are people and organizations that exist to exploit devices to meet their agenda, be it theft, invasion of privacy or even cyber warfare. We don’t know these people and they should not engage our creative talents; they simply need to be recognized and addressed by design.

Decisions made in the concept, design, development, distribution and field support phases of a product life cycle can reduce the risk of giving up access or control in a reasonable, balanced and risk-appropriate manner. Ignoring the security aspects of any product can have devastating unintended consequences.
Government Intentions on IoT Security

The US Federal Trade Commission hosted an industry workshop, “Internet of Things – Privacy & Security in a Connected World”, in late 2013 as part of its responsibility to protect consumers in the commercial environment.

The workshop participants highlighted the risks of IoT:

“IoT presents a variety of potential security risks that could be exploited to harm consumers by:

1. Enabling unauthorized access and misuse of personal information
2. Facilitating attacks on other systems
3. Creating risks to personal safety

Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time”

The FTC Staff Report 2015 demonstrates the intention of the FTC to monitor and control IoT security not by direct regulation of IoT, but through enforcement of existing regulatory statutes, and education on the existing Fair Information Practice Principles (FIPPs), so that companies manufacturing IoT solutions incorporate “reasonable security” into their IoT solutions and products.

• Fair Information Practice Principles (FIPPs)
  o Data Security
  o Data Minimization
  o Notice
  o Choice
• Fair Credit Reporting Act (FCRA)
• Health Insurance Portability and Accountability Act (HIPAA)

The FTC Staff Report 2015 also requested legislative action:

“Recommendation for Congress to enact strong, flexible, and technology neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a data breach.”
3 Economics of Security

Security increases a product’s value to consumers and simultaneously lowers both liability and operating expenses for the Original Equipment Manufacturer (OEM). When security is designed into IoT solutions as part of the new product concept, the impact is significant in effectiveness yet minimal on product cost. Adding security after the original product design is completed can be costly and time consuming, and is rarely as effective.

The challenge is deciding on the level of security for the IoT solution, namely to balance the risk of the threat and potential liability in a “reasonable” manner.

The best-known practice is to value the risk and liability using industry metrics on the probability of being hacked, recognizing the magnitude of damages that would result, and implementing security that cost-effectively reduces that risk.

Components of Economic Risk

1. Data Breach Liability
2. Damages (economic compensation)
3. Company Devaluation (share-holder loss)

Data Breach Liability

There are regulatory-mandated actions required when revealing any person’s identity plus at least one non-public personal information item:

• Social Security number
• Credit/Debit card account number
• Health records
• Financial Records

Notifications, remediation and recovery of trust have been economically researched on a regular basis, giving us a clear financial cost for each data record breached. The IBM & Ponemon Institute “2014 Cost of Data Breach Study: United States” shows an average cost of $246 for each data record in a breach of 10,000 records. This number varies by industry served, with healthcare being at the most expensive end of the economic scale at $316 per record breached.
Damages

When products are compromised there are clear risks of regulatory penalties and civil damage claims. The regulatory and court system remedies claims through penalties and economic compensation to victims. The victim(s) can be either your customer or a 3rd party who was damaged as a result of your product.

Examples:

• IoT Refrigerator – hacked so as to destroy the food it was intended to preserve, and used as a tool in email phishing campaigns and coordinated denial of service attacks.
• HVAC Thermostat – hacked and used to launch a coordinated attack against the electric grid, resulting in the shutdown of a town, city or region, creating economic loss for many.
• Traffic Signal Light – hacked to turn all lights green or red, resulting in traffic accidents and extreme congestion.
• Irrigation Controller – hacked to enable excessive watering while you are away on vacation or asleep, resulting in huge water bills, damage to property and wasted resources.

In 2011 an electrical grid in Southern California experienced an outage that lasted 18 hours and caused an estimated $100 million total economic impact. The impact on the utilities involved (20 incidents occurred in an 11 minute period on 5 grids) led to two nuclear reactors going offline and a major metropolitan area being left in total darkness. The potential of such incidents is hard to ignore as the IoT device population grows.
Company Devaluation or Destruction

Valuation of many companies today is based on the size of their database and the content integrity of the database. Industry research on database value ranges from $40 to $176 per user record, with larger and more complex databases driving the higher end (Facebook), and customer contact data at the lower end.

The effect of hackers stealing a database as part of a breach is significant enough, but deliberate and undetected corruption of data for months or years impacts confidence in the data retained, as it significantly erodes confidence in the archive and backup systems as well.

Each company needs to evaluate and appropriately value database assets, as well as the potential impact on revenue and recovery costs from such incidents. Today this is the cost of doing business, but knowing the financial impact of such events enables appropriate investment in security to reduce risk, and most importantly to avoid devaluation of the company’s brand.
4 Calculating the Economic Cost

Using financial estimates for the impact of the three components of risk:

1. Data Breach Liability
2. Damages (economic compensation)
3. Company Devaluation (share-holder loss)

combined with the probability of occurrence, we can estimate the financial impact that should be considered in the business model as well as in new product solutions.

Economic Risk = Data Breach Liability * PB + Damages * Po + Assets Liability * PL

   PB = Probability of a Data Breach
   Po = Probability of Damage Occurrence
   PL = (PB + Po) = Probability of Assets being destroyed

Each existing and new product market plan should contain a model of economic risk and the probability of occurrences to understand the realistic future impact on the business. Once these economic risks are quantified, investments in security can be made to reduce the cost impact these risks have on the business.

A report released by HP Fortify revealed that 70% of IoT solutions currently shipping to customers have 25 or more known vulnerable points when tested against the OWASP Internet of Things Top 10 Project. Each vulnerability vector has a value and probability of occurrence that must be accounted for to enable appropriate investment in security.

The following chart is a top-level calculation example covering the three components of economic risk. For each of these components there are multiple subcategories of threat vectors, each with its own liability value and probability of occurrence. The more detailed the threat identification and liability estimation, the more valuable it will be in making decisions on where to invest in security.

Liability and probabilities change with time as technology advances and the population of fielded devices increases. An economic model is not an exact science; it is a guide to understanding the risks and addressing them to a reasonable level. Professional evaluations of risk and liabilities from legal, technical and financial experts help build a better model.
Calculation Example

Data Breach: Section 3.1 shows that a database of 10,000 records has a 19% probability of occurrence in the next 24 months, with an impact of $246/record exposed.

   Breach Cost ($/yr) = $246 * 10,000 * 19% / 2
                      = $232,750/year

Damages: A systemic hack could result in 10,000 devices in the field becoming permanently inoperable, resulting in $6,500/unit in property damage, and $450/unit in field replacement cost. The probability of occurrence is 0.1%.

   Damages ($/yr) = 10,000 * $6,950 * 0.1%
                  = $69,500/year

Company Value: Asset rebuilding and validating the database will take 2-3 months. Sales are stopped for 90 days as security measures are put into place and the company focuses on recovery and rebuilding trust with customers and prospects. Estimated impact of the recovery effort is $3.5 million.

   Value Loss ($/yr) = $3.5M * (0.19 + 0.001) / 2
                     = $334,250/year

Total Economic Cost = $636,500/year = $6.365/unit shipped
	
  
	
  
	
  
	
   	
  
5 Summary

There is no such thing as perfect or impenetrable security. Over time, new and improved approaches to hacking and exploitation evolve as unknown vulnerabilities are discovered, which can cause risk factors to change.

The three core components of economic risk can guide your thought process as you develop a new product concept, and they will enable decision making throughout the development process and life cycle for the product.

1. Data Breach Liability
2. Damages (economic compensation)
3. Company Devaluation (share-holder loss)

Understanding and modeling the financial risks that a product introduces to the business model enables developing reasonable approaches to security and builds confidence with customers and shareholders. Without an economic model, companies have few guidelines on making reasonable and appropriate decisions on security investments.

In today’s market there are a multitude of security approaches available to developers, ranging from physical hardware security through network transport layers and even into cloud/database/server systems and BYOD (bring your own device) applications. There are also measures that can be taken in the product definition and development process, as well as in how a business operates, that can dramatically impact the risk factors and financial liability.

Consumers and users decide if the risk of a security breach is worth the value that the IoT solution delivers. Building a credible and proven brand reputation for security makes your IoT solution more valuable.
6 Learn More

Look for our follow-on Guide Reports:

• Guide Report: Security Decisions in IoT
  There are many decision points in the development of an IoT product that need to be held accountable for security. In this guide we walk through the product development path, giving the security perspective on how to ensure security is integrated effectively in the product life cycle.

• Guide Report: Security Effectiveness & Testing
  Security is an ongoing effort in the life of a product, but when you are making design decisions, how do you know the effectiveness of the multiple approaches to security? In this guide we provide useful insights and direction to the process.
7 Credits, Source Links & Disclaimer

Thank you for reading our Guide Report. This series of reports on IoT security was researched and written to help the IoT industry develop a common approach to decision making on how security is implemented in products. We understand that the hard work is ahead as you develop products and make key decisions that impact both your company’s financial outlook and the security of your customers. We assume no liability for your reliance on this information, and ask that you use your best judgment in the effort. As you go through the economic model process, avoid making uninformed assumptions that impact the modeling of financial risks.

We recognize the significant contributions of the sources cited below for openly sharing valuable research with the developer market.

• Wikipedia, “Canadian Privacy Law”, sourced at http://en.wikipedia.org/wiki/Canadian_privacy_law
• Hewlett-Packard Development Company, “HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack”, July 29, 2014, by Daniel Miessler. Sourced from http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-4759ENW&cc=us&lc=en
• OWASP – The Open Web Application Security Project. Sourced at https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014
• Ponemon Institute and IBM, “2015 Cost of Data Breach Study: Global Analysis”, sourced at http://www-03.ibm.com/security/data-breach/#
• United States Federal Trade Commission, “Internet of Things”, FTC Staff Report, January 2015, sourced at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
GR - Security Economics in IoT 150817- Rel.1

  • 1.                     Wireless Strategy & Business Development for the Connected World Guide  Report:   Security  Economics  for  IoT    
  • 2. Guide  Report:    Security  Economics  for  IoT                               Copyright  ©  2015  RMAC  Technology  Partners,  Inc.   1   Attribution     Executive  Editor:  Clay  Melugin   Authored  by  Clay  Melugin   Contributors:  Jim  Riley,  Gary  Lizama   Quality  Assurance:  Clay  Melugin   Published  by  RMAC  Technology  Partners,  Inc.     Copyright  ©  2015  RMAC  Technology  Partners,  Inc.   San  Diego,  California  92130     All  rights  reserved.  No  part  of  this  report  may  be  reproduced,  in  any  form  or  by  any  means,   without  permission  in  writing  from  the  publisher.     Printed  in  the  United  States  of  America     Disclaimer             RMAC  Technology  Partners,  Inc.  has  made  every  reasonable  effort  to  ensure  that  all  information   in  this  report  is  correct.  We  assume  no  responsibility  for  any  inadvertent  errors.     Revisions:                         8/17/2015     v1.0  –  Initial  Public  Release        
  • 3. Guide  Report:    Security  Economics  for  IoT                               Copyright  ©  2015  RMAC  Technology  Partners,  Inc.   2     Table  of  Contents   1   Introduction  ........................................................................................................................  3   2   Why  Security  is  important  in  IoT  .................................................................................  4   Developer  Intentions;  ...................................................................................................................  4   Government  Intentions  on  IoT  Security;  ................................................................................  5   3   Economics  of  Security  ......................................................................................................  6   Components  of  Economic  Risk  ...................................................................................................  6   Data  Breach  Liability  .....................................................................................................................  6   Damages  ............................................................................................................................................  7   Company  Devaluation  or  Destruction  .....................................................................................  8   4   Calculating  the  Economic  Cost  ......................................................................................  9   Calculation  Example:  ..................................................................................................................  10   5   Summary  ...........................................................................................................................  11   6   Learn  More  .......................................................................................................................  
12   7   Credits,  Source  Links  &  Disclaimer  ..........................................................................  13          
  • 4. Guide  Report:    Security  Economics  for  IoT                               Copyright  ©  2015  RMAC  Technology  Partners,  Inc.   3   1 Introduction     The  Internet  of  Things  (IoT)  ecosystem  is  a  valuable  marketplace  for  developers  of   devices  and  applications  that  increase  productivity,  efficiency  and  awareness,  but   it’s  also  a  rich  target  for  hackers  seeking  to  gain  access  to  data  and  potentially   disrupt  operations.    An  IoT  strategy  needs  to  include  a  reasonable  security  strategy   as  a  fundamental  requirement  from  concept  through  product  support,  to   appropriately  protect  and  serve  the  market.     Security  should  be  an  economic  decision  that  is  rooted  in  the  product  concept.    We   focus  on  the  value  a  product  in  the  market,  but  the  financial  risk  (liability)  of   shipping  the  product  should  also  be  part  of  decision-­‐making  process.    When  the   financial  liability  is  accrued  into  product  cost,  security  technology  becomes  a  key   tool  to  reduce  the  product  cost.     You  will  learn  in  this  guide  how  to  define  a  reasonable  level  of  security  for  an  IoT   solution.    Understanding  the  financial  liability  of  security  breaches  empowers   developers  to  make  practical  and  reasonable  security  decisions  for  implementing   best  practices  to  secure  devices,  data  and  networks.    This  not  only  mitigates  costly   liabilities  from  hacking,  but  also  delivers  an  IoT  product  that  is  competitive  in  the   market.     Explained  below  are  key  definitions  to  get  everyone  on  the  same  page;     Security:       The  state  of  being  free  from  danger  or  threat.       Cyber-­‐security:    The  state  of  being  protected  against  the  criminal  or   unauthorized  use  of  electronic  data,  or  the  measures  taken   to  achieve.     
Cyber-­‐warfare:    The  use  of  computers  to  disrupt  the  activities  of  an  enemy   country,  especially  the  deliberate  attacking  of   communication  systems  and  infrastructure.     Security  critical  system:     A  system  whose  failure    would  put  the  safety  of  people  at   risk.     Privacy:     The  ability  of  an  individual  or  group  to  seclude  themselves,   or  information  about  themselves,  and  thereby  selectively   decide  what  is  shared  publicly.          
  • 5. Guide  Report:    Security  Economics  for  IoT                               Copyright  ©  2015  RMAC  Technology  Partners,  Inc.   4   2 Why  Security  is  important  in  IoT     Developer  Intentions   In  the  beginning  of  every  product  concept,  there  is  a  vision  of  a  world  changing   product  or  device  that  enriches  the  lives  of  people  or  businesses  that  are  seeking   solutions  to  problems.    A  nefarious  motive  to  damage  or  destroy  the  lives  of  people   or  businesses  does  not  drive  the  creative  concept  of  most  developers.     What  we  sometimes  miss  is  the  fact  that  great  intentions  and  inventions  can  have   unintended  consequences  outside  the  vision  of  the  creator.    So  here  we  begin  the   process  of  making  decisions  to  keep  the  product  on  track  and  in  the  control  of  those   who  it  is  designed  to  serve.         You  never  want  to  be  in  the  situation  of  realizing  that  your  product  has  been  turned   into  a  weapon.    Even  the  most  basic  of  products  can  be  turned  against  the  consumer   infringing  on  their  privacy,  safety  and  that  of  society.    As  has  been  increasingly   reported  in  the  news.     There  are  people  and  organizations  that  exist  to  exploit  devices  to  meet  their   agenda,  be  it  theft,  invasion  of  privacy  or  even  cyber  warfare.    We  don’t  know  these   people  and  they  should  not  engage  our  creative  talents;  they  simply  need  to  be   recognized  and  addressed  by  design.     Decisions  made  in  the  concept,  design  development,  distribution  and  field  support   phases  of  a  product  life  cycle  can  reduce  the  risk  of  giving  up  access  or  control  in  a   reasonable,  balanced  and  risk-­‐appropriate  manner.    Ignoring  the  security  aspects  of   any  product  can  have  devastating  unintended  consequences.        
  • 6. Guide  Report:    Security  Economics  for  IoT                               Copyright  ©  2015  RMAC  Technology  Partners,  Inc.   5   Government  Intentions  on  IoT  Security     The  US  Federal  Trade  Commission  hosted  an  industry  workshop  “Internet  of  Things   –  Privacy  &  Security  in  a  Connected  World”  in  late  2013  as  part  of  their   responsibility  to  protect  consumers  in  the  commercial  environment.         The  Workshop  participants  highlighted  the  risks  of  IoT:     “IoT  presents  a  variety  of  potential  security  risks  that  could  be  exploited  to  harm   consumers  by:     1. Enabling  unauthorized  access  and  misuse  of  personal  information   2. Facilitating  attacks  on  other  systems   3. Creating  risks  to  personal  safety     Participants  also  noted  that  privacy  risks  may  flow  from  the  collection  of   personal  information,  habits,  locations,  and  physical  conditions  over  time”     The  FTC  Staff  Report  2015  demonstrates  the  intention  of  the  FTC  to  monitor  and   control  IoT  security  not  by  direct  regulation  of  IoT,  but  through  enforcement  of   existing  regulatory  statutes,  and  education  on  existing  Fair  Information  Practice   Principles  (FIPPs)  for  companies  manufacturing  IoT  solutions  to  incorporate   “reasonable  security”  into  their  IoT  solutions  and  products.     • Fair  Information  Practice  Principles  (FIPPs)   o Data  Security   o Data  Minimization   o Notice   o Choice   • Fair  Credit  Reporting  Act  (FCRA)   • Health  Insurance  Portability  and  Accountability  Act  (HIPAA)      The  FTC  Staff  Report  2015  also  requested  legislative  action.         
“Recommendation  for  Congress  to  enact  strong,  flexible,  and  technology  neutral   federal  legislation  to  strengthen  its  existing  data  security  enforcement  tools  and   to  provide  notification  to  consumers  when  there  is  a  data  breach.”              
  • 7. Guide  Report:    Security  Economics  for  IoT                               Copyright  ©  2015  RMAC  Technology  Partners,  Inc.   6   3 Economics  of  Security     Security  increases  a  products  value  to  consumers  and  simultaneously  lowers  both   liability  and  operating  expenses  for  the  Original  Equipment  Manufacturer  (OEM).     When  security  is  designed  into  IoT  solutions  as  part  of  the  new  product  concept,  the   impact  is  significant  in  effectiveness  yet  minimal  on  product  cost  impact.    Adding   security  after  the  original  product  design  is  completed  can  be  costly  and  time   consuming  and  is  rarely  as  effective.     The  challenge  is  deciding  on  the  level  of  security  for  the  IoT  solution,  namely  to   balance  the  risk  of  the  threat  and  potential  liability  in  a  “reasonable”  manner.         The  best-­‐known  practice  is  to  value  the  risk  and  liability  using  industry  metrics  on   the  probability  of  being  hacked,  recognizing  the  magnitude  of  damages  that  would   result  and  implementing  security  that  cost  effectively  reduces  that  risk.     Components  of  Economic  Risk     1. Data  Breach  Liability   2. Damages  (economic  compensation)   3. Company  Devaluation  (share-­‐holder  loss)     Data  Breach  Liability     There  are  regulatory-­‐mandated  actions  required  when  revealing  any  person’s   identity,  plus  at  least  one  non-­‐public  personal  information  item.     • Social  Security  number   • Credit/Debit  card  account  number   • Health  records   • Financial  Records     Notifications,  remediation  and  recovery  of  trust  have  been  economically  researched   on  a  regular  basis  giving  us  a  clear  financial  cost  for  each  data  record  breached.    
The   IBM  &  Ponemon  Institute    “2014  Cost  of  Data  Breach  Study:  United  States”  shows  an   average  cost  of  $246  for  each  data  record  in  a  breach  of  10,000  records.    This   number  varies  by  industry  served  with  healthcare  being  at  the  most  expensive  end   of  the  economic  scale  at  $316  per  record  breached.    
  • 8. Guide  Report:    Security  Economics  for  IoT                               Copyright  ©  2015  RMAC  Technology  Partners,  Inc.   7       Damages     When  products  are  compromised  there  are  clear  risks  of  regulatory  penalties  and   civil  damage  claims.  The  regulatory  and  court  system  remedies  claims  through   penalties  and  economic  compensation  to  victims.    The  victim(s)  can  be  either  your   customer  or  a  3rd  party  who  was  damaged  as  a  result  of  your  product.       Examples;     • IoT  Refrigerator  -­‐  hacked  so  as  to  destroy  the  food  it  was  intended  to   preserve,  and  used  as  a  tool  in  email  phishing  campaigns  and  coordinated   denial  of  service  attacks.   • HVAC  Thermostat  –  hacked  and  used  to  launch  a  coordinated  attack  against   the  electric  grid,  resulting  in  the  shutdown  of  a  town,  city  or  region  creating   economic  loss  for  many.       • Traffic  Signal  Light  –  hacked  to  turn  all  lights  green  or  red,  resulting  in  traffic   accidents  and  extreme  congestion.   • Irrigation  Controller  –  hacked  to  enable  excessive  watering  while  you  are   away  on  vacation  or  asleep,  resulting  in  huge  water  bills,  damage  to  property   and  wasting  resources.     In  2011  an  electrical  grid  in  Southern  California  experienced  an  outage  that  lasted   18  hours  and  caused  an  estimated  $100  million  total  economic  impact.      The  impact   on  the  utilities  involved  (20  incidents  occurred  in  an  11  minute  period  on  5  grids)   lead  to  two  nuclear  reactors  going  offline  and  a  major  metropolitan  area  being  left  in   total  darkness.    The  potential  of  such  incidents  is  hard  to  ignore  as  IoT  device   population  grows.  
  • 9. Guide  Report:    Security  Economics  for  IoT                               Copyright  ©  2015  RMAC  Technology  Partners,  Inc.   8   Company  Devaluation  or  Destruction     Valuation  of  many  companies  today  is  based  on  the  size  of  their  database  and  the   content  integrity  of  the  database.    Industry  research  on  database  value  ranges  from   $  40  -­‐  $176  per  user  record,  with  larger  and  more  complex  data  bases  driving  the   higher  end  (Facebook),  and  customer  contact  data  at  the  lower  end.     The  effect  of  hackers  stealing  a  database  as  part  of  a  breach  is  significant  enough,   but  deliberate  and  undetected  corruption  of  data  for  months  or  years  impacts   confidence  in  the  data  retained  as  it  significantly  erodes  archive  and  backup  system   confidence.     Each  company  needs  to  evaluate  and  appropriately  value  database  assets,  as  well  as   the  potential  impact  on  revenue  and  recovery  costs  from  such  incidents.    Today  this   is  the  cost  of  doing  business  but  knowing  the  financial  impact  of  such  events  enables   appropriate  investment  in  security  to  reduce  risk,  and  most  importantly  to  avoid   devaluation  of  the  company’s  brand.        
4 Calculating the Economic Cost

Using financial estimates for the impact of the three components of risk:

1. Data Breach Liability
2. Damages (economic compensation)
3. Company Devaluation (shareholder loss)

combined with the probability of occurrence, we can estimate the financial impact that should be considered in the business model as well as in new product solutions.

Economic Risk = Data Breach Liability * PB + Damages * Po + Assets Liability * PL

PB = Probability of a Data Breach
Po = Probability of Damage Occurrence
PL = (PB + Po) = Probability of Assets being destroyed

Each existing and new product market plan should contain a model of economic risk and the probability of occurrences, to understand the realistic future impact on the business. Once these economic risks are quantified, investments in security can be made to reduce the cost impact these risks have on the business.

A report released by HP Fortify revealed that 70% of IoT solutions currently shipping to customers have 25 or more known vulnerable points when tested against the OWASP Internet of Things Top 10 Project. Each vulnerability vector has a value and a probability of occurrence that must be accounted for to enable appropriate investment in security.

The following chart is a top-level calculation example covering the three components of economic risk. For each of these components there are multiple subcategories of threat vectors, each with its own liability value and probability of occurrence. The more detailed the threat identification and liability estimation, the more valuable the model will be in deciding where to invest in security.

Liabilities and probabilities change with time as technology advances and the population of fielded devices increases. An economic model is not an exact science; it is a guide to understanding the risks and addressing them to a reasonable level. Professional evaluations of risk and liabilities from legal, technical and financial experts help build a better model.
Calculation Example

Data Breach: Section 3.1 shows that a database of 10,000 records has a 19% probability of occurrence in the next 24 months, with an impact of $246/record exposed.

    Breach Cost ($/yr) = $246 * 10,000 * 19% / 2
                       = $232,750/year

Damages: A systemic hack could result in 10,000 devices in the field becoming permanently inoperable, resulting in $6,500/unit in property damage and $450/unit in field replacement cost. The probability of occurrence is 0.1%.

    Damages ($/yr) = 10,000 * $6,950 * 0.1%
                   = $69,500/year

Company Value: Asset rebuilding and validating the database will take 2-3 months. Sales are stopped for 90 days as security measures are put into place and the company focuses on recovery and rebuilding trust with customers and prospects. Estimated impact of the recovery effort is $3.5 million.

    Value Loss ($/yr) = $3.5M * (0.19 + 0.001) / 2
                      = $334,250/year

    Total Economic Cost = $636,500/year = $6.365/unit shipped
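The Section 4 formula and the calculation example above, implemented as an added Python example (not code from the report). It takes the report's inputs, treats the 19% breach probability and the $3.5M recovery cost as 24-month figures (hence the division by 2) and the 0.1% damage probability as a per-year figure, and assumes 100,000 units shipped per year, which is the divisor the report's $6.365/unit figure implies; the saving function and the per-year dictionary layout are this example's own additions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskComponent:
    """One term of the report's formula: liability times probability of occurrence."""
    name: str
    liability: float            # dollars lost if the event occurs
    probability: float          # probability of occurrence over horizon_years
    horizon_years: float = 1.0  # period the probability estimate covers

    def annual_cost(self) -> float:
        # Expected loss per year, spread over the period the probability was estimated for
        return self.liability * self.probability / self.horizon_years

def economic_risk(breach: RiskComponent, damages: RiskComponent,
                  assets_liability: float, assets_horizon_years: float = 1.0) -> dict:
    """Economic Risk = Breach Liability*PB + Damages*Po + Assets Liability*PL, PL = PB + Po."""
    p_l = breach.probability + damages.probability   # PL as defined in Section 4
    assets = RiskComponent("company value", assets_liability, p_l, assets_horizon_years)
    parts = {c.name: c.annual_cost() for c in (breach, damages, assets)}
    parts["total"] = sum(parts.values())
    return parts

# Inputs taken from the report's Calculation Example
RECORDS = 10_000
COST_PER_RECORD = 246.0             # $/record exposed
P_BREACH_24MO = 0.19                # probability over the next 24 months
UNITS_FIELDED = 10_000
DAMAGE_PER_UNIT = 6_500.0 + 450.0   # property damage + field replacement, per unit
P_DAMAGE = 0.001                    # 0.1%, treated as a per-year probability
RECOVERY_COST = 3_500_000.0         # recovery effort, spread over 24 months
UNITS_SHIPPED_PER_YEAR = 100_000    # assumption: the divisor implied by $636,500 -> $6.365/unit

def report_example() -> dict:
    """Reproduce the report's three lines; note the breach line evaluates to $233,700 from the formula as printed (the report shows $232,750)."""
    breach = RiskComponent("data breach", RECORDS * COST_PER_RECORD, P_BREACH_24MO, 2.0)
    damages = RiskComponent("damages", UNITS_FIELDED * DAMAGE_PER_UNIT, P_DAMAGE)
    result = economic_risk(breach, damages, RECOVERY_COST, assets_horizon_years=2.0)
    result["per_unit_shipped"] = result["total"] / UNITS_SHIPPED_PER_YEAR
    return result

def annual_saving(new_p_breach: float) -> float:
    """Yearly risk removed if a security investment lowers PB to new_p_breach (PL falls with it, since PL = PB + Po)."""
    before = report_example()["total"]
    breach = RiskComponent("data breach", RECORDS * COST_PER_RECORD, new_p_breach, 2.0)
    damages = RiskComponent("damages", UNITS_FIELDED * DAMAGE_PER_UNIT, P_DAMAGE)
    after = economic_risk(breach, damages, RECOVERY_COST, assets_horizon_years=2.0)["total"]
    return before - after
```

Calling report_example() returns the per-year cost of each component plus the total and per-unit figure; annual_saving(0.10) gives the yearly amount a measure that cut the breach probability from 19% to 10% would justify.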
5 Summary

There is no such thing as perfect or impenetrable security. Over time, new and improved approaches to hacking and exploitation evolve and previously unknown vulnerabilities are discovered, which can cause risk factors to change.

The three core components of economic risk can guide your thought process as you develop a new product concept, and they will support decision making throughout the development process and life cycle of the product.

1. Data Breach Liability
2. Damages (economic compensation)
3. Company Devaluation (shareholder loss)

Understanding and modeling the financial risks that a product introduces to the business model enables reasonable approaches to security and builds confidence with customers and shareholders. Without an economic model, companies have few guidelines for making reasonable and appropriate decisions on security investments.

In today's market there is a multitude of security approaches available to developers, ranging from physical hardware security through network transport layers and on into cloud/database/server systems and BYOD (bring your own device) applications. There are also measures that can be taken in the product definition and development process, as well as in how a business operates, that can dramatically affect the risk factors and financial liability.

Consumers and users decide if the risk of a security breach is worth the value that an IoT solution delivers. Building a credible and proven brand reputation for security makes your IoT solution more valuable.
6 Learn More

Look for our follow-on Guide Reports:

• Guide Report: Security Decisions in IoT
There are many decision points in the development of an IoT product that need to be held accountable for security. In this guide we walk through the product development path, giving the security perspective on how to ensure security is integrated effectively in the product life cycle.

• Guide Report: Security Effectiveness & Testing
Security is an ongoing effort in the life of a product, but when you are making design decisions, how do you know the effectiveness of the multiple approaches to security? In this guide we provide useful insights and direction for the process.
7 Credits, Source Links & Disclaimer

Thank you for reading our Guide Report. This series of reports on IoT security was researched and written to help the IoT industry develop a common approach to decision making on how security is implemented in products. We understand that the hard work is ahead as you develop products and make key decisions that impact both your company's financial outlook and the security of your customers. We assume no liability for your reliance on this information and ask that you use your best judgment in the effort. As you go through the economic model process, avoid making uninformed assumptions that impact the modeling of financial risks.

We recognize the significant contributions of the sources cited below for openly sharing valuable research with the developer market.

• Wikipedia, "Canadian Privacy Law", sourced at http://en.wikipedia.org/wiki/Canadian_privacy_law
• Hewlett-Packard Development Company, "HP Study Reveals 70 Percent of Internet of Things Devices Vulnerable to Attack", July 29, 2014, by Daniel Miessler. Sourced from http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-4759ENW&cc=us&lc=en
• OWASP, The Open Web Application Security Project. Sourced at https://www.owasp.org/index.php/OWASP_Internet_of_Things_Top_Ten_Project#tab=OWASP_Internet_of_Things_Top_10_for_2014
• Ponemon Institute and IBM, "2015 Cost of Data Breach Study: Global Analysis", sourced at http://www-03.ibm.com/security/data-breach/#
• United States Federal Trade Commission, "Internet of Things", FTC Staff Report, January 2015, sourced at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf