NTXISSACSC3 - Fundamentals Matter - A Brief Introduction to Risk Analysis for Information Security by Patrick Florer and Heather Goodnight
1. Fundamentals Matter – A Brief Introduction to Risk Analysis for Information Security
Heather Goodnight, Partner
Patrick Florer, Partner
Cyber Breach Response Partners, LLC
October 2, 2015
2. @NTXISSA #NTXISSACSC3
Agenda
• Introductions
• Risk and the Risk Landscape
• Scales of Measurement: Qualitative vs. Quantitative
• Possibility and Probability
• Precision vs. Accuracy
• Data – Fit For Purpose
• Use Case; Data Breach
3. Headquartered in Dallas, TX
◦ Risk Centric Security Founded in 2009
◦ Cyber Breach Response Founded in 2015
Experienced Leadership Team
◦ Ponemon Institute RIM Council
◦ Distinguished Fellow, Ponemon Institute
◦ Director of Education, Society of Information Risk Analysts (SIRA)
◦ Guest Lecturer SMU School of Engineering
◦ 20-35+ Years of Experience
Diverse Customer and Partner Community
◦ Multiple Vertical Markets
8. What Risk is (simple version)
Risk =
a frequency / likelihood of occurrence, expressed quantitatively,
and
an impact, expressed quantitatively in $$$ or mission impairment
(ALE = SLE x ARO: Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence)
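ALE = SLE x ARO gives only the expected annual loss; it says nothing about how bad a single year can be. The following Python script is an added example, not part of the slides: it computes ALE from the formula, then simulates the same year many times, drawing the number of incidents from a Poisson distribution with mean ARO and each incident's loss from a lognormal distribution whose mean is SLE, so the spread of outcomes (median, 90th and 99th percentile) sits next to the expectation. The SLE, ARO and standard-deviation values are illustrative assumptions, not figures from the presentation.

```python
"""Added example (not from the slides): risk expressed quantitatively.

ALE = SLE * ARO is an expectation.  To see the spread behind it, a year is
simulated many times: incident count ~ Poisson(ARO), incident loss ~
lognormal with arithmetic mean SLE.  All parameter values are assumptions.
"""
import math
import random
import statistics


def ale_point_estimate(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy from the slide's formula."""
    return sle * aro


def lognormal_params(mean: float, sd: float) -> tuple:
    """Convert a desired arithmetic mean and sd into lognormal (mu, sigma)."""
    var = math.log(1.0 + (sd / mean) ** 2)
    return math.log(mean) - var / 2.0, math.sqrt(var)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(sle: float, sle_sd: float, aro: float,
                         years: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo of annual loss; returns mean and tail percentiles."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(sle, sle_sd)
    losses = []
    for _ in range(years):
        incidents = poisson(rng, aro)
        losses.append(sum(rng.lognormvariate(mu, sigma)
                          for _ in range(incidents)))
    losses.sort()

    def pct(q: float) -> float:
        return losses[min(int(q * years), years - 1)]

    return {
        "mean": statistics.fmean(losses),       # converges to SLE * ARO
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "prob_any_loss": sum(1 for x in losses if x > 0) / years,
    }


if __name__ == "__main__":
    # Assumed inputs: SLE $500K (sd $400K), ARO 0.3 incidents per year.
    print("ALE:", ale_point_estimate(500_000, 0.3))
    print(simulate_annual_loss(500_000, 400_000, 0.3))
```

With ARO below 1 the median year has zero loss while the 99th percentile is several times the ALE, which is the point of quoting frequency and impact as distributions rather than single numbers.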
16. Data Fit For Purpose
Use Case: Data Breach
Sources: WEIS; NetDiligence; Ponemon; Verizon
17. Data Breaches
What is a data breach?
A data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual or group unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property.
Security Incidents vs Data Breaches?
NTX ISSA Cyber Security Conference – October 2-3, 2015 17
18. Types of Data Breaches
Intellectual Property (IP)
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Credit / Debit Card Information
Other Financial Data
Other Personal Information
Correlated Data
20. Frequency
Edwards et al. (WEIS 2015, Delft, the Netherlands):
Frequency and size of breaches are not increasing.
ITRC sample is representative of all breaches
Predictions of frequency for 2016
Ponemon Institute:
Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015:
40% of organizations had > 5 breaches in 2 years
21. Types of Attacks
Opportunistic attacks
Targeted attacks
Accidental exposures
23. Breach Costs
Per record costs vs total cost per breach
Correlation between number of records and per record costs – more records, lower cost per record
Correlation between number of records and total breach costs – more records, higher total costs
24. Breach Costs
Whose costs?
Breached entity?
Employees?
Shareholders?
Insurers?
Card brands?
Issuing banks?
Customers?
Business partners?
Consumers?
Taxpayers (law enforcement costs)?
Citizens / the public at large?
25. Breach Costs
Which costs?
Direct Costs:
Crisis response: Forensics, Credit Monitoring, Notification, Legal Guidance / Breach Coach
Legal Defense, Damages, Settlements
Regulatory defense, fines, and settlements
PCI defense, fines, and settlements
Indirect Costs:
Customer Churn / Brand Damage / Stock price
Cyber Insurance payouts vs Total Costs
26. Sources for Breach Costs
NetDiligence: Cyber Claims studies
• Most recent report published September 30, 2015
• Reports on claims paid – not the same as total data breach costs
• Deductibles / retention, exclusions, limits, sub-limits, open/closed status, primary/secondary coverage all factor in
• Sample size is small – the study reports approximately 5% of all claims from all insurers
• Median records = 2,300 / average records = 3.2M
• Median claim amount = $77K / average claim = $674K
27. Sources for Breach Costs
Ponemon Institute:
2015 Cost of Data Breach Study (US), May 2015 (10th edition):
• Benchmark study, not just a survey
• 62 US companies surveyed – breaches exposed between 5K and 100K records
• Results should NOT be used for mega breaches (specific disclaimer)
• $6.5M average total cost of breach
• $217 per record overall average
• Direct vs indirect = $74 (34%) vs $143 (66%)
• Approximately 2/3 of average per record cost is in indirect costs – this has been the case in the previous 5 studies
28. Sources for Breach Costs
Ponemon Institute:
2014 Cost of Cyber Crime Study (US), October 2014 (5th edition)
• 59 US companies surveyed / 544 interviews
• 138 attacks / 2.3 attacks per surveyed company per year
• $12.7M average annualized cost per surveyed company
29. Sources for Breach Costs
Ponemon Institute:
Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015
• 90% of entities surveyed had at least 1 breach during previous 2 years
• 40% had more than 5 breaches
• Average cost > $2.1M for surveyed healthcare organizations; > $1M for business associates
30. Sources for Breach Costs
Verizon DBIR
• Forensics data – 70 organization contributors
• Analysis of NetDiligence cyber claims data using log / log approach and confidence intervals
• Assertion that Claims paid = total cost of breach is FALSE
• $0.58 per record does not pass the sniff test
• Table of predicted costs by size of breach has such wide spreads as to be uninformative
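Slide 23's two correlations (per-record cost falls with record count, total cost rises with it) and slide 30's point about the DBIR's log/log fit of NetDiligence claims data are the same phenomenon seen from two sides. The Python script below is an added example, not part of the slides or of either report: it generates a constructed set of (records, cost) claims from an assumed power law cost = a * records^b with lognormal scatter, fits the line back on log10/log10 axes by ordinary least squares, derives the per-record cost from the fit, and bootstraps a 90% prediction interval for a chosen breach size. With 0 < b < 1 both correlations fall out of the fit, and the width of the interval shows why a table of predicted costs from scattered claims data ends up with such wide spreads. The values of a, b, the noise level and the sample size are assumptions chosen for illustration.

```python
"""Added example (not from the slides): cost vs record count on log/log axes.

The claims are CONSTRUCTED from an assumed power law cost = a * records**b
with lognormal scatter; nothing here is real claims data.  With 0 < b < 1,
total cost rises with record count while cost per record falls, and the
bootstrap prediction interval shows how wide the spread gets.
"""
import math
import random


def make_claims(n: int = 60, a: float = 2500.0, b: float = 0.6,
                noise_sigma: float = 1.2, seed: int = 7) -> list:
    """Constructed (records, cost) pairs spanning 100 .. 10M records."""
    rng = random.Random(seed)
    claims = []
    for _ in range(n):
        records = int(10 ** rng.uniform(2, 7))
        cost = a * records ** b * rng.lognormvariate(0.0, noise_sigma)
        claims.append((records, cost))
    return claims


def fit_loglog(claims: list) -> tuple:
    """OLS of log10(cost) on log10(records).

    Returns (log10_a, b, resid_sigma); resid_sigma is the residual spread
    in log10 units, needed for a prediction interval.
    """
    xs = [math.log10(r) for r, _ in claims]
    ys = [math.log10(c) for _, c in claims]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    b = sxy / sxx
    log_a = my - b * mx
    ss_res = sum((y - (log_a + b * x)) ** 2 for x, y in zip(xs, ys))
    return log_a, b, math.sqrt(ss_res / (n - 2))


def predict_cost(params: tuple, records: int) -> float:
    """Fitted total cost for a breach of `records` records."""
    log_a, b, _ = params
    return 10 ** (log_a + b * math.log10(records))


def per_record_cost(params: tuple, records: int) -> float:
    """Fitted cost per record; decreases with size whenever b < 1."""
    return predict_cost(params, records) / records


def prediction_interval(claims: list, records: int, draws: int = 1000,
                        seed: int = 11) -> tuple:
    """Bootstrap 90% prediction interval for the cost of one breach.

    Each draw refits the line on a resample of the claims (fit uncertainty)
    and adds one lognormal residual (scatter of an individual breach).
    """
    rng = random.Random(seed)
    n = len(claims)
    preds = []
    for _ in range(draws):
        sample = [claims[rng.randrange(n)] for _ in range(n)]
        params = fit_loglog(sample)
        noise = 10 ** rng.gauss(0.0, params[2])
        preds.append(predict_cost(params, records) * noise)
    preds.sort()
    return preds[int(0.05 * draws)], preds[int(0.95 * draws) - 1]


if __name__ == "__main__":
    claims = make_claims()
    params = fit_loglog(claims)
    print("fitted b = %.2f  (generated with b = 0.6)" % params[1])
    for size in (1_000, 100_000, 10_000_000):
        low, high = prediction_interval(claims, size)
        print("%10d records: $%.0f total, $%.2f/record, 90%% PI $%.0f .. $%.0f"
              % (size, predict_cost(params, size),
                 per_record_cost(params, size), low, high))
```

The interval endpoints differ by well over an order of magnitude at every size, which is what a practitioner should expect from a log/log fit over noisy claims, and why a single per-record average such as $0.58 or $217 should be treated as a summary of one sample rather than a forecasting constant.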
32. Thank You!
Heather Goodnight
Patrick Florer
Cyber Breach Response Partners, LLC
patrick@cyberbreachpartners.com
214.828.1172
33. The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you
50. SIRA
The Society of Information Risk Analysts
societyinforisk.org
@societyinforisk
51. The Mission of SIRA
Be a resource for practitioners who are exploring the most important management challenges facing their organizations
Help members discover how methods from other risk management disciplines can help them meet information risk challenges
Provide a forum where members can build meaningful, professional relationships that keep them at the top of their profession
52. Who is SIRA
SIRA membership is a blend of researchers, students, analysts, senior management & C-level talent in Information Security, Operational Risk, IT Risk Management, IT Audit & IT Compliance
SIRA members come from Finance, Technology, Consulting, Health Care & Higher Education, from companies like Citi, RBS, Liberty Mutual, HP, EMC, KPMG, E&Y, Kaiser Health, Harvard & George Mason University
53. Participation in SIRA
563 active base members and over 30 paid members
Information & sharing via mailing list:
http://lists.societyinforisk.org/mailman/listinfo/sira
Annual convention (SIRAcon)
Development of the IRMBOK (Information Risk Management Body of Knowledge)