NTXISSACSC3 - Fundamentals Matter - A Brief Introduction to Risk Analysis for Information Security by Patrick Florer and Heather Goodnight

Fundamentals Matter – A Brief
Introduction to Risk Analysis for
Information Security
Heather Goodnight, Partner
Patrick Florer, Partner
Cyber Breach Response Partners, LLC
October 2, 2015

@NTXISSA #NTXISSACSC3
Agenda
• Introductions
• Risk and the Risk Landscape
• Scales of Measurement:
Qualitative vs. Quantitative
• Possibility and Probability
• Precision vs. Accuracy
• Data – Fit For Purpose
• Use Case; Data Breach
2

@NTXISSA #NTXISSACSC3 3
 Headquartered in Dallas, TX
◦ Risk Centric Security Founded in 2009
◦ Cyber Breach Response Founded in 2015
 Experienced Leadership Team
◦ Ponemon Institute RIM Council
◦ Distinguished Fellow, Ponemon Institute
◦ Director of Education, Society of Information Risk Analysts
(SIRA)
◦ Guest Lecturer SMU School of Engineering
◦ 20-35+ Years of Experience
 Diverse Customer and Partner Community
◦ Multiple Vertical Markets
•

What is Risk?

The Current State of Confusion …
.
Cyber Breach Response Partners, LLC. Confidential and Proprietary .
Copyright © Cyber Breach Response Partners, LLC. All rights reserved.

Often leads to this …
ROI IRR
EPS EMV
EBITDA
≠

What Risk Isn’t!
Vulnerability
Threat

What Risk is (simple version)
Risk =
a frequency / likelihood of occurrence expressed
quantitatively
and
an impact expressed quantitatively in $$$ or mission
impairment
(ALE = SLE x ARO)

Scales of Measurement
9
Qualitative Quantitative

Qualitative Scales
10
Nominal/Categorical
IntervalOrdinal
HIGH - Red
MEDIUM - Orange
LOW - Green
First, Second, Third … On a scale of …

Quantitative/Ratio Scales
11
1, 2, 3, 4, 5, 6, … n

Possibility and Probability: Possibility
12

Possibility and Probability: Probability
13

Precision and Accuracy
14

Data
15
Good Data Bad Data
Big Data
Little Data

Data Fit For Purpose
Use Case: Data Breach
Sources: WEIS; Net Diligence; Ponemon; Verizon

Data Breaches
What is a data breach?
A data breach is an incident in which sensitive, protected or
confidential data has potentially been viewed, stolen or used
by an individual or group unauthorized to do so. Data
breaches may involve personal health information (PHI),
personally identifiable information (PII), trade secrets or
intellectual property.
Security Incidents vs Data Breaches?
NTX ISSA Cyber Security Conference – October 2-3, 2015 17

Types of Data Breaches
Intellectual Property (IP)
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Credit / Debit Card Information
Other Financial Data
Other Personal Information
Correlated Data

Risk = Frequency x Impact
Frequency
Risk

Frequency
Edwards et al. (WEIS 2015, Belgium):
Frequency and size of breaches is not increasing.
ITRC sample is representative of all breaches
Predictions of frequency for 2016
Ponemon Institute:
Fifth Annual Benchmark Study on Privacy and Security of
Healthcare Data, May, 2015:
40% of organizations had > 5 breaches in 2 years

Types of Attacks
Opportunistic attacks
Targeted attacks
Accidental exposures

Impact
Risk

Breach Costs
Per record costs vs total cost per breach
Correlation between number of records and per
record costs – more records, lower costs per
record
Correlation between number of records and total
breach costs – more records, higher total costs

Breach Costs
Whose costs?
Breached entity?
Employees?
Shareholders?
Insurers?
Card brands?
Issuing banks?
Customers?
Business partners?
Consumers?
Taxpayers (law enforcement costs)?
Citizens / the public at large?

Breach Costs
Which costs?
Direct Costs:
Crisis response: Forensics, Credit Monitoring,
Notification, Legal Guidance/Breach Coach
Legal Defense, Damages, settlements
Regulatory defense, fines, and settlements
PCI defense, fines, and settlements
Indirect Costs:
Customer Churn / Brand Damage / Stock price
Cyber Insurance payouts vs Total Costs

Sources for Breach Costs
NetDiligence: Cyber Claims studies
•Most recent report published September 30, 2015
•Reports on claims paid – not the same as total data breach costs
•Deductibles/retention, exclusions, limits, sub-limits, open/closed
status, primary/secondary coverage all factor in
•Sample size is small -study reports approximately 5% of all claims
from all insurers
•Median records = 2,300 / average records = 3.2M
•Median claim amount = $77K / average claim = $674K

Ponemon Institute:
2015 Cost of Data Breach Study (US), May 2015 (10th edition):
•Benchmark study, not just a survey
•62 US companies surveyed – breaches exposed between 5K and
100K records
•Results should NOT be used for mega breaches (specific disclaimer)
•$6.5M average total cost of breach
•$217 per record overall average
•Direct vs indirect = $74 (34%) vs $143 (66%)
•Approximately 2/3 of average per record cost is in indirect costs – this
has been the case in the previous 5 studies

Ponemon Institute:
2014 Costs of Cybercrime Cyber Crime Study (US), October, 2014 (5th
edition)
•59 US companies surveyed / 544 interviews
•138 attacks / 2.3 attacks per surveyed company per year
•$12.7M in annualized costs

Ponemon Institute:
Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data,
May, 2015
•90% of entities surveyed had at least 1 breach during previous 2 years
•40% had more than 5 breaches
•Average cost > $2.1M for surveyed healthcare organization; > $1M for
business associates

Verizon DBIR
•Forensics data – 70 organization contributors
•Analysis of NetDiligence cyber claims data using log / log approach
and confidence intervals
•Assertion that Claims paid = total cost of breach is FALSE
•$0.58 per record does not pass the sniff test
•Table of predicted costs by size of breach has such wide spreads as
to be uninformative

Frequency
Impact
Risk

Thank You!
Heather Goodnight
Patrick Florer
Cyber Breach Response Partners, LLC
patrick@cyberbreachpartners.com
214.828.1172

@NTXISSA #NTXISSACSC3@NTXISSA #NTXISSACSC3
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
Thank you

Appendix

”We don’t have enough data!” - Sources
Open Security Foundation: datalossdb and osvdb
http://www.opensecurityfoundation.org/
Office of Inadequate Security:
http://www.databreaches.net/
Identity Theft Resource Center:
http://www.idtheftcenter.org/
ISACA: www.isaca.org
ISSA: www.issa.org

Mitre Corporation: www.mitre.org
OWASP: http://owasp.com/index.php/Main_Page
Privacy Rights Clearing House:
http://www.privacyrights.org/
SANS: www.sans.org
The Ponemon Institute: www.ponemon.org

Conference procedings: Black Hat, RSA, Source
Conferences, BSides
Internet tools:
Search engines: Google, Bing, Yahoo, Ask.com
Trend Analyzers:
Google trends: http://www.google.com/trends
Twitter Trends: www.trendistic.com
Amazon: http://www.metricjunkie.com/

Securitymetrics.org – mailing list
Society of Information Risk Analysts (SIRA)
Books:
How to Measure Anything – Hubbard
The Failure of Risk Management – Hubbard
Risk Analysis: A Quantitative Guide – Vose
Clinical Epidemiology and Biostatistics – Kramer
Data-Driven Security: Analysis, Visualization and Dashboards – Jacobs and Rudis

How much data is enough data?
How do I get to the mall?
How do we build this?
vs.

Data from Calibrated Estimates
More often than you might think, the data we have to work with comes from Subject
Matter Experts (SME’s).
How can we improve the accuracy of these SME’s – to a 90% confidence level?
With calibration.
Example: How much does an iPhone 5s weigh?

Monte Carlo Simulation
The average = $12,500
$2,500 $12,500 $32,000
The range is:
The distributions are:

Monte Carlo Simulation

The Beta Pert Calculator
Minimum:
What is the least or lowest (best or worst) numerical estimate that
you believe to be reasonable? This will be the smallest number
you come up with.
Most Likely:
What is the most likely or most probable numerical estimate in
your opinion? This number must fall between the minimum and
maximum. It may equal either the minimum or the maximum, but
should not equal both

Maximum:
What is the greatest or highest (best or worst) numerical
estimate that you believe to be reasonable?
Note that “best” or “worst” case estimates could be either
minimum or maximum values, depending upon the
scenario.
In a risk / loss exposure scenario, lower is better, so the
minimum represents the lowest loss, or best outcome. The
maximum represents the highest loss, or worst outcome.
In a sales or opportunity scenario, it’s the reverse: lower is
not better, so the minimum represents the worst case.
Higher is better, so the maximum represents the best case.
Risk Centric Security, Inc. Confidential and Proprietary.
Copyright © 2014 Risk Centric Security, Inc . All rights reserved.

Confidence:
On a scale that includes “Very Low”, “Low”, “Average”, “High”, and
“Very High”, how confident are you in the accuracy of your
estimates?
This parameter controls the sampling around the most likely value,
and thereby also controls the height of the histogram or slope of
the cumulative plot.
For most analyses, using “Average” for the confidence parameter
works well. In this instance, “Average” really means having no
strong feeling about the matter – being evenly divided between
under-confidence and over-confidence.

Percentile Tables

Percentile Tables
1% of values are <= 10,044 and 99% are > 10,044
The 50th percentile has another name - it’s called the Median.
The Median is the mid-point in a list of values - half of the values
in the list are less and half are greater than the Median.

Histogram

Cumulative Plot

SIRA
The Society of Information Risk Analysts
societyinforisk.org
@societyinforisk

The Mission of SIRA
Be a resource for practitioners who are exploring the most
important management challenges facing their organizations
Help members discover how methods from other risk
management disciplines can help them meet information risk
challenges
Provide a forum where members can build meaningful,
professional relationships that keep them at the top of their
profession

Who is SIRA
SIRA membership is a blend of researchers, students,
analysts, senior management & C-level talent in Information
Security, Operational Risk, IT Risk Management, IT Audit & IT
Compliance
SIRA members come from Finance, Technology, Consulting,
Health Care & Higher Education from companies like Citi,
RBS, Liberty Mutual, HP, EMC, KPMG, E&Y, Kaiser Health,
Harvard & George Mason University

Participation in SIRA
563 active base members and over 30 paid members
Information & sharing via mailing list:
http://lists.societyinforisk.org/mailman/listinfo/sira
Annual convention (SIRAcon)
Development of the IRMBOK (Information Risk Management
Body of Knowledge)

NTXISSACSC3 - Fundamentals Matter - A Brief Introduction to Risk Analysis for Information Security by Patrick Florer and Heather Goodnight

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Viewers also liked

Viewers also liked (10)

Similar to NTXISSACSC3 - Fundamentals Matter - A Brief Introduction to Risk Analysis for Information Security by Patrick Florer and Heather Goodnight

Similar to NTXISSACSC3 - Fundamentals Matter - A Brief Introduction to Risk Analysis for Information Security by Patrick Florer and Heather Goodnight (20)

More from North Texas Chapter of the ISSA

More from North Texas Chapter of the ISSA (20)

Recently uploaded

Recently uploaded (20)

NTXISSACSC3 - Fundamentals Matter - A Brief Introduction to Risk Analysis for Information Security by Patrick Florer and Heather Goodnight