SlideShare a Scribd company logo

Return on Security Investment

Conferencias FIST
Conferencias FIST

The document discusses return on security investment (ROSI) and making security decisions based on hard data rather than fear or random choices. It outlines two types of security measures - vulnerability reduction, which aims to prevent incidents, and impact reduction, which limits maximum loss. Vulnerability reduction ROI can be calculated by comparing risk costs before and after investing in a measure. Impact reduction provides efficiency but not a direct ROI. Gathering information on past incidents is important for making data-driven security choices.

Technology
1 of 17
Download to read offline
FIST Conference October 2003 @ Return on Security Investment © Vicente Aceituno
Why expend on security measures Just one word: INCIDENTS © Vicente Aceituno vaceituno@telefonica.net 2
The direct cost of incidents The direct cost of incidents is: Income loss. Property damage and loss. Direct economic loss. Plus the cost to return the system to the pre-incident state. Other direct cost could be: Human life. Information loss. Penalties. © Vicente Aceituno vaceituno@telefonica.net 3
The indirect cost of incidents Damaged Image. Loss of Trust. Treasury problems. Breaching of contracts and other legal responsibilities. Social and moral obligations breaching. Additional costs. © Vicente Aceituno vaceituno@telefonica.net 4
Lifecycle of Information Systems Requirements (Business, User, Technical, Security). Analysis. Design. Construction. Quality Assurance (Testing). Implementation. More often than not security requirements are not considered. © Vicente Aceituno vaceituno@telefonica.net 5
Quality Assurance Testers emulate authorized users performing Business Requirements Tests. User Requirements Tests. Technical Requirements Tests. Security Requirements Tests. PenTesters emulate unauthorized users trying to overcome security measures. Auditors mostly check existing evidence © Vicente Aceituno vaceituno@telefonica.net 6
How to turn intuition into hard data? Número de Incidentes Bigger Coste de la Coste por Incidente Coste por Incidente Usabilidad Medida Valor de los Activos Parque de Activos Gestionabilidad Coste de la Amenaza Ventana de Oportunidad Smaller Valor para el atacante © Vicente Aceituno vaceituno@telefonica.net 7
Widespread knowledge Mayfield’s Paradox It cost an infinite amount of money both to give everyone access to a system, and to prevent everyone access the same system. Cost CMU – CERT study: % People The more you spend, the less difference it makes on your security. Security Idaho University formula. (R-E)+T= ALE R-ALE=ROSI. ROSI=E-T, but where do you get E? Investment Problem: Lack of real Data & too many assumptions: Risk Cost monotonically decreases with investment. Risk Cost is subject to diminishing return on investment. ROSI is positive for all levels of investment. © Vicente Aceituno vaceituno@telefonica.net 8
What is ROSI for? ¡It’s not about how much you make, it’s about where do you put your budget! Nowadays, security measures are selected based on: Fear Uncertainty and Doubt decisions. Paranoid decisions. Coolness decisions. Random decisions. A ROSI based decision allows for: Selecting the best security measures with a given budget. Determine if a budget is enough to meet security targets. No security measure is ever selected based on profitability. © Vicente Aceituno vaceituno@telefonica.net 9
Security Measures There are two distinctive kinds of Security Measures. Vulnerability reduction of specific risks. (aka Preventive) Firewalls. Locks. Access Control. … Impact reduction of unspecific risks. (aka Paliative) RAID. Data Backup. Redundant communications links. … © Vicente Aceituno vaceituno@telefonica.net 10
Vulnerability Reduction Security Measures Benefits Vulnerability reduction means less incidents. ROSI = ( RCbefore – RCafter) / SMcost When ROSI > 1, the security measure gives a return. RiskCost = Number of Incidents*Cost of an Incident. It depends strongly on the environment and number of potential targets. You need hard data to calculate RC.To get hard data you need Information Gathering. The security measure must prevent incidents for at least what it is worth per investment period. © Vicente Aceituno vaceituno@telefonica.net 11
Vulnerability Reduction Measures ROI Example: There are two laptop thefts out of 50 in a year. A laptop replacement cost is 1800 euros. The following year there are 75 laptops in the company. 60€ latches protect every laptop. There is only 1 laptop theft the following, when the latches are installed. © Vicente Aceituno vaceituno@telefonica.net 12
Vulnerability Reduction Measures ROI ROSI = ( RCbefore – RCafter) / Smcost ROSI = ((1800+Iv)*3-((1800+Iv)*1+75*60))/(75*60), Iv=0, ROSI < 1. *Incidents are adjusted for increased number of “targets”. If a laptop’s information worth is nil, the security measure return is unprofitable. For this example, 60€ latches give a return when any laptop’s Information value is over 2700€, or when you expect 5 thefts for this year (based on historic info). With this kind of analysis, you could: Decide to use latches only for laptops that hold valuable information. Calculate the maximum you should pay for latches for all laptops (24€ when Iv=0). © Vicente Aceituno vaceituno@telefonica.net 13
Impact Reduction Security Measures Benefits Impact reduction is like insurance: It puts a cap on your maximum loss. You can’t measure impact reduction investment return. When the best happens it is never used. When the worst happens twice, it seems to be worth twice the value of your assets, but who would spend twice the worth of anything in security measures? The real factor is what protection do you get for your money. You can measure efficiency. For Time to Recover efficiency, you have off-site backups (some extra cost) on one end, and fully redundant systems (over 2X cost) on the other. Ideally this security measures are never used. © Vicente Aceituno vaceituno@telefonica.net 14
Hard Data based Choices Direct cost Indirect cost Vulnerability Choice based on Quality Assurance: Reduction risk cost reduction Penetration Testing. ROSI > 1 Auditing. Information Gathering from IDS, Honeypots, logs, etc. Impact Choice based on Quality Assurance: Reduction Efficiency (“bang for Incidents Emulation. the buck”, normally Time to Recover) Forensics. Information Gathering from Incidents Evaluation. Information Choice of Security Quality Assurance: System Requirements Security Requirements Lifecycle Testing. Code Auditing. © Vicente Aceituno vaceituno@telefonica.net 15
Afterthoughts. To take hard data based decisions you have to assume the indirect cost of information gathering. Information systems designed with security requirements in mind are cheaper in the long run. Your neighbour’s security measure with the best ROSI won’t necessarily be yours too. Don’t be tight: Use impact reduction measures for critical assets. Assume testing and trial of your security measures as an indirect cost. © Vicente Aceituno vaceituno@telefonica.net 16
Return on Security Investment FIST Conference © Vicente Aceituno 25 October 2003

Recommended

Information Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing SudanInformation Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing Sudan
Ahmed Musaad
 
Security Awareness &amp; Training
Security Awareness &amp; TrainingSecurity Awareness &amp; Training
Security Awareness &amp; Training
novemberchild
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
William Mann
 
Cybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamCybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by Adam
Mohammed Adam
 
End-User Security Awareness
End-User Security AwarenessEnd-User Security Awareness
End-User Security Awareness
Surya Bathulapalli
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Dmitriy Scherbina
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Daniel P Wallace
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Program
davidcurriecia
 

Recommended

Information Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing SudanInformation Security Awareness, Petronas Marketing Sudan
Information Security Awareness, Petronas Marketing Sudan
Ahmed Musaad
 
Security Awareness &amp; Training
Security Awareness &amp; TrainingSecurity Awareness &amp; Training
Security Awareness &amp; Training
novemberchild
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
William Mann
 
Cybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by AdamCybersecurity Awareness Session by Adam
Cybersecurity Awareness Session by Adam
Mohammed Adam
 
End-User Security Awareness
End-User Security AwarenessEnd-User Security Awareness
End-User Security Awareness
Surya Bathulapalli
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Dmitriy Scherbina
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Daniel P Wallace
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Program
davidcurriecia
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
SnapComms
 
When Cyber Security Meets Machine Learning
When Cyber Security Meets Machine LearningWhen Cyber Security Meets Machine Learning
When Cyber Security Meets Machine LearningLior Rokach
 
Human Error- Data breaches/Cyber Security
Human Error- Data breaches/Cyber SecurityHuman Error- Data breaches/Cyber Security
Human Error- Data breaches/Cyber Security
kommieni divya
 
Elements of security risk assessment and risk management
Elements of security risk assessment and risk managementElements of security risk assessment and risk management
Elements of security risk assessment and risk management
healthpoint
 
Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awareness
Terranovatraining
 
Security Plan for Small Networks/Offices
Security Plan for Small Networks/Offices Security Plan for Small Networks/Offices
Security Plan for Small Networks/Offices
Ajay Jassi
 
Managing Personally Identifiable Information (PII)
Managing Personally Identifiable Information (PII)Managing Personally Identifiable Information (PII)
Managing Personally Identifiable Information (PII)
KP Naidu
 
Structure of iso 27001
Structure of iso 27001Structure of iso 27001
Structure of iso 27001
CUNIX INDIA
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
Donald Tabone
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
yohansurya2
 
resilient_training_labs v12 copy.pptx
resilient_training_labs v12 copy.pptxresilient_training_labs v12 copy.pptx
resilient_training_labs v12 copy.pptx
modathernady
 
Information Security Awareness for everyone
Information Security Awareness for everyoneInformation Security Awareness for everyone
Information Security Awareness for everyone
Yasir Nafees
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
Arul Nambi
 
Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalAtlantic Training, LLC.
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
Erik Taavila
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
Kroll
 
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackMachine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Alistair Gillespie
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
Stephen Cobb
 
How to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap AnalysisHow to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap Analysis
Carlo Dapino
 
Roles and responsibilities of a CISO
Roles and responsibilities of a CISORoles and responsibilities of a CISO
Roles and responsibilities of a CISO
EC-Council
 
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentThe ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
IBM Security
 
Investment Securities
Investment SecuritiesInvestment Securities
Investment Securities
ASAD ALI
 

More Related Content

What's hot

Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
SnapComms
 
When Cyber Security Meets Machine Learning
When Cyber Security Meets Machine LearningWhen Cyber Security Meets Machine Learning
When Cyber Security Meets Machine LearningLior Rokach
 
Human Error- Data breaches/Cyber Security
Human Error- Data breaches/Cyber SecurityHuman Error- Data breaches/Cyber Security
Human Error- Data breaches/Cyber Security
kommieni divya
 
Elements of security risk assessment and risk management
Elements of security risk assessment and risk managementElements of security risk assessment and risk management
Elements of security risk assessment and risk management
healthpoint
 
Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awareness
Terranovatraining
 
Security Plan for Small Networks/Offices
Security Plan for Small Networks/Offices Security Plan for Small Networks/Offices
Security Plan for Small Networks/Offices
Ajay Jassi
 
Managing Personally Identifiable Information (PII)
Managing Personally Identifiable Information (PII)Managing Personally Identifiable Information (PII)
Managing Personally Identifiable Information (PII)
KP Naidu
 
Structure of iso 27001
Structure of iso 27001Structure of iso 27001
Structure of iso 27001
CUNIX INDIA
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
Donald Tabone
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
yohansurya2
 
resilient_training_labs v12 copy.pptx
resilient_training_labs v12 copy.pptxresilient_training_labs v12 copy.pptx
resilient_training_labs v12 copy.pptx
modathernady
 
Information Security Awareness for everyone
Information Security Awareness for everyoneInformation Security Awareness for everyone
Information Security Awareness for everyone
Yasir Nafees
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
Arul Nambi
 
Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalAtlantic Training, LLC.
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
Erik Taavila
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
Kroll
 
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackMachine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Alistair Gillespie
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
Stephen Cobb
 
How to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap AnalysisHow to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap Analysis
Carlo Dapino
 
Roles and responsibilities of a CISO
Roles and responsibilities of a CISORoles and responsibilities of a CISO
Roles and responsibilities of a CISO
EC-Council
 

What's hot (20)

Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
When Cyber Security Meets Machine Learning
When Cyber Security Meets Machine LearningWhen Cyber Security Meets Machine Learning
When Cyber Security Meets Machine Learning
 
Human Error- Data breaches/Cyber Security
Human Error- Data breaches/Cyber SecurityHuman Error- Data breaches/Cyber Security
Human Error- Data breaches/Cyber Security
 
Elements of security risk assessment and risk management
Elements of security risk assessment and risk managementElements of security risk assessment and risk management
Elements of security risk assessment and risk management
 
Raising information security awareness
Raising information security awarenessRaising information security awareness
Raising information security awareness
 
Security Plan for Small Networks/Offices
Security Plan for Small Networks/Offices Security Plan for Small Networks/Offices
Security Plan for Small Networks/Offices
 
Managing Personally Identifiable Information (PII)
Managing Personally Identifiable Information (PII)Managing Personally Identifiable Information (PII)
Managing Personally Identifiable Information (PII)
 
Structure of iso 27001
Structure of iso 27001Structure of iso 27001
Structure of iso 27001
 
Dealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber ResilienceDealing with Information Security, Risk Management & Cyber Resilience
Dealing with Information Security, Risk Management & Cyber Resilience
 
Corporate threat vector and landscape
Corporate threat vector and landscapeCorporate threat vector and landscape
Corporate threat vector and landscape
 
resilient_training_labs v12 copy.pptx
resilient_training_labs v12 copy.pptxresilient_training_labs v12 copy.pptx
resilient_training_labs v12 copy.pptx
 
Information Security Awareness for everyone
Information Security Awareness for everyoneInformation Security Awareness for everyone
Information Security Awareness for everyone
 
ISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTINGISO 27001 - IMPLEMENTATION CONSULTING
ISO 27001 - IMPLEMENTATION CONSULTING
 
Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn Hospital
 
Roadmap to security operations excellence
Roadmap to security operations excellenceRoadmap to security operations excellence
Roadmap to security operations excellence
 
Information Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & ResponsibilitiesInformation Security vs IT - Key Roles & Responsibilities
Information Security vs IT - Key Roles & Responsibilities
 
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackMachine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
How to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap AnalysisHow to perform an Infrastructure Security Gap Analysis
How to perform an Infrastructure Security Gap Analysis
 
Roles and responsibilities of a CISO
Roles and responsibilities of a CISORoles and responsibilities of a CISO
Roles and responsibilities of a CISO
 

Viewers also liked

The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentThe ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
IBM Security
 
Investment Securities
Investment SecuritiesInvestment Securities
Investment Securities
ASAD ALI
 
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pas
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pasSécurité informatique : le Retour sur Investissement que vous n'attendiez pas
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pas
Maxime ALAY-EDDINE
 
Islamic securities market
Islamic securities marketIslamic securities market
Islamic securities market
Samer Abou Zaghla, MSc.
 
NetScout nGeniusONE overview
NetScout nGeniusONE overviewNetScout nGeniusONE overview
NetScout nGeniusONE overview
BAKOTECH
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
ShortestPathFirst
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
APNIC
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
btpsec
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
Security Session
 

Viewers also liked (11)

The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & InvestmentThe ROI on Intrusion Prevention: Protecting Both Your Network & Investment
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
 
Investment Securities
Investment SecuritiesInvestment Securities
Investment Securities
 
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pas
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pasSécurité informatique : le Retour sur Investissement que vous n'attendiez pas
Sécurité informatique : le Retour sur Investissement que vous n'attendiez pas
 
Islamic securities market
Islamic securities marketIslamic securities market
Islamic securities market
 
NetScout nGeniusONE overview
NetScout nGeniusONE overviewNetScout nGeniusONE overview
NetScout nGeniusONE overview
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoS
 
BGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and DiscussionBGP Flowspec (RFC5575) Case study and Discussion
BGP Flowspec (RFC5575) Case study and Discussion
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 

Similar to Return on Security Investment

Dynamic Log Analysis™ Business Value Sheet
Dynamic Log Analysis™ Business Value SheetDynamic Log Analysis™ Business Value Sheet
Dynamic Log Analysis™ Business Value SheetClear Technologies
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy
Jason Clark
 
Maximizing Security Training ROI
Maximizing Security Training ROIMaximizing Security Training ROI
Maximizing Security Training ROI
Symosis Security (Previously C-Level Security)
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 services
Cade Zvavanjanja
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
Tripwire
 
Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By Design
Nalneesh Gaur
 
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revBusiness Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revShanker Sareen
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security Risks
Enterprise Security Risk Management
 
Isaca houston presentation 12 4 12
Isaca houston presentation 12 4 12Isaca houston presentation 12 4 12
Isaca houston presentation 12 4 12
Patrick Florer
 
Cyber security
Cyber securityCyber security
Cyber security
Vaibhav Jain
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Booz Allen Hamilton
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
2021 English Part One Anti-phishing Webinar Presentation Slides
2021 English Part One Anti-phishing Webinar Presentation Slides2021 English Part One Anti-phishing Webinar Presentation Slides
2021 English Part One Anti-phishing Webinar Presentation Slides
Ivanti
 
Protect Your Organization with Multi-Layered Approach to Anti-Phishing
Protect Your Organization with Multi-Layered Approach to Anti-PhishingProtect Your Organization with Multi-Layered Approach to Anti-Phishing
Protect Your Organization with Multi-Layered Approach to Anti-Phishing
Ivanti
 
It risk assessment_methodology
It risk assessment_methodology It risk assessment_methodology
It risk assessment_methodology Bruno Mmassy
 
IP UtiliNET ©Fusitronics Facial Biometric Systems Application Brief
IP UtiliNET ©Fusitronics Facial Biometric Systems Application Brief IP UtiliNET ©Fusitronics Facial Biometric Systems Application Brief
IP UtiliNET ©Fusitronics Facial Biometric Systems Application Brief
Mestizo Enterprises
 
Dod IA Pen Testing Brief
Dod IA Pen Testing BriefDod IA Pen Testing Brief
Dod IA Pen Testing Brief
David McGuire
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations
♟Sergej Epp
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programs
Security BSides London
 

Similar to Return on Security Investment (20)

Dynamic Log Analysis™ Business Value Sheet
Dynamic Log Analysis™ Business Value SheetDynamic Log Analysis™ Business Value Sheet
Dynamic Log Analysis™ Business Value Sheet
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy
 
Maximizing Security Training ROI
Maximizing Security Training ROIMaximizing Security Training ROI
Maximizing Security Training ROI
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 services
 
The Perils that PCI brings to Security
The Perils that PCI brings to SecurityThe Perils that PCI brings to Security
The Perils that PCI brings to Security
 
Information Security By Design
Information Security By DesignInformation Security By Design
Information Security By Design
 
Business Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_revBusiness Driven Security Securing the Smarter Planet pcty_020710_rev
Business Driven Security Securing the Smarter Planet pcty_020710_rev
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security Risks
 
Isaca houston presentation 12 4 12
Isaca houston presentation 12 4 12Isaca houston presentation 12 4 12
Isaca houston presentation 12 4 12
 
Cyber security
Cyber securityCyber security
Cyber security
 
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
Shifting Risks and IT Complexities Create Demands for New Enterprise Security...
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
2021 English Part One Anti-phishing Webinar Presentation Slides
2021 English Part One Anti-phishing Webinar Presentation Slides2021 English Part One Anti-phishing Webinar Presentation Slides
2021 English Part One Anti-phishing Webinar Presentation Slides
 
Protect Your Organization with Multi-Layered Approach to Anti-Phishing
Protect Your Organization with Multi-Layered Approach to Anti-PhishingProtect Your Organization with Multi-Layered Approach to Anti-Phishing
Protect Your Organization with Multi-Layered Approach to Anti-Phishing
 
It risk assessment_methodology
It risk assessment_methodology It risk assessment_methodology
It risk assessment_methodology
 
IP UtiliNET ©Fusitronics Facial Biometric Systems Application Brief
IP UtiliNET ©Fusitronics Facial Biometric Systems Application Brief IP UtiliNET ©Fusitronics Facial Biometric Systems Application Brief
IP UtiliNET ©Fusitronics Facial Biometric Systems Application Brief
 
Dod IA Pen Testing Brief
Dod IA Pen Testing BriefDod IA Pen Testing Brief
Dod IA Pen Testing Brief
 
Security Feature Cover Story
Security Feature Cover StorySecurity Feature Cover Story
Security Feature Cover Story
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations
 
Jedi mind tricks for building application security programs
Jedi mind tricks for building application security programsJedi mind tricks for building application security programs
Jedi mind tricks for building application security programs
 

More from Conferencias FIST

Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceConferencias FIST
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseConferencias FIST
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiConferencias FIST
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security ForumConferencias FIST
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes WirelessConferencias FIST
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la ConcienciaciónConferencias FIST
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloConferencias FIST
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseConferencias FIST
 

More from Conferencias FIST (20)

Seguridad en Open Solaris
Seguridad en Open SolarisSeguridad en Open Solaris
Seguridad en Open Solaris
 
Seguridad en Entornos Web Open Source
Seguridad en Entornos Web Open SourceSeguridad en Entornos Web Open Source
Seguridad en Entornos Web Open Source
 
Spanish Honeynet Project
Spanish Honeynet ProjectSpanish Honeynet Project
Spanish Honeynet Project
 
Seguridad en Windows Mobile
Seguridad en Windows MobileSeguridad en Windows Mobile
Seguridad en Windows Mobile
 
SAP Security
SAP SecuritySAP Security
SAP Security
 
Que es Seguridad
Que es SeguridadQue es Seguridad
Que es Seguridad
 
Network Access Protection
Network Access ProtectionNetwork Access Protection
Network Access Protection
 
Las Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática ForenseLas Evidencias Digitales en la Informática Forense
Las Evidencias Digitales en la Informática Forense
 
Evolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFiEvolución y situación actual de la seguridad en redes WiFi
Evolución y situación actual de la seguridad en redes WiFi
 
El Information Security Forum
El Information Security ForumEl Information Security Forum
El Information Security Forum
 
Criptografia Cuántica
Criptografia CuánticaCriptografia Cuántica
Criptografia Cuántica
 
Inseguridad en Redes Wireless
Inseguridad en Redes WirelessInseguridad en Redes Wireless
Inseguridad en Redes Wireless
 
Mas allá de la Concienciación
Mas allá de la ConcienciaciónMas allá de la Concienciación
Mas allá de la Concienciación
 
Security Metrics
Security MetricsSecurity Metrics
Security Metrics
 
PKI Interoperability
PKI InteroperabilityPKI Interoperability
PKI Interoperability
 
Wifislax 3.1
Wifislax 3.1Wifislax 3.1
Wifislax 3.1
 
Network Forensics
Network ForensicsNetwork Forensics
Network Forensics
 
Riesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el DesarrolloRiesgo y Vulnerabilidades en el Desarrollo
Riesgo y Vulnerabilidades en el Desarrollo
 
Demostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis ForenseDemostracion Hacking Honeypot y Análisis Forense
Demostracion Hacking Honeypot y Análisis Forense
 
Security Maturity Model
Security Maturity ModelSecurity Maturity Model
Security Maturity Model
 

Recently uploaded

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 

Return on Security Investment

  • 1. FIST Conference October 2003 @ Return on Security Investment © Vicente Aceituno
  • 2. Why expend on security measures Just one word: INCIDENTS © Vicente Aceituno vaceituno@telefonica.net 2
  • 3. The direct cost of incidents The direct cost of incidents is: Income loss. Property damage and loss. Direct economic loss. Plus the cost to return the system to the pre-incident state. Other direct cost could be: Human life. Information loss. Penalties. © Vicente Aceituno vaceituno@telefonica.net 3
  • 4. The indirect cost of incidents Damaged Image. Loss of Trust. Treasury problems. Breaching of contracts and other legal responsibilities. Social and moral obligations breaching. Additional costs. © Vicente Aceituno vaceituno@telefonica.net 4
  • 5. Lifecycle of Information Systems Requirements (Business, User, Technical, Security). Analysis. Design. Construction. Quality Assurance (Testing). Implementation. More often than not security requirements are not considered. © Vicente Aceituno vaceituno@telefonica.net 5
  • 6. Quality Assurance Testers emulate authorized users performing Business Requirements Tests. User Requirements Tests. Technical Requirements Tests. Security Requirements Tests. PenTesters emulate unauthorized users trying to overcome security measures. Auditors mostly check existing evidence © Vicente Aceituno vaceituno@telefonica.net 6
  • 7. How to turn intuition into hard data? Número de Incidentes Bigger Coste de la Coste por Incidente Coste por Incidente Usabilidad Medida Valor de los Activos Parque de Activos Gestionabilidad Coste de la Amenaza Ventana de Oportunidad Smaller Valor para el atacante © Vicente Aceituno vaceituno@telefonica.net 7
  • 8. Widespread knowledge Mayfield’s Paradox It cost an infinite amount of money both to give everyone access to a system, and to prevent everyone access the same system. Cost CMU – CERT study: % People The more you spend, the less difference it makes on your security. Security Idaho University formula. (R-E)+T= ALE R-ALE=ROSI. ROSI=E-T, but where do you get E? Investment Problem: Lack of real Data & too many assumptions: Risk Cost monotonically decreases with investment. Risk Cost is subject to diminishing return on investment. ROSI is positive for all levels of investment. © Vicente Aceituno vaceituno@telefonica.net 8
  • 9. What is ROSI for? ¡It’s not about how much you make, it’s about where do you put your budget! Nowadays, security measures are selected based on: Fear Uncertainty and Doubt decisions. Paranoid decisions. Coolness decisions. Random decisions. A ROSI based decision allows for: Selecting the best security measures with a given budget. Determine if a budget is enough to meet security targets. No security measure is ever selected based on profitability. © Vicente Aceituno vaceituno@telefonica.net 9
  • 10. Security Measures There are two distinctive kinds of Security Measures. Vulnerability reduction of specific risks. (aka Preventive) Firewalls. Locks. Access Control. … Impact reduction of unspecific risks. (aka Paliative) RAID. Data Backup. Redundant communications links. … © Vicente Aceituno vaceituno@telefonica.net 10
  • 11. Vulnerability Reduction Security Measures Benefits Vulnerability reduction means less incidents. ROSI = ( RCbefore – RCafter) / SMcost When ROSI > 1, the security measure gives a return. RiskCost = Number of Incidents*Cost of an Incident. It depends strongly on the environment and number of potential targets. You need hard data to calculate RC.To get hard data you need Information Gathering. The security measure must prevent incidents for at least what it is worth per investment period. © Vicente Aceituno vaceituno@telefonica.net 11
  • 12. Vulnerability Reduction Measures ROI Example: There are two laptop thefts out of 50 in a year. A laptop replacement cost is 1800 euros. The following year there are 75 laptops in the company. 60€ latches protect every laptop. There is only 1 laptop theft the following, when the latches are installed. © Vicente Aceituno vaceituno@telefonica.net 12
  • 13. Vulnerability Reduction Measures ROI ROSI = ( RCbefore – RCafter) / Smcost ROSI = ((1800+Iv)*3-((1800+Iv)*1+75*60))/(75*60), Iv=0, ROSI < 1. *Incidents are adjusted for increased number of “targets”. If a laptop’s information worth is nil, the security measure return is unprofitable. For this example, 60€ latches give a return when any laptop’s Information value is over 2700€, or when you expect 5 thefts for this year (based on historic info). With this kind of analysis, you could: Decide to use latches only for laptops that hold valuable information. Calculate the maximum you should pay for latches for all laptops (24€ when Iv=0). © Vicente Aceituno vaceituno@telefonica.net 13
  • 14. Impact Reduction Security Measures Benefits Impact reduction is like insurance: It puts a cap on your maximum loss. You can’t measure impact reduction investment return. When the best happens it is never used. When the worst happens twice, it seems to be worth twice the value of your assets, but who would spend twice the worth of anything in security measures? The real factor is what protection do you get for your money. You can measure efficiency. For Time to Recover efficiency, you have off-site backups (some extra cost) on one end, and fully redundant systems (over 2X cost) on the other. Ideally this security measures are never used. © Vicente Aceituno vaceituno@telefonica.net 14
  • 15. Hard Data based Choices Direct cost Indirect cost Vulnerability Choice based on Quality Assurance: Reduction risk cost reduction Penetration Testing. ROSI > 1 Auditing. Information Gathering from IDS, Honeypots, logs, etc. Impact Choice based on Quality Assurance: Reduction Efficiency (“bang for Incidents Emulation. the buck”, normally Time to Recover) Forensics. Information Gathering from Incidents Evaluation. Information Choice of Security Quality Assurance: System Requirements Security Requirements Lifecycle Testing. Code Auditing. © Vicente Aceituno vaceituno@telefonica.net 15
  • 16. Afterthoughts. To take hard data based decisions you have to assume the indirect cost of information gathering. Information systems designed with security requirements in mind are cheaper in the long run. Your neighbour’s security measure with the best ROSI won’t necessarily be yours too. Don’t be tight: Use impact reduction measures for critical assets. Assume testing and trial of your security measures as an indirect cost. © Vicente Aceituno vaceituno@telefonica.net 16
  • 17. Return on Security Investment FIST Conference © Vicente Aceituno 25 October 2003