The value of our data

The Value of Big Data
Robin Basham,
Director Integrated Audit, Ellie Mae, Inc.
CISA, CGEIT, CRISC, M.Ed, M.IT, VRP, CRP, HISP
Prepared for ISACA SV and IMA Palo Alto
With reference to “Infonomics: The Practice of Information Economics” Doug Laney and
“Big data for the Masses The Unique Challenge of Big Data Integration” A Talend White
Paper

AGENDA
 The characteristics of
Big Data – It’s just data
◦ Limits and Benefits in use
◦ Why we use Big Data
◦ How we use Big Data
 Structured v.
Unstructured Data
◦ Web 3.0
◦ So, is it big or just more
BI?
 Overview of new
technologies
◦ Hiring these skills and
creating these skills
◦ Simply, what they do, how
they fit into any solution
◦ Complexity and
interpretation risk, you get
what you pay for
 Is Social Data on the
Balance Sheet?
◦ Risks in using social data
◦ Problems caused by
investing in social data
◦ Gartner guidance to
question data on the
balance sheet
2

As Director, Integrated Audit at Ellie Mae, is
accountable to creating and using a GRC
program, conducting SOX, SOC, ISMS and
various program specific audits including and
FDIC examination.
As creator of Facilitated Compliance
Management Software (4Point GRC), and
founder of EnterpriseGRC Solutions and
Phoenix Business and Systems Process, Inc.
- ISACA SV Conference Director, an ITPreneurs
partner, and board advisor for Holistic
Information Security Practitioners, provides
Cloud Security & Virtualization Controls
Management training in the San Francisco and
Bay Area. She’s known for successful GRC
implementations, supplying overall design,
development and training to companies ranging
from start up to fortune five hundred. Past
president for the Association for Certified Green
Technology Auditors, ACGTA, a frequent
committee contributor to the ISACA Silicon
Valley Chapter and liaison to the ITSMF SV
chapter, as well as frequent participant in Cloud
Security Alliance local chapter. EnterpriseGRC
Solutions is recently added to the Cloud
Credential Council and is named to the
certification committee of The Holistic
Information Security Practitioner Institute
(HISPI). EnterpriseGRC Solutions® is an active
sponsor to Information Systems Audit and
Control Association, ISACA®, listed as
corporate sponsor and many time CobiT®
trainer for the ITGI.
Visit http://enterprisegrc.com
Robin Basham, M.ED, M.IT, CISA, CGEIT, CRISC,
ACC, CRP, VRP, and HISP, founder EnterpriseGRC
Solutions Inc.®
Director Integrated Audit, Ellie Mae, Inc.

What is Big Data?
 When data sets became so large and complex that
they could no longer be managed using on-hand
database management tools, we saw an
emergence of Big data technologies.
 This new generation of technologies and
architectures were designed to extract economic
value from data sets by enabling high-velocity
capture, discovery and analysis.
 As a result of their invention, we now experience an
entirely new information economy, “Infonomics: The
Practice of Information Economics”
 Inadequately monitored and largely unregulated,
this presentation will highlight ways that this Big
Data puts our business strategy and Bay Area
economy at Big Risk.
©EnterpriseGRC Solutions, Inc.® 2012, All Rights
Reserved 4

What is the Value of our Big Data
 Facebook “likes” and Twitter
“tweets” are reported to
represent $14 per “share”
and $5 per “tweet”. *
 Either a company will report
an increase of revenue, or a
company will pay for that
tracked human behavior.
 Either we prove that a human
committed that behavior, we
prove that the activity had a
sales result, or we stop
accepting false claims.
 We need to do at least one.
Reserved 5
When is
information
an asset?
When is it
data, as
opposed to
information?

How We Use Big Data
 Marketing Campaign Analysis
 Recommendation Engine
 Customer Retention and Churn Analysis
 Social Graph Analysis
 Capital Markets Analysis
 Predictive Analytics
 Risk Management
 Rogue Trading
 Fraud Detection
 Retail Banking
 Network Monitoring
 Research And Development
 Archiving Please read more at the source
http://info.talend.com ©EnterpriseGRC Solutions, Inc.® 2012, All Rights
Reserved 6
Found in “Big
data for the
Masses
The Unique
Challenge of
Big Data
Integration”
A Talend White
Paper
Download the
white paper
Deep analytics that correlate accounting
data with position tracking and order
management systems can provide
valuable insights that are not available
using traditional data management
tools. In order to identify these issues,
an immense amount of near real time
data needs to be crunched from
multiple, inconsistent
sources. This computationally intense
function can now be accomplished
using big data technologies.

How Should We Use Big Data?
 While Business Intelligence
has had some time to
mature, Big “social” data
projects are new to the
requirements of
governance.
 It appears we may not be
equipped for rapidly
evolving changes to
enterprise management
and data governance.
 Limited Big Data
Resources
 Poor Data Quality = Big
Risks
 Project Governance not
Fully Understood
 What is a user worth?
(Valuation)
 What is a good user
(Validity)
 What is a real user vs.
a fake user?
(Accuracy, Fraud)
Reserved 7

Open Container V. Closed Container
The concept of tampering is
critical to valid data sources.
Science, Manufacturing,
Forensics, Law, all consider
the source of information
and the capacity that others
would have had to alter
them.
Big data has moved the
emphasis of business
intelligence from closed to
open containers.
How should this affect our
willingness and decisions to
use that body of data?
Which companies will
analyze and compile results
and scores based on that
information?
What will be our grounds to
select those vendors and
how will that selection be
controlled by contract and
SLA?
Reserved 8

What is
the
Basis
to Trust
Those
Who
Measur
e
Social
Data?
http://blog.bac
kupify.com/201
2/04/05/what-
is-social-data-
worth/
Reserved 9

Why Would We Use Big Data?
 Marketing Campaign
Analysis, a target
audience that identifies
the “right” person for the
“right” products.
 Big Data allows
marketing teams to
evaluate large volumes
from new data sources,
like click-stream data
and call detail records,
to increase the
accuracy of analysis.
Reserved 10

Web 3.0: With over a billion users, today's Internet is
arguably the most successful human artifact ever
created
This 6 minute video outlines the
basic themes of the European
Union's Future Internet initiative.
These include: an Internet of
Services, where services are
ubiquitous; an Internet of Things
where in principle every physical
object becomes an online
addressable resource; a Mobile
Internet where 24/7 seamless
connectivity over multiple devices
is the norm; and the need for
semantics in order to meet the
challenges presented by the
dramatic increase in the scale of
content and users."
Reserved 11
http://www.youtube.com/watch?v
=off08As3siM&feature=player_e
mbedded#at=97

Isn’t Big Data, Just More Data?
 What attributes would alert us to the use
of Big Data? Aren’t we just using OLTP
(On-Line Transactional Processing) and
OLAP (On-Line Analytical Processing)?
 Big Data describes large volumes of a
wide variety of data collected from
various sources across the enterprise
including transactional data from
 Enterprise applications
 Databases
 Social media data
 Mobile device data
 Unstructured data/documents,
 Machine-generated data
Reserved 12
http://beautifuldata.net/wp
-
content/uploads/2012/02/
BigDataVentures.png
is created by Benedikt
Koehler

Structured V. Unstructured – Keeping Up
 We, as auditors and business advisors, need to
gain comfort with these new technologies,
understanding their benefits and risks, adding
capabilities to our workforce, and establishing
ground rules for both application and project
governance.
 Traditionally, “Structured” Data is getting faster
and bigger. Machines can’t keep up
 Traditionally “Unstructured” Data leads the
technologies that would allow their management
and distribution; News and Research
Reserved 13

What are the New Technologies?
MapReduce
framework
Hadoop
Pig Hive
HBase Hcatalog
Flume Mahout
Oozie
NoSQL(Not
only SQL)
Sqoop …more
Reserved 14
MapReduce as a framework, enables big data
technology such as Hadoop to function.
For instance, the Hadoop File System (HDFS) uses
these components to persist data, execute functions
against it and then find results.
The NoSQL
databases, such as
MongoDB and
Cassandra use the
functions to store and
retrieve data for the
respective services.
Hive uses this
framework as the
baseline for a data
warehouse.

Reference Slide: Hadoop
 Hadoop was built to address the challenge of indexing the
entire World Wide Web every
 2004 - Google developed a paradigm called MapReduce
 2005 - Yahoo! started Hadoop as an implementation of
MapReduce, 2007 - open source project
 Hadoop has the basic constructs needed to perform computing:
 It has a file system, a language to write programs, a way of
managing the distribution of those programs over a distributed
cluster, and a way of accepting the results of those programs.
Ultimately the goal is to create a single result set.
With Hadoop, big data is distributed into pieces that are spread
over a series of nodes running on commodity hardware.
Reserved 15

Reference Slide: Pig
 The Apache Pig project is a high-level data-flow
programming language and execution framework
for creating MapReduce programs used with
Hadoop.
 The abstract language for this platform is called
Pig Latin and it abstracts the programming into a
notation, which makes MapReduce programming
similar to that of SQL for RDBMS systems.
 Pig Latin is extended using UDF (User Defined
Functions), which the user can write in Java and
then call directly from the language.
Reserved 16

Reference Slide: Job Tracker
 A Job Tracker is the entry point for a “map job” or process
to be applied to the data. A map job is typically a query
written in java and is the first step in the MapReduce
process. The Job
 Tracker asks the name node to identify and locate the
necessary data to complete the job. Once it has this
information it submits the query to the relevant named
nodes.
 Any required processing of the data occurs within each
named node, which provides the massively parallel
characteristic of Map Reduce. When each node has
finished processing, it stores the results. The client then
initiates a "Reduce" job.
 The results are then aggregated to determine the
“answer” to the original query.. The client then accesses
these results on the filesystem and can use them for©EnterpriseGRC Solutions, Inc.® 2012, All Rights
Reserved 17

Reference Slide: Hive and HiveQL
 Apache Hive is a data warehouse infrastructure
built on top of Hadoop (originally by Facebook) for
providing data summarization, ad-hoc query, and
analysis of large datasets.
 Hive provides a mechanism to project structure
onto this data and query the data using a SQL-like
language called HiveQL.
 HiveQL is used for business intelligence and
visualization tools.
Reserved 18

Reference Slide: HBase, HCatalog
 HBase is a non-relational database that runs on top
of the Hadoop file system (HDFS). It is columnar and
provides fault-tolerant storage and quick access to
large quantities of sparse data. It also adds
transactional capabilities to Hadoop, allowing users
to conduct updates, inserts and deletes. It was
originally developed by Facebook to serve their
messaging systems and is used heavily by eBay as
well.
 HCatalog is a table and storage management service
for data created using Apache Hadoop. It allows
interoperability across data processing tools such as
Pig, Map Reduce, Streaming, and Hive and a shared
schema and data type mechanism.
Reserved 19

Reference Slide: Flume, Oozie
 Flume - is a system of agents that populate a
Hadoop cluster. These agents are deployed across
an IT infrastructure and collect data and integrate it
back into Hadoop.
 Oozie - coordinates jobs written in multiple
languages such as Map Reduce, Pig and Hive. It
is a workflow system that links these jobs and
allows specification of order and dependencies
between them.
Reserved 20

Reference Slide: Mahout Sqoop
 Mahout - is a data mining library that implements
popular algorithms for clustering and statistical
modeling in MapReduce.
 Sqoop - is a set of data integration tools that allow
non-Hadoop data stores to interact with traditional
relational databases and data warehouses.
Reserved 21

Reference Slide: NoSQL
 NoSQL(Not only SQL) -
refers to a large class of
data storage
mechanisms that differ
significantly from the
well-known, traditional
relational data stores
(RDBMS). These
technologies implement
their own query
language and are
typically built on
advanced programming
structures for key/value
relationships, defined
objects, tabular methods
or tuples.
 NoSQL as a term is used
to describe the wide
range of data stores
classified as big data.
Some of the major
flavors adopted within
the big data world today
include
 Cassandra,
 MongoDB,
 NuoDB,
 Couchbase and
 VoltDB.
Reserved 22

True or False: Social Data is a part of
our Corporate Assets? “The Value of our
Data” Where is Data? Who’s
using it?
 What is Data Quality?
What is Data Integrity?
 How do we Enforce Data
Retention?
 What Is our Data
Liability?
 Can we spot the
difference between an
Illusion of Influence and
Actual Influence
 What was my data cost
in researching this or any
topic? ©EnterpriseGRC Solutions, Inc.® 2012, All Rights
Reserved 23
http://news.cnet.com/8301-1001_3-
57434736-92/big-data-is-worth-
nothing-without-big-science/

Cloud will create 14 Millions Jobs by
2014
Twitter
- tweet
Digg
LinkedIn
Share
Login
Questionnaire
Like
Bury
Login
Login
Login
Digg
Like
New
Threats
New
Fraud
New
Markets

Understanding Big Data Risk is Complex
 Where is the data?
 Can we trust the data?
 (False negatives
eventually self correct,
but do we have the
time?)
Reserved 25

Tracking, Liable, Exploit is Complex
 Something on this page is “blocked”.
 I am on the fence about buying that very dresser. I wonder if McAfee caught
that I was being tracked by an unsafe source? For this exercise, I elect to
unblock. ©EnterpriseGRC Solutions, Inc.® 2012, All Rights
Reserved 26

Perhaps Data Governance Should
Consider Source – Or Not use the Word
“Governance”
Reserved 27
 Should the
information we
commingle with
news differ from the
information used for
advertising?

What Is Our Reputational Risk?
Reserved 28
How Will The
Market Feel
When they See
What We Paid
and What We
Made?
How will we
differentiate the
use of big data,
as opposed to
big distraction?

Test if Functionality is Limited by
Restricting Cookies – Know the Risk to
Reader
Reserved 29
 This test shows that we can examine rank without being
tracked

Can We Trust the Media to
Recommend a Product?
Reserved 30
If results favor a
company’s
investments isn’t this
a step along the path
to fraud? This is not a
dig on CNET. It’s a
question about doing
what everyone else is
doing.
For example, New
York Times, and Wall
Street Journal have
set privacy and
governance that
would restrict this

GPS Act – Example Law
The GPS Act, short for the Geolocation Privacy and
Surveillance Act, is a bill co-sponsored by Senator Ron
Wyden (D-OR) and Rep. Jason Chaffetz (R-UT) and
introduced to the Senate and House in June 2011.
The bill would impose tighter restrictions on how and in
what instances law enforcement agencies could legally
obtain cell user location information, requiring a warrant in
all cases exception a few narrowly-defined emergency
situations, such as when an officer “reasonably
determines,” that there is risk of “immediate danger of death
or serious physical injury to any person,” or “conspiratorial
activities” relating to national security or “characteristic of
organized crime.”
The bill has been read twice and is stalled in committee.
Reserved 31
The GPS Act Supports Legitimate Investigations and Protects Privacy

Facebook Resolves User Right of Publicity Claims
Concerning Sponsored Stories Advertising
Facebook recently settled a class-action lawsuit stemming from Facebook’s
alleged unauthorized use of users’ photographs in ‘sponsored stories’
advertisements on its site. The class action plaintiffs alleged that Facebook’s
use of their images in “Sponsored Stories” advertisements violated the
plaintiffs’ rights under the California right of publicity statute, which reserves to
the individual the right to control their image for commercial purposes. Under
the terms of the settlement, Facebook agreed to pay a total of $20 million, with
half of the settlement funds donated to charities and law schools, and the other
half going to plaintiffs’ attorneys. Other than the three class representatives, no
Facebook users will receive any funds from the settlement.
Facebook users had been serving as unwitting brand promoters on the site,
appearing without their permission or knowledge in promotional ‘stories’
featuring advertised products and services. Merely ‘liking’ a company or brand
functioned as an effective opt-in that allowed Facebook to use the user’s
image in that company or brand’s advertising on the site. The only means of
withdrawing from promotional use of one’s image was to ‘unlike’ the brand,
which, prior to this settlement, was not an easy feat. […]
Published In: Civil Remedies Updates, Communications & Media Law
Updates, Personal Injury Updates, Privacy Updates © Kilpatrick Townsend
2012 | Attorney Advertising
Reserved 32
 Kilpatrick Townsend on 7/11/2012 authors: Barry M. Benjamin; Andrew I. Gerber

When We Use Social Data for A Business Decision,
Are We Protected Under CDA 230?
 Section 230 of Title 47 of the United States Code (47 U.S.C. §
230) was passed as part of the much-maligned Communication
Decency Act of 1996. Many aspects of the CDA were
unconstitutional restrictions of freedom of speech, but this
section survived and has been a valuable defense for Internet
intermediaries ever since. "By its plain language, § 230 creates
a federal immunity to any cause of action that would make
service providers liable for information originating with a third-
party user of the service”. Zeran v. America Online, Inc., 129
F.3d 327, 330 (4th Cir. 1997), cert. denied, 524 U.S. 937 (1998)
 EFF maintains an archive of CDA cases:
http://www.eff.org/legal/ISP_liability/CDA230/
 http://ilt.eff.org/index.php/Table_of_Contents
Reserved 33
Defamation: CDA Cases – consider Yelp and other reputation
data

How Might Social Data Open a Company to
Hate?
Reserved 34
 Is this a crowdsourcing benefit or a liability?

Risks in Life Logging - ENISA
 R1 – Breach of privacy
 R2 – Inappropriate secondary use of data
 R3 – Malicious attacks on smart devices
increase as their value to authenticate
individuals and store personal data increases
 R4 – Compliance with and enforcement of
data protection legislation made more difficult
 R5 – Discrimination and exclusion
 R6 – Monitoring, cyber-stalking, child
grooming and “friendly” surveillance
 R7 – Unanticipated changes in citizens’
behavior and creation of an “obedient” citizen
 R8 – Poor decision making / inability to make
decisions
 R9 – Psychological harm
 R10 – Physical theft of property or private
information from home environment
 R11 – Reduction of choices available to
individuals as consumers and user lock-in
 R12 – Decrease of productivity
To log or not to log? - Risks and benefits
of emerging life-logging applications
http://www.enisa.europa.eu/activities/risk-management/emerging-and-future-
risk/deliverables/life-logging-risk-assessment/to-log-or-not-to-log-risks-and-benefits-of-
emerging-life-logging-applications

Security and
Legal
Aspects
Issues
Affecting
Privacy
Reserved 36

Should We Show Off our Connections?
 April 28th , 2012 “Look at Me, me, me”
Reserved 37

Who Are We Hurting When We Give Information
Away?
 Why don’t we regulate companies that exceed a million user
threshold?
Reserved 38

Why Are We So Willing to Give Away our
Data?
Reserved 39
 After ten minutes of viewing Collusion, I decide to block all
tracking sites.

What Happens When We Turn Off
Tracking?
Reserved 40

What Do We Lose When We Turn Off Tracking?
If a follower is worth $118, I lost $35K (I lost
nothing)
Reserved 41

Can We Act On the Advice of Others?
Reserved 42
 What are the
implications of
driving
business
decisions that
involve access
or use of the
web?
 If followers are
assets, then
isn’t the
discouraging of
traffic a form of

Who Are the Contributors to the
Information We Trust? Can they have a
Paid Agenda?
 Should we better qualify contributors in our big data
sets?
Reserved 43

Bad Rating V. Buying a High Score
 Affiliate Programs SHOULD NOT be represented as Community
Rating
Reserved 44

© Gartner, Doug Laney on Value of Data
Infonomics: The Practice of Information Economics
 The Value of Information
 Why Put a Value on
Information?
 Information is a Unique Asset
 Where Are Information Assets
on the Balance Sheet?
 Reasons to Acknowledge and
Account for Information as an
Asset
 Measuring the Value of Your
Information
 Understanding Your True
Information ROI
 Securing Your Information
 Influencing Your Corporate
Valuation
 Assessing Contractual Risks
 Borrowing Against Information
 Bartering With Information
 Selling Information
Doug Laney is research
vice president for Gartner
Reserved 45
“Information assets cannot be formally recognized according to
accounting standards, but in time that may change”

What is the Basis for Posting Value?
 The sample shows a small business site valued at one MILLIONTH the
other companies, that topped placement in a financially valued list. The
company in first place has made no revenue as a result of that
placement.
Reserved 46

Unless We Enforce Standards in
User Engagement Reporting We
May Destroy Our Information
Economy
 What Are The Incentives to Lie?
 How do we define Propaganda?
 What constitutes illegal protest?
Reserved 47

We Have to Define Free Speech
and our Rights to Influence Others
 Free speech is not for pay
 Free speech is not automated in a batch of hundreds
or thousands of communicated response
 We have to safeguard our rights to be counted
 Instead of making it illegal to track me, perhaps it
should be illegal to MISTRACK me.
Reserved 48

Wash Your Hands Before You Eat
 What are some of the things we should clean or
delete?
 Competitors from your first connections
 Private Phone messages stored for playback on
the internet
 Facebook applications (unless the product is well
understood and serves specific scope and function)
 Anonymous identities (oxymoron?)
 Connections representing bias or undue influence
 Hateful comments, explicit content, personal
content
 Anything that stores your password and shares
your identity with other applications
Reserved 49

Questions?
 Yeah, me too.
 I use social media to track the security flaws in
social media
Reserved 50

The value of our data

More Related Content

What's hot

Viewers also liked

Similar to The value of our data

Recently uploaded

The value of our data

Editor's Notes