Towards Cybersecurity in Business Terms:
Quantifying the Risk in Dollars
Dr. Thomas Lee, CEO VivoSecurity Inc. [email protected]
Why Subjective Assessments Cannot Work
• We are easily duped by low probability, high impact events
• Most industry data is provided by vendors
Status Quo: Risk Management in the Dark
[Diagram: Board of Directors and Senior Management set Business Objectives and monitor Compliance; Security, IT and Compliance carry out Risk Management, weigh Security Restrictions and sanction Policies.]
Deficiencies
• Views security as compliance
• Doesn't foster partnership or strategy
• Blind to risk
Quantified Risk Changes the Approach: Manage in Business Context
[Diagram: Board of Directors and Senior Management set Business Priorities; Security, IT and Compliance weigh Expected Loss; the two sides negotiate Budgets based on ROI. Expected Loss is Objective, Comprehensive and Integrated.]
Quantifying Risk Solves Two Problems
More effectively mitigate risk
• Manage black-swan events
• Measure reduction in risk
• Focus where risk is highest
• Adopt a strategic approach
Manage risk in business terms
• Communicate risk in dollars
• Justify Security Investments
• Weigh risk against business priorities
Building Momentum Towards Quantifying Risk in Dollars
• FAIR taxonomy, 2000s: Factor Analysis of Information Risk
• Traditional Frameworks: Red/Yellow/Green
• World Economic Forum Recommended Framework (2015)
• Next gen: Automated, statistics-based
• Security ratings: Bitsight, others
Joint Government & Industry Conference, Cyber Resilience Initiative 2011-2015
2012 Call for Quantification
• Promotes executive involvement
• Promotes strategic risk management
• Championed a statistical approach
2015 Proposed Framework
• Still falls short: subjective, manual
• No success leveraging statistics
• Reiterates need for statistics and value at risk
The Next Generation
• Calculate expected loss (risk in dollars)
• Use empirically derived factors (new paradigm), i.e. look for predictive factors rather than making assumptions
• Automated
What is the goal?
Apply to the enterprise
• Apply probability values to each device and major resource
• Probabilities are based upon measured factors like OS, device type, user training
Measure financial impact
• Broken down by data types
• Both structured and unstructured data
Calculate expected loss (i.e. Risk in dollars)
[Diagram: Risk is derived from Rate, Impact Factor and Value at Risk.]
Data Sources
• Ponemon Reports
• Forrester Reports
• Verizon Data Breach Report
• Microsoft Security Report
• US Census Data
• HHS Database
• SEC Filings
• Scientific Journals
[Diagram: the data sources feed a model built on Bayesian Statistics.]
A Statistical Model
[Diagram: for each device and system, Risk is computed from Rate, Impact Factor and Value at Risk, for each Incident Type and Data Type.]
Incident Types:
• Lost/Stolen Device
• Internal Espionage
• Short Term Espionage
• Long Term Espionage
• External Theft Financial Data
• Internal Theft Financial Data
Data Types:
• Custodial Data
• Proprietary Data
• Third Party Data
• Financial/Personal Data
Impact Factors derived from industry data
Multiple risk values calculated for each device and system
Model Details
• Use actuarial definition of risk
• For each device and system
• Rate and Impact are derived from industry data
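The model above is the actuarial one: expected loss per device is rate times impact, computed for every incident type and data type and then summed into the company-level breakdowns shown later in the deck. The following is an added example, not code from the presentation or from VivoSecurity; every rate, OS and training multiplier, impact factor, device and value-at-risk figure in it is a constructed placeholder standing in for the empirically derived factors the slides describe.

```python
# Added example, not part of the presentation: the actuarial model the slides
# describe (risk = rate x impact) evaluated per device for each incident type
# and data type, then aggregated the way the results slide breaks it down.
# Every rate, multiplier, impact factor and value at risk below is a
# constructed placeholder, not an empirically derived VivoSecurity factor.
from collections import defaultdict
from dataclasses import dataclass

INCIDENT_TYPES = ("Lost/Stolen Device", "Espionage", "Malware", "Advanced Persistent Threat")
DATA_TYPES = ("Custodial", "Proprietary")

# Constructed base annual incident rates (incidents per device-year).
BASE_RATE = {
    "Lost/Stolen Device": 0.05,
    "Espionage": 0.01,
    "Malware": 0.08,
    "Advanced Persistent Threat": 0.002,
}
# Constructed multipliers for the measured factors the slides name (OS, training).
OS_MULTIPLIER = {"Windows 7 32bit": 1.5, "Windows 7 64bit": 1.0, "Windows 8": 0.6, "Mac OSX": 0.4}
TRAINING_MULTIPLIER = {True: 0.5, False: 1.0}
# Constructed impact factors: fraction of the value at risk lost per incident.
IMPACT_FACTOR = {
    ("Lost/Stolen Device", "Custodial"): 0.9, ("Lost/Stolen Device", "Proprietary"): 0.2,
    ("Espionage", "Custodial"): 0.3, ("Espionage", "Proprietary"): 1.0,
    ("Malware", "Custodial"): 0.5, ("Malware", "Proprietary"): 0.3,
    ("Advanced Persistent Threat", "Custodial"): 1.0, ("Advanced Persistent Threat", "Proprietary"): 1.0,
}

@dataclass
class Device:
    name: str
    os: str
    user_trained: bool
    value_at_risk: dict  # data type -> dollars of that data type held on the device

def incident_rate(device: Device, incident: str) -> float:
    """Annual rate of `incident` on this device, from its measured factors."""
    return BASE_RATE[incident] * OS_MULTIPLIER[device.os] * TRAINING_MULTIPLIER[device.user_trained]

def device_losses(device: Device) -> dict:
    """Expected annual loss per (incident type, data type): rate x impact factor x value at risk."""
    losses = {}
    for incident in INCIDENT_TYPES:
        rate = incident_rate(device, incident)
        for data_type in DATA_TYPES:
            impact = IMPACT_FACTOR[(incident, data_type)] * device.value_at_risk.get(data_type, 0.0)
            losses[(incident, data_type)] = rate * impact
    return losses

def risk_report(devices, employees: int) -> dict:
    """Aggregate per-device expected losses into the breakdowns the results slide shows."""
    by_incident = defaultdict(float)
    by_data_type = defaultdict(float)
    by_device = {}
    for device in devices:
        losses = device_losses(device)
        by_device[device.name] = sum(losses.values())
        for (incident, data_type), loss in losses.items():
            by_incident[incident] += loss
            by_data_type[data_type] += loss
    total = sum(by_device.values())
    return {
        "total": total,
        "per_employee": total / employees,
        "by_incident": dict(by_incident),
        "by_data_type": dict(by_data_type),
        "by_device": by_device,
    }

# Constructed inventory: two machines, enough to show the aggregation.
SAMPLE_DEVICES = [
    Device("lab-laptop-01", "Windows 7 64bit", False, {"Custodial": 100_000, "Proprietary": 20_000}),
    Device("hr-desktop-02", "Mac OSX", True, {"Custodial": 50_000}),
]

if __name__ == "__main__":
    report = risk_report(SAMPLE_DEVICES, employees=50)
    print(f"Average annual risk: ${report['total']:,.2f} (${report['per_employee']:,.2f} per employee)")
    for incident, loss in sorted(report["by_incident"].items(), key=lambda kv: -kv[1]):
        print(f"  {incident:28s} ${loss:,.2f}")
    for data_type, loss in report["by_data_type"].items():
        print(f"  {data_type:28s} ${loss:,.2f}")
```

The point of keeping the (incident type, data type) pair as the unit of calculation is that the same per-device numbers roll up three ways without recomputation: by incident type (where to focus controls), by data type (what a control would protect) and per employee (for budget setting), which is exactly how the results slide presents them.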
Example: Correlate Incident Rates with Malware Clean Rates
[Chart: Malware Infection Rates, from Microsoft data on clean rates. Y axis: Infections per 1000 Computers (0 to 12). Series: Windows XP SP3 32 bit; Windows 7 SP1 32 bit; Windows 7 SP1 64 bit; Server 2003 SP2 32 bit; Server 2008 R2 SP1 64 bit. Years: 2011, 2012, 2013.]
Establish Probability for Breach by Combining HHS Data with US Census Data
[Scatter plot, Year 2011: Data Breach Incidents (0 to 20) against Employees (Thousands, 0 to 2,000), with the fitted line y = 1.122E-05x.]
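The fitted line on the slide is a zero-intercept regression: breach incidents against employee count, giving a slope that reads as breaches per employee-year. The code below is an added example, not part of the presentation, showing how such a slope is fitted and then converted into an annual breach probability for an organization of a given size. The data points are constructed for illustration, not the HHS or US Census figures, and the Poisson conversion from expected count to probability is an assumption of this example, not something the slide states.

```python
# Added example, not part of the presentation: fitting a zero-intercept line
# (y = b x) of annual breach incidents against employee counts, as the slide's
# y = 1.122E-05x does, then turning the slope into an annual breach probability
# for an organization of a given size. The data points are constructed for
# illustration, not the HHS breach database or US Census figures.
import math

# Constructed (employees, breaches per year) pairs, e.g. one per state or sector.
SAMPLE_POINTS = [
    (200_000, 3),
    (600_000, 5),
    (1_000_000, 12),
    (1_400_000, 15),
    (1_900_000, 22),
]

def fit_through_origin(points):
    """Least-squares slope for y = b*x with no intercept: b = sum(x*y) / sum(x*x).
    A zero intercept encodes the assumption that zero employees means zero breaches."""
    sxy = sum(x * y for x, y in points)
    sxx = sum(x * x for x, _ in points)
    return sxy / sxx

def expected_breaches(employees: int, rate_per_employee: float) -> float:
    """Expected number of breaches per year for an organization of this size."""
    return employees * rate_per_employee

def annual_breach_probability(employees: int, rate_per_employee: float) -> float:
    """Probability of at least one breach in a year.
    Assumes (this example's assumption, not the slide's) that breaches arrive as a
    Poisson process, so P(at least one) = 1 - exp(-expected count); for small
    expected counts this is close to the expected count itself."""
    return 1.0 - math.exp(-expected_breaches(employees, rate_per_employee))

if __name__ == "__main__":
    b = fit_through_origin(SAMPLE_POINTS)
    print(f"fitted slope: y = {b:.3E}x  (breaches per employee-year)")
    for n in (300, 500, 5_000, 50_000):
        print(f"{n:>6} employees: expected {expected_breaches(n, b):.4f} breaches/yr, "
              f"P(>=1 breach) = {annual_breach_probability(n, b):.4%}")
```

Fitting through the origin matters because an intercept would assign a non-zero breach count to an organization with no employees; the regression form on the slide rules that out. The Poisson step only matters for large organizations, where the expected count stops being small enough to read directly as a probability.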
Establishing Cost per Record for Personal Financial Data
[Chart, VivoSecurity 2014 analysis: Records Breached (5,000 to 500,000,000, log scale) against Cost per Record ($1 to $1,000, log scale); points from SEC Filings and from Ponemon.]
Case Study (expected loss)
Industry NAICS: 54 (Pharma)
Employees: 300
Country: US, China
Computers: Mix desktops/laptops
Calculate Value at Risk from Unstructured Data
[Chart: Data Value at Risk ($0 to $3,500,000) per computer, grouped by department: Summer-Interns, Regulatory-Affairs, Quality-Assurance, PreClinical, Pharmacology, Legal, Human Resource, Finance, Facilities, Default Group, Clinical Development, Chemistry, Cell-Biology, Analytical-Development. Series: Custodial, Proprietary.]
Each horizontal bar is a single computer. Impact for two data types is shown for each computer.
[Chart: Financial Impact ($0 to $2,000,000) against Probability of a Cyber Security Incident per Year (0.0010% to 100.0000%, log scale), by incident type: Lost or Stolen Laptops, Espionage, Malware, Advanced Persistent Threat.]
Example Risk Quantification Results
This is real data, for a single company.

                                   Total         Custodial     Proprietary
Average Annual Risk                $69,713.74    $60,609.71    $9,104.03
  (per employee)                   ($232.38)     ($202.03)     ($30.35)
Incident type (label not recoverable)  $69,605.39    $60,589.51    $9,015.88
Incident type (label not recoverable)  $69.35        $12.93        $56.42
Incident type (label not recoverable)  $39.01        $7.27         $31.73

Average Annual Risk: senior management can use this to set the cyber security budget and risk appetite for the company
• Broken down by incident type: use this information to focus security resources.
• Broken down by data type: use this information to test solutions.
VivoSecurity Proprietary and Confidential
Case Study (probability only)
Industry NAICS: 54
Employees: 500
Country: US
Windows 7, 64bit: 624
Mac OSX: 41
Probability of an Espionage Incident with Modeled Changes to Training and Operating Systems
[Chart: Total Probability of Espionage (0 to 0.12) for six scenarios: Current, training (-); Current, training (+); All Windows 8, training (-); All Mac, training (-); All Windows 8, training (+); All Mac, training (+).]
training(+): with anti-phish training
training(-): without anti-phish training
Current: 624 Windows 7, 64bit, 41 Mac OSX
All Windows 8: 665 Windows 8
All Mac: 665 Mac
Model Study
Modeled Changes to Enterprise
• Anti-phish decoy training
• Upgrade Administrators to Windows 8
Example: High Impact Production Database
$65K Average Annual Risk: 600 employees, Win7 32bit SP1, 3 domain admins, NAICS=54 (Professional), $125M enterprise value
Risk Breakdown
• $44K from domain admin accounts
• $8K file share
• $8K doc system
• $4K work stations
Solutions
• Anti-phish decoy training
• Anti-phish awareness training
• Eliminate a domain admin account
[Table: Cost, Benefit and ROI per solution. Values shown: Cost $5K, $3K, $5K, $20K, $2K, $0.5K; Benefit $35K, $34K, $16K, $8K, $15K; ROI 700%, 1000%, 80%, 400%, 3000%.]
The degree to which the solution addresses the risk
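The Cost / Benefit / ROI table turns the risk breakdown into a ranking of candidate controls: a solution's benefit is the share of each risk component it addresses, and ROI is benefit over cost (the slide shows a $35K benefit on a $5K cost as 700%). The following is an added example, not code from the presentation or from VivoSecurity. The risk breakdown is the slide's; the solution costs, the coverage fractions, and the fourth solution ("Harden file share and doc system", included only to show a sub-100% ROI) are constructed assumptions of this example.

```python
# Added example, not part of the presentation: ranking candidate solutions by
# ROI the way the slide's Cost / Benefit / ROI table does. The risk breakdown is
# the slide's ($44K domain admin accounts, $8K file share, $8K doc system,
# $4K work stations); the solution costs, the fraction of each risk a solution
# addresses, and the fourth (hypothetical) solution are constructed assumptions.

RISK_BREAKDOWN = {  # average annual risk in dollars, by where it sits (from the slide)
    "domain admin accounts": 44_000,
    "file share": 8_000,
    "doc system": 8_000,
    "work stations": 4_000,
}

# Constructed: cost and the degree to which each solution addresses each risk component.
SOLUTIONS = {
    "Anti-phish decoy training":        {"cost": 5_000,  "coverage": {"domain admin accounts": 0.75, "work stations": 0.5}},
    "Anti-phish awareness training":    {"cost": 3_000,  "coverage": {"domain admin accounts": 0.5, "work stations": 0.5}},
    "Eliminate a domain admin account": {"cost": 500,    "coverage": {"domain admin accounts": 1 / 3}},
    "Harden file share and doc system": {"cost": 20_000, "coverage": {"file share": 1.0, "doc system": 1.0}},  # hypothetical
}

def benefit(coverage, risk=RISK_BREAKDOWN):
    """Annual risk reduction: each risk component times the fraction the solution addresses."""
    return sum(risk[component] * fraction for component, fraction in coverage.items())

def roi(solution, risk=RISK_BREAKDOWN):
    """Benefit divided by cost, as on the slide where a $35K benefit on a $5K cost is shown as 700%."""
    return benefit(solution["coverage"], risk) / solution["cost"]

def rank_solutions(solutions=SOLUTIONS, risk=RISK_BREAKDOWN):
    """Rows of (name, cost, benefit, roi), highest ROI first."""
    rows = [(name, s["cost"], benefit(s["coverage"], risk), roi(s, risk)) for name, s in solutions.items()]
    return sorted(rows, key=lambda row: row[3], reverse=True)

if __name__ == "__main__":
    print(f"Total average annual risk: ${sum(RISK_BREAKDOWN.values()):,}")
    for name, cost, ben, r in rank_solutions():
        print(f"{name:34s} cost ${cost:>7,}  benefit ${ben:>9,.0f}  ROI {r:.0%}")
```

Because benefit is computed from the same per-component risk figures the model produced, the ranking changes automatically when the risk breakdown changes; a cheap control that removes a third of the largest component outranks an expensive control that fully addresses two small ones.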
Conclusion
World Economic Forum emphasized the importance of quantifying risk
• Requires business to participate to foster better use of resources
• Method must be statistically relevant
Model should:
• Calculate expected loss
• Use empirically derived factors
• Be able to be automated
Thanks