Towards Cybersecurity in Business Terms: Quantifying the Risk in Dollars
Dr. Thomas Lee, CEO VivoSecurity Inc. [email protected]

Transcript of the slide deck (25 slides)

Page 1:

Towards Cybersecurity in Business Terms: Quantifying the Risk in Dollars

Dr. Thomas Lee, CEO VivoSecurity Inc. [email protected]

Page 2:

Why Subjective Assessments Cannot Work

We are easily duped by low probability - high impact events

Page 3:

Why Subjective Assessments Cannot Work

Most industry data is provided by vendors

Page 4:

Status Quo: Risk Management in the Dark

[Diagram: Board of Directors / Senior Management set Business Objectives; Security, IT, Compliance do Risk Management: Weigh Security Restrictions, Sanction Policies, Monitor Compliance]

Deficiencies
• Views security as compliance
• Doesn't foster partnership or strategy
• Blind to risk

Page 5:

Quantified Risk Changes the Approach: Manage in Business Context

[Diagram: Board of Directors / Senior Management set Business Priorities; Security, IT, Compliance Weigh Expected Loss and Negotiate Budgets Based on ROI; Expected Loss is Objective, Comprehensive, Integrated]

Page 6:

Quantifying Risk Solves Two Problems

More effectively mitigate risk
• Manage black-swan events
• Measure reduction in risk
• Focus where risk is highest
• Adopt a strategic approach

Manage risk in business terms
• Communicate risk in dollars
• Justify security investments
• Weigh risk against business priorities

Page 7:

Building Momentum Towards Quantifying Risk in Dollars

• FAIR taxonomy, 2000s: Factor Analysis of Information Risk
• Traditional frameworks: Red/Yellow/Green
• World Economic Forum Recommended Framework (2015)
• Next gen: Automated, statistics-based
• Security ratings: Bitsight, others

Page 8:

Joint Government & Industry Conference, Cyber Resilience Initiative 2011-2015

2012 Call for Quantification
• Promotes executive involvement
• Promotes strategic risk management
• Championed a statistical approach

2015 Propose Framework
• Still falls short – subjective, manual
• No success leveraging statistics
• Reiterates need for statistics and value at risk

Page 9:

What is the goal? The Next Generation

• Calculate expected loss (risk in dollars)
• Use empirically derived factors (new paradigm), i.e. look for predictive factors rather than making assumptions
• Automated

Page 10:

A Statistical Model

Apply to the enterprise
• Apply probability values to each device and major resources
• Probabilities are based upon measured factors like OS, device type, user training

Measure financial impact
• Broken down by data types
• Both structured and unstructured data

Calculate expected loss (i.e. risk in dollars): Risk = Rate × Value at Risk × Impact Factor

Data Sources: Bayesian Statistics; Ponemon Reports; Forrester Reports; Verizon Data Breach Report; Microsoft Security Report; US Census Data; HHS Database; SEC Filings; Scientific Journals

Page 11:

Model Details: Use actuarial definition of risk

For each device and system: Risk = Rate × Value at Risk × Impact Factor, evaluated per incident type and data type

Incident Types: • Lost/Stolen Device • Internal Espionage • Short Term Espionage • Long Term Espionage • External Theft Financial Data • Internal Theft Financial Data

Data Types: • Custodial Data • Proprietary Data • Third Party Data • Financial/Personal Data

Impact Factors derived from industry data

Multiple risk values calculated for each device and system
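The slides above describe the model only in outline (Rate × Value at Risk × Impact Factor per device, per incident type and per data type, then rolled up). The following is an added worked example of that decomposition, written for this transcript; it is not VivoSecurity's code, and every rate, value at risk and impact factor in it is a constructed illustrative number, not a real model parameter. The functions `device_risk` and `enterprise_risk`, the `Device` class and the two-device `SAMPLE_FLEET` are likewise assumptions made for the example.

```python
from dataclasses import dataclass, field
from itertools import product

# Added illustration of the deck's actuarial decomposition,
# Risk = Rate x Value at Risk x Impact Factor, evaluated per device for every
# (incident type, data type) pair and then rolled up by incident type and by
# data type. Every number below is constructed for the example; none is a real
# VivoSecurity model parameter.

INCIDENT_TYPES = [
    "lost_stolen_device", "internal_espionage", "short_term_espionage",
    "long_term_espionage", "external_theft_financial", "internal_theft_financial",
]
DATA_TYPES = ["custodial", "proprietary", "third_party", "financial_personal"]

# Annual incident rate per device keyed by (OS, user has security training). Constructed.
BASE_RATE = {
    ("windows7_64", False): 0.010,
    ("windows7_64", True): 0.006,
    ("macosx", False): 0.004,
    ("macosx", True): 0.0025,
}

# Share of a device's incidents falling into each incident type (sums to 1). Constructed.
INCIDENT_MIX = {
    "lost_stolen_device": 0.5, "internal_espionage": 0.1, "short_term_espionage": 0.1,
    "long_term_espionage": 0.1, "external_theft_financial": 0.1, "internal_theft_financial": 0.1,
}

# Impact factor: fraction of the value at risk actually lost for a given
# (incident type, data type); pairs not listed contribute no loss. Constructed.
IMPACT = {
    ("lost_stolen_device", "custodial"): 0.2,
    ("lost_stolen_device", "proprietary"): 0.1,
    ("long_term_espionage", "proprietary"): 1.0,
    ("external_theft_financial", "financial_personal"): 0.5,
    ("internal_theft_financial", "financial_personal"): 0.5,
}


@dataclass
class Device:
    name: str
    os: str
    trained: bool
    value_at_risk: dict = field(default_factory=dict)  # data type -> dollars on the device


def device_risk(device):
    """Expected annual loss in dollars for one device, keyed by (incident type, data type)."""
    total_rate = BASE_RATE[(device.os, device.trained)]
    risk = {}
    for incident, data in product(INCIDENT_TYPES, DATA_TYPES):
        rate = total_rate * INCIDENT_MIX[incident]
        value_at_risk = device.value_at_risk.get(data, 0.0)
        impact = IMPACT.get((incident, data), 0.0)
        risk[(incident, data)] = rate * value_at_risk * impact
    return risk


def enterprise_risk(devices, employees):
    """Roll device risks up into the views the deck reports: total (and per employee),
    by incident type, and by data type."""
    by_incident = dict.fromkeys(INCIDENT_TYPES, 0.0)
    by_data = dict.fromkeys(DATA_TYPES, 0.0)
    for device in devices:
        for (incident, data), loss in device_risk(device).items():
            by_incident[incident] += loss
            by_data[data] += loss
    total = sum(by_incident.values())
    return {
        "total": total,
        "per_employee": total / employees,
        "by_incident": by_incident,
        "by_data": by_data,
    }


# Constructed two-device fleet; the values at risk are illustrative dollar figures.
SAMPLE_FLEET = [
    Device("lab-01", "windows7_64", False, {"custodial": 100_000, "proprietary": 50_000}),
    Device("cfo-mac", "macosx", True, {"financial_personal": 200_000, "proprietary": 20_000}),
]

if __name__ == "__main__":
    report = enterprise_risk(SAMPLE_FLEET, employees=2)
    print(f"Average annual risk: ${report['total']:,.2f} "
          f"(${report['per_employee']:,.2f} per employee)")
    for view in ("by_incident", "by_data"):
        for key, loss in report[view].items():
            print(f"  {view:<11} {key:<28} ${loss:,.2f}")
```

The two breakdowns come out of the same per-device table, which is what lets the by-incident view drive where security resources go while the by-data view drives which solutions to test; the per-employee figure is simply the total divided by headcount, as on the results slide.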

Page 12:

Rate and Impact are Derived from Industry Data

Page 13:

Example: Correlate Incident Rates with Malware Clean Rates

[Bar chart: Malware Infection Rates, Infections per 1000 Computers (0 to 12), for Windows XP SP3 32 bit, Windows 7 SP1 32 bit, Windows 7 SP1 64 bit, Server 2003 SP2 32 bit, Server 2008 R2 SP1 64 bit; years 2011, 2012, 2013]

Microsoft data on clean rates

Page 14:

Establish Probability for Breach by Combining HHS Data with US Census Data

[Scatter plot, Year 2011: Data Breach Incidents (0 to 20) against Employees, Thousands (0 to 2,000); linear fit y = 1.122E-05x]
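The slide shows only the fitted line (y = 1.122E-05x, incidents against headcount). As an added example, not part of the deck, the block below carries that step through: a least-squares fit through the origin on constructed (employees, incidents) points, then conversion of the per-employee rate into a probability of at least one breach for an enterprise of a given size. The data points are invented for the example, not the HHS or Census figures behind the slide; the Poisson treatment in `breach_probability` is this example's assumption, and the function names are likewise assumptions.

```python
import math

# Added illustration of the approach on this slide: regress breach incidents on
# employee headcount with a fit through the origin (y = slope * x, the form of the
# y = 1.122E-05x line on the slide), then turn the per-employee rate into a breach
# probability for a company of a given size. The points are constructed for the
# example, not the HHS/Census figures behind the slide.

# (employees, breach incidents reported in a year) per region. Constructed.
SAMPLE_POINTS = [
    (50_000, 1),
    (150_000, 1),
    (400_000, 5),
    (900_000, 9),
    (2_000_000, 22),
]


def fit_through_origin(points):
    """Least-squares slope for y = slope * x with no intercept: sum(xy) / sum(x^2).
    The intercept is pinned at zero because zero employees cannot produce a breach."""
    sxy = sum(x * y for x, y in points)
    sxx = sum(x * x for x, _ in points)
    return sxy / sxx


def breach_probability(employees, incidents_per_employee):
    """Probability of at least one breach in a year for an enterprise of this size.
    Treats incidents as Poisson with mean = rate * employees, so P(>=1) = 1 - exp(-mean).
    For small means this is close to rate * employees, but it can never exceed 1."""
    expected_incidents = incidents_per_employee * employees
    return 1.0 - math.exp(-expected_incidents)


if __name__ == "__main__":
    slope = fit_through_origin(SAMPLE_POINTS)
    print(f"fitted incidents per employee per year: {slope:.3e}")
    for n in (300, 5_000, 100_000):
        p_fit = breach_probability(n, slope)
        p_deck = breach_probability(n, 1.122e-5)   # slope printed on the slide
        print(f"{n:>7} employees: P(breach) {p_fit:.4%} (sample fit), "
              f"{p_deck:.4%} (slide's slope)")
```

Two points worth noticing when using a rate like this: the rate is per employee, so it scales a company's exposure linearly with headcount, and the probability of at least one incident saturates toward 1 for very large headcounts rather than growing without bound, which is why the conversion uses 1 - exp(-mean) instead of rate × employees.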

Page 15:

Establishing Cost per Record for Personal Financial Data

[Log-log plot: Records Breached (5,000 to 500,000,000) against Cost per Record ($1 to $1,000); series From SEC Filings and From Ponemon ($100 to $1,000); VivoSecurity, 2014 analysis]

Page 16:

Case Study (expected loss)

Industry NAICS: 54 (Pharma)
Employees: 300
Country: US, China
Computers: Mix desktops/laptops

Page 17:

Data Value at Risk

Calculate Value at Risk from Unstructured Data. Each horizontal bar is a single computer. Impact for two data types is shown for each computer.

[Horizontal bar chart: value at risk per computer ($0 to $3,500,000), series Custodial and Proprietary; computers grouped by department: Summer-Interns, Regulatory-Affairs, Quality-Assurance, PreClinical, Pharmacology, Legal, Human Resource, Finance, Facilities, Default Group, Clinical Development, Chemistry, Cell-Biology, Analytical-Development]

Page 18:

Example Risk Quantification Results. This is real data, for a single company.

[Chart: Financial Impact ($0 to $2,000,000) against Probability of a Cyber Security Incident per Year (log scale, 0.0010% to 100.0000%); series Lost or Stolen Laptops, Espionage Malware, Advanced Persistent Threat]

                        Total         Custodial     Proprietary
Total                   $69,713.74    $60,609.71    $9,104.03
(per employee)          ($232.38)     ($202.03)     ($30.35)
(row label unreadable)  $69,605.39    $60,589.51    $9,015.88
(row label unreadable)  $69.35        $12.93        $56.42
(row label unreadable)  $39.01        $7.27         $31.73

Average Annual Risk: senior management can use this to set the cyber security budget and risk appetite for the company
• Broken down by incident type: use this information to focus security resources.
• Broken down by data type: use this information to test solutions.

VivoSecurity Proprietary and Confidential

Page 19:

Case Study (probability only)

Industry NAICS: 54
Employees: 500
Country: US
Windows 7, 64bit: 624
Mac OSX: 41

Page 20:

Modeled Changes to Enterprise

Probability of an Espionage Incident with Modeled Changes to Training and Operating Systems

[Bar chart: Total Probability of Espionage (0 to 0.12) for scenarios Current training(-), Current training(+), All Windows 8 training(-), All Mac training(-), All Windows 8 training(+), All Mac training(+)]

training(+) ......... with anti-phish training
training(-) ......... without anti-phish training
Current ............. 624 Windows 7, 64bit, 41 Mac OSX
All Windows 8 ....... 665 Windows 8
All Mac ............. 665 M
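The slide compares six what-if scenarios but does not show how the per-device probabilities combine into the "Total Probability of Espionage" bar. The block below is an added example, written for this transcript rather than taken from the deck, of that aggregation: the enterprise-level probability of at least one espionage incident is 1 - ∏(1 - p_i) over all devices, so changing the OS mix or adding anti-phish training changes it through the per-device rates. The fleet sizes (624 Windows 7 64-bit plus 41 Mac OSX, or 665 of a single OS) are the slide's; the per-device rates, the 0.6 training multiplier, and the function names are constructed assumptions.

```python
import math

# Added illustration of the what-if comparison on this slide: the probability that
# the enterprise suffers at least one espionage incident in a year is
# 1 - prod(1 - p_i) over all devices. The per-device rates and the training effect
# are constructed for the example; the fleet sizes are the ones the slide gives.

# Annual probability of an espionage incident per device, by OS. Constructed.
ESPIONAGE_RATE = {"windows7_64": 1.5e-4, "windows8": 1.0e-4, "macosx": 0.5e-4}

# Multiplier applied to a device's rate when its user has anti-phish training. Constructed.
TRAINING_FACTOR = 0.6

# Fleet compositions from the slide: {OS: device count}.
FLEETS = {
    "current": {"windows7_64": 624, "macosx": 41},
    "all_windows8": {"windows8": 665},
    "all_mac": {"macosx": 665},
}


def fleet_probability(fleet, trained):
    """P(at least one espionage incident in the fleet this year), assuming devices are
    independent. Computed as 1 - exp(sum(log1p(-p_i))) rather than a running product
    so that hundreds of tiny probabilities do not lose precision."""
    factor = TRAINING_FACTOR if trained else 1.0
    log_none = 0.0  # log of the probability that no device has an incident
    for os_name, count in fleet.items():
        p = ESPIONAGE_RATE[os_name] * factor
        log_none += count * math.log1p(-p)
    return 1.0 - math.exp(log_none)


def scenario_table():
    """The six bars on the slide: each fleet with and without training."""
    return {
        f"{name}, training({'+' if trained else '-'})": fleet_probability(fleet, trained)
        for name, fleet in FLEETS.items()
        for trained in (False, True)
    }


if __name__ == "__main__":
    for label, p in sorted(scenario_table().items(), key=lambda kv: kv[1], reverse=True):
        print(f"{label:<28} {p:.4f}")
```

Because the per-device rates are constructed, the absolute values differ from the slide's; what the example shows is the mechanism, and in particular that the ranking of scenarios is decided entirely by the per-device rates once the fleet composition is fixed.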

Page 21:

Model Study

Page 22:

Solutions / Risk Breakdown

$65K Average Annual Risk: 600 employees, Win7 32bit SP1, 3 domain admins, NAICS=54 (Professional), $125M enterprise value

Risk breakdown:
• $44K from domain admin accounts
• $8K file share
• $8K doc system
• $4K work stations

Solutions (scored by the degree to which the solution addresses the risk):
• Anti-phish decoy training
• Anti-phish awareness training
• Upgrade Administrators to Windows 8
• Eliminate a domain admin account

Example: High Impact Production Database

[Table with Cost, Benefit and ROI columns; values shown: Cost $5K, $3K, $20K, $2K, $0.5K; Benefit $35K, $34K, $16K, $8K, $15K; ROI 700%, 1000%, 80%, 400%, 3000%; row assignment not recoverable from the extraction]
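The slide's ROI table pairs each solution's cost with the dollars of average annual risk it removes. As an added example, not taken from the deck, the block below computes that pairing from the risk breakdown the slide gives: each solution is scored by the fraction of each risk component it addresses, benefit is the annual risk removed, and ROI is benefit divided by cost, which is the convention the slide's own figures follow ($35K benefit on $5K cost shown as 700%). The $44K/$8K/$8K/$4K breakdown is the slide's; the costs, the coverage fractions and the function names are constructed assumptions.

```python
# Added illustration of the ROI table on this slide. Benefit is the dollars of
# average annual risk a solution removes (risk component x fraction addressed),
# and ROI is benefit / cost, matching the slide's figures (35K / 5K = 700%).
# The risk breakdown is the slide's; costs and coverage fractions are constructed.

RISK_BREAKDOWN = {  # average annual risk in dollars, from the slide
    "domain_admin_accounts": 44_000,
    "file_share": 8_000,
    "doc_system": 8_000,
    "workstations": 4_000,
}

# Solution -> (cost in dollars, fraction of each risk component it addresses). Constructed.
SOLUTIONS = {
    "Anti-phish decoy training": (5_000, {c: 0.5 for c in RISK_BREAKDOWN}),
    "Upgrade Administrators to Windows 8": (20_000, {"domain_admin_accounts": 0.35}),
    "Eliminate a domain admin account": (500, {"domain_admin_accounts": 1 / 3}),
}


def benefit(coverage, risk=RISK_BREAKDOWN):
    """Dollars of annual risk removed: sum over components of risk * fraction addressed."""
    return sum(risk[c] * coverage.get(c, 0.0) for c in risk)


def rank_solutions(solutions=SOLUTIONS):
    """Return [(name, cost, benefit, roi)] sorted by ROI, best first."""
    rows = []
    for name, (cost, coverage) in solutions.items():
        b = benefit(coverage)
        rows.append((name, cost, b, b / cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    print(f"{'Solution':<38}{'Cost':>9}{'Benefit':>11}{'ROI':>8}")
    for name, cost, b, roi in rank_solutions():
        print(f"{name:<38}${cost:>8,.0f}${b:>10,.0f}{roi:>8.0%}")
```

The coverage fractions are where the judgement lives: a cheap control that addresses a third of the largest component outranks an expensive one that addresses a similar share, which is the same lesson the slide's 3000% row makes against its 80% row.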

Page 23:

Conclusion

World Economic Forum emphasized the importance of quantifying risk
• Requires business to participate to foster better use of resources
• Method must be statistically relevant

Page 24:

Conclusion

Model should:
• Calculate expected loss
• Use empirically derived factors
• Be able to be automated

Page 25:

Thanks