Models for Estimating Risk and Optimizing the Return on Security

advertisement
Models for Estimating Risk and
Optimizing the Return on
Security Investment
Introduction
Objectives
• Using risk assessment methods to estimate
•
•
•
•
security investments
Categorizing risks in the Risk Assessment Cube
Calculating an expected value of loss
Optimizing the return on investment for security
Creating a complete organizational risk profile
What Problem???
 Information security is a business problem
that can be assessed with the same analytic
methods that are used for other businessrelated risks and consequences
 Risk Analysis – the full identity and
assessment of risk factors, as well as the
balance of expected costs of incidents with
the cost of defense needed to avoid
incidents.
Quantitative Models for Business
Decision
• Expected Value Model– it gauges
uncertainty about the financial impact of an
outcome
• Marginal Analysis Model – gives an
estimation on investment in security
defenses
• Basis for estimating the cost of a loss and
appraising an organization’s risk exposure.
Importance of Risk Assessment
 In 2001, there was an estimated 4,000 U.S.
business websites were victims of the DOS attacks
each week
 Recent targeted attacks appear on the U.S. cyber
crime website at www.cybercrime.gov
 These figures mention helps give an estimate of
both the cost and frequency of the various attacks
Risk Assessment (2)
 There is a vast difference in organizations’
security needs because in the size, attractiveness to
the attackers, and dependence on the networks
 ISO 17799 – international standard for best
practices in information security. Risk analysis is a
basic requirement and is the establishment of
security policy
Information Security Budgets
 With budgeting, raising the priority of security
investments is best done by calculating credible
estimates of the expected loss from intrusions,
negligence, or subsequent litigation by using risk
management methods.
 Risk Management techniques and IT techniques
are common and enables the decision makers of
those businesses to tackle information security
policies with little IT knowledge.
Expected Cost of Loss
 Computer security is essentially about risk
management. Before decisions on security
spending, you must make a tough risk assessment.
 Expected Value – is a basic concept to make
decisions when there is uncertainty about the
financial impact of an outcome
 Expected Loss – is the type of expected value
method that is relevant to security
Expected Cost of Loss(2)
 Expected Loss Model (ELM) provides an
important benchmark against which to assess and
justify investments in digital security.
 Marginal cost-benefit analysis – estimates the
investment in security defenses that optimizes
return on investment (ROI).
 Marginal analysis is to minimize over-investment
or under-investment.
Risk Assessment Cube
 It is a structure categorizing risks. They are
divided into three dimensions:
– The Probability of an Incident
– The Severity of the Outcome or Loss
– The Duration of the Impact
 Figure 5.2 of pg 67
Expected Loss Value Estimations
 ELV estimations is used to extensively to evaluate
the consequences of business decisions during a
particular time segment.
 Here is the formula for expected loss computation:
• Expected Loss = (Amount of Loss) * (Probability of Loss)
 The benefit of ELM is the ability to standardize
the cost of incidents for comparison purposes.
Provides hard data to substantiate the priority of
security investment
Challenges in Estimating Loss of
Digital Assets
 Digital Assets are intangible – their value may
only become fully understood in the actual event
of loss.
 All types of businesses tend to underestimate the
expected value of their digital assets drastically.
 They fail to take in account the variety of ways
these assets can come under attack, therefore
increasing probability of a loss. This also leads to
poor investment decisions.
Digital Assets(2)
 Physical assets tend to exist in only one place and
therefore must only be protected in one instance.
To protect digital assets is to retain multiple
backup copies.
 It protects against accidental destruction.
 It also gives increased opportunities for theft.
 Cache – temporary file copies to enhance system
performance. Each copy is vulnerable.
Knowledge Assets
 While some digital assets have a direct
monetary value, others have indirect value
derived from their associated knowledge.
 Most knowledge assets are contained in
employees themselves.
 Knowledge management is the system that
is used to capture and store this commonly
unstructured information.
Knowledge Management (KM)
 KM assets range from production
techniques to personal contact information.
 With these sort of assets, it is almost
impossible to replace the knowledge once it
is lost.
 This causes the valuation of knowledge
assets to usually be more complicated.
Mission-Critical Software
 Mission-critical software is software that
has been customized or designed by the
company and usually provides a
competitive advantage to the company.
 This software is vulnerable in multiple
ways.
Valuation of Digital Assets and Risk
 There are two main ways to assign values to
non-tangible assets.
 One is to examine their impact, the other is
to focus on loss prevention.
 3 main categories: Software Assets,
Knowledge Assets, and Goodwill
Valuation of Software Assets
 The risk, in this case, is not the loss of the
software. The risk is due to the loss of the
use of the software during the period of
time it takes to restore the software from a
backup.
 The average loss, is calculated by
multiplying the average revenue by the total
downtime.
 Productivity software is calculated by the
percentage of productivity improvement.
Valuation of Knowledge Assets
 The unique knowledge within an
organization is what causes risk.
 The danger lies with what the attackers do
with the stolen information.
 Some unique information may be grounds
for legal actions if stolen. (email example)
Valuation of Goodwill
 With companies who are extremely active
on the internet and other networks, the
company’s reliance on technology causes
their goodwill to be vulnerable.
 The credit card information company in
Atlanta is a perfect example of this.
 Attacks on a company’s goodwill can cause
more long term damage than theft of a
specific production procedure. (customers)
Risk Information Sources
 CERT Coordination Center is a federally
funded organization that is part of Carnegie
Mellon University.
 InfraGard is an alliance of both the public
and private sector that is designed to defend
against cyber terrorism.
Risk Evaluation Profile
 After Risk estimations have been done, a risk
evaluation profile (REP) can be created.
Asset Class
Risk of Loss
Risk of Lost
Revenue
Current
Exposure
Investment
Priority
Customer
Data
High
High
Moderate
High
R&D Docs.
Moderate
High
Moderate
High
Transaction
History
Moderate
Low
Moderate
Low
Employee
Data
Low
Low
Low
Low
Odds and Ends.
 Over 90% of cyber attacks could have
easily been prevented by the tech. at the
time.
 Businesses who have secure network
connections between themselves and other
businesses occasionally run independent
audits of their business partners.
 The reason the DLM works so well is
because it does not only focus on
technology. It mainly focuses on the nondigital aspects.
the end
Download