Models for Estimating Risk and Optimizing the Return on Security Investment Introduction Objectives • Using risk assessment methods to estimate • • • • security investments Categorizing risks in the Risk Assessment Cube Calculating an expected value of loss Optimizing the return on investment for security Creating a complete organizational risk profile What Problem??? Information security is a business problem that can be assessed with the same analytic methods that are used for other businessrelated risks and consequences Risk Analysis – the full identity and assessment of risk factors, as well as the balance of expected costs of incidents with the cost of defense needed to avoid incidents. Quantitative Models for Business Decision • Expected Value Model– it gauges uncertainty about the financial impact of an outcome • Marginal Analysis Model – gives an estimation on investment in security defenses • Basis for estimating the cost of a loss and appraising an organization’s risk exposure. Importance of Risk Assessment In 2001, there was an estimated 4,000 U.S. business websites were victims of the DOS attacks each week Recent targeted attacks appear on the U.S. cyber crime website at www.cybercrime.gov These figures mention helps give an estimate of both the cost and frequency of the various attacks Risk Assessment (2) There is a vast difference in organizations’ security needs because in the size, attractiveness to the attackers, and dependence on the networks ISO 17799 – international standard for best practices in information security. Risk analysis is a basic requirement and is the establishment of security policy Information Security Budgets With budgeting, raising the priority of security investments is best done by calculating credible estimates of the expected loss from intrusions, negligence, or subsequent litigation by using risk management methods. Risk Management techniques and IT techniques are common and enables the decision makers of those businesses to tackle information security policies with little IT knowledge. Expected Cost of Loss Computer security is essentially about risk management. Before decisions on security spending, you must make a tough risk assessment. Expected Value – is a basic concept to make decisions when there is uncertainty about the financial impact of an outcome Expected Loss – is the type of expected value method that is relevant to security Expected Cost of Loss(2) Expected Loss Model (ELM) provides an important benchmark against which to assess and justify investments in digital security. Marginal cost-benefit analysis – estimates the investment in security defenses that optimizes return on investment (ROI). Marginal analysis is to minimize over-investment or under-investment. Risk Assessment Cube It is a structure categorizing risks. They are divided into three dimensions: – The Probability of an Incident – The Severity of the Outcome or Loss – The Duration of the Impact Figure 5.2 of pg 67 Expected Loss Value Estimations ELV estimations is used to extensively to evaluate the consequences of business decisions during a particular time segment. Here is the formula for expected loss computation: • Expected Loss = (Amount of Loss) * (Probability of Loss) The benefit of ELM is the ability to standardize the cost of incidents for comparison purposes. Provides hard data to substantiate the priority of security investment Challenges in Estimating Loss of Digital Assets Digital Assets are intangible – their value may only become fully understood in the actual event of loss. All types of businesses tend to underestimate the expected value of their digital assets drastically. They fail to take in account the variety of ways these assets can come under attack, therefore increasing probability of a loss. This also leads to poor investment decisions. Digital Assets(2) Physical assets tend to exist in only one place and therefore must only be protected in one instance. To protect digital assets is to retain multiple backup copies. It protects against accidental destruction. It also gives increased opportunities for theft. Cache – temporary file copies to enhance system performance. Each copy is vulnerable. Knowledge Assets While some digital assets have a direct monetary value, others have indirect value derived from their associated knowledge. Most knowledge assets are contained in employees themselves. Knowledge management is the system that is used to capture and store this commonly unstructured information. Knowledge Management (KM) KM assets range from production techniques to personal contact information. With these sort of assets, it is almost impossible to replace the knowledge once it is lost. This causes the valuation of knowledge assets to usually be more complicated. Mission-Critical Software Mission-critical software is software that has been customized or designed by the company and usually provides a competitive advantage to the company. This software is vulnerable in multiple ways. Valuation of Digital Assets and Risk There are two main ways to assign values to non-tangible assets. One is to examine their impact, the other is to focus on loss prevention. 3 main categories: Software Assets, Knowledge Assets, and Goodwill Valuation of Software Assets The risk, in this case, is not the loss of the software. The risk is due to the loss of the use of the software during the period of time it takes to restore the software from a backup. The average loss, is calculated by multiplying the average revenue by the total downtime. Productivity software is calculated by the percentage of productivity improvement. Valuation of Knowledge Assets The unique knowledge within an organization is what causes risk. The danger lies with what the attackers do with the stolen information. Some unique information may be grounds for legal actions if stolen. (email example) Valuation of Goodwill With companies who are extremely active on the internet and other networks, the company’s reliance on technology causes their goodwill to be vulnerable. The credit card information company in Atlanta is a perfect example of this. Attacks on a company’s goodwill can cause more long term damage than theft of a specific production procedure. (customers) Risk Information Sources CERT Coordination Center is a federally funded organization that is part of Carnegie Mellon University. InfraGard is an alliance of both the public and private sector that is designed to defend against cyber terrorism. Risk Evaluation Profile After Risk estimations have been done, a risk evaluation profile (REP) can be created. Asset Class Risk of Loss Risk of Lost Revenue Current Exposure Investment Priority Customer Data High High Moderate High R&D Docs. Moderate High Moderate High Transaction History Moderate Low Moderate Low Employee Data Low Low Low Low Odds and Ends. Over 90% of cyber attacks could have easily been prevented by the tech. at the time. Businesses who have secure network connections between themselves and other businesses occasionally run independent audits of their business partners. The reason the DLM works so well is because it does not only focus on technology. It mainly focuses on the nondigital aspects. the end