Is Security Worth It?

Alex Lauerman
Who is Alex?
• FishNet Security
• Veracode
• TrustFoundry
• SecKC
Why am I talking?
• Don’t like security being a checkbox
• I want security to be driven by its value
• Want to do better at the stock market
• Goal is to help understand cost of insecurity
What will I talk about?
• Cost Factors of a Data Breach
• Previous Research
• My Research
• Analysis of impact of data breach
What is a data breach?
• Accidental or intentional loss of:
• Personally Identifiable Information
• Financial Information
• Confidential Company Information
• Intellectual Property
• Health Information
What are the cost factors?
• Incident Response
• Communications
• Compensation
• Legal defense
• Regulatory Fines
• Indirect
• Loss of productivity
• Loss of customers
• Lost competitive edge
Ways to measure cost of breach
• Fixed
• Per Record (Variable)
• Add factors individually
• Estimate based on previous breach costs
Sources of Breaches
• datalossdb.org
• databreaches.net
• www.privacyrights.org
• www.idtheftcenter.org
• Google
DataLossDB
Information is Beautiful
Previous Research
• Ponemon
• Gold standard in data breach costs
• Brush Creek Partners – Cyber Liability Insurance
• Academic Sources
• Risk Centric Security (YouTube “Deconstructing Data Breach Cost”)
Previous Research – Ponemon
• Average cost of data breach $188/record (2013)
• Average cost of data breach $201/record (2014)
• Average number of records breached in US: 28,765 (2013)
• “The results show that a probability of a material data breach
involving a minimum of 10,000 records is more than 22 percent.”
• “India and Brazil have the highest estimated probability of
occurrence at 30 percent, while Germany has an approximate 2
percent rate of occurrence.”
Previous Research – Ponemon
• Total average cost per US breach: $5,403,644 (2013), $5.85 million (2014)
Previous Research – Ponemon
• Cost of data breach by size (2013)
Previous Research – Ponemon
• Cost of data breach by size (2014)
Previous Research – Ponemon
• Breakdown by industry
Previous Research – Ponemon
• Customer churn
Previous Research – Ponemon
• Cost of data breach per record – Causation or correlation?
• Adobe example
• Target example
Research – Brush Creek Partners
• Leverage Ponemon research
• Insurance cost is based on revenue and line of business
• Retail Inexpensive
• Healthcare & Financial - Expensive (fines)
• Encourage or require good security
• <10% of companies have cyber liability insurance
Previous Research – Risk Centric Security
• Lots of charts
• Direct Costs
• DSW Shoes – ~$4.64 – $6.79 per record
• TJX – $1.90 – $2.12 per record
• Heartland Payment Systems – $0.90 per record
• Sony – $1.17 per record
• Global Payments - $15.71 - $80 per record
• South Carolina DoR - $3 - $5 per record
Previous Research – Stock Prices
• Gatzlaff
• -0.84% 1 day after a breach
• Tomáš Klíma
• Data breaches impact stock prices
• Hovav
• Financial revenue most impact
• Vandal attacks have lower impact
• DoS almost no effect
• Cavusoglu
• 2.1% decrease in value in two days following the breach
• Morse
• Abnormal negative stock price returns
• SecurityNinja
Delayed Impact - Target
• Breach rumors Dec 18
• Announcement Dec 19th
Efficient Market Hypothesis
• Stock prices reflect the information available
• We can use this to determine the effect of data breaches
• “maybe the market isn’t quite as efficient as you think” – Charlie Munger in
response to Efficient Market Hypothesis
Quantitative Trading
• "Trading strategies based on quantitative analysis which rely on mathematical computations and number crunching to identify trading opportunities." (Investopedia)
Quantitative Trading
Quantitative Trading Example
• Security that holds gold (GLD ETF)
• Track gold miners (GDX ETF)
Quantopian
Quantopian Example
Breach Trading Algorithm
• Tracks stock prices in relation to the date of their security breaches
Be warned
30-Day After Breach Transactions
DATE        SECURITY  TRANSACTION  # SHARES  PRICE    $ AMOUNT        CHANGE
2007-01-16  TJX       BUY              6688  $14.84    $99,216.48
2007-02-19  TJX       SELL            -6688  $14.29   ($95,538.08)    -3.7%
2009-01-19  HPY       BUY              6464  $14.22    $91,918.08
2009-02-19  HPY       SELL            -6464   $7.80   ($50,419.20)   -45.1%
2011-03-16  EMC       BUY              3952  $25.59   $101,131.68
2011-04-18  EMC       SELL            -3952  $26.68  ($105,439.36)     4.3%
2011-04-25  SNE       BUY              3324  $29.80    $99,055.20
2011-05-26  SNE       SELL            -3324  $26.83   ($89,182.92)   -10.0%
2011-08-29  VDSI      BUY             13458   $7.03    $94,609.74
2011-09-29  VDSI      SELL           -13458   $5.07   ($68,218.60)   -27.9%
2013-10-02  ADBE      BUY              1940  $50.91    $98,765.40
2013-11-04  ADBE      SELL            -1940  $54.75  ($106,215.00)     7.5%
2013-12-18  TGT       BUY              1573  $62.17    $97,793.41
2014-01-21  TGT       SELL            -1573  $58.96   ($92,744.08)    -5.2%
30-Day Transactions List (SPY Indexed)
DATE        SECURITY  TRANSACTION  # SHARES  PRICE     $ AMOUNT
2007-01-16  TJX       BUY              6688   $14.84    $99,216.48
2007-01-16  SPY       SELL             -699  $142.97   ($99,936.03)
2007-02-19  TJX       SELL            -6688   $14.29   ($95,538.08)
2007-02-19  SPY       BUY               699  $146.13   $102,144.87
2009-01-19  SPY       SELL            -1176   $80.59   ($94,773.84)
2009-01-19  HPY       BUY              6464   $14.22    $91,918.08
2009-02-19  SPY       BUY              1176   $77.44    $91,069.44
2009-02-19  HPY       SELL            -6464    $7.80   ($50,419.20)
2011-03-16  EMC       BUY              3952   $25.59   $101,131.68
2011-03-16  SPY       SELL             -792  $127.77  ($101,193.84)
2011-04-18  EMC       SELL            -3952   $26.68  ($105,439.36)
2011-04-18  SPY       BUY               792  $131.32   $104,005.44
30-Day Algorithm (SPY Indexed)
30-Days After Breach – Stock Price
SECURITY                    CHANGE   S&P 500   BENCHMARKED RETURN
Adobe                        7.5%      5.1%       2.4%
EMC                          4.3%      2.7%       1.6%
Heartland Payment Systems  -45.1%     -4.1%     -41.1%
Lockheed Martin              2.7%     -3.0%       5.7%
Sony                       -10.0%     -1.0%      -9.0%
Target                      -5.2%      1.5%      -6.7%
TJX                         -3.7%      2.1%      -5.8%
Vasco Data Security        -27.9%     -7.0%     -20.9%
Average                     -9.67%               -9.22%
Median                      -4.44%               -6.26%
30-Days After Breach – Cost to Company
SECURITY                   BENCHMARK   MARKET CAP (B)   ADJUSTED COST (B)
Adobe                        2.4%         29.6             0.716
EMC                          1.6%         52.08            0.821
Heartland Payment Systems  -41.1%          1.45           -0.596
Lockheed Martin              5.7%         52.74            3.019
Sony                        -9.0%         18.14           -1.630
Target                      -6.7%         37.44           -2.503
TJX                         -5.8%         41.03           -2.393
Vasco Data Security        -20.9%          0.45           -0.094
Average                     -9.22%        29.12           -0.332
Median                      -6.26%        33.52           -0.344
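Added example (not from the talk): the 30-day method behind the two tables above, reproduced in Python for the TJX, HPY and EMC trades from the SPY-indexed list. Each pair is long the breached stock and short SPY on the breach date, unwound 30 days later; from the prices it derives CHANGE, the S&P 500 move, BENCHMARKED RETURN and ADJUSTED COST, taken as market cap × benchmarked return, which is what the cost-to-company figures imply. Prices, share counts and market caps are the slide values; unrounded arithmetic differs slightly from the slides' rounded percentages.

```python
from dataclasses import dataclass
from statistics import mean, median


@dataclass(frozen=True)
class PairedTrade:
    """One breach trade: long the stock, short SPY, both unwound 30 days later.
    Share counts and prices are copied from the slides' transaction list."""
    ticker: str
    shares: int
    buy: float         # stock price on the breach date (bought)
    sell: float        # stock price 30 days later (sold)
    spy_shares: int
    spy_sell: float    # SPY price on the breach date (shorted)
    spy_buy: float     # SPY price 30 days later (covered)


TRADES = [
    PairedTrade("TJX", 6688, 14.84, 14.29, 699, 142.97, 146.13),
    PairedTrade("HPY", 6464, 14.22, 7.80, 1176, 80.59, 77.44),
    PairedTrade("EMC", 3952, 25.59, 26.68, 792, 127.77, 131.32),
]
# Market capitalisation in $B, from the cost-to-company slide.
MARKET_CAP_B = {"TJX": 41.03, "HPY": 1.45, "EMC": 52.08}


def pct(new: float, old: float) -> float:
    """Fractional change from old to new (0.05 == +5%)."""
    return new / old - 1.0


def analyse(t: PairedTrade) -> dict:
    change = pct(t.sell, t.buy)                 # CHANGE column
    spy_change = pct(t.spy_buy, t.spy_sell)     # S&P 500 column
    benchmarked = change - spy_change           # BENCHMARKED RETURN column
    # Cash result of the hedged pair: stock leg plus the short-SPY leg.
    pnl = round(t.shares * (t.sell - t.buy)
                + t.spy_shares * (t.spy_sell - t.spy_buy), 2)
    return {"ticker": t.ticker, "change": change, "spy": spy_change,
            "benchmarked": benchmarked,
            # ADJUSTED COST (B): market value lost beyond the market's own move.
            "adjusted_cost_b": MARKET_CAP_B[t.ticker] * benchmarked,
            "pnl": pnl}


def summarise(trades=TRADES) -> dict:
    """Per-ticker rows plus the Average / Median of benchmarked return."""
    rows = {r["ticker"]: r for r in map(analyse, trades)}
    bench = [r["benchmarked"] for r in rows.values()]
    rows["_average"] = mean(bench)
    rows["_median"] = median(bench)
    return rows
```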
Results – Market Capitalization
                   1 Day    30 Days   90 Days   180 Days   365 Days
Algorithm         -44.4%    -70.1%    -44.0%    -62.1%     -58.3%
Average per stock  -5.5%    -8.76%     -5.5%    -7.76%     -7.28%
How to trade with this info
• Short sell a company immediately following a breach
• A data breach may be worth more to people who invest with that information
Tro LLC
How to make business decisions with this
• Need to understand factors
• If your company is publicly traded, the factors should roughly add up to the stock price
• Use this algorithm to generate data for companies similar to yours
How to make business decisions with this
• Threat model your organization
• What could go wrong?
• Examine data and estimate impact
Questions
• Slides: trustfoundry.net
• alex.lauerman@trustfoundry.net
• @alexlauerman
• 913.271.7789