Information Security Protection – Is It Worth It?

    Martin Lee CISSP CEng
    Senior Analyst

Information Security Protection.        1
EU Information Security Market

For the EU:
    15.5 billion EUR InfoSec market size
    20.8 million companies
    216.4 million workers

Sources:
The European Network and Information Security Market Scenario, Trends and Challenges. DG Information Society & Media.
Annual Report on EU Small and Medium sized Enterprises 2010/2011. DG Enterprise.
European Union Labour Force Survey – Annual Results 2010. Eurostat.


Which means -

Spent on information security in Europe:
    ~750 EUR per company per year
    ~70 EUR per worker per year

Is this too little or too much?
How would we know?




Why Spend Money on Information Security? - Compliance

Legal requirement
    Data Protection Directive (95/46/EC)
    e-Privacy Directive (2002/58/EC)
    Data Retention Directive (2006/24/EC)

Industry requirement
    Payment Card Industry – Data Security Standard

Customer requirement
    ISO 27002



Why Spend Money on Information Security? - Threat Protection

            Accidental            Malicious
Outsider    Receiving data        Malware
            Corrupting data       Denial of Service attacks
                                  Hacking
Insider     Deleting data         Stealing data
            Transmitting data     Destroying data
            Losing devices        Altering data

Think CIA – Confidentiality, Integrity, Availability of systems and data.

Risk Analysis

Threat source --conducts--> Threat action --exploits--> Vulnerability --causes--> Impact

Threat source         Threat action     Vulnerability              Impact
Hacking collective    Hacks             Unpatched server           Defaces website
Employee              Emails data       No address verification    Breach of data

Source: Risk Management Guide for Information Technology Systems. NIST SP 800-30


Role of Information Security

Threat source     Educate / deter
Threat action     Detect / neutralise
Vulnerability     Remove / mitigate
Impact            Reduce



Information Security Benefit

Threat source     How much does protection cost?
Threat action     How effective at neutralising the threat?
                  How likely to occur is the threat?
Vulnerability
Impact            Monetary loss due to harm?



What is malware?

Viruses – self-replicating code.
Worms – replicate over the network by exploiting vulnerabilities.
Trojan – malicious code that does not replicate (may appear non-malicious).
Rootkit – executable code hidden from the operating system.
Spyware –
FakeAV –

Malware – code that is detrimental to the interests of the person running it.




So What?




Will You Get Infected?

14% believe they will never be infected by a virus.
29% believe it is very unlikely that they will be infected.

[Pie chart: how likely respondents think it is that they will be infected by a virus. Categories: Extremely Likely, Very Likely, Neutral, Not Very Likely (29%), Not at All Likely (14%); the remaining three segments are 37%, 12% and 8%.]

Source: “A Look at Consumers' Awareness of Email Security and Practices”, July 2009, pub. MAAWG
http://www.maawg.org/about/publishedDocuments/2009_MAAWG-Consumer_Survey-Part2.pdf
I Got a Virus!

Teenage daughter downloaded a virus to my home computer.
    2 days of my free time to remove it: ~8 hours.
    1 week internet ban for daughter.

Implications for business:
    Time to restore computer: ~2 hours => £100
    Further consequences?




Spamming

IP blacklisting – you can’t send legitimate mail.

Spam content – a law firm sending out porn.

Consequent loss of reputation.

Financial loss?




Spamming

How much did this cost the reputation of the individual involved?

Source: http://news.bbc.co.uk/1/hi/7908498.stm


How Much Might it Cost?

Ponemon Cost of a Data Breach Survey:
    UK - $3.1 million total cost average per breach.
    US - $7.2 million total cost average per breach.

Information Security Breaches Survey:
    Large companies averaged 45 incidents / yr,
    Small companies 14 incidents / yr.

Cost of worst incident:
    Small companies £27 500 - £55 000
    Large companies £280 000 - £690 000

Sources: “2010 Annual Study: Global Cost of a Data Breach”, Ponemon Institute,
http://www.symantec.com/content/en/us/about/media/pdfs/symantec_cost_of_data_breach_global_2010.pdf
“Information Security Breaches Survey 2010”, Infosecurity Europe. http://www.infosec.co.uk/files/isbs_2010_technical_report_single_pages.pdf


Cost Framework

Incident Cost Analysis and Modeling Project II (I-CAMP II):
    Time spent cleaning up the incident, restoring systems.
    Lost productivity due to downtime.

18 U.S. Code § 1030, Fraud and related activity in connection with computers:
    the term “loss” means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service


Costs Example

City Council - Conficker

Large incident, local government.

    £600 000 IT consultancy costs.
    £600 000 other direct IT costs.
    £178 000 staff overtime costs.

    £43 000 in cancelled traffic fines.
    £169 000 to clear backlog of benefit claims and unpaid tax.

    Total ~ £1.5 million

Sources: “Bus lane fines axed over bug”, 2009, Manchester Evening News, http://www.manchestereveningnews.co.uk/news/s/1121846_bus_lane_fines_axed_over_bug
“Manchester City Council Report for Resolution”, 2009, http://www.manchester.gov.uk/egov_downloads/Item_11.pdf
Expanded Framework

Items to consider:
    Repair cost
    Lost productivity
    Revenue loss

    Cost of data loss
    Cost of confidentiality breach
    Cost of reputation

Source: “Damages From Internet Security Incidents. A framework and toolkit for assessing the economic costs of security breaches”, Feb 2009, pub. Delft University of Technology. http://www.opta.nl/nl/download/publicatie/?id=3083
Data Loss Costs

How much did this cost?
How would we calculate it?
How much would prevention have cost?

Source: http://www.bbc.co.uk/news/technology-13256817

Market Costs

1% - 2% loss of market capitalisation following data breaches.

Payment System Breach
    Drop in market cap    $572.27 million
    Other costs           $140 million

Sources: “Estimating the market impact of security breach announcements on firm values”, Goel, S., Shawky, H.A., Information & Management v.46 p.404 (2009). http://dx.doi.org/10.1016/j.im.2009.06.005

Monetary Penalties

How could this have been prevented?

How much would prevention have cost?

Source: Information Commissioner’s Office, News Release 28/11/2011
http://www.ico.gov.uk/news/latest_news/2011/monetary-penalties-served-to-councils-for-serious-email-errors-28112011.aspx

What It Means For You?



Model Your Exposure

Minor incidents.
    ~£100 – check logs – many times per day.

Major incidents.
    Cost depends on your business – once / year.

Severe incidents.
    Compromised data / financial systems – less than once / year.
    High cost.




Justification – Annual Loss Expectancy.

Risk X --leads to--> Consequence Y --associated with--> Cost Z

We expect this n times per year.
Annual loss expectancy = n x Z

Mitigation costs a per year.
Will reduce the probability of Y by b.




Council Example

Cost = £80 000 fine + ~£80 000 other costs
     = £160 000

DLP  = £10 000
       If an email is marked ‘confidential’ and sent to an external address, route it to an admin for review.
       95% success rate.
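The DLP rule on this slide, as an added example in Python (not code from the slides, the council or Symantec): a message is held for administrator review only when it is marked confidential and at least one recipient lies outside the organisation's own domains. The internal domain `council.example`, the confidentiality markers and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Placeholder for the organisation's own mail domains (assumption, not a real council domain).
INTERNAL_DOMAINS = {"council.example"}

# Two ways a sender may mark a message confidential: a subject tag, or the Sensitivity
# header that Outlook-style clients set (its "Company-Confidential" and "Private" values).
SUBJECT_TAG = "[confidential]"
CONFIDENTIAL_SENSITIVITY = {"company-confidential", "private"}


def recipient_addresses(msg):
    """Every bare address in To, Cc and Bcc, lower-cased, display names stripped."""
    raw_headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _name, addr in getaddresses(raw_headers) if addr]


def is_external(address):
    """True when the address is not in one of our domains; a malformed address counts as external."""
    if address.count("@") != 1:
        return True
    return address.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def is_marked_confidential(msg):
    subject = (msg.get("Subject") or "").lower()
    sensitivity = (msg.get("Sensitivity") or "").strip().lower()
    return SUBJECT_TAG in subject or sensitivity in CONFIDENTIAL_SENSITIVITY


def route(raw_message):
    """Return ("review", external_recipients) when the message must be held for an
    administrator, otherwise ("deliver", [])."""
    msg = message_from_string(raw_message)
    if not is_marked_confidential(msg):
        return ("deliver", [])
    external = [a for a in recipient_addresses(msg) if is_external(a)]
    return ("review", external) if external else ("deliver", [])


# Constructed sample messages (not real mail).
SAMPLES = {
    "confidential_internal_only": (
        "From: clerk@council.example\r\n"
        "To: Benefits Team <benefits@council.example>\r\n"
        "Subject: [CONFIDENTIAL] Claimant list\r\n\r\n"
        "Attached.\r\n"),
    "confidential_cc_external": (
        "From: clerk@council.example\r\n"
        "To: benefits@council.example\r\n"
        "Cc: Bob <bob@mail.example.com>, audit@council.example\r\n"
        "Subject: Re: [CONFIDENTIAL] Claimant list\r\n\r\n"
        "Attached.\r\n"),
    "unmarked_external": (
        "From: clerk@council.example\r\n"
        "To: press@news.example.org\r\n"
        "Subject: Bus lane consultation\r\n\r\n"
        "See website.\r\n"),
    "sensitivity_header_external": (
        "From: clerk@council.example\r\n"
        "To: partner@agency.example.net\r\n"
        "Sensitivity: Company-Confidential\r\n"
        "Subject: Tax arrears report\r\n\r\n"
        "Attached.\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        decision, held_for = route(raw)
        print(f"{name:30s} -> {decision} {held_for}")
```

Only the confidential message with an outside recipient is held; an unmarked message to the press goes straight through, which is exactly the gap this rule does not cover.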




Council Example

Saving = (0.95 x 160 000) – 10 000 = £142 000

Expected frequency of the risk is 1 in 5 years.
ALE = (0.95 x 160 000) / 5 = 30 400

We can spend £30 000 per year on this problem and still save money!
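The arithmetic of the last three slides (the n, Z, a, b model of slide 24, the council figures of slides 25 and 26) and the exposure tiers of slide 23, as an added Python example that is not part of the deck. The council numbers are the slides' own; the incident frequencies and costs for the three exposure tiers are constructed placeholders, since the slide gives them only as "many times per day", "once / year" and "less than once / year".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of the exposure model. Symbols follow slide 24."""
    name: str
    n: float          # expected incidents per year
    z: float          # cost Z of one incident, in GBP
    a: float = 0.0    # annual cost of the proposed mitigation
    b: float = 0.0    # fraction of incidents the mitigation stops (0 = none, 1 = all)

    def ale(self) -> float:
        """Annual loss expectancy with no mitigation: n x Z."""
        return self.n * self.z

    def avoided_loss(self) -> float:
        """Expected loss prevented each year: n x Z x b (the slide's 30 400)."""
        return self.ale() * self.b

    def residual_ale(self) -> float:
        """What still leaks through after the mitigation."""
        return self.ale() - self.avoided_loss()

    def net_benefit(self) -> float:
        """Avoided loss minus what the mitigation costs; positive means it pays for itself."""
        return self.avoided_loss() - self.a

    def max_justifiable_spend(self) -> float:
        """Largest annual mitigation budget that keeps the net benefit non-negative."""
        return self.avoided_loss()

    def per_incident_saving(self) -> float:
        """The slide's one-off figure, b x Z - a, which ignores how often Y happens."""
        return self.b * self.z - self.a


# The council example exactly as the slides give it: £160 000 per incident, once in
# five years, a £10 000 DLP control that stops 95% of incidents.
COUNCIL = Risk("confidential email to external address",
               n=1 / 5, z=160_000, a=10_000, b=0.95)

# Slide 23's three tiers; frequencies and the major/severe costs are constructed.
EXPOSURE = [
    Risk("minor: check logs", n=5 * 365, z=100),
    Risk("major", n=1, z=40_000),
    Risk("severe: compromised financial systems", n=1 / 10, z=1_000_000),
]


def portfolio_ale(risks) -> float:
    """Total expected annual loss across every modelled risk."""
    return sum(r.ale() for r in risks)


def worth_it(risk: Risk) -> bool:
    """The slide's question, answered on an annual basis."""
    return risk.net_benefit() >= 0


if __name__ == "__main__":
    print(f"ALE without DLP:        £{COUNCIL.ale():,.0f}")
    print(f"avoided loss per year:  £{COUNCIL.avoided_loss():,.0f}")
    print(f"net benefit per year:   £{COUNCIL.net_benefit():,.0f}")
    print(f"max justifiable spend:  £{COUNCIL.max_justifiable_spend():,.0f}")
    for r in EXPOSURE:
        print(f"{r.name:42s} ALE £{r.ale():,.0f}")
    print(f"portfolio ALE:          £{portfolio_ale(EXPOSURE):,.0f}")
```

With the constructed tier numbers the "minor" line dominates the portfolio ALE, which is the usual surprise when many cheap incidents are finally counted.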




Examples



Protect Yourself



Know Your Assets, Know Attack Vectors




Layers of Protection Provide Maximum Detection




Conclusion

 Know what it is that you are protecting.

 Know the types and frequency of attacks.

 Model your exposure.

 Choose & justify appropriate protection.




Thank you!

    Martin Lee
    martin_lee@symantec.com
    +44 7775 823 278

    Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
    the U.S. and other countries. Other names may be trademarks of their respective owners.

    This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or
    implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.



Weitere ähnliche Inhalte

Was ist angesagt?

Spam and Phishing Report - Marzo 2010
Spam and Phishing Report - Marzo 2010Spam and Phishing Report - Marzo 2010
Spam and Phishing Report - Marzo 2010Symantec Italia
 
Empowering the business while efficiently mitigating risks - Eva Chen (Trend ...
Empowering the business while efficiently mitigating risks - Eva Chen (Trend ...Empowering the business while efficiently mitigating risks - Eva Chen (Trend ...
Empowering the business while efficiently mitigating risks - Eva Chen (Trend ...Minh Le
 
Enhancing Cybersecurity Readiness Through International Cooperation
Enhancing Cybersecurity Readiness Through International CooperationEnhancing Cybersecurity Readiness Through International Cooperation
Enhancing Cybersecurity Readiness Through International CooperationPositive Hack Days
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Kim Jensen
 
Trend keamanan komputer 2012
Trend keamanan komputer 2012Trend keamanan komputer 2012
Trend keamanan komputer 2012Ayu Anita
 
2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecuritySvetlana Belyaeva
 
Think like a hacker for better security awareness
Think like a hacker for better security awarenessThink like a hacker for better security awareness
Think like a hacker for better security awarenessCOMSATS
 
READ - Risk Exposure Awareness and Deflection - creating an organization-wide...
READ - Risk Exposure Awareness and Deflection - creating an organization-wide...READ - Risk Exposure Awareness and Deflection - creating an organization-wide...
READ - Risk Exposure Awareness and Deflection - creating an organization-wide...Global Risk Forum GRFDavos
 
The state of privacy and data security compliance
The state of privacy and data security complianceThe state of privacy and data security compliance
The state of privacy and data security complianceFindWhitePapers
 
Evolving Threat Landscape Web Spam Bot
Evolving Threat Landscape Web Spam BotEvolving Threat Landscape Web Spam Bot
Evolving Threat Landscape Web Spam BotSymantec
 
Buyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsBuyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsFindWhitePapers
 
Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priorityzohaibqadir
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksIBM
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 servicesCade Zvavanjanja
 
Top Security Trends for 2013
Top Security Trends for 2013Top Security Trends for 2013
Top Security Trends for 2013Imperva
 

Was ist angesagt? (20)

Spam and Phishing Report - Marzo 2010
Spam and Phishing Report - Marzo 2010Spam and Phishing Report - Marzo 2010
Spam and Phishing Report - Marzo 2010
 
Empowering the business while efficiently mitigating risks - Eva Chen (Trend ...
Empowering the business while efficiently mitigating risks - Eva Chen (Trend ...Empowering the business while efficiently mitigating risks - Eva Chen (Trend ...
Empowering the business while efficiently mitigating risks - Eva Chen (Trend ...
 
Enhancing Cybersecurity Readiness Through International Cooperation
Enhancing Cybersecurity Readiness Through International CooperationEnhancing Cybersecurity Readiness Through International Cooperation
Enhancing Cybersecurity Readiness Through International Cooperation
 
Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009Scansafe Annual Global Threat Report 2009
Scansafe Annual Global Threat Report 2009
 
Trend keamanan komputer 2012
Trend keamanan komputer 2012Trend keamanan komputer 2012
Trend keamanan komputer 2012
 
Mobile Application Security
Mobile Application Security Mobile Application Security
Mobile Application Security
 
2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity2 21677 splunk_big_data_futureofsecurity
2 21677 splunk_big_data_futureofsecurity
 
Think like a hacker for better security awareness
Think like a hacker for better security awarenessThink like a hacker for better security awareness
Think like a hacker for better security awareness
 
READ - Risk Exposure Awareness and Deflection - creating an organization-wide...
READ - Risk Exposure Awareness and Deflection - creating an organization-wide...READ - Risk Exposure Awareness and Deflection - creating an organization-wide...
READ - Risk Exposure Awareness and Deflection - creating an organization-wide...
 
The state of privacy and data security compliance
The state of privacy and data security complianceThe state of privacy and data security compliance
The state of privacy and data security compliance
 
Evolving Threat Landscape Web Spam Bot
Evolving Threat Landscape Web Spam BotEvolving Threat Landscape Web Spam Bot
Evolving Threat Landscape Web Spam Bot
 
Buyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection PlatformsBuyers Guide to Endpoint Protection Platforms
Buyers Guide to Endpoint Protection Platforms
 
Infromation Security as an Institutional Priority
Infromation Security as an Institutional PriorityInfromation Security as an Institutional Priority
Infromation Security as an Institutional Priority
 
Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?Targeted Attacks: Have you found yours?
Targeted Attacks: Have you found yours?
 
Responding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacksResponding to and recovering from sophisticated security attacks
Responding to and recovering from sophisticated security attacks
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
 
Gainful Information Security 2012 services
Gainful Information Security 2012 servicesGainful Information Security 2012 services
Gainful Information Security 2012 services
 
The software-security-risk-report
The software-security-risk-reportThe software-security-risk-report
The software-security-risk-report
 
Honeypots
HoneypotsHoneypots
Honeypots
 
Top Security Trends for 2013
Top Security Trends for 2013Top Security Trends for 2013
Top Security Trends for 2013
 

Ähnlich wie Is Information Security Protection Worth the Cost

Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze DataExchangeAgency
 
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009Scott Wright
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsInvincea, Inc.
 
Module0&1 intro-foundations-b
Module0&1 intro-foundations-bModule0&1 intro-foundations-b
Module0&1 intro-foundations-bBbAOC
 
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...North Texas Chapter of the ISSA
 
Getting users to care about security
Getting users to care about securityGetting users to care about security
Getting users to care about securityAlison Gianotto
 
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...JoAnna Cheshire
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementProlifics
 
Security Threats for SMBs
Security Threats for SMBsSecurity Threats for SMBs
Security Threats for SMBsGFI Software
 
Cybersecurity Myths for Small and Medium-Sized Businesses
Cybersecurity Myths for Small and Medium-Sized BusinessesCybersecurity Myths for Small and Medium-Sized Businesses
Cybersecurity Myths for Small and Medium-Sized BusinessesSeqrite
 
SMBs: The Threat Ahead
SMBs: The Threat AheadSMBs: The Threat Ahead
SMBs: The Threat Aheadmartin_lee1969
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target Raleigh ISSA
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSantiago Cavanna
 
Cyber security do your part be the resistance
Cyber security do your part be the resistanceCyber security do your part be the resistance
Cyber security do your part be the resistancePaul-Charife Allen
 
Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisIJERD Editor
 

Ähnlich wie Is Information Security Protection Worth the Cost (20)

Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber WebinarHalvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
 
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze FROM STRATEGY TO ACTION - Vasil Tsvimitidze
FROM STRATEGY TO ACTION - Vasil Tsvimitidze
 
HoneyPots.pptx
HoneyPots.pptxHoneyPots.pptx
HoneyPots.pptx
 
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
Social Networking Security For OCRI - Scott Wright - Condensed July 9, 2009
 
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by DownloadsStop Watering Holes, Spear-Phishing and Drive-by Downloads
Stop Watering Holes, Spear-Phishing and Drive-by Downloads
 
Module0&1 intro-foundations-b
Module0&1 intro-foundations-bModule0&1 intro-foundations-b
Module0&1 intro-foundations-b
 
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
 
Getting users to care about security
Getting users to care about securityGetting users to care about security
Getting users to care about security
 
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
 
Perimeter Security is Failing
Perimeter Security is FailingPerimeter Security is Failing
Perimeter Security is Failing
 
Identity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access ManagementIdentity intelligence: Threat-aware Identity and Access Management
Identity intelligence: Threat-aware Identity and Access Management
 
Security Threats for SMBs
Security Threats for SMBsSecurity Threats for SMBs
Security Threats for SMBs
 
Cybersecurity Myths for Small and Medium-Sized Businesses
Cybersecurity Myths for Small and Medium-Sized BusinessesCybersecurity Myths for Small and Medium-Sized Businesses
Cybersecurity Myths for Small and Medium-Sized Businesses
 
SMBs: The Threat Ahead
SMBs: The Threat AheadSMBs: The Threat Ahead
SMBs: The Threat Ahead
 
Network security
Network securityNetwork security
Network security
 
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target 2010-05 Real Business, Real Threats!  Don't be an Unsuspecting Target
2010-05 Real Business, Real Threats! Don't be an Unsuspecting Target
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago Cavanna
 
Cyber security do your part be the resistance
Cyber security do your part be the resistanceCyber security do your part be the resistance
Cyber security do your part be the resistance
 
Data Security in Healthcare
Data Security in HealthcareData Security in Healthcare
Data Security in Healthcare
 
Data Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network AnalysisData Leak Protection Using Text Mining and Social Network Analysis
Data Leak Protection Using Text Mining and Social Network Analysis
 

Is Information Security Protection Worth the Cost

  • 1. Information Security Protection – Is It Worth it? Martin Lee CISSP CEng Senior Analyst Information Security Protection. 1
  • 2. EU Information Security Market For the EU: 15.5 Bil. EUR InfoSec Market size 20.8 million companies 216.4 million workers Sources: The European Network and Information Security Market Scenario, Trends and Challenges. DG Information Society & Media. Annual Report on EU Small and Medium sized Enterprises 2010/2011. DG Enterprise. European Union Labour Force Survey – Annul Results 2010. Eurostat. Information Security Protection. 2
  • 3. Which means - Spent on Information Security in Europe: ~750 EUR per company per year ~70 EUR per worker per year Is this too little or too much? How would we know? Information Security Protection. 3
  • 4. Why Spend Money on Information Security? - Compliance Legal requirement Data Protection Directive (95/46/EC) e-Privacy Directive (2002/58/EC) Data Retention Directive (2006/24/EC) Industry requirement Payment Card Industry – Data Security Standard Customer requirement ISO 27002 Information Security Protection. 4
  • 5. Why Spend Money on Information Security? - Threat Protection Accidental Malicious Malware Receiving data Outsider Denial of Service Attacks Corrupting data Hacking Deleting data Stealing data Insider Transmitting data Destroying data Losing devices Altering data Think CIA – Confidentiality, Integrity, Availability of systems and data. Information Security Protection. 5
  • 6. Risk Analysis Conducts Exploits Causes Threat Threat Vulnerability Impact source action Hacking collective Hacks Unpatched server Defaces website Employee Emails data No address verification Breach of data Source: Risk Management Guide for Information Technology Systems. NIST SP 800-30 Information Security Protection. 6
  • 7. Role of Information Security Threat Educate / deter source Threat Detect / neutralise action Vulnerability Remove / mitigate Impact Reduce Information Security Protection. 7
  • 8. Information Security Benefit Threat How much does protection cost? source Threat action How effective at neutralising the threat? How likely to occur is the threat? Vulnerability Impact Monetary loss due to harm? Information Security Protection. 8
  • 9. What is malware? Viruses – self replicating code. Worms – replicates over network by exploiting vulnerabilities. Trojan – malicious code that does not replicate (may appear non-malicious) Rootkit – executable code hidden from the operating system Spyware – FakeAV – Malware – code that is detrimental to the interests of the person running it. Information Security Protection. 9
  • 10. So What? So What? Information Security Protection. 10
• 11. Will You Get Infected?
    14% believe they will never be infected by a virus.
    29% believe it is very unlikely that they will be infected.
    [Pie chart; categories: Extremely Likely, Very Likely, Neutral, Not Very Likely, Not at All Likely. The remaining slices shown were 37%, 12% and 8%.]
    Source: "A Look at Consumers' Awareness of Email Security and Practices", July 2009, pub. MAAWG, http://www.maawg.org/about/publishedDocuments/2009_MAAWG-Consumer_Survey-Part2.pdf
• 12. I Got a Virus!
    Teenage daughter downloaded virus to my home computer.
    2 days of my free time to remove it. ~ 8 hours.
    1 week internet ban for daughter.
    Implications for business:
    Time to restore computer. ~2 hours => £ 100
    Further consequences?
• 13. Spamming
    IP blacklisting – you can't send legitimate mail.
    Spam content – law firm sending out porn.
    Consequent loss of reputation.
    Financial loss?
• 14. Spamming
    How much did this cost the reputation of the individual involved?
    Source: http://news.bbc.co.uk/1/hi/7908498.stm
• 15. How Much Might it Cost?
    Ponemon Cost of a Data Breach Survey:
        UK – $3.1 million average total cost per breach.
        US – $7.2 million average total cost per breach.
    Information Security Breaches Survey:
        Large companies averaged 45 incidents / yr, small companies 14 incidents / yr.
        Cost of worst incident: small companies £27 500 – £55 000; large companies £280 000 – £690 000.
    Sources: "2010 Annual Study: Global Cost of a Data Breach", Ponemon Institute, http://www.symantec.com/content/en/us/about/media/pdfs/symantec_cost_of_data_breach_global_2010.pdf
    "Information Security Breaches Survey 2010", Infosecurity Europe, http://www.infosec.co.uk/files/isbs_2010_technical_report_single_pages.pdf
• 16. Cost Framework
    Incident Cost Analysis and Modeling Project II (I-CAMP II): time spent cleaning up the incident and restoring systems; lost productivity due to down time.
    18 U.S. Code § 1030(e)(11), Fraud and related activity in connection with computers: the term "loss" means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.
• 17. Costs Example: City Council – Conficker
    Large incident, local government.
    £600 000 IT consultancy costs
    £600 000 other direct IT costs
    £178 000 staff overtime costs
    £43 000 in cancelled traffic fines
    £169 000 to clear backlog of benefit claims and unpaid tax
    Total ~ £1.5 million (the items listed sum to £1.59 million)
    Sources: "Bus lane fines axed over bug", 2009, Manchester Evening News, http://www.manchestereveningnews.co.uk/news/s/1121846_bus_lane_fines_axed_over_bug
    "Manchester City Council Report for Resolution", 2009, http://www.manchester.gov.uk/egov_downloads/Item_11.pdf
• 18. Expanded Framework
    Items to consider: repair cost, lost productivity, revenue loss, cost of data loss, cost of confidentiality breach, cost of reputation.
    Source: "Damages From Internet Security Incidents. A framework and toolkit for assessing the economic costs of security breaches", Feb 2009, pub. Delft University of Technology, http://www.opta.nl/nl/download/publicatie/?id=3083
• 19. Data Loss Costs
    How much did this cost? How would we calculate it? How much would prevention have cost?
    Source: http://www.bbc.co.uk/news/technology-13256817
• 20. Market Costs
    1% – 2% loss of market capitalisation following data breaches.
    Payment system breach: drop in market cap $572.27 million; other costs $140 million.
    Source: "Estimating the market impact of security breach announcements on firm values", Goel, S., Shawky, H.A., Information & Management v.46 p.404 (2009), http://dx.doi.org/10.1016/j.im.2009.06.005
• 21. Monetary Penalties
    How could this have been prevented? How much would prevention have cost?
    Source: Information Commissioner's Office, News Release 28/11/2011, http://www.ico.gov.uk/news/latest_news/2011/monetary-penalties-served-to-councils-for-serious-email-errors-28112011.aspx
• 22. What It Means For You
• 23. Model Your Exposure
    Minor incidents: ~ £100 each (e.g. checking logs), many times per day.
    Major incidents: cost depends on your business, about once a year.
    Severe incidents: compromised data / financial systems, less than once a year, high cost.
• 24. Justification – Annual Loss Expectancy
    Risk X leads to Consequence Y, which is associated with Cost Z.
    We expect this n times per year.
    Annual loss expectancy = n × Z
    Mitigation costs a per year and will reduce the probability of Y by b,
    so the residual annual loss expectancy is (1 − b) × n × Z, and the mitigation pays for itself as long as a < b × n × Z.
• 25. Council Example
    Cost = £80 000 fine + ~£80 000 other costs = £160 000 per incident.
    DLP = £10 000 per year: if an email is marked 'confidential' and sent to an external address, route it to an administrator for review. 95% success rate.
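The routing rule on this slide, written out as an added example (not the council's, Symantec's or any product's code) so the decision it makes is explicit. It assumes the organisation's own mail domain is `council.example`, that the confidentiality marking appears in the Subject line or in the Sensitivity header that Outlook sets to "Company-Confidential", and uses constructed sample messages; all of those are assumptions, not details from the talk.

```python
"""Outbound-mail check from the 'Council Example' slide: a message marked
confidential that is addressed outside the organisation is held for an
administrator to review instead of being sent.  Added example with assumed
conventions; not the council's, Symantec's or any product's code."""

from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import List, Tuple

# Assumption: these are the organisation's own mail domains.
INTERNAL_DOMAINS = frozenset({"council.example"})
# Assumption: confidentiality is marked in the Subject line (as the slide says)
# or in the Sensitivity header, which Outlook sets to "Company-Confidential".
CONFIDENTIAL_MARKER = "confidential"


def external_recipients(msg: Message, internal_domains=INTERNAL_DOMAINS) -> List[str]:
    """Addresses in To/Cc/Bcc that are not in one of our domains.

    Empty parse results are dropped; any other address that is not in an
    internal domain (including one with no '@' at all) counts as external,
    so an odd-looking recipient is held rather than waved through."""
    raw = []
    for header in ("To", "Cc", "Bcc"):
        raw.extend(msg.get_all(header, []))
    external = []
    for _display_name, addr in getaddresses(raw):
        addr = addr.strip().lower()
        if not addr:
            continue
        domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
        if domain not in internal_domains:
            external.append(addr)
    return external


def is_marked_confidential(msg: Message) -> bool:
    """True if the Subject or the Sensitivity header carries the marker."""
    subject = (msg.get("Subject") or "").lower()
    sensitivity = (msg.get("Sensitivity") or "").lower()
    return CONFIDENTIAL_MARKER in subject or CONFIDENTIAL_MARKER in sensitivity


def route(raw_message: str) -> Tuple[str, List[str]]:
    """Return ('hold', external addresses) or ('send', external addresses)."""
    msg = message_from_string(raw_message)
    external = external_recipients(msg)
    if is_marked_confidential(msg) and external:
        return "hold", external
    return "send", external


# Constructed sample messages (not real council mail).
MSG_INTERNAL = (
    "From: a.clerk@council.example\n"
    "To: b.manager@council.example\n"
    "Subject: CONFIDENTIAL: benefit claim 12345\n\n"
    "Details attached.\n"
)
MSG_EXTERNAL_CONFIDENTIAL = (
    "From: a.clerk@council.example\n"
    "To: Case Worker <c.worker@council.example>, someone@isp.example\n"
    "Subject: Confidential - care plan\n\n"
    "Details attached.\n"
)
MSG_EXTERNAL_PLAIN = (
    "From: a.clerk@council.example\n"
    "To: resident@isp.example\n"
    "Subject: Car park opening hours\n\n"
    "Open 7am to 10pm.\n"
)
MSG_BCC_SENSITIVITY = (
    "From: a.clerk@council.example\n"
    "To: b.manager@council.example\n"
    "Bcc: old.contact@isp.example\n"
    "Sensitivity: Company-Confidential\n"
    "Subject: Care plan\n\n"
    "Details attached.\n"
)

if __name__ == "__main__":
    for label, sample in [("internal, marked", MSG_INTERNAL),
                          ("external, marked", MSG_EXTERNAL_CONFIDENTIAL),
                          ("external, unmarked", MSG_EXTERNAL_PLAIN),
                          ("bcc external, sensitivity header", MSG_BCC_SENSITIVITY)]:
        print(f"{label:34s} -> {route(sample)}")
```

The slide's 95% figure is the honest part of this control: the rule only sees messages the sender actually marked, so the unmarked care plan sent to a personal address sails through, and the check has to run on the submission server where the Bcc header is still present, not on a downstream relay that has already stripped it.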
• 26. Council Example
    Saving if the incident happens this year = (0.95 × 160 000) − 10 000 = £142 000
    Expectancy of the risk is 1 in 5 years, so the unmitigated annual loss expectancy is 160 000 / 5 = £32 000
    Annual loss avoided by the DLP control = (0.95 × 160 000) / 5 = £30 400
    We can spend up to £30 000 per year on this problem and still save money!
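The arithmetic of slides 24 to 26, and the incident tiers of slide 23, carried through in code as an added worked example; this is not code from the talk. The council figures (£160 000 per incident, once in five years, £10 000 per year for a control that stops 95% of incidents) are the slide's own; the minor/major/severe exposure list at the bottom uses assumed counts and costs, and every function and name here is an illustration rather than anything the presentation defines.

```python
"""Annual loss expectancy (ALE) with a mitigation, as on the 'Justification'
and 'Council Example' slides.  Added worked example; it is not code from the
original presentation.  The council figures are the slide's own; the three
exposure tiers at the bottom use assumed numbers."""

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Scenario:
    """Risk X leads to consequence Y, costing Z, expected n times per year."""
    name: str
    cost_per_incident: float    # Z, in GBP
    incidents_per_year: float   # n; 1 / 5 means once every five years


@dataclass(frozen=True)
class Mitigation:
    """A control that costs a per year and stops fraction b of the incidents."""
    name: str
    annual_cost: float     # a, in GBP
    effectiveness: float   # b, between 0 and 1

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must lie between 0 and 1")


def annual_loss_expectancy(s: Scenario) -> float:
    """ALE = n x Z: expected loss per year with no control in place."""
    return s.incidents_per_year * s.cost_per_incident


def residual_ale(s: Scenario, m: Mitigation) -> float:
    """Expected loss per year once the control stops fraction b of incidents."""
    return (1.0 - m.effectiveness) * annual_loss_expectancy(s)


def annual_loss_avoided(s: Scenario, m: Mitigation) -> float:
    """b x n x Z: the slide's (0.95 x 160 000) / 5 = 30 400."""
    return annual_loss_expectancy(s) - residual_ale(s, m)


def net_annual_saving(s: Scenario, m: Mitigation) -> float:
    """Loss avoided per year minus the control's running cost."""
    return annual_loss_avoided(s, m) - m.annual_cost


def break_even_spend(s: Scenario, m: Mitigation) -> float:
    """Most you can spend per year on this control and still come out ahead."""
    return annual_loss_avoided(s, m)


def saving_if_incident_this_year(s: Scenario, m: Mitigation) -> float:
    """The slide's per-incident view: (0.95 x 160 000) - 10 000 = 142 000."""
    return m.effectiveness * s.cost_per_incident - m.annual_cost


def total_ale(scenarios: Iterable[Scenario]) -> float:
    """Sum of ALEs: the 'Model Your Exposure' tiers added together."""
    return sum(annual_loss_expectancy(s) for s in scenarios)


# Figures from the 'Council Example' slides.
COUNCIL = Scenario("confidential email sent to the wrong address", 160_000, 1 / 5)
DLP = Mitigation("hold confidential mail to external addresses for review", 10_000, 0.95)

# Assumed exposure model in the shape of the 'Model Your Exposure' slide.
# The counts and costs below are illustrative assumptions, not the talk's data.
EXPOSURE = [
    Scenario("minor: log checks and clean-ups", 100, 4 * 250),   # four per working day
    Scenario("major: a machine or service compromised", 50_000, 1),
    Scenario("severe: data or financial systems compromised", 500_000, 1 / 10),
]

if __name__ == "__main__":
    print(f"Unmitigated ALE:        £{annual_loss_expectancy(COUNCIL):,.0f}")
    print(f"Loss avoided by DLP:    £{annual_loss_avoided(COUNCIL, DLP):,.0f}")
    print(f"Net saving per year:    £{net_annual_saving(COUNCIL, DLP):,.0f}")
    print(f"Break-even spend:       £{break_even_spend(COUNCIL, DLP):,.0f}")
    print(f"Assumed total exposure: £{total_ale(EXPOSURE):,.0f} per year")
```

Two things the split into functions makes visible that the slide's one-line sums do not: the £142 000 figure is a per-incident saving, while the £30 400 is the annual figure you should compare against an annual control cost, and the minor tier can dominate total exposure once "many times per day" is multiplied out, which is the point of modelling it rather than only the headline breaches.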
• 29. Know Your Assets, Know Attack Vectors
• 30. Layers of Protection Provide Maximum Detection
• 31. Conclusion
    Know what it is that you are protecting.
    Know the types and frequency of attacks.
    Model your exposure.
    Choose and justify appropriate protection.
• 32. Thank you!
    Martin Lee, martin_lee@symantec.com, +44 7775 823 278
    Copyright © 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Editor's notes

2. Sources: "The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers", Cavusoglu, H., Mishra, B.K., and Raghunathan, S., International Journal of Electronic Commerce, v.8 p.4 (2004), http://portal.acm.org/citation.cfm?id=1278168.1278173&coll=GUIDE&dl=GUIDE; "Estimating the market impact of security breach announcements on firm values", Goel, S., Shawky, H.A., Information & Management v.46 p.404 (2009), http://dx.doi.org/10.1016/j.im.2009.06.005