10. IT (security) budgeting process
Expectations
1. Conduct a risk assessment
2. Quantify expected losses
3. Agree on risk appetite
4. Plan the controls
5. Implement the controls
6. Maintain the controls
7. Measure the controls
11. IT (security) budgeting process
Reality
1. Plan the budget
2. Present the budget
3. Divide the budget in half
4. Defend the budget
5. Divide the budget in half
6. Get the budget approval
7. Try not to cry in public
13. But if it only worked…
Expectations
Corporate governance
Risk management
Market and government regulations
Reality
Industrial Control Systems Healthcheck
15. Cyber security economics
Market challenges:
Information asymmetry*
Invisibility of prevented loss
Lack of incidents disclosure
Poor regulation
* George Akerlof - The Market for Lemons
16. Why corporate security (normally) sucks
“Best practice” driven deterministic approach
The promised land of
“Management commitment”
Obsession with formal authority
18. “Best practice” vs Real security
The Real security:
Direct business impact: security for business
Indirect business impact: security for customers
Support of business strategy: security against customers
Delft University of Technology – Cyber Security Economics 101
19. Management commitment
Expectation
ISO-IEC 27001 – 5.1 Management commitment
Management shall provide evidence of its commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS by:
…
d) communicating to the organization the importance of …;
e) providing sufficient resources to …;
…
20. Management commitment
Reality
22. Obsession with authority
Reality
“CISO” reports to the highest-ranking executive who knows what is the difference between a firewall and an antivirus
Image courtesy of Scott Adams, http://dilbert.com
23. Cyber security business
Paper tigers
Blinking boxes
Feynman threat
Do it yourself attitude
Evolution of “fair price”
29. Plan A: let’s save 200 people!
• ...or: all 600 will survive with P=1/3, none will survive with P=2/3
Plan B: 400 people will die…
• ...or: no one will die with P=1/3, everyone will die with P=2/3
Scenario: a virus outbreak is expected to kill 600 people. We have two treatment plans to choose from.
Both framings describe the same two choices (200 live and 400 die for certain, versus the same one-in-three gamble); only the wording changes, from gains to losses, and with it the preference.
Tversky, Amos; Kahneman, Daniel (1981). "The Framing of decisions and the psychology of choice". Science 211 (4481): 453–458.
How it works
78% 22%
33. Expert power
An expert is a man who has made all the mistakes which can be made,
in a narrow field.
--Niels Bohr
34. Expert power
An expert is a human who has made all the mistakes which can be
made, in a narrow field.
--Niels Bohr
35. Expert power
Open Design
Least Privilege
Fail-Safe Defaults
Defense in Depth
Complete Mediation
Separation of Privilege
Economy of Mechanism
Secure Weakest Link First
Psychological Acceptability
Least Common Mechanism
Ross Anderson – Security Engineering
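The principles listed above are easier to recognise when they are visible in code. The following is an added example, not code from the slides or from Ross Anderson's book: a minimal reference-monitor style authorization function in which fail-safe defaults, complete mediation, least privilege, separation of privilege, open design and psychological acceptability each correspond to one concrete line. All roles, actions, resource paths and principal names are hypothetical.

```python
# Added example (not from the original deck): a tiny authorization layer that
# makes the listed design principles observable. Names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Tuple

Rule = Tuple[str, str, str]  # (role, action, resource prefix)


@dataclass(frozen=True)
class Principal:
    name: str
    roles: FrozenSet[str]


@dataclass
class Policy:
    # Open design / economy of mechanism: the whole policy is this small,
    # inspectable allow-list. There is no hidden "admin bypass" rule.
    allow: List[Rule] = field(default_factory=list)
    # Separation of privilege: these actions need a second, distinct
    # principal who independently holds the same permission.
    dual_control: FrozenSet[str] = frozenset()


@dataclass
class Decision:
    allowed: bool
    reason: str  # psychological acceptability: every deny explains itself


def has_rule(policy: Policy, who: Principal, action: str, resource: str) -> bool:
    """True only if an explicit allow rule matches. Prefixes must end in '/'
    so that '/data/' cannot accidentally match '/database'."""
    return any(
        role in who.roles and act == action and resource.startswith(prefix)
        for (role, act, prefix) in policy.allow
        if prefix.endswith("/")
    )


def authorize(policy: Policy, who: Principal, action: str, resource: str,
              approvers: Iterable[Principal] = ()) -> Decision:
    """Complete mediation: every access goes through this one function and
    nothing is cached. Fail-safe default: the only path to allowed=True is an
    explicit matching rule."""
    if not has_rule(policy, who, action, resource):
        return Decision(False, "no matching allow rule (default deny)")
    if action in policy.dual_control:
        # The approver must be a different person who is themselves
        # authorized; self-approval and unprivileged approvers do not count.
        second = [a for a in approvers
                  if a.name != who.name and has_rule(policy, a, action, resource)]
        if not second:
            return Decision(False, f"'{action}' requires a second authorized approver")
    return Decision(True, f"allowed: {who.name} may {action} {resource}")


def demo() -> Dict[str, bool]:
    """Constructed scenario exercising each principle; returns the decisions."""
    policy = Policy(
        allow=[
            ("backup", "read", "/data/"),   # least privilege: backup only reads
            ("dba", "read", "/data/"),
            ("dba", "write", "/data/"),
            ("dba", "drop", "/data/"),
        ],
        dual_control=frozenset({"drop"}),
    )
    bob = Principal("bob", frozenset({"backup"}))
    alice = Principal("alice", frozenset({"dba"}))
    carol = Principal("carol", frozenset({"dba"}))
    return {
        "backup_reads": authorize(policy, bob, "read", "/data/db1").allowed,
        "backup_writes": authorize(policy, bob, "write", "/data/db1").allowed,
        "unknown_action": authorize(policy, alice, "shutdown", "/data/db1").allowed,
        "prefix_confusion": authorize(policy, bob, "read", "/database").allowed,
        "drop_alone": authorize(policy, alice, "drop", "/data/db1").allowed,
        "drop_self_approved": authorize(policy, alice, "drop", "/data/db1", [alice]).allowed,
        "drop_unprivileged_approver": authorize(policy, alice, "drop", "/data/db1", [bob]).allowed,
        "drop_dual_control": authorize(policy, alice, "drop", "/data/db1", [carol]).allowed,
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} {'ALLOW' if allowed else 'DENY'}")
```

The point of the example is the shape of the deny paths: an unknown action, an unmatched resource and a missing approver all fall through to the same default-deny, and nothing in the code grants access without a rule that a reviewer can read.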
41. Step 1: Introduction of self
Define yourself via your background and brief history
Name top-3 or top-2 cool things you did professionally
State the purpose of your pitch
42. Step 2: The “Why now?” frame
Recent changes by economic, social, and technological forces: factual and external to the company
Backstory of the idea: important changes in the business, forecast of trends, impact on cost and demand, and the opening window of opportunity
43. Step 3: Idea introduction pattern
“For [the beneficiary],
Who are dissatisfied with [the current situation],
My proposed idea/product/project is a [new thing],
That provides [key problem-solving solution],
Unlike [the alternative(s)].
My idea/product/project/solution is: [describe key features]”
45. I spent 16 years in IT infrastructure, Information Security Management, IT Audit, Application Security, and Security consulting for the largest banking, telecom, software development and professional services companies in Ukraine.
46. I am one of the “founding fathers” of UISG, co-founder of OWASP Kyiv, NoNameCon security conference, and my own consulting company Berezha Security.
47. Today I am here to help you secure adequate budget for your cyber security program.
48. All of you are aware of
1. increase in frequency and financial impact of cyber attacks,
2. strengthening of government and market regulations,
3. and inability of traditional IT security solutions to thwart the permanent threat of state-sponsored hacking backed by Russia.
In the face of
1. poor InfoSec market conditions that will not improve in the near future,
2. and the inevitable period of increased geopolitical tension caused by the upcoming presidential elections;
You shall not miss the opportunity to secure the funding required to implement adequate safeguards as soon as possible.
49. For your security organization, that is poorly funded in line with the “traditional” corporate budgeting process that creates an imbalance of estimated goals and assigned costs,
my proposed method is a tool for leveraging natural human features, beliefs, and aspirations,
that provides a tangible perception of a “fair amount” of cyber security spending to all stakeholders,
unlike the traditional “risk assessment” approach that is inherently prone to error and doesn’t fully cover the ever-changing threat landscape.
50. My proposed method uses the current body of knowledge in psychology, social sciences, and cyber security economics to help security leaders
• obtain necessary resources,
• deal with cyber security market challenges,
• build and maintain influence power in the organization,
• and take a well-deserved place in the business hierarchy.
51. How to find me
sapran@pm.me
https://fb.me/vstyran
@arunninghacker
52. References
George Akerlof - The Market for Lemons
Delft University of Technology – Cyber Security Economics 101
Ross Anderson – Security Engineering
University of Michigan – Influencing People
Robert Cialdini – Influence
Oren Klaff – Pitch Anything
April Wensel – Cultivating Compassionate Tech Communities, AnxietyTech 2018
53. Recommendations
Introduction to Psychology, University of Toronto
Christopher Hadnagy, Social Engineering: The Art of Human Hacking, 1st Edition
Robert B. Cialdini, Influence: The Psychology of Persuasion, Revised Edition
Dan Ariely, Predictably Irrational, Revised and Expanded Edition: The Hidden Forces That Shape Our Decisions
Social Engineer Podcast