Lecture 6: Spending
Rachel Greenstadt
October 17, 2016
Cyber losses https://www.youtube.com/watch?v=SUxJqoZtXyw
Reminders
- CITI Training due Thursday before class
- Discussion on Thursday/Friday online
- Mini-Guest Lecture today: Andrea Forte on qualitative research
- Feb 13: Midterm
Spending on Security: 2016 numbers from SANS survey
Why Spend on Security?
- Avoid loss
  - How much loss?
  - Will spending work?
Other reasons
- Reputation / branding damage
- New business process
- Share price effect
- Compliance with standards
  - SOX, HIPAA in U.S.
  - PIPEDA (Canada), EU data protection
- National security (defense contractors)
- Nonprofits – ethical, not just business case
Individuals
- Theft prevention
- Privacy concerns
Non-reasons
- Forensics and attribution
  - Hard and expensive
  - “Uh oh. Some state actor must have turned down the hot water pressure to my shower this morning.” – Matt Blaze
Non-reasons: Worms
- Fast-spreading Internet worms (“How to 0wn the Internet in Your Spare Time”)
- Incentives – fast-spreading worms are not that useful; slow, subtle ones can be (Stuxnet)
More non-reasons
- History of non-spending
- New CISO
- Fear / guilt
- Competitive advantage
  - Most businesses don’t develop in-house security, so other people can buy it too
How much security for software products? Argument for very little
- Customers think cost/speed/functionality more important
- Just enough to overcome claims of insecurity
How much security for software products? Argument for “top priority”
- Avoid competitive disadvantage
- “Good enough” security
- Enhance other IT functions (monitoring/awareness)
How much to spend?
- “To avoid security incidents” is a negative goal, hard to measure
- Measurable goals might be better, but difficult
Spending approaches
- Wait and see, then recover
- Buy one of everything
- External measures
  - What do consultants recommend?
  - What is everyone else doing?
Price does matter (Let’s Encrypt)
Return on Investment (ROI)
- Size of investment / gain
- Gain = losses that didn’t happen
- ROI security measure – reduce losses
- Annual loss expected (ALE) = Prob(loss event) * Cost(loss event)
- How do we get these numbers (esp. Prob(loss event))?
- Doesn’t account for possibility of failure or opportunity cost
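A worked calculation of the ALE and ROI figures above, added here as an example rather than taken from the lecture. It implements ALE = Prob(loss event) * Cost(loss event) as stated on the slide and goes one step further than the slide does: a control's mitigation is discounted by the chance that the control itself fails, to show how the "possibility of failure" caveat changes the ROI. The loss event, the control, and all dollar figures and probabilities are constructed for illustration, not survey or actuarial data.

```python
"""ALE and return on a security investment (added example, not lecture code).

Extends the slide's ALE = Prob(loss event) * Cost(loss event) with a
control's mitigation ratio and its own failure probability. All sample
values are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossEvent:
    name: str
    annual_probability: float  # Prob(loss event) per year
    cost: float                # Cost(loss event) when it happens, in dollars

    def ale(self) -> float:
        """Annual loss expectancy: Prob(loss event) * Cost(loss event)."""
        return self.annual_probability * self.cost


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # total cost per year (licence, labor, maintenance)
    mitigation: float            # fraction of the loss prevented when the control works (0..1)
    failure_probability: float = 0.0  # chance the control does not work when it is needed


def residual_ale(event: LossEvent, control: Control) -> float:
    """ALE that remains after the control, discounted for the control failing."""
    effective_mitigation = control.mitigation * (1.0 - control.failure_probability)
    return event.ale() * (1.0 - effective_mitigation)


def avoided_loss(event: LossEvent, control: Control) -> float:
    """The 'gain' from the slide: losses that did not happen because of the control."""
    return event.ale() - residual_ale(event, control)


def security_roi(event: LossEvent, control: Control) -> float:
    """ROI = (losses avoided - cost of control) / cost of control.

    0.0 means the control exactly pays for itself; negative means it costs
    more per year than the losses it is expected to prevent.
    """
    return (avoided_loss(event, control) - control.annual_cost) / control.annual_cost


def rank_controls(event: LossEvent, controls: list[Control]) -> list[tuple[str, float]]:
    """Return (name, ROI) pairs, best ROI first, for the same loss event."""
    scored = [(c.name, security_roi(event, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: a breach that happens once every five years and costs $500k.
PHISHING_BREACH = LossEvent("phishing-led breach", annual_probability=0.2, cost=500_000.0)

# Constructed sample controls; "mail filtering + training" is a hypothetical bundle.
RELIABLE = Control("mail filtering + training", annual_cost=30_000.0, mitigation=0.6)
FLAKY = Control("same control, fails 25% of the time", annual_cost=30_000.0,
                mitigation=0.6, failure_probability=0.25)
OVERPRICED = Control("one of everything", annual_cost=120_000.0, mitigation=0.8)

if __name__ == "__main__":
    print(f"ALE without controls: ${PHISHING_BREACH.ale():,.0f}")
    for name, roi in rank_controls(PHISHING_BREACH, [RELIABLE, FLAKY, OVERPRICED]):
        print(f"{name:40s} ROI = {roi:+.2f}")
```

With these numbers the ALE is $100,000 a year; the reliable control avoids $60,000 of it for $30,000 (ROI 1.0), the same control with a 25% failure rate avoids only $45,000 (ROI 0.5), and buying "one of everything" for $120,000 avoids $80,000 and so loses money (ROI about -0.33). The failure term is what the slide warns is missing from the naive ROI figure; opportunity cost is still not modelled here.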
Actuarial data
Cyberinsurance
- CLIC – Cyber liability insurance cover
- Available since early 2000s
- Now $2.5 billion, 80 carriers
- 2016: 80% of companies with > 1,000 employees bought a policy (Insurance Business)
- Improvement in underwriting
Policies
- First party – expenses incurred by the company experiencing the breach
- Third party – effect of breaches on other companies that affect you
Why insurance
- Cover cost of breaches
- Contractual obligations, especially notifications
Effect of Cyberinsurance: motivation for data on risks, measurable security
Fear as a motivator
- > 500 road fatalities per year caused by avoidance of air travel due to security screening procedures
- 1018 estimated additional road fatalities during the three months post 9/11
Big event
- High profile breach, worm infection
- No $$ - lots of $$$
- Might be spent irrationally
- Boom/bust: “Fighting the last war”
Security Tools
- Total cost of ownership (TCO)
  - Hard for security because operational costs often exceed the purchase price
- SANS: most spending is for in-house labor
- Survey respondent on the relationship between tools and skills: “Do not overspend for tools that you do not have the personnel or expertise to use.”
Vulnerability Scanning: the more the better?
- DLP – data loss prevention
- IPS/UTM – intrusion prevention system, unified threat management (fancy firewalls)
- BYOD – bring your own device
- MDM – mobile device management
- NAC – network access control
Spending questions
- Do we already have the capability?
- Will existing vendors soon provide it?
Security awareness training?
- Breaking a security rule makes life easier
- Little company loyalty
- “Users are not the enemy” – most people who violated security rules were trying to get work done
Security policies
- Not a firing offense
- Most people don’t know company security policies
- Even if they did – either too detailed and technical or too abstract
Invest in Cyber Security Boom?
- HACK ETF – exchange-traded fund
- Various “cyber” companies