Week 12 – Monday. What did we talk about last time? Security policies; physical security; lock picking.

Presentation transcript:

Week 12 – Monday

- What did we talk about last time?
  - Security policies
  - Physical security
  - Lock picking

Graham Welsh

- If you do IT, you may need to make a case for spending money on security
  - For your own benefit (because it justifies your position)
  - For the business's benefit (because a security problem could be costly)
- You shouldn't lie or exaggerate
- Your proposal should be based on real improvements that are likely to cost the company less in the long run
- You should use business language so that the proposal can be compared to other non-security and non-IT proposals

- A business case is a proposal that justifies an expenditure, usually including:
  - A description of the problem you're trying to solve
  - A list of possible solutions
  - Constraints on solving the problem
  - A list of assumptions
  - Analysis of each alternative
    - Risks
    - Costs
    - Benefits
  - A summary of why your proposal is best

- Research suggests that investments should be considered from the following perspectives:
  - Customer – keeping customers happy
  - Operational – keeping your business running smoothly
  - Financial – return on investment or share price
  - Improvement – effect on market leadership
- Companies tend to focus only on the financial perspective because it is the easiest to measure

- Companies can be reluctant to invest in security
- Surveys suggest that these are the motivating influences:

  Category                                    Importance
  Regulatory requirement                         30.1%
  History or IT staff knowledge                  18.9%
  Client requirement or request                  16.2%
  Internal or external audit                     12.4%
  Current events and media attention              8.2%
  Response to compromised internal security       7.3%
  Reaction to external mandate or request         5.0%
  Other                                           1.7%

- Businesses care about money
- But there are several different ways to evaluate the economic value of a decision
  - Net present value
  - Internal rate of return
  - Return on investment
- Is spending this money now a good idea? We could invest it instead
- Measuring IT impact in general is difficult
  - People only see how their life is changed after the fact

- The net present value (NPV) of a proposal is the present value of its benefits minus the value of the initial investment
- NPV looks at the lifetime of a project
- Example:
  - Spending $100 today could earn a profit of $200 in 5 years
  - But investing that $100 instead could yield $170 in 5 years
  - NPV = $200 - $170 = $30
- A positive NPV indicates a good proposal, and a negative NPV a bad one

- The internal rate of return (IRR) is the discount rate that makes the NPV zero
  - In other words, how good an investment is your proposal?
- Return on investment (ROI) is the last period's profits divided by the cost of the investments needed to realize those profits
  - ROI is a measure of how the company has performed
  - IRR and NPV are estimates of future performance
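The three measures above, worked through in code. This is an added example, not part of the lecture slides or the course material: the cash flows are constructed to mirror the slide's $100 / $200 / $170 story (spend $100 on a control today, avoid $200 of incident loss in year 5, versus an alternative investment that would turn the same $100 into $170 over 5 years). The slide's NPV of $30 compares the two future values directly; the block below does the textbook discounted version, using the alternative investment's implied annual rate as the discount rate, so its NPV figure is smaller but has the same sign. IRR is found by bisection on the NPV function; ROI follows the slide's definition (last period's profit divided by the cost of the investment).

```python
"""NPV, IRR and ROI for a hypothetical security investment.

Added worked example; the cash flows are constructed for illustration and
are not from the lecture. Convention: cash_flows[t] is the net cash flow at
the end of year t, with index 0 meaning "today". A spend is negative, an
avoided loss (benefit) is positive.
"""
from typing import Sequence


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value of a cash-flow series at a given annual discount rate."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-9, max_iter: int = 200) -> float:
    """Internal rate of return: the discount rate at which NPV is zero.

    Found by bisection over [lo, hi]. The usual security case (one spend now,
    benefits later) has a single sign change in the cash flows, so NPV is
    positive at low rates and negative at high rates and one root exists.
    If NPV has the same sign at both ends of the bracket, IRR is undefined.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign over the bracket; IRR undefined")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def roi(last_period_profit: float, investment_cost: float) -> float:
    """Return on investment as defined on the slide: last period's profit / cost."""
    if investment_cost == 0:
        raise ValueError("investment cost must be non-zero")
    return last_period_profit / investment_cost


def slide_example() -> dict:
    """The slide's numbers as a discounted calculation (constructed example).

    - security control: spend $100 today, avoid a $200 loss at the end of year 5
    - alternative: the same $100 invested elsewhere grows to $170 in 5 years,
      which implies an annual rate r with 100 * (1 + r)**5 == 170
    """
    control_flows = [-100.0, 0.0, 0.0, 0.0, 0.0, 200.0]
    alt_rate = (170.0 / 100.0) ** (1.0 / 5.0) - 1.0      # about 11.2% per year
    return {
        "discount_rate": alt_rate,
        "npv_at_alt_rate": npv(alt_rate, control_flows),  # 200/1.7 - 100, about 17.65 (positive: good)
        "irr": irr(control_flows),                        # 2**(1/5) - 1, about 14.9% (beats 11.2%)
        "roi_year5": roi(200.0 - 100.0, 100.0),           # profit in the last period / cost = 1.0
    }


if __name__ == "__main__":
    for name, value in slide_example().items():
        print(f"{name:>16}: {value:.4f}")
```

The decision rule matches the slide: the control is worth funding because its NPV at the alternative's rate is positive, equivalently because its IRR (about 14.9%) exceeds the rate the alternative investment would earn (about 11.2%). Any benefit figure fed into `npv` is only as good as the loss estimate behind it, which is exactly the measurement problem the next slides take up.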

- The accounting ideas from the previous section depend on measuring the benefits of security
  - Difficult
- We can relatively easily list:
  - Assets needing protection
  - Vulnerabilities in a system
  - Threats to a system
- But what is the impact when an attack happens?

- We need data to make decisions
  - National and global data about security measures how cybersecurity affects national and international economies
  - Enterprise data lets us see how companies are preventing and recovering from attacks and how much it costs
  - Technology data outlines the attacks that are possible or common
- The data needs to be:
  - Accurate
  - Consistent
  - Timely
  - Reliable

- We will list the results from a number of surveys, starting with the Information Security Breaches Survey (ISBS) from 2006 about the cost of security incidents in the UK

                                                     Overall Change   Change for Large Businesses
  Companies affected                                 Down 20%         Down 10%
  Median number of incidents at affected companies   Up 50%           Down 30%
  Average cost of each incident                      Up 20%           Down 10%
  Total change in cost of incidents                  Up 50%           Down 50%

- 5,000 information security practitioners were surveyed in 2005; 699 responded
- Key findings:
  - Viruses are the largest source of financial loss
  - Unauthorized access went up, replacing DoS as the second greatest source of loss
  - The total dollar amount of financial loss from cyber crime is decreasing
  - Companies are reporting intrusions less because of negative publicity
  - 87% of respondents conduct security audits, up from 82% in the previous survey

- 540 security officers were surveyed in 2005; 188 responded
- Key findings:
  - 35% experienced attacks that affected CIA in 2005, 49% in 2004, and 42% in 2003
  - Insider attacks stayed at a constant 37% over three years
  - Viruses were the most prevalent attack
  - DoS caused the most financial loss
  - 37% of respondents used security standards in 2003, but 65% used them in 2005

- Given in 2005
- Key findings:
  - Organizations have improved security, making them less attractive to hackers
  - Humans are the weakest link, falling prey to phishing and pharming
  - 17% of respondents think government regulations are very effective, and 50% think they are effective
  - Chief information security officers are reporting to the highest levels of the organization more and more

- Given in 2004
- Key findings:
  - 1 in 5 respondents strongly agreed that their organization put information security as a priority
  - Lack of security awareness by users is the top problem
    - But only 28% of respondents put raising employee awareness as a top initiative
  - Top concerns were viruses, Trojans, and worms, with employee misconduct a distant second
  - Less than half of the respondents provide ongoing employee security training
  - 1 in 4 thought their information security departments were successful at meeting organizational needs

- 231,000 complaints in 2005
- Key findings:
  - Almost 100,000 complaints were referred to law enforcement
  - Most cases involved fraud, with a total loss of $182 million and a median loss of $424 per complainant
  - Internet auction fraud at 62.7% was the most common
    - Nondelivered merchandise or nonpayment was 16%
    - Credit card fraud was 7%
  - More than 75% of perpetrators were male
    - Half lived in CA, NY, FL, TX, IL, PA, or OH
  - For every dollar lost by a woman, $1.86 was lost by a man
  - Super Bowl ticket scams, phishing attempts, reshipping, eBay account takeovers, natural disaster fraud, and international lottery scams had high activity

- Surveyed 204 information technology and storage managers in 2004
- Key findings:
  - Most companies have no formal data backup or storage procedures, relying on individual initiative
  - Viruses are the main reason companies change their data protection procedures
  - Regular testing of disaster recovery procedures is not a common practice

- Surveyed 2,196 security practitioners in 2002, looking at the impact of business size
- Key findings:
  - Security spending per user and per machine decreases as organization size increases
  - Allocating money for security does not reduce the probability of being attacked, but does help detect losses
  - Most organizations do not have a security culture or an incident response plan

- Surveys measure different things
  - Some have conflicting results
- We can't know the level of expertise of the respondents in many cases
  - Regular users vs. security officers
- Surveys were mostly voluntary
  - People who care about security or have recently had an incident are more likely to respond
- Categories are inconsistent
  - "Electronic attacks" vs. "security incidents"
  - Are these the same things?

- Some of these surveys say that costs are going up
- Others say that costs are going down
- The ICSA 2004 survey claimed that "respondents in our survey historically underestimate costs by a factor of 7 to 10"
  - How do they even know that?
- Conclusions:
  - Viruses are bad
  - Phishing is bad
  - We should have better training and policies
  - We should have better surveys

- Modeling security

- Keep reading Chapter 9
- Keep working on Project 3 Phase 1
  - Ack! Actually due on Thursday, April 17, unlike originally stated