Copyright © 2015 Scott Borg/U.S. Cyber Consequences Unit. All rights reserved. Making Economics a Cyber-Security Weapon Scott Borg Director (CEO) and Chief.

Copyright © 2015 Scott Borg/U.S. Cyber Consequences Unit. All rights reserved.

Slide 1: Making Economics a Cyber-Security Weapon
Scott Borg, Director (CEO) and Chief Economist, U.S. Cyber Consequences Unit

Slide 2: If you are a cyber-security professional, what is your job? (from a business standpoint) What were you hired for?

Slide 3: The ultimate goal of cyber security: Reduce Cyber Risk. But... can you say what this is?

Slide 4: Risk = Expected Loss Over Time = Threat x Consequence x Vulnerabilities
Threat: Frequency of a given attack type with an associated skill level
x Consequence: Potential business loss from that attack
x Vulnerabilities: Extent to which that loss would occur, given a specific set of policies and counter-measures
= Annualized Expected Loss

Slide 5: Of the three risk factors, Threat, Consequence, and Vulnerability... the hardest to understand is Consequence.

Slide 6: Value Creation. What does a business or government agency do to create value? Businesses take Inputs and turn them into Outputs. (Diagram: Supplier -> Inputs (inputs are benefits lost) -> Value Creation -> Outputs (outputs are benefits gained) -> Customer.)

Slide 7: Measuring a Productive Activity. (Diagram: Supplier -> Inputs, measured by Opportunity Cost -> Value Creation -> Outputs, measured by Willingness-to-Pay -> Customer; the span between the two measures is labelled Total Value Created.)

Slide 8: A Change in the Value Created: What Substitutes. (Diagram: the Supplier / Opportunity Cost / Willingness-to-Pay / Customer layout of the previous slide, shown twice, before and after the change.)

Slide 9: Protecting “High Value Assets” Is the Wrong Approach!
The value of an asset doesn’t correlate with the damage that could be done by attacking it.
Value in business doesn’t reside in things; value is something the business is continually creating.
Value is created by the way things work together, not by their separate outputs.
Cyber attacks can do serious damage without doing anything observable to assets.

Slide 10: Making Cyber Risk Quantitative by Unpacking the Components
Threat x Consequence x Vulnerabilities = Risk
Frequency of a given attack type x Potential Loss x Extent to which the loss would occur = Annualized Expected Loss
THREAT: Attackers, Motives, Targets, Capabilities
CONSEQUENCE: Business Effects (I. Interrupting, II. Corrupting, III. Discrediting, IV. Undermining), Value Differential
VULNERABILITIES: Findable, Penetrable, Corruptible, Concealable, Irreversible

Slide 11: Being able to estimate cyber risk and say how it is changed by different cyber-security measures...
Will give you an objective basis for every cyber-security choice
Will justify your budget
Will allow you to determine the ROI for your activities
Will give you a solid business defense of your actions if something goes wrong (i.e., save your job)

Slide 12: But estimating cyber risk is hard, because you might not know enough yet about...
 The potential attackers, their motives, how they choose attacks, what their capabilities are, and how these factors are changing over time
 Where and how your organization creates value, where its potential liabilities are, and what would happen in the event of an attack
 How your organization’s vulnerabilities would affect attacker activities and success rates collectively, rather than one-by-one

Slide 13: What should you do in the meantime? (if you don’t have enough information to estimate risks)

Slide 14: You already know a lot about how to do this! The stepping-stone goal for cyber security: Increase Attacker Costs (while holding down attacker gains).

Slide 15: Ask yourself —
What hurdles would an attacker need to overcome to carry out a profitable attack? (Hint: never just penetration)
How much time and skill would it take to overcome these hurdles?
How can the time and skill required from an attacker be most effectively increased?
You will probably find you can even make quantitative estimates of these things!

Slide 16: Attacker cost is the real guide to hitting attackers where it hurts! (Even a modest-sized business can typically increase attacker costs by a factor of 10 or 100!) This is how to make the game of cyber security into one you can win!

Slide 17: Winning: Not as good a guide as quantifying risk (notice why!), but the next best thing
 If you can make the costs of attacking your systems greater than the benefits from attacking them, you have won absolutely!
 If you can make the return-on-investment for attacking your organization considerably worse than for attacking another target, you have won relatively!
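As an added example, not part of the slides, the Threat x Consequence x Vulnerabilities formula and the two "winning" tests from this deck written out as a small Python model, so a defender can see how a counter-measure that multiplies attacker cost and trims the extent of loss moves both the annualized expected loss and the attacker's return-on-investment. The scenario numbers, the counter-measure's annual cost, and the margin used for "considerably worse" are constructed assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One attack type against one organization. Monetary values in USD (constructed)."""
    name: str
    attack_frequency: float  # Threat: expected attempts per year at this skill level
    potential_loss: float    # Consequence: business loss if the attack fully succeeds
    loss_extent: float       # Vulnerabilities: fraction of that loss that would occur under current controls
    attacker_cost: float     # cost to the attacker of clearing every hurdle (not just penetration)
    attacker_gain: float     # what the attacker realizes from a successful attack


def annualized_expected_loss(s: Scenario) -> float:
    """Risk = Threat x Consequence x Vulnerabilities, as on slides 4 and 10."""
    return s.attack_frequency * s.potential_loss * s.loss_extent


def attacker_roi(s: Scenario) -> float:
    """Attacker's return on investment: (gain - cost) / cost."""
    return (s.attacker_gain - s.attacker_cost) / s.attacker_cost


def won_absolutely(s: Scenario) -> bool:
    """Slide 17, first bullet: attacking costs more than it yields."""
    return s.attacker_cost > s.attacker_gain


def won_relatively(s: Scenario, alternative_target_roi: float, margin: float = 0.5) -> bool:
    """Slide 17, second bullet: attacking us returns 'considerably' less than attacking
    another target. The margin (our ROI must be at least 0.5 lower) is a constructed assumption."""
    return attacker_roi(s) <= alternative_target_roi - margin


def apply_countermeasure(s: Scenario, cost_multiplier: float, extent_after: float) -> Scenario:
    """A counter-measure raises attacker cost (the deck's 'factor of 10 or 100') and lowers
    the extent of loss; attack frequency and the potential loss itself are unchanged."""
    return replace(s, attacker_cost=s.attacker_cost * cost_multiplier, loss_extent=extent_after)


def countermeasure_roi(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Defender's ROI (slide 11): yearly risk removed, net of the control's cost, over that cost."""
    risk_reduction = annualized_expected_loss(before) - annualized_expected_loss(after)
    return (risk_reduction - annual_control_cost) / annual_control_cost


# Constructed sample scenario; the figures are illustrative, not from the slides.
BASELINE = Scenario("ransomware-on-billing", attack_frequency=2.0, potential_loss=500_000.0,
                    loss_extent=0.4, attacker_cost=20_000.0, attacker_gain=150_000.0)
HARDENED = apply_countermeasure(BASELINE, cost_multiplier=10.0, extent_after=0.1)

if __name__ == "__main__":
    for s in (BASELINE, HARDENED):
        print(f"{s.name}: ALE={annualized_expected_loss(s):,.0f} attacker ROI={attacker_roi(s):.2f} "
              f"absolute win={won_absolutely(s)} relative win={won_relatively(s, 3.0)}")
    print(f"counter-measure ROI={countermeasure_roi(BASELINE, HARDENED, 60_000.0):.2f}")
```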

Slide 18: What economics is most fundamentally about: Not cash flows and markets! Maximizing the benefits gained, relative to the benefits lost. Attackers are already thinking this way. You should be too!

Slide 19: For more information or permission to use this material, please contact: Scott Borg, U.S. Cyber Consequences Unit, P.O. Box 1390, Norwich, VT