Presentation transcript: "Lecture 6: Spending", Rachel Greenstadt, October 17, 2016

1 Lecture 6: Spending
Rachel Greenstadt
October 17, 2016

2 Cyber losses

3 Reminders
CITI Training due Thursday before class
Discussion on Thursday/Friday online
Mini-guest lecture today: Andrea Forte on qualitative research
Feb 13: Midterm

4 Spending on Security
2016 numbers from SANS survey

5 Why Spend on Security?

6 Why Spend on Security?
Avoid loss
How much loss?
Will spending work?

7 Other reasons
Reputation / branding damage
Share price effect
New business process
Compliance with standards: SOX, HIPAA in U.S.; PIPEDA (Canada); EU data protection
National security (defense contractors)
Nonprofits – ethical, not just business case

8 Individuals
Theft prevention
Privacy concerns

9 Non-reasons
Forensics and attribution: hard and expensive
"Uh oh. Some state actor must have turned down the hot water pressure to my shower this morning." – Matt Blaze

10 Non-reasons: Worms
Fast spreading Internet worms ("How to 0wn the Internet in your spare time")
Incentives – fast spreading worms not that useful
Though slow, subtle ones are (Stuxnet)

11 More non-reasons
History of non-spending
New CISO
Fear / guilt
Competitive advantage: most businesses don't develop in-house security, so other people can buy it too

12

13 How much security for software products?
Argument for very little:
Customers think cost/speed/functionality more important
Just enough to overcome claims of insecurity

14 How much security for software products?
Argument for "top priority":
Avoid competitive disadvantage
"Good enough" security
Enhance other IT functions (monitoring/awareness)

15 How much to spend?
"To avoid security incidents" – negative goal, hard to measure
Measurable goals might be better, but difficult

16 Spending approaches
Wait and see, then recover
Buy one of everything
External measures: What do consultants recommend? What is everyone else doing?

17 Price does matter (Let’s Encrypt)

18

19 Return on Investment (ROI)
Size of investment / gain
Gain = losses that didn't happen
ROI of a security measure – reduced losses
Annual loss expectancy (ALE) = Prob(loss event) * Cost(loss event)
How do we get these numbers (especially Prob(loss event))?
Doesn't account for possibility of failure or opportunity cost
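As an added worked example (not part of the slides), the ALE and ROI arithmetic from this slide carried through in Python for a small set of constructed loss events. It adds one knob the slide says the naive ROI ignores: the chance that the control itself fails and delivers no reduction. Every event name, probability, cost and control figure below is an assumption chosen for illustration.

```python
"""ALE / security-ROI calculator (added example; figures are constructed)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class LossEvent:
    name: str
    annual_probability: float  # Prob(loss event) per year, 0..1
    cost: float                # Cost(loss event) if it happens


def ale(event: LossEvent) -> float:
    """Annual loss expectancy: Prob(loss event) * Cost(loss event)."""
    return event.annual_probability * event.cost


def residual_ale(event: LossEvent, effectiveness: float,
                 control_failure_prob: float = 0.0) -> float:
    """ALE after a control that stops a fraction `effectiveness` of events
    when it works, and with probability `control_failure_prob` silently
    fails and stops nothing (the 'possibility of failure' caveat)."""
    expected_reduction = effectiveness * (1.0 - control_failure_prob)
    return ale(event) * (1.0 - expected_reduction)


def security_roi(events: list[LossEvent], annual_control_cost: float,
                 effectiveness: float, control_failure_prob: float = 0.0) -> float:
    """(gain - cost) / cost, where gain is the ALE that the control removes."""
    gain = sum(ale(e) - residual_ale(e, effectiveness, control_failure_prob)
               for e in events)
    return (gain - annual_control_cost) / annual_control_cost


# Constructed sample portfolio (assumptions, not data from the lecture).
SAMPLE_EVENTS = [
    LossEvent("phishing-driven credential theft", 0.30, 200_000.0),
    LossEvent("ransomware outbreak", 0.05, 1_000_000.0),
]
CONTROL_COST = 40_000.0   # assumed annual cost of the control (licences + labor)
EFFECTIVENESS = 0.60      # assumed fraction of events the control stops


def report(events: list[LossEvent] = SAMPLE_EVENTS) -> dict[str, float]:
    """Summarise ALE before/after and ROI with and without control failure."""
    return {
        "ale_total": sum(ale(e) for e in events),
        "roi_no_failure": security_roi(events, CONTROL_COST, EFFECTIVENESS),
        # same control, but assume it silently fails one year in four
        "roi_with_failure": security_roi(events, CONTROL_COST, EFFECTIVENESS, 0.25),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:18s} {value:,.4f}")
```

The point the numbers make: the same control looks clearly worthwhile when its failure probability is ignored and much less so once it is included, and neither figure says anything about what else the 40,000 could have bought (opportunity cost), which is why the slide lists both as blind spots.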

20 Actuarial data

21 Cyberinsurance
CLIC – cyber liability insurance cover
Available since early 2000s
Now $2.5 billion, 80 carriers
% of companies with > 1,000 employees bought a policy (Insurance Business)
Improvement in underwriting

22 Policies
First party – expenses incurred by the company experiencing the breach
Third party – effect of breaches at other companies that affect you

23 Why insurance
Cover cost of breaches, especially notifications
Contractual obligations

24 Effect of Cyberinsurance
Motivation for data on risks, measurable security

25 Fear as a motivator
> 500 road fatalities per year caused by avoidance of air travel due to security screening procedures
1018 estimated additional road fatalities during the three months post 9/11

26 Big event
High profile breach, worm infection
No $$ – lots of $$$
Might be spent irrationally
Boom/bust
"Fighting the last war"

27 Security Tools
Total cost of ownership (TCO)
Hard for security because operational costs often exceed purchase price
SANS: most spending is for in-house labor
Survey respondent on the relationship between tools and skills: "Do not overspend for tools that you do not have the personnel or expertise to use."

28 Vulnerability Scanning
The more the better?

29 DLP – data loss prevention
IPS/UTM – intrusion prevention system, unified threat management (fancy firewalls)
BYOD – bring your own device
MDM – mobile device management
NAC – network access control

30 Spending questions Already have capability?
Existing vendors will soon provide?

31 Security awareness training?
Breaking security rules makes life easier
Little company loyalty
"Users are not the enemy" – most people who violated security rules were trying to get work done

32 Security policies
Not a firing offense
Most people don't know company security policies
Even if they did – either too detailed and technical or too abstract

33 Invest in Cyber Security Boom?
HACK ETF – exchange-traded fund
Various "cyber" companies
