Published by Tracey Goodman. Modified over 9 years ago.
1
Return On Security Investment
Taz Daughtrey, Becky Neary
James Madison University
EDUCAUSE Security Professionals Workshop, May 18, 2004
Copyright Taz Daughtrey 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
2
Return On Security Investment
Taz Daughtrey, Associate Director
Becky Neary, Student Assistant
Institute for Infrastructure and Information Assurance, www.jmu.edu/iiia
James Madison University, Harrisonburg, Virginia
3
Return On Security Investment
4
ASSETS, THREATS, VULNERABILITIES, COUNTERMEASURES, INVESTMENTS, EVALUATION
5
Achieving Security Objectives
CONFIDENTIALITY: Preserving authorized restrictions on access and disclosure.
INTEGRITY: Guarding against improper modification or destruction.
AVAILABILITY: Ensuring timely and reliable access and use.
Source: FIPS PUBLICATION 199, Standards for Security Categorization of Federal Information and Information Systems
6
Not Achieving Security: Consequences
A loss of confidentiality is the unauthorized disclosure of information.
A loss of integrity is the unauthorized modification or destruction of information.
A loss of availability is the disruption of access to or use of information or an information system.
Source: FIPS PUBLICATION 199, Standards for Security Categorization of Federal Information and Information Systems
7
Return On Investment = Return / Investment
8
ROI = Benefit / Cost
9
Return On Security Investment
“How much to spend?”
“Where to spend it?”
10
Risk Management
Risk Exposure = Probability of occurrence X Consequence of occurrence
11
Risk Management
Risk Avoidance: reducing probability of occurrence
Risk Mitigation: reducing consequence of occurrence
12
Risk Avoidance
Risk Exposure = Probability of occurrence X Consequence of occurrence
13
Before Risk Avoidance
14
After Risk Avoidance
15
Risk Mitigation
Risk Exposure = Probability of occurrence X Consequence of occurrence
16
Before Risk Mitigation
17
After Risk Mitigation
18
Return On Investment = Return / Investment
19
ROSI = Reduction in Risk Exposure / Investment in Countermeasures
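The ROSI ratio above can be used to answer "How much to spend?" and "Where to spend it?" across several risks at once. The following is an added example, not part of the original presentation: all figures are constructed, and the greedy ordering and the `min_rosi` cut-off are assumptions of this sketch. It re-scores each countermeasure against risks that have already been reduced, which shows how a second countermeasure on the same risk returns less than it would alone.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # probability of occurrence per year
    consequence: float  # consequence of occurrence, in dollars

    @property
    def exposure(self) -> float:
        return self.probability * self.consequence  # Risk Exposure formula

@dataclass(frozen=True)
class Countermeasure:
    name: str
    risk: str              # name of the risk it addresses
    cost: float            # investment in the countermeasure
    p_factor: float = 1.0  # risk avoidance: scales probability
    c_factor: float = 1.0  # risk mitigation: scales consequence

def rosi(risk, cm):
    """Reduction in risk exposure divided by investment in the countermeasure."""
    after = risk.probability * cm.p_factor * risk.consequence * cm.c_factor
    return (risk.exposure - after) / cm.cost

def allocate(risks, countermeasures, budget, min_rosi=1.0):
    """Greedily fund the best ROSI, re-scoring against already-reduced risks."""
    state = {r.name: r for r in risks}
    pending, funded = list(countermeasures), []
    while True:
        affordable = [c for c in pending if c.cost <= budget]
        if not affordable:
            break
        best = max(affordable, key=lambda c: rosi(state[c.risk], c))
        score = rosi(state[best.risk], best)
        if score < min_rosi:  # would cost more than the exposure it removes
            break
        r = state[best.risk]
        state[best.risk] = replace(r, probability=r.probability * best.p_factor,
                                   consequence=r.consequence * best.c_factor)
        funded.append((best.name, round(score, 2)))
        pending.remove(best)
        budget -= best.cost
    return funded, budget

# Constructed sample figures, not taken from the presentation.
RISKS = [Risk("web defacement", 0.5, 200_000), Risk("server outage", 0.1, 1_000_000),
         Risk("laptop theft", 0.2, 50_000)]
COUNTERMEASURES = [
    Countermeasure("patch management", "web defacement", 20_000, p_factor=0.2),
    Countermeasure("incident response plan", "web defacement", 10_000, c_factor=0.5),
    Countermeasure("offsite backups", "server outage", 25_000, c_factor=0.4),
    Countermeasure("disk encryption", "laptop theft", 15_000, c_factor=0.1)]
```

With a budget of 60,000, patch management is funded last at a ROSI of 2.0 rather than its stand-alone 4.0, because the incident response plan has already halved the consequence it acts on.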
20
COST OF SECURITY
Costs of achieving security
Costs of not achieving security
Prevention, Appraisal, Detection, Containment, Recovery, Remediation
21
Pay me now, or pay me later
"A small security review up front might cost $100,000, while an emergency response to an incident after the fact could run $350,000 to $500,000."
22
Return on Security Investment breaches
23
Return on Security Investment exploited vulnerability
24
Return on Security Investment known vulnerabilities exploited
25
Return on Security Investment known vulnerabilities unexploited exploited
26
Return on Security Investment
According to one study, last year …
known vulnerabilities = 2437
exploited = 50 (2%)
27
Return on Security Investment
According to another source …
known vulnerabilities = 4200
exploited = 16 (less than half of 1%)
28
Return On Security Investment
“How much to spend?”
“Where to spend it?”
29
Conclusion
We all face a real and growing threat to our critical infrastructures
Best defensive approaches combine attention to cyber and physical aspects
Significant achievements can be orchestrated through collaborations
30
Return On Security Investment Taz Daughtrey James Madison University 540 568 2778 daughtht@jmu.edu