Return On Security Investment Taz Daughtrey Becky Neary James Madison University EDUCAUSE Security Professionals Workshop May 18, 2004 Copyright Taz Daughtrey.

Presentation transcript:

1 Return On Security Investment Taz Daughtrey Becky Neary James Madison University EDUCAUSE Security Professionals Workshop May 18, 2004 Copyright Taz Daughtrey 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Return On Security Investment. Taz Daughtrey, Associate Director; Becky Neary, Student Assistant. Institute for Infrastructure and Information Assurance, www.jmu.edu/iiia, James Madison University, Harrisonburg, Virginia

3 Return On Security Investment

4 Assets, Threats, Vulnerabilities, Countermeasures, Investments, Evaluation

5 Achieving Security Objectives. Confidentiality: preserving authorized restrictions on access and disclosure. Integrity: guarding against improper modification or destruction. Availability: ensuring timely and reliable access and use. (FIPS PUBLICATION 199, Standards for Security Categorization of Federal Information and Information Systems)

6 Not Achieving Security: Consequences. A loss of confidentiality is the unauthorized disclosure of information. A loss of integrity is the unauthorized modification or destruction of information. A loss of availability is the disruption of access to or use of information or an information system. (FIPS PUBLICATION 199, Standards for Security Categorization of Federal Information and Information Systems)

7 Return On Investment = Return / Investment

8 ROI = Benefit / Cost

9 Return On Security Investment: "How much to spend?" "Where to spend it?"

10 Risk Management. Risk Exposure = Probability of occurrence x Consequence of occurrence

11 Risk Management. Risk Avoidance: reducing the probability of occurrence. Risk Mitigation: reducing the consequence of occurrence.

12 Risk Avoidance. Risk Exposure = Probability of occurrence (the term avoidance reduces) x Consequence of occurrence

13 Before Risk Avoidance

14 After Risk Avoidance

15 Risk Mitigation. Risk Exposure = Probability of occurrence x Consequence of occurrence (the term mitigation reduces)

16 Before Risk Mitigation

17 After Risk Mitigation

18 Return On Investment = Return / Investment

19 ROSI = Reduction in Risk Exposure / Investment in Countermeasures
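The following is an added worked example of slides 10 through 19; it is not code from the original presentation. Risk exposure is probability x consequence, a risk-avoidance countermeasure scales the probability down, a risk-mitigation countermeasure scales the consequence down, and ROSI is the reduction in exposure divided by the investment. The breach scenario, the three candidate countermeasures, their costs and their effect factors are constructed figures chosen for illustration, not data from the slides. The budget-allocation routine goes beyond the slides: it answers "how much to spend" and "where to spend it" by buying countermeasures in ROSI order against the residual risk that remains after each purchase, stopping when the next one would return less than it costs.

```python
"""Worked ROSI calculation (added example; figures below are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One risk scenario.

    probability: expected occurrences per year
    consequence: loss per occurrence, in dollars
    """
    name: str
    probability: float
    consequence: float

    def exposure(self) -> float:
        # Risk Exposure = Probability of occurrence x Consequence of occurrence
        # (annualised, so countermeasure costs below must be annual costs too)
        return self.probability * self.consequence


@dataclass(frozen=True)
class Countermeasure:
    """A countermeasure, its annual cost, and the fraction of probability /
    consequence that remains once it is in place.

    probability_factor < 1.0 is risk avoidance (the slides' term for lowering
    the probability, e.g. a security review that removes exploitable defects);
    consequence_factor < 1.0 is risk mitigation (lowering the loss when an
    incident does occur, e.g. tested backups).
    """
    name: str
    cost: float
    probability_factor: float = 1.0
    consequence_factor: float = 1.0

    def apply(self, risk: Risk) -> Risk:
        return Risk(risk.name,
                    risk.probability * self.probability_factor,
                    risk.consequence * self.consequence_factor)


def rosi(risk: Risk, cm: Countermeasure) -> float:
    """ROSI = Reduction in Risk Exposure / Investment in Countermeasures."""
    if cm.cost <= 0:
        raise ValueError("countermeasure cost must be positive")
    reduction = risk.exposure() - cm.apply(risk).exposure()
    return reduction / cm.cost


def rank_by_rosi(risk: Risk, options: List[Countermeasure]) -> List[Tuple[str, float]]:
    """'Where to spend it': score every candidate against the same baseline."""
    scored = [(cm.name, rosi(risk, cm)) for cm in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def choose_within_budget(risk: Risk, options: List[Countermeasure], budget: float) -> Dict:
    """'How much to spend': greedily buy the affordable countermeasure with the
    highest ROSI, re-scoring the rest against the residual risk after each
    purchase (a mitigation already bought shrinks what a later avoidance
    measure can still save). Stop when the budget is exhausted or the best
    remaining option returns less than it costs (ROSI below 1.0).
    """
    remaining = list(options)
    chosen: List[str] = []
    spent = 0.0
    residual = risk
    while remaining:
        affordable = [cm for cm in remaining if spent + cm.cost <= budget]
        if not affordable:
            break
        best = max(affordable, key=lambda cm: rosi(residual, cm))
        if rosi(residual, best) < 1.0:
            break
        chosen.append(best.name)
        spent += best.cost
        residual = best.apply(residual)
        remaining.remove(best)
    return {"chosen": chosen, "spent": spent,
            "exposure_before": risk.exposure(),
            "exposure_after": residual.exposure()}


# Constructed sample figures (hypothetical, not taken from the slides):
# one breach scenario and three candidate countermeasures.
BREACH = Risk("web application breach", probability=0.5, consequence=1_000_000)
OPTIONS = [
    Countermeasure("security review", cost=100_000, probability_factor=0.4),   # avoidance
    Countermeasure("tested backups", cost=25_000, consequence_factor=0.5),     # mitigation
    Countermeasure("vendor appliance", cost=150_000, probability_factor=0.9),  # avoidance, weak
]

if __name__ == "__main__":
    print(f"baseline exposure: ${BREACH.exposure():,.0f}/yr")
    for name, score in rank_by_rosi(BREACH, OPTIONS):
        print(f"  {name:18s} ROSI = {score:.2f}")
    print(choose_within_budget(BREACH, OPTIONS, budget=130_000))
```

With these figures the backups rank first (ROSI 10), the review second (ROSI 3) and the appliance last (ROSI 1/3); with a $130,000 budget the greedy pass buys the backups and then the review, at which point the review's ROSI has already fallen to 1.5 because the backups halved the loss it protects against. Because the slides define ROSI as a plain ratio rather than a net figure, break-even is 1.0, not 0; a countermeasure with ROSI below 1.0 costs more than the exposure it removes.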

20 Cost of Security. Costs of achieving security: Prevention, Appraisal. Costs of not achieving security: Detection, Containment, Recovery, Remediation.

21 Pay me now, or pay me later. "A small security review up front might cost $100,000, while an emergency response to an incident after the fact could run $350,000 to $500,000."

22 to 25 Return on Security Investment (diagram built up over four slides): breaches are caused by an exploited vulnerability; the exploited vulnerabilities are a subset of the known vulnerabilities; most known vulnerabilities remain unexploited.

26 Return on Security Investment. According to one study, last year: known vulnerabilities = 2437, exploited = 50 (about 2%).

27 Return on Security Investment. According to another source: known vulnerabilities = 4200, exploited = 16 (less than half of 1%).

28 Return On Security Investment: "How much to spend?" "Where to spend it?"

29 Conclusion. We all face a real and growing threat to our critical infrastructures. The best defensive approaches combine attention to cyber and physical aspects. Significant achievements can be orchestrated through collaborations.

30 Return On Security Investment. Taz Daughtrey, James Madison University, 540 568 2778, daughtht@jmu.edu
