
ENABLING A COST/BENEFIT ANALYSIS OF IMPLEMENTING ENCRYPTION-AT-REST USING FAIR. Case study shared courtesy of RiskLens. CONFIDENTIAL - FAIR INSTITUTE 2016.



Presentation transcript:

1 ENABLING A COST/BENEFIT ANALYSIS OF IMPLEMENTING ENCRYPTION-AT-REST USING FAIR (title slide; case study shared courtesy of RiskLens)

2 ANALYSIS SCOPING
Risk scenario description: Understand how much less risk a system would have if data-at-rest encryption is implemented.
Asset(s) description: Sensitive customer/employee data (PII and potentially card data) stored on internal customer systems.
Loss type: Confidentiality.
Threat(s) description: Malicious insiders, external attackers (general and cyber criminals).

3 ANALYSIS SCOPING
Risk scenario description: Assessing risk reduction through comparison of scenarios.
Assessed how much risk a given system has with data stored unencrypted.
Assessed how much risk a given system has with data stored in an encrypted state.*
*Assumption: there is still a low probability that the encrypted data can be compromised, either by theft of the data in a decrypted state (application attack) or by compromise of the encryption keys. Both were considered within the analysis.

4 ANALYSIS SCOPING
Interpret results: look at the risk reduction from two perspectives:
1. Reduction in loss exposure (annualized risk)
2. Reduction in per-event magnitude

5 ANALYSIS RESULTS: ANNUALIZED REDUCTION IN LOSS EXPOSURE (RISK)
RISK = Frequency x Magnitude of future loss. We express risk in terms of loss exposure.

                 Average risk reduction                   Maximum risk reduction
# Records  Unencrypted   Encrypted      Change   Unencrypted   Encrypted      Change
10K            $63,000     $15,000     $48,000      $390,000     $17,000    $373,000
100K          $147,000     $17,000    $130,000      $768,000     $66,000    $702,000
500K          $278,000     $17,000    $261,000    $1,600,000     $66,000  $1,534,000
1M            $365,000     $19,000    $346,000    $1,700,000     $70,000  $1,630,000
10M         $3,000,000     $21,000  $2,979,000   $12,600,000     $85,000 $12,515,000

Max represents the more probable 90th percentile of simulation results.

6 ANALYSIS RESULTS
[Chart: Change in Average Loss Exposure, one bar group per record count: 10K, 100K, 500K, 1M and 10M records]

7 ANALYSIS LEVERAGED THE FAIR MODEL
Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss
    Secondary Loss
      Loss Event Frequency
      Loss Magnitude
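As an added example, not code from the case study or from RiskLens: a small Monte Carlo that follows the FAIR decomposition on slide 7 (Threat Event Frequency x Vulnerability gives Loss Event Frequency; each loss event carries a primary plus a secondary loss) and reports the average and 90th-percentile annual loss exposure that the table on slide 5 compares for the unencrypted and encrypted states. The input ranges, the triangular distribution standing in for PERT, and the Estimate/Scenario names are assumptions.

```python
import random
import statistics
from dataclasses import dataclass

@dataclass
class Estimate:
    """Min / most-likely / max calibrated estimate for one FAIR input."""
    low: float
    mode: float
    high: float
    def sample(self, rng: random.Random) -> float:
        # Triangular draw stands in for the PERT distribution FAIR tools use (assumption).
        return rng.triangular(self.low, self.high, self.mode)

@dataclass
class Scenario:
    """One FAIR scenario: TEF x Vulnerability gives LEF; LEF x Loss Magnitude gives risk."""
    tef: Estimate             # threat events per year
    vulnerability: Estimate   # probability a threat event becomes a loss event (0..1)
    primary_loss: Estimate    # $ per loss event: incident response, investigation
    secondary_loss: Estimate  # $ per loss event: notification, fines, litigation, churn

def simulate(scenario: Scenario, years: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo over simulated years; returns average and 90th-percentile annual loss."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        loss = 0.0
        for _ in range(round(scenario.tef.sample(rng))):
            # Each threat event becomes a loss event with probability = vulnerability.
            if rng.random() < scenario.vulnerability.sample(rng):
                loss += scenario.primary_loss.sample(rng) + scenario.secondary_loss.sample(rng)
        annual.append(loss)
    annual.sort()
    return {"average": statistics.fmean(annual), "p90": annual[int(0.9 * (years - 1))]}

def risk_reduction(before: Scenario, after: Scenario, years: int = 10_000) -> dict:
    """Average and 90th-percentile ('max') reduction in loss exposure from a control change."""
    b, a = simulate(before, years), simulate(after, years)
    return {"avg_reduction": b["average"] - a["average"],
            "max_reduction": b["p90"] - a["p90"]}

# Constructed inputs for one system; these are not the case study's figures.
UNENCRYPTED = Scenario(Estimate(2, 5, 12), Estimate(0.05, 0.15, 0.40),
                       Estimate(50_000, 150_000, 400_000), Estimate(20_000, 200_000, 1_500_000))
# Encryption at rest leaves only application attacks and key compromise as loss paths,
# so only the vulnerability estimate changes between the two scenarios.
ENCRYPTED = Scenario(Estimate(2, 5, 12), Estimate(0.001, 0.01, 0.05),
                     Estimate(50_000, 150_000, 400_000), Estimate(20_000, 200_000, 1_500_000))
```

Calling risk_reduction(UNENCRYPTED, ENCRYPTED) yields the two numbers the slide 5 table reports per row; rerun it per record-count tier with that tier's loss estimates to reproduce the table's shape.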

8 THE FAIR MODEL
[Same FAIR model diagram as slide 7]

9 ANALYSIS CONSIDERATIONS
Timely completion of all analyses within two weeks.
Forecasted risk reduction based on current and future state exposure.
Enables business-driven cost/benefit analysis.
Authentication
Access Privileges
Patching / Structural Integrity

10 THE FAIR MODEL
[Same FAIR model diagram as slide 7]

11 ANALYSIS INPUT
Primary losses: Incident response; Investigation.
Secondary losses: Notification / credit monitoring; Regulatory notification; Possible fines / judgments; Customer service requests; Potential litigation; Loss of current/future customers (reputation); Card replacement.

12 DECISION SUPPORT / ROI
The CISO was able to understand: When does encryption at rest become important as a control? When does it become vital?
The CISO was able to do the following: Encryption projects for the next year are appropriately prioritized. Smaller systems previously listed within the project are now removed, as there is not a strong cost/benefit to implementing encryption.




