Deconstructing The Cost Of A Data Breach
An analysis of the many factors to be considered when talking about data breaches.
1. Risk Centric Security, Inc. (www.riskcentricsecurity.com). Authorized reseller of ModelRisk from Vose Software. Risk Analysis for the 21st Century®. Confidential and Proprietary. Copyright © 2012 Risk Centric Security, Inc. All rights reserved.
2. Patrick Florer has worked in information technology for 32 years. In addition, he worked a parallel track in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment. His roles have included IT operations, programming, and systems analysis. From 1986 until now, he has worked as an independent consultant, helping customers with strategic development, analytics, risk analysis, and decision analysis. He is a cofounder of Risk Centric Security and currently serves as Chief Technology Officer.
3. Questions this talk addresses:
• What is a breach?
• What are data?
• What kinds of costs are we talking about?
• Whose costs are we talking about?
• How do we estimate costs and impact?
4. breach
  1. a. An opening, a tear, or a rupture. b. A gap or rift, especially in or as if in a solid structure such as a dike or fortification.
  2. A violation or infraction, as of a law, a legal obligation, or a promise.
  3. A breaking up or disruption of friendly relations; an estrangement.
  4. A leap of a whale from the water.
  5. The breaking of waves or surf.
The American Heritage® Dictionary of the English Language, Fourth Edition, copyright © 2000 by Houghton Mifflin Company. Updated in 2009. Published by Houghton Mifflin Company. All rights reserved.
5. breach
  1. a crack, break, or rupture
  2. a breaking, infringement, or violation of a promise, obligation, etc.
  3. any severance or separation
  4. (Military) a gap in an enemy's fortifications or line of defense created by bombardment or attack
  5. (Life Sciences & Allied Applications / Zoology) the act of a whale in breaking clear of the water
  6. (Earth Sciences / Physical Geography) the breaking of sea waves on a shore or rock
  7. (Medicine / Pathology) an obsolete word for wound
Collins English Dictionary – Complete and Unabridged © HarperCollins Publishers 1991, 1994, 1998, 2000, 2003.
6. breach
  1. the act or a result of breaking; break or rupture.
  2. an infraction or violation, as of a law, trust, faith, or promise.
  3. a gap made in a wall, fortification, line of soldiers, etc.; rift; fissure.
  4. a severance of friendly relations.
  5. the leap of a whale above the surface of the water.
www.dictionary.com
7. Data Breach: A data breach is an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual not authorized to do so. Data breaches may involve protected health information (PHI), personally identifiable information (PII), trade secrets, or intellectual property. The law is evolving; in U.S. criminal law the underlying offense is unauthorized access to or use of a computer system, and many prosecutions take place under provisions of the Computer Fraud and Abuse Act (CFAA).
8. Data Breach: Is the concept of a breach too narrow to describe many types of events? Do we need different words and concepts?
• A single event at a single point in time?
• What about an attack that exfiltrates data over a long period of time?
9. Kinds of data:
• Operational Data
• Intellectual Property
• Financial Information
• Personal Information
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
10. Operational Data:
• Unpublished phone numbers
• Private email addresses
• Passwords and login credentials
• Certificates
• Encryption keys
• Tokenization data
• Network and infrastructure data
11. Intellectual Property:
• Company confidential information
• Financial information
• Merger, acquisition, divestiture, marketing, and other plans
• Product designs, plans, formulas, recipes
• HR data about employees
12. Financial Information:
• Credit / debit card data
• Bank account and transit routing data
• Financial trading account data
• ACH credentials and data
13. Personal Information: data that identify a person but that are not considered protected:
• Name
• Address
• Phone number
• Email address
• Facebook name
• Twitter handle
14. Personally Identifiable Information (PII): The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows:
• Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
Source: Wikipedia
15. Personally Identifiable Information (PII): A term similar to PII, "personal data", is defined in EU Directive 95/46/EC, for the purposes of the directive, in Article 2(a): 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Source: Wikipedia
16. Personally Identifiable Information (PII): According to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive. Was the Epsilon breach a "breach"? Have there been other "non-breach" breaches? Given the powerful correlations that can be made, are these definitions too narrow?
17. Protected Health Information (PHI): Protected health information (PHI), under the US Health Insurance Portability and Accountability Act (HIPAA), is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.
18. Protected Health Information (PHI): HIPAA's Safe Harbor de-identification method (45 CFR 164.514(b)(2)) lists the following 18 identifiers. Health information linked to any of them is PHI and must be treated with special care; to de-identify a data set under Safe Harbor, all 18 must be removed:
• Names
• All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
• Dates (other than year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
• Phone numbers
19. Protected Health Information (PHI), continued:
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Uniform Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger, retinal and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
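Most of the 18 identifiers are simply deleted, but three of the rules above (the three-digit ZIP prefix with its "000" exception, year-only dates, and the aggregation of ages over 89) have logic worth seeing written down. The following is an added example, not code from the presentation: the field names and the set of low-population ZIP prefixes are constructed for illustration, and a real implementation must take those prefixes from current Census Bureau data as the rule requires.

```python
"""HIPAA Safe Harbor handling of the ZIP code, date and age identifiers
(45 CFR 164.514(b)(2)).

Added example, not from the presentation. Field names and the set of
low-population ZIP prefixes are constructed for illustration only.
"""
from datetime import date

# Identifiers that Safe Harbor removes outright (constructed field names
# standing in for whatever a real schema calls them).
DROP_FIELDS = {
    "name", "street_address", "city", "county", "precinct",
    "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
    "other_unique_code",
}
# Dates directly related to the individual: reduced to the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed placeholder for the 3-digit ZIP prefixes whose combined
# population is 20,000 or fewer; the rule says these become "000".
LOW_POPULATION_PREFIXES = {"036", "059", "102"}


def deidentify_zip(zip_code: str, low_pop=LOW_POPULATION_PREFIXES) -> str:
    """Keep the initial three digits unless the area is low-population."""
    prefix = zip_code.strip()[:3]
    if len(prefix) != 3 or not prefix.isdigit():
        raise ValueError(f"not a usable ZIP code: {zip_code!r}")
    return "000" if prefix in low_pop else prefix


def age_on(birth: date, as_of: date) -> int:
    """Whole years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify_record(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor view of `record` as of the given date."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                      # removed entirely
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = value.year  # year only
        else:
            out[key] = value              # clinical data stays
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of)
        if age > 89:
            # Ages over 89 collapse into one category, and a birth year
            # would itself indicate such an age, so it is dropped too.
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = str(age)
    return out


if __name__ == "__main__":
    # Constructed sample record.
    sample = {
        "name": "Jane Doe", "zip": "02134",
        "birth_date": date(1980, 11, 20), "admission_date": date(2012, 3, 1),
        "diagnosis": "pneumonia",
    }
    print(deidentify_record(sample, as_of=date(2012, 3, 15)))
```

Removing the 18 identifiers is only the first half of Safe Harbor; the rule also requires that the covered entity has no actual knowledge that the remaining information could identify the individual, which no function can check for you.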
20. Two groups of costs: costs that we should be able to discover and/or estimate, and costs that might be difficult to discover and/or estimate.
21. Costs that we should be able to discover and/or estimate:
• Lost productivity
• Incident response and forensics costs
• Costs of replacing lost or damaged hardware, software, or information
• Public relations costs
• Legal costs
• Costs of sending letters to notify customers and business partners
• Costs of providing credit monitoring
• Fines from governmental action (HIPAA/HITECH, FTC, State Attorneys General, etc.)
22. Costs that we should be able to discover and/or estimate, continued:
• Fines and indemnifications imposed by contracts with business partners
• Contractual fines and penalties resulting from PCI DSS related incidents, either data loss or compliance failure
• Judgments and legal settlements with customers, business partners, and shareholders
• Additional compliance and audit costs related to legal settlements (20 years of additional reporting, for example)
23. Costs that might be difficult to discover and/or estimate:
• Loss of competitive advantage
• Loss of shareholder value
• Reputation loss
• Opportunity and sales losses from customers and business partners who went elsewhere
• Value of intellectual property
24. Whose costs?
• Breached entity?
• Shareholders?
• Citizens / the public at large?
• Card brands?
• Issuing banks?
• Customers?
• Business partners?
• Consumers?
• Taxpayers (law enforcement costs)?
25. Cost structure:
• Fixed / overall costs, incurred once regardless of how many records are involved
• Per-record costs, which may be direct/primary or indirect/secondary
• Variable costs that scale with the magnitude of the breach
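The split into fixed costs and costs that scale with the number of records is what turns the cost categories on the preceding slides into something you can actually compute. Below is an added example, not code from the presentation or from Risk Centric Security: each cost item carries a low / most-likely / high estimate and is pushed through a Monte Carlo simulation, the same style of analysis the spreadsheet risk tools mentioned on the title slide perform. All dollar figures are constructed placeholders, and the function and field names are this example's own. It also shows something the slide only implies: fixed costs dominate a small breach while per-record costs dominate a large one, so a single industry-wide "cost per record" figure fits neither.

```python
"""Breach cost model for the fixed / per-record split described above.

Added example, not code from the presentation or from Risk Centric
Security. Every dollar figure below is a constructed placeholder that a
real analysis would replace with the organization's own estimates.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Low / most-likely / high estimate for one cost item (USD)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode)
        return rng.triangular(self.low, self.high, self.mode)


# Fixed / overall costs: paid once, whatever the size of the breach.
FIXED_COSTS = {
    "incident_response_and_forensics": Estimate(50_000, 150_000, 400_000),
    "legal": Estimate(25_000, 100_000, 500_000),
    "public_relations": Estimate(10_000, 40_000, 120_000),
    "regulatory_fines": Estimate(0, 50_000, 1_000_000),
}
# Per-record direct costs: scale with the number of records exposed.
PER_RECORD_DIRECT = {
    "notification_letters": Estimate(0.50, 1.50, 3.00),
    "credit_monitoring": Estimate(2.00, 8.00, 15.00),
}
# Per-record indirect costs: lost customers, also scaling with size but
# far more uncertain (hence the wide range).
PER_RECORD_INDIRECT = {
    "customer_churn": Estimate(0.00, 5.00, 40.00),
}


def _modes(items: dict) -> float:
    return sum(e.mode for e in items.values())


def point_estimate(n_records: int) -> float:
    """Most-likely total: fixed costs plus per-record costs times size."""
    per_record = _modes(PER_RECORD_DIRECT) + _modes(PER_RECORD_INDIRECT)
    return _modes(FIXED_COSTS) + per_record * n_records


def variable_share(n_records: int) -> float:
    """Fraction of the most-likely total that scales with breach size."""
    per_record = _modes(PER_RECORD_DIRECT) + _modes(PER_RECORD_INDIRECT)
    return per_record * n_records / point_estimate(n_records)


def one_trial(n_records: int, rng: random.Random) -> float:
    """One sampled total cost."""
    fixed = sum(e.sample(rng) for e in FIXED_COSTS.values())
    direct = sum(e.sample(rng) for e in PER_RECORD_DIRECT.values())
    indirect = sum(e.sample(rng) for e in PER_RECORD_INDIRECT.values())
    return fixed + (direct + indirect) * n_records


def simulate(n_records: int, trials: int = 10_000, seed: int = 1) -> dict:
    """Monte Carlo cost distribution; returns summary percentiles."""
    rng = random.Random(seed)
    samples = sorted(one_trial(n_records, rng) for _ in range(trials))

    def pct(p: float) -> float:
        return samples[min(len(samples) - 1, int(p * len(samples)))]

    return {
        "min": samples[0],
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "max": samples[-1],
        "mean": statistics.fmean(samples),
    }


if __name__ == "__main__":
    for n in (1_000, 100_000, 10_000_000):
        s = simulate(n)
        print(f"{n:>10,} records: most likely ${point_estimate(n):,.0f}, "
              f"p10 ${s['p10']:,.0f}, p50 ${s['p50']:,.0f}, "
              f"p90 ${s['p90']:,.0f}, variable share {variable_share(n):.0%}")
```

The percentiles, not the point estimate, are the number to put in front of decision makers: the indirect per-record range is wide enough that the p90 of a large breach sits several times above its most-likely value.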
26. How to value?
• Fair Market Value
• Fair Value
• Historical Value
Methodologies:
• Cost Approach
• Market Approach
• Income Approach
• Relief from Royalty Approach
• Technology Factor
27. How do we know about data breaches?
• Victim notifications
• News media
• Securities and Exchange Commission (SEC) filings
• Department of Justice (DOJ) indictments
• HIPAA/HITECH Office for Civil Rights (OCR) actions
• FTC actions
• Press releases
Disclosure laws:
• HIPAA/HITECH
• State breach laws
• New SEC guidance regarding "material" impact
28. Research projects:
• Datalossdb.org (www.datalossdb.org)
• Identity Theft Resource Center (www.idtheftcenter.org)
• Office of Inadequate Security (www.databreaches.net)
Published reports:
• Cisco
• Mandiant
• Ponemon Institute
• Sophos
• Symantec
• Verizon Business DBIR
• X-Force (IBM)
29. Non-public sources:
• Forensics investigators
• Card brands
• Payment processors
• Subscription services
• Data sharing consortia, such as Information Sharing and Analysis Centers (ISACs)
• Government intelligence agencies
• Word of mouth and anecdotal evidence
30. Thank you! Patrick Florer, CTO and Co-founder, Risk Centric Security, Inc. patrick@riskcentricsecurity.com, 214.828.1172. Authorized reseller of ModelRisk from Vose Software. To provide feedback on this presentation: https://www.surveymonkey.com/sourceboston12. Risk Analysis for the 21st Century®