1. Achieving Durable Security: Being Honest About What You Can Really Do.
Thomas Whipp MSc MEng CISSP CPP CBCI
Head of Risk
Oval Ltd
2. Presentation Overview
Where are the risks?
Where are you starting from?
What are the real costs of your strategy?
Thinking differently about security
4. Your Information?
Printers
Mobile Phones
Excel
SQL
Emails
Memory Sticks
Scanned Images
5. Your Business
Capital vs. Revenue
Whose budget? Will it really be spent?
Value for money? Will it work?
Politics
Incident costs: Prevention, Detection, Response
Displacement
9. Rational Choice Theory
Evaluation of risk and return:
How much will I get?
How likely am I to be caught?
How large is the punishment?
Uses:
A good model for planned offences
Typically acquisitive in nature
Largely fails to explain expressive offences
10. Routine Activity Theory
Motivated offender
Lack of a capable guardian
Can be used to explain everyday type crimes
11. Situational Prevention
Ronald V. Clarke
Key Concerns:
Crime not criminality
Event driven
Near not distant cause
How not why
5 Main Mechanisms:
Increase the effort
Increase the risk
Reduce the rewards
Reduce provocations
Remove excuses
Examples:
12. Defensible Space
Oscar Newman
Key Points (key behaviour to encourage):
Territoriality
Natural surveillance
Image
Milieu
Thinking point: Is it worth allowing some personalisation at the desktop?
13. Displacement
A key criterion used to assess physical security initiatives
Putting in a control:
May not reduce offending
May simply move it elsewhere
14. Disinhibition
Key challenge for InfoSec
Strong sense of anonymity
Lack of a sense of consequence
Disassociation from the ‘real world’
Leads to significant changes in behaviour
Awareness, but also situational controls
17. Choosing a Strategy...
What are the options?
Process
Product
Service
Architecture
Any option can deliver an effective control if implemented properly
19. Choosing a Strategy...
Controls and their true costs
[Chart: percentage breakdown (0% to 100%) of Political, Effort, Revenue and Capital costs for each option: Process, Product, Service, Architecture]
20. Tom Whipp MSc MEng CISSP CPP CBCI
Head of Risk, Oval Ltd
Tel: 01924 433081
Mbl: 07500 796391
Email: tom.whipp@theovalgroup.com
Editor's notes
Thinking about offending. Thinking about control. Why do people behave differently online? Are we going in the wrong direction sometimes?
Evaluation of risk and return: How much will I get? How likely am I to be caught? How large is the punishment? Uses: a good model for planned offences; typically acquisitive in nature; largely fails to explain expressive offences.
A good model for "drive by" acts: suitable target, motivated offender, lack of a capable guardian. Can be used to explain everyday type crimes.
Key concerns: crime not criminality; event driven; near not distant cause; how not why. 5 main mechanisms: increase the effort; increase the risks; reduce the rewards; reduce provocations; remove excuses. Examples: CCTV; hashing of card data; logon notice stating audit log policy.