2. EU Information Security Market
For the EU:
15.5 billion EUR InfoSec market size
20.8 million companies
216.4 million workers
Sources:
The European Network and Information Security Market Scenario, Trends and Challenges. DG Information Society & Media.
Annual Report on EU Small and Medium sized Enterprises 2010/2011. DG Enterprise.
European Union Labour Force Survey – Annual Results 2010. Eurostat.
Information Security Protection. 2
3. Which means -
Spent on Information Security in Europe:
~750 EUR per company per year
~70 EUR per worker per year
Is this too little or too much?
How would we know?
4. Why Spend Money on Information Security?
- Compliance
Legal requirement
Data Protection Directive (95/46/EC)
e-Privacy Directive (2002/58/EC)
Data Retention Directive (2006/24/EC)
Industry requirement
Payment Card Industry – Data Security Standard
Customer requirement
ISO 27002
5. Why Spend Money on Information Security?
- Threat Protection
             Accidental            Malicious
Outsider     –                     Malware
                                   Denial of Service Attacks
                                   Hacking
Insider      Receiving data        Stealing data
             Corrupting data       Destroying data
             Deleting data         Altering data
             Transmitting data
             Losing devices
Think CIA – Confidentiality, Integrity, Availability of systems and data.
6. Risk Analysis
Threat source  –conducts–>  Threat action  –exploits–>  Vulnerability  –causes–>  Impact
Hacking collective  |  Hacks        |  Unpatched server         |  Defaces website
Employee            |  Emails data  |  No address verification  |  Breach of data
Source: Risk Management Guide for Information Technology Systems. NIST SP 800-30
7. Role of Information Security
Threat source – Educate / deter
Threat action – Detect / neutralise
Vulnerability – Remove / mitigate
Impact – Reduce
8. Information Security Benefit
For each link in the chain (threat source, threat action, vulnerability, impact), ask:
How much does protection cost?
How effective is it at neutralising the threat?
How likely is the threat to occur?
Impact – what is the monetary loss due to the harm?
9. What is malware?
Viruses – self replicating code.
Worms – replicates over network by exploiting vulnerabilities.
Trojan – malicious code that does not replicate (may appear non-malicious)
Rootkit – executable code hidden from the operating system
Spyware –
FakeAV –
Malware – code that is detrimental to the interests of the person running it.
10. So What?
11. Will You Get Infected?
[Pie chart: how likely consumers think it is that they will be infected by a virus – Not at All Likely, Not Very Likely, Neutral, Very Likely, Extremely Likely; the remaining segments are 37%, 12% and 8%]
14% believe they will never be infected by a virus.
29% believe it is very unlikely that they will be infected.
Source : “A Look at Consumers' Awareness of Email Security and Practices”, July 2009, pub. MAAWG
http://www.maawg.org/about/publishedDocuments/2009_MAAWG-Consumer_Survey-Part2.pdf
12. I Got a Virus!
Teenage daughter downloaded virus to my home computer.
2 days of my free time to remove it. ~ 8 hours.
1 week internet ban for daughter.
Implications for business:
Time to restore computer.
~2 hours => £ 100
Further consequences?
13. Spamming
IP black listing – you can’t send legitimate mail.
Spam content – law firm sending out porn.
Consequent loss to reputation.
Financial loss?
14. Spamming
How much did this cost the reputation of the individual involved?
Source: http://news.bbc.co.uk/1/hi/7908498.stm
15. How Much Might it Cost?
Ponemon Cost of a Data Breach Survey.
UK - $3.1 million total cost average per breach.
US - $7.2 million total cost average per breach.
Information Breaches Survey.
Large companies averaged 45 incidents / yr,
Small companies 14 incidents / yr.
Cost of worst incident:
Small companies £27 500 - £55 000
Large companies £280 000 - £690 000
Sources: “2010 Annual Study: Global Cost of a Data Breach”, Ponemon Institute, http://www.symantec.com/content/en/us/about/media/pdfs/symantec_cost_of_data_breach_global_2010.pdf
“Information Security Breaches Survey 2010”, Infosecurity Europe, http://www.infosec.co.uk/files/isbs_2010_technical_report_single_pages.pdf
16. Cost Framework
Incident Cost Analysis and Modeling Project II (I-CAMP II).
Time spent cleaning up incident, restoring systems.
Lost productivity due to down time.
US Code § 1030, Fraud and related activity in connection with computers:
“the term ‘loss’ means any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service”
17. Costs Example
City Council - Conficker
Large incident, local government.
£600 000 IT consultancy costs.
£600 000 other direct IT costs.
£178 000 staff overtime costs.
£43 000 in cancelled traffic fines.
£169 000 to clear backlog of benefit claims and unpaid tax.
Total ~ £1.5 Million
Sources: “Bus lane fines axed over bug”, 2009, Manchester Evening News, http://www.manchestereveningnews.co.uk/news/s/1121846_bus_lane_fines_axed_over_bug
“Manchester City Council Report for Resolution”, 2009, http://www.manchester.gov.uk/egov_downloads/Item_11.pdf
18. Expanded Framework
Items to consider:
Repair cost
Lost productivity
Revenue loss
Cost of data loss
Cost of confidentiality breach
Cost of reputation
Source: “Damages From Internet Security Incidents. A framework and toolkit for assessing the economic costs of security breaches”, Feb 2009, pub. Delft University of Technology, http://www.opta.nl/nl/download/publicatie/?id=3083
19. Data Loss Costs
How much did this cost?
How would we calculate it?
How much would prevention have cost?
Source: http://www.bbc.co.uk/news/technology-13256817
20. Market Costs
1% - 2% loss of market capitalisation following data breaches.
Payment System Breach
Drop in market cap $572.27 million
Other costs $140 million
Source: “Estimating the market impact of security breach announcements on firm values”, Goel, S., Shawky, H.A., Information & Management v.46 p.404 (2009), http://dx.doi.org/10.1016/j.im.2009.06.005
21. Monetary Penalties
How could this have been prevented?
How much would prevention have cost?
Source: Information Commissioner’s Office, News Release 28/11/2011, http://www.ico.gov.uk/news/latest_news/2011/monetary-penalties-served-to-councils-for-serious-email-errors-28112011.aspx
22. What It Means For You?
23. Model Your Exposure
Minor incidents: ~£100 – check logs – many times per day.
Major incidents: cost depends on your business – once / year.
Severe incidents: compromised data / financial systems – high cost – less than once / year.
24. Justification – Annual Loss Expectancy.
Risk X  –leads to–>  Consequence Y  –associated with–>  Cost Z
We expect this n times per year.
Annual loss expectancy = n x Z
Mitigation costs a per year and will reduce the probability of Y by b.
25. Council Example
Cost = £80 000 fine + ~£80 000 other costs = £160 000
DLP = £10 000: if an email marked ‘confidential’ is sent to an external address, route it to an admin for review.
95% success rate.
26. Council Example
Saving = (0.95 x 160 000) – 10 000 = £142 000
Expectancy of risk is 1 in 5 years
ALE = (0.95 x 160 000) / 5 = £30 400
We can spend £30 000 per year on this problem and still save money!
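The ALE arithmetic of the exposure model and the council example worked through as a small Python model. This is an added example, not code from the original deck; the council figures are the slides' own, while the frequencies and costs for the minor/major/severe tiers are constructed assumptions where the slides give none.

```python
"""Annual Loss Expectancy (ALE) model for the council DLP example.
Added example, not part of the original slides; values marked
'constructed' below are assumptions, not figures from the deck."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    cost: float       # Z: cost of one occurrence of the consequence
    per_year: float   # n: expected occurrences per year (1/5 = once in five years)

def ale(risk: Risk) -> float:
    """Annual loss expectancy = n x Z."""
    return risk.per_year * risk.cost

def ale_reduction(risk: Risk, effectiveness: float) -> float:
    """Annual loss avoided by a control stopping a fraction b of occurrences.
    This is the break-even budget: the most the control may cost per year."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness b must be a probability in [0, 1]")
    return effectiveness * ale(risk)

def net_annual_benefit(risk: Risk, effectiveness: float, control_cost: float) -> float:
    """b x n x Z - a: positive means the control pays for itself every year."""
    return ale_reduction(risk, effectiveness) - control_cost

def per_incident_saving(risk: Risk, effectiveness: float, control_cost: float) -> float:
    """Saving on a single occurrence, b x Z - a (the 142 000 figure on the slide)."""
    return effectiveness * risk.cost - control_cost

def portfolio_ale(risks) -> float:
    """Total expected annual loss across all modelled incident tiers."""
    return sum(ale(r) for r in risks)

# Council example from the slides: £80 000 fine + ~£80 000 other costs, one event per five years.
COUNCIL = Risk("confidential email sent to external address", cost=160_000, per_year=1 / 5)
DLP_EFFECTIVENESS, DLP_COST = 0.95, 10_000   # 95% success rate, £10 000 per year

# Exposure tiers from the slides; frequencies and costs are constructed where the deck gives none.
EXPOSURE = [
    Risk("minor: check logs", cost=100, per_year=10 * 365),                        # constructed: 10/day
    Risk("major: business-dependent", cost=50_000, per_year=1),                     # constructed cost
    Risk("severe: compromised financial systems", cost=500_000, per_year=1 / 10),  # constructed
]

if __name__ == "__main__":
    print(f"ALE without control:        £{ale(COUNCIL):,.0f}")
    print(f"Break-even control budget:  £{ale_reduction(COUNCIL, DLP_EFFECTIVENESS):,.0f}")
    print(f"Net annual benefit of DLP:  £{net_annual_benefit(COUNCIL, DLP_EFFECTIVENESS, DLP_COST):,.0f}")
    print(f"Total ALE over all tiers:   £{portfolio_ale(EXPOSURE):,.0f}")
```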
29. Know Your Assets, Know Attack Vectors
30. Layers of Protection Provide Maximum Detection
31. Conclusion
Know what it is that you are protecting.
Know the types and frequency of attacks.
Model your exposure.
Choose & justify appropriate protection.
Sources: “The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers”, Cavusoglu, H., Mishra, B.K., and Raghunathan, S., International Journal of Electronic Commerce, v.8 p.4 (2004), http://portal.acm.org/citation.cfm?id=1278168.1278173&coll=GUIDE&dl=GUIDE
“Estimating the market impact of security breach announcements on firm values”, Goel, S., Shawky, H.A., Information & Management v.46 p.404 (2009), http://dx.doi.org/10.1016/j.im.2009.06.005