Isaca houston presentation 12 4 12

Risk Centric Security, Inc.
www.riskcentricsecurity.com
Authorized reseller of ModelRisk from Vose Software

Risk Centric Security, Inc. Confidential and Proprietary . Risk Analysis for the 21st Century®
Copyright © 2012 Risk Centric Security, Inc . All rights reserved.

Risk Centric Security offers state of the art SaaS tools and
training that empower Information Security Professionals to
perform credible, defensible, and reproducible risk and
decision analyses, and to articulate the results and relevance
of these analyses in language that business counterparts will
understand.

Risk Centric Security was founded by two Information
Technology and Information Security veterans who have
almost fifty years of combined experience providing solutions
to complex problems for smaller companies as well as for
companies in the Fortune 1000.

Risk Centric Security, Inc. Confidential and Proprietary .

Deconstructing the cost of a data breach:

Data breaches can involve many types of data.
Data breaches can involve many types of costs.
The costs of a data breach can range from zero to more
than $170 million.
There may be patterns and correlations in the data that
will help us predict the impact of a data breach.

Q&A


Operational Data
Intellectual Property
Financial Information
Personally Identifiable Information (PII)
Protected Health Information (PHI)


Personally Identifiable Information (PII):
According to the OMB, it is not always the case that PII is
"sensitive", and context may be taken into account in deciding
whether certain PII is or is not sensitive.
Geo-location data?
Was the Epsilon breach a “breach”?
Have there been other “non-breach” breaches?
Given the powerful correlations that can be made, are these
definitions too narrow?


Costs that we should be able to discover and/or estimate:
Lost productivity
Incident response and forensics costs
Costs of replacing lost or damaged hardware, software, or
information
Public relations costs
Legal costs
Costs of sending letters to notify customers and business
partners
Costs of providing credit monitoring
Fines from governmental action (HIPAA/HITECH, FTC, State
Attorneys General, etc.)

Ponemon Institute 2011 Cost of Data Breach Study:
United States
49 Companies surveyed – multiple people per company.
Breach sizes ranged from 5K – 100K exposed records.
Participants estimated the minimum and maximum
amounts for a number of costs, from which the mid-point
value was selected.
According to some legal experts, Ponemon Institute
numbers are the “gold” standard in the Federal Courts.
The raw data are published in the report appendix.


In the 2011 report:
Overall weighted average per record = $194 (down from $214
in 2010)
Overall average total = $5.5 M (down from $7.2M in 2011)
Minimum total cost = $566 K
Median total cost = $4.5 M
Maximum total cost = $20.9 M


Ponemon Institute 2012 Cost of Cyber Crime Study:
United States
56 Organizations Companies surveyed, > 1,000 seats
Costs were due to cyber crime – no errors or accidental
exposures
4 week study period extrapolated to 52 weeks.
The 56 organizations in the study experienced 102 cyber
attacks per week; 1.8 attacks each per week.
Annualized costs per company ranged from $1.4M to
$46M, with the average = $8.9M and the median = $6.2M
Average attack took 24 days to resolve and cost $592K


Net Diligence 2012 Cyber Liability & Data Breach
Insurance Claims study
137 events between 2009 and 2011 – claims data were
provided by underwriters
Average cost per breach = $3.7 million
Payouts were net of deductibles/retentions, which ranged
from $50K to $1M
Report breaks out many types of costs: Crisis services,
Legal Defense, Legal Settlements
Cyber insurance does not reimburse for “soft” costs like
lost customers, brand damage, and lost stock value.


Measured on a per record basis, the cost per record
declines as the size of the breach increases

Measured on a total cost basis, the total cost increases
as the number of exposed records increases

Both of these correlations are weak


Normal Copula Correlation: Variable 1 = records, Variable 2 = Total Cost


Model breach cost by size of breach, using a scale that is
logarithmic (mostly):

<5K records
5K – 100K records
100K – 1M records
1M – 10M records
10M – 100M records
>100M records


We have covered many topics today. To summarize:

Breaches can involve many types of data:
To date, most reported breaches deal with PII, PHI, and
credit card data.
For many of these breaches, the number of records
exposed is not reported, often because the number is
unknown.
Intellectual property breaches are seldom reported,
possibly because they are so difficult to detect.


Breaches involve many types of costs:
In the largest credit card breaches, the majority of costs
are due to settlements with the card brands.
A PHI breach may result in fines that seem
disproportionate to the number of records exposed.
Per-record metrics are appropriate for some types of
breaches (PII, PHI, CCard), but not others (IP).
Brand damage and loss of stock value are difficult to
measure, and, in some cases, do not appear to exist.


The costs of a data breach can range from nothing to over
$170 million.
Breaches that are never detected cost nothing – nothing
that can be measured, at least.
Per the numbers from the 2011 Ponemon Institute Cost of
Breach study, there is a wide variation in total breach cost:
from $500K to over $20 million.
For breaches that expose more than 1 million records, the
reported costs per record vary greatly, ranging from as little
as $0.90 (HPS) per record to as much as $80 per record (GP).


There may be patterns in the data that can help us predict
the cost of a breach, should it happen to us:
The numbers of records exposed in reported breaches
appear to follow a lognormal distribution.
Although the correlations are not strong, total costs
increase and per-record costs decrease as the number of
exposed records increases.
As breach size increases, some costs appear to scale more
than others: forensics = less, notifications = more, credit
monitoring = more, fines & judgments = more, customer
loss = unknown


Operational Data:
Unpublished phone numbers
Private email addresses
HR data about employees
Passwords and login credentials
Certificates
Encryption keys
Tokenization data
Network and infrastructure data


Intellectual Property:
Company confidential information
Financial information
Merger, acquisition, divestiture, marketing, and other plans
Product designs, plans, formulas, recipes


Financial information:
Credit / debit card data
Bank account and transit routing data
Financial trading account data
ACH credentials and data


Personally Identifiable Information (PII):
A term similar to PII, "personal data" is defined in EU directive
95/46/EC, for the purposes of the directive:[4]

Article 2a: 'personal data' shall mean any information relating to
an identified or identifiable natural person ('data subject'); an
identifiable person is one who can be identified, directly or
indirectly, in particular by reference to an identification number
or to one or more factors specific to his physical, physiological,
mental, economic, cultural or social identity;
from wikipedia.com


PHI that is linked based on the following list of 18
identifiers must be treated with special care according to
HIPAA:
Names
All geographical subdivisions smaller than a State, including street address, city,
county, precinct, zip code, and their equivalent geocodes, except for the initial
three digits of a zip code, if according to the current publicly available data from
the Bureau of the Census: (1) The geographic unit formed by combining all zip
codes with the same three initial digits contains more than 20,000 people; and (2)
The initial three digits of a zip code for all such geographic units containing 20,000
or fewer people is changed to 000
Dates (other than year) for dates directly related to an individual, including birth
date, admission date, discharge date, date of death; and all ages over 89 and all
elements of dates (including year) indicative of such age, except that such ages
and elements may be aggregated into a single category of age 90 or older
Phone numbers


Protected Health Information (PHI):
Fax numbers
Electronic mail addresses
Social Security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Uniform Resource Locators (URLs)
Internet Protocol (IP) address numbers
Biometric identifiers, including finger, retinal and voice prints
Full face photographic images and any comparable images
Any other unique identifying number, characteristic, or code (note this does not mean
the unique code assigned by the investigator to code the data)


How to value?
Fair Market Value
Cost to Create
Historical Value

Methodologies:
Cost Approach: Reproduction or Replacement
Market Approach
Income Approach
Relief from Royalty Approach
Technology Factor


Thank you !
Heather Goodnight
President and Co-founder
214.405.5789
Risk Analysis for the 21st Century ®
Patrick Florer
CTO and Co-founder
Risk Centric Security, Inc
patrick@riskcentricsecurity.com

214.828.1172
Authorized reseller of ModelRisk from Vose Software

Risk Centric Security, Inc. Confidential and Proprietary.

Isaca houston presentation 12 4 12

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to Isaca houston presentation 12 4 12

Similar to Isaca houston presentation 12 4 12 (20)

Recently uploaded

Recently uploaded (20)

Isaca houston presentation 12 4 12