1 / 33

Security Policy and Financial Costs

Security Policy and Financial Costs. (original slides from Josh Kaplan, Stephanie Losi, and Eric Chang). How NOT to sell…. “IT relies on, more than anything, fear, uncertainty, and doubt to sell security—in other words, FUD. The thinking is, if you scare them, they will spend.”

ernestof
Download Presentation

Security Policy and Financial Costs

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Security Policy and Financial Costs (original slides from Josh Kaplan, Stephanie Losi, and Eric Chang)

  2. How NOT to sell… • “IT relies on, more than anything, fear, uncertainty, and doubt to sell security—in other words, FUD. The thinking is, if you scare them, they will spend.” - Scott Berinato, CIO Magazine

  3. The PGP/Ponemon Survey • Summarizing the actual costs incurred by 14 organizations that lost confidential customer information and had regulatory requirement to publicly notify affected individuals.

  4. Participating Organizations

  5. How Do Customers React?

  6. Customer Turnover

  7. How Much Does This Really Cost?

  8. This Study Was Long Overdue • Why has it been so hard to quantify the cost of security breaches? • No real efforts have been made to deal with these issues until several years ago. • The PGP/Ponemon survey provides a strong benchmark for actual quantification. • Can an organization use these findings to address such cost implications?

  9. A Proposed Methodology

  10. Example: Regulatory Compliance

  11. Decide What You Are Going to Do In terms of costs, you must determine: • What are you going to measure? • Staffing and technology costs? • Projected costs of an incident? • Probabilities of an incident? • Effects on customers and suppliers? • Etc. • How are you going to measure it? • There will be a lot of acronyms here! • DON’T PANIC

  12. What Are You Going to Measure? • Lost productivity • Loss of revenue during outages • Loss of data (temporary or permanent) • Compromise of data (disclosure or modification) • Repair costs • Loss of reputation Source: CMU, Infosec World 2003

  13. Also, Think About This… Are you going to measure indirect losses • To your customers and suppliers? • To your shareholders? • To your reputation? These are real losses!

  14. Let Me Measure It, Already! One of the simplest ways to calculate ROI is called “payback” To calculate payback: • Add up the costs of an investment in security (hardware, software, salaries, training, upgrades, etc.) over several years • Calculate the benefits of the investment over that same time period. For security, this calculation will be based on losses that do NOT occur.

  15. Payback Example The security manager at XYZ Corp., which employs 50 people, wants to implement a company-wide, 2-day-per-year security training program for all employees for the next 3 years. He decides to use the payback method to justify his investment to the CEO.

  16. Payback Example

  17. The Importance of Expected Value Expected value can be used to calculate the benefits of a security investment. EV = (probability of X) * (cost of X) In security terms, since we are dealing with probabilities of loss, this can also be viewed as the annualized loss expectancy (ALE) Source: CMU, Infosec World 2003

  18. Here’s a Concrete Example • The chance of a breach due to password cracking was 90% per year before the training program. The cost of such a breach averaged $150,000. Therefore, the expected cost per year was: (.90) * ($150,000) = $135,000 • The training program is expected to reduce the chance of a breach due to password cracking to 30% per year. The cost of such a breach remains the same, so the expected cost per year is now: (.30) * ($150,000) = $45,000

  19. Enter NPV and IRR NPV = Net Present Value • NPV takes into account a discount rate. • In other words, $90,000 tomorrow is worth less than $90,000 today. • We see this in everyday life all the time. NPV = Σ Cash Flow / (1+rate)t

  20. This Time Using NPV… • Let’s look at the example from before, but this time we will use NPV with a discount rate of 10% to calculate the value of the security investment.

  21. NPV Example

  22. Making a Decision For example, what if XYZ Corp. is considering buying an experimental firewall that costs $600,000 but will save the company $250,000 per year for 3 years by reducing intrusions? It will cost $50,000 to train XYZ staff to use the firewall and $25,000 per year for upgrades and maintenance.

  23. Payback Says Yes

  24. NPV Says No

  25. Advantages of NPV • Often, this is what CFOs and CEOs are looking for — it’s what they know. • Other departments often use the NPV metric. • NPV is designed for calculating the value of uncertain gains and losses.

  26. One More Measure • One more measure you may want to consider using is IRR, the internal rate of return. • This is the rate that causes the NPV of the project to be zero (neither a profit nor a loss).

  27. How IRR Works For example, if a security investment requires you to spend $100 today and will result in savings of $105 in the next year, its IRR is: 0 = -$100 + $105/(1+IRR)1 IRR = 0.05 = 5 percent How did we do this? Remember the NPV formula: NPV = Σ Cash Flow / (1+rate)t The IRR is simply the point at which the NPV equals zero, so plug in 0 on the left side of the equation and solve for the IRR.

  28. The IRR Rule This leads to a simple rule that can help with many investment decisions if you choose to use IRR: • As long as a project is not mutually exclusive with another project, you can accept the project if its IRR is greater than the discount rate (which is an economic factor that you, as the company, cannot control), and reject the project if its IRR is less than the discount rate.

  29. However, Remember This… As stated earlier in our presentation: • Gordon and Loeb found that the optimal amount to spend on security never exceeds 37% of the expected loss resulting from a breach. Therefore, in the real world, you might not accept a project with a zero or slightly positive NPV. • This also makes IRR less useful.

  30. To Sum Up • Decide what you are going to measure. • Decide on a method of measuring it. • State which method you are going to use in your security policy. • STICK WITH THAT METHOD!

  31. One Last Note • Remember those indirect costs we discussed earlier? • Often, the positive effects of a security investment—or the negative effects of a breach—on customers, suppliers, and shareholders cannot be precisely measured. • There is no easy solution to this problem, but you should be aware that intangible benefits and costs can and do exist. • It might help to view them as analogous to the “goodwill” often represented on corporate balance sheets.

  32. A Few Good References • CSI/FBI Computer Crime and Security Survey • Gordon, Loeb, Lucyshyn, and Richardson • Managing Cybersecurity Resources: A Cost-Benefit Analysis • Lawrence A. Gordon and Martin P. Loeb • The Economics of Information Security Investment • Lawrence A. Gordon and Martin P. Loeb • Finally, a Real Return on Security Spending • Scott Berinato, CIO Magazine

  33. Some More Good References • Economics and Security Resource Page • Ross Anderson • Return on Information Security Investment • Adrian Mizzi • Corporate Finance (7th Edition) • Ross, Westerfield, and Jaffe • Security in Computing (3rd Edition) • Charles P. Pfleeger

More Related