
Security from a Manager’s Perspective


Presentation Transcript


  1. Security from a Manager’s Perspective CSMN 601

  2. Agenda
  • Economic impact of disruptions and failures due to security breaches
  • Information Security Technologies
  • Justifying IT security expenditures
  • Role of the insurance industry
  • Conclusions

  3. 1. Economic Impact of Security Breaches
  • Examples of global costs to the economy
  • Computer Security Institute / FBI Surveys (U.S. only)
    • 2004: $141.5M
  • Average estimated loss = $2 million per organization
  Source: Computer Economics
  How accurate are these figures?

  4. Examples of Security Breaches

  5. Economic Impact of Security Breaches
  • Tangible Costs
    • Lost resources (information, equipment, human lives)
    • Lost revenue
    • Lost productivity
    • Labor and material costs associated with restoring the system
    • Labor costs associated with catching the attacker
    • Public relations costs
  • Intangible Costs
    • Loss of trust
    • Loss of intellectual property
    • Loss of competitive edge

  6. 2. Information Security Technologies Source: Gartner

  7. 3. Justifying IT Security Investments – Micro/Project Level View
  • “Discretionary Judgment” Approaches
    • FUD Approach
    • Bear Chase Approach
    • “Hot New Technology” Approach
  Are these approaches effective? Do they help you make trade-offs? Can they be used in a business case?

  8. Financial Metrics
  • Payback Period
  • Return on Investment (ROI)
  • Net Present Value (NPV)
  • Internal Rate of Return (IRR)
  • Annual Loss Expectation (ALE) and Return on Security Investment (ROSI)
  Some people claim that traditional economic analysis is not applicable to computer security area investments. Agree or disagree?

  9. Payback Period
  • Time it takes to repay an investment
  • No. of Years to Payback (constant cash flow) = Investment / Annual Savings
    Example: $10,000 / $2,000 = 5 Years
  • Example (uneven cash flow): Payback period = about 3 yrs

  10. Return on Investment (ROI)
  • Amount of “bang for the buck”
  • ROI = Savings – Investment
  • ROI(%) = (Savings – Investment) / Investment
    Example: ($12,000 – $10,000) / $10,000 = 20%

  11. Net Present Value (NPV)
  • Based on calculating the current value of future money.
  • PV = FV/[(1+i)^N]
    • PV = Present Value
    • FV = Future Value (e.g. Savings)
    • i = Interest Rate per Period
    • N = Number of Periods
  • NPV = PV – Investment
  • NPV > 0 usually indicates that you should undertake the project
  Example: i = 9%

  12. Internal Rate of Return (IRR)
  • Discount rate at which the NPV = 0.
    NPV = 0 = CF0 + CF1/(1+IRR)^1 + CF2/(1+IRR)^2 + … + CFt/(1+IRR)^t
    CFt = cash flow at time t
  • Typically, IRR is compared to a minimum threshold value (cost of capital).

  13. Annual Loss Expectation (ALE) and Return on Security Investment (ROSI)
  • ALE = [Damage cost per event + Recovery cost per event] × Events per year
    Example: [$1500/event + $1000/event] × 3 events/year = $7500
  • ROSI = ALE – Investment (attractive if > 0)
    Example: $7500 – $5000 (cost of tool) = $2500
  • ROSI (%) = (ALE – Investment) / Investment
    Example: ($7500 – $5000) / $5000 = 50%
  Source: CIO Magazine
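Worked example, added here and not part of the original slides: the five metrics from slides 9 through 13 implemented in Python, using the slides' own numbers as inputs. The IRR solver finds the rate where NPV = 0 by bisection, and the payback function handles the uneven-cash-flow case slide 9 mentions by interpolating within the year the investment is recovered. The cash-flow lists passed to the NPV and IRR calls are constructed sample values, not figures from the slides.

```python
# Added example: the metrics from slides 9-13 (payback, ROI, NPV, IRR, ALE/ROSI).
# Demo inputs are the slides' own numbers except the cash-flow lists, which are constructed.


def payback_period(investment, cash_flows):
    """Years until cumulative savings repay the investment.
    Works for uneven flows; interpolates within the year the investment is recovered."""
    cumulative = 0.0
    for year, cf in enumerate(cash_flows, start=1):
        if cumulative + cf >= investment:
            return year - 1 + (investment - cumulative) / cf
        cumulative += cf
    return None  # never repaid within the horizon


def roi(savings, investment):
    """ROI(%) = (Savings - Investment) / Investment, returned as a fraction."""
    return (savings - investment) / investment


def npv(rate, investment, cash_flows):
    """NPV = sum of PV(FV) - Investment, with PV = FV / (1 + i)^N."""
    return sum(cf / (1 + rate) ** n for n, cf in enumerate(cash_flows, start=1)) - investment


def irr(investment, cash_flows, lo=-0.99, hi=10.0, tol=1e-9):
    """Discount rate at which NPV = 0, found by bisection on npv().
    Assumes one sign change: an outlay now followed by positive flows."""
    f_lo = npv(lo, investment, cash_flows)
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, investment, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if (f_lo < 0) == (f_mid < 0):
            lo, f_lo = mid, f_mid   # root lies above mid
        else:
            hi = mid                # root lies below mid
    return (lo + hi) / 2


def ale(damage_per_event, recovery_per_event, events_per_year):
    """ALE = [damage cost + recovery cost per event] x events per year."""
    return (damage_per_event + recovery_per_event) * events_per_year


def rosi(annual_loss_expectation, investment, as_fraction=False):
    """ROSI = ALE - Investment (attractive if > 0); as_fraction=True gives the percentage form."""
    gain = annual_loss_expectation - investment
    return gain / investment if as_fraction else gain


if __name__ == "__main__":
    print("payback (constant):", payback_period(10_000, [2_000] * 5))   # 5.0 years, slide 9
    print("ROI:", roi(12_000, 10_000))                                   # 0.2, slide 10
    print("NPV at 9%:", round(npv(0.09, 10_000, [4_000] * 3), 2))        # constructed flows
    print("IRR:", round(irr(10_000, [6_000, 7_200]), 4))                 # 0.2, the 20% target of slide 15
    loss = ale(1_500, 1_000, 3)                                          # 7500, slide 13
    print("ALE:", loss, "ROSI:", rosi(loss, 5_000), rosi(loss, 5_000, as_fraction=True))
```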

  14. Which Metric is being Used? Which metric does your organization use?

  15. Example of Using Financial Metrics
  • Caremark case study
    • Sun designed and deployed a physical access pilot program
    • IRR surpassed company target of 20%
    • Used this result to sell the program to the CFO
    • Achieved ROI in 7 months
    • Improved compliance with HIPAA and Sarbanes-Oxley
  Source: Gartner IT Security Summit

  16. Total Cost of Ownership (TCO)
  • Holistic assessment of IT costs over time.
  • Implies an all-encompassing collection of the costs associated with IT investments, including capital investment, license fees, leasing costs and service fees, as well as direct (budgeted) and indirect (unbudgeted) labor expenses.
  Total Project Cost =
  Source: Gartner

  17. Value-based Approaches
  • Total Value of Opportunity (TVO)
    • Methodology for determining the overall business value expected to be created by an IT-enabled business initiative.
    • Financial
    • Value Expectation
    • Business Impact
    • Benefit Realization
    • Monitoring Value Delivered

  18. Value-based Approaches
  • Value Measuring Methodology (VMM)
    • A scalable and flexible approach for quantifying and analyzing value, risk, and cost and evaluating the relationships among them
    • Helps to create a roadmap for on-going management and evaluation
    • Supports the development of critical management plans
  • Value Factors
    • Direct User (Customer)
    • Social
    • Government Operational/Foundational
    • Government Financial
    • Strategic/Political

  19. Macro/Enterprise View: Benefits and Costs of Information Security
  Search for the S* where marginal benefits = marginal costs
  Source: Dr. Lawrence Gordon

  20. Macro/Enterprise View: Expected Loss
  • Minimize total expected cost
    Total Expected Loss = Expenditures on Information Security + Expected Loss from Information Security Breaches
  • A risk-neutral firm should only spend a fraction of the total expected loss. Research indicates that this fraction never exceeds 37%.
  Source: Dr. Lawrence Gordon

  21. 4. Insurance Industry’s “Cyber-insurance”
  • Why insurance?
    • Recovery from loss of income and extra expenses associated with an event
    • Risk transfer to a third party
    • New threats appear all the time
  • Steps in devising a product
    • Analyze new exposures on the web
    • Pricing – work with actuarial specialists
    • Risk selection process for potential customers
      • Self-evaluation by organization
      • Insecure enterprises will pay more
  • Four areas of losses covered
    • Unauthorized access and use
    • Denial of Service
    • Viruses, worms and Trojan horses
    • Errors and omissions
  • Excludes losses due to not maintaining appropriate security technology standards

  22. Use of Insurance to Manage Cyber-security Risks

  23. Cyber-Risk Management Framework for Information Security
  • Management Framework
  • Plan of Action
    • Conduct an information security risk audit
    • Assess current insurance coverage
    • Examine and evaluate available policies
    • Select a policy
  Source: Dr. Lawrence Gordon

  24. Conclusions
  • Best Practices
    • Incorporate security at the early stages of an initiative (ROSI = 21% Design, 15% Implement, 12% Testing)
    • Being prepared for a breach pays more dividends than reacting to a breach
    • Develop an enterprise-level portfolio of security projects
    • Work collaboratively – information sharing leads to higher security at a lower investment level
    • Cyber-insurance
  What other best practices can you share?

  25. Conclusion
  • Emerging issues
    • Ways organizations evaluate their return on investment in terms of the performance of their computer security investments
    • Impact of outsourcing computer security activities – “managed security services”
    • Assessing the effects of information sharing
