1 Security Policy and Financial Costs (original slides from Josh Kaplan, Stephanie Losi, and Eric Chang)
Post on 15-Dec-2015

1

Security Policy and Financial Costs

(original slides from Josh Kaplan, Stephanie Losi, and Eric Chang)

2

How NOT to sell…

• “IT relies on, more than anything, fear, uncertainty, and doubt to sell security—in other words, FUD. The thinking is, if you scare them, they will spend.”

- Scott Berinato, CIO Magazine

3

The PGP/Ponemon Survey

• Summarizing the actual costs incurred by 14 organizations that lost confidential customer information and had a regulatory requirement to publicly notify affected individuals.

4

Participating Organizations

5

How Do Customers React?

6

Customer Turnover

7

How Much Does This Really Cost?

8

This Study Was Long Overdue

• Why has it been so hard to quantify the cost of security breaches?

– No real efforts have been made to deal with these issues until several years ago.

– The PGP/Ponemon survey provides a strong benchmark for actual quantification.

• Can an organization use these findings to address such cost implications?

9

A Proposed Methodology

10

Example: Regulatory Compliance

11

Decide What You Are Going to Do

In terms of costs, you must determine:

• What are you going to measure?

– Staffing and technology costs?

– Projected costs of an incident?

– Probabilities of an incident?

– Effects on customers and suppliers?

– Etc.

• How are you going to measure it?

– There will be a lot of acronyms here!

– DON’T PANIC

12

What Are You Going to Measure?

• Lost productivity

• Loss of revenue during outages

• Loss of data (temporary or permanent)

• Compromise of data (disclosure or modification)

• Repair costs

• Loss of reputation

Source: CMU, Infosec World 2003

13

Also, Think About This…

Are you going to measure indirect losses

• To your customers and suppliers?

• To your shareholders?

• To your reputation?

These are real losses!

14

Let Me Measure It, Already!

One of the simplest ways to calculate ROI is called “payback”.

To calculate payback:

• Add up the costs of an investment in security (hardware, software, salaries, training, upgrades, etc.) over several years.

• Calculate the benefits of the investment over that same time period. For security, this calculation will be based on losses that do NOT occur.

15

Payback Example

The security manager at XYZ Corp., which employs 50 people, wants to implement a company-wide, 2-day-per-year security training program for all employees for the next 3 years. He decides to use the payback method to justify his investment to the CEO.

16

Payback Example

                            Year 0     Year 1     Year 2     Year 3
Staffing                   $10,000    $60,000    $62,400    $64,896
Opportunity Cost                 -    $16,016    $16,656    $17,322
Reduced Insider Threat           -    $30,000    $30,000    $30,000
Reduced Social Engineering       -    $45,000    $45,000    $45,000
Reduced Password Cracking        -    $90,000    $90,000    $90,000
Total Per Year             $10,000    $88,984    $85,944    $82,782
Total Payback             $247,710

17

The Importance of Expected Value

Expected value can be used to calculate the benefits of a security investment.

EV = (probability of X) * (cost of X)

In security terms, since we are dealing with probabilities of loss, this can also be viewed as the annualized loss expectancy (ALE).

Source: CMU, Infosec World 2003

18

Here’s a Concrete Example

• The chance of a breach due to password cracking was 90% per year before the training program. The cost of such a breach averaged $150,000. Therefore, the expected cost per year was:

(.90) * ($150,000) = $135,000

• The training program is expected to reduce the chance of a breach due to password cracking to 30% per year. The cost of such a breach remains the same, so the expected cost per year is now:

(.30) * ($150,000) = $45,000

19

Enter NPV and IRR

NPV = Net Present Value

• NPV takes into account a discount rate.

• In other words, $90,000 tomorrow is worth less than $90,000 today.

• We see this in everyday life all the time.

NPV = Σ Cash Flow_t / (1 + rate)^t

20

This Time Using NPV…

• Let’s look at the example from before, but this time we will use NPV with a discount rate of 10% to calculate the value of the security investment.

21

NPV Example

                            Year 0     Year 1     Year 2     Year 3
Staffing                   $10,000    $54,545    $51,570    $48,757
Opportunity Cost                 0    $14,560    $13,765    $13,014
Reduced Insider Threat           0    $27,272    $24,793    $22,539
Reduced Social Engineering       0    $40,909    $37,190    $33,809
Reduced Password Cracking        0    $81,818    $74,380    $67,618
Total PV Per Yr            $10,000    $80,894    $71,028    $62,195
NPV                       $204,117

22

Making a Decision

For example, what if XYZ Corp. is considering buying an experimental firewall that costs $600,000 but will save the company $250,000 per year for 3 years by reducing intrusions? It will cost $50,000 to train XYZ staff to use the firewall and $25,000 per year for upgrades and maintenance.

23

Payback Says Yes

                            Year 0     Year 1     Year 2     Year 3
Experimental Firewall     $600,000    $25,000    $25,000    $25,000
Staff Training             $50,000          -          -          -
Reduced Intrusions               -   $250,000   $250,000   $250,000
Total Per Year            $650,000   $225,000   $225,000   $225,000
Total Payback              $25,000

24

NPV Says No

                            Year 0     Year 1     Year 2     Year 3
Experimental Firewall     $600,000    $22,727    $20,661    $18,783
Staff Training             $50,000          -          -          -
Reduced Intrusions               -   $227,272   $206,612   $187,829
Total PV Per Yr           $650,000   $204,545   $185,951   $169,046
NPV (net loss)             $90,458

The Year 0 total is the up-front cost; the discounted savings of Years 1–3 add up to less than it, so the NPV is negative.

25

Advantages of NPV

• Often, this is what CFOs and CEOs are looking for — it’s what they know.

• Other departments often use the NPV metric.

• NPV is designed for calculating the value of uncertain gains and losses.

26

One More Measure

• One more measure you may want to consider using is IRR, the internal rate of return.

• This is the rate that causes the NPV of the project to be zero (neither a profit nor a loss).

27

How IRR Works

For example, if a security investment requires you to spend $100 today and will result in savings of $105 in the next year, its IRR is:

0 = -$100 + $105 / (1 + IRR)^1

IRR = 0.05 = 5 percent

How did we do this? Remember the NPV formula: NPV = Σ Cash Flow_t / (1 + rate)^t

The IRR is simply the point at which the NPV equals zero, so plug in 0 on the left side of the equation and solve for the IRR.

28

The IRR Rule

This leads to a simple rule that can help with many investment decisions if you choose to use IRR:

• As long as a project is not mutually exclusive with another project, you can accept the project if its IRR is greater than the discount rate (which is an economic factor that you, as the company, cannot control), and reject the project if its IRR is less than the discount rate.
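As an added worked example (not part of the original slides), the payback, NPV and IRR calculations the deck walks through, run in Python over the deck's own cash flows for the training programme and the experimental firewall. The sign convention (outflows negative, avoided losses positive), the bisection-based IRR solver and the accept_by_irr helper are my assumptions, not the authors'.

```python
# Added worked example (not from the original slides): payback, NPV, IRR and the
# IRR rule, applied to the deck's two projects. Assumed sign convention: cash
# outflows are negative, avoided losses (benefits) are positive.

def ale(probability: float, cost: float) -> float:
    """Annualized loss expectancy: EV = P(X) * cost(X)."""
    return probability * cost

def payback(cash_flows: list[float]) -> float:
    """Undiscounted sum of net cash flows over the project life."""
    return sum(cash_flows)

def npv(rate: float, cash_flows: list[float]) -> float:
    """NPV = sum of CF_t / (1 + rate)^t, with t = 0 for the initial outlay."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))

def irr(cash_flows: list[float], lo: float = -0.99, hi: float = 10.0) -> float:
    """Rate at which NPV is zero, found by bisection (NPV falls as the rate rises
    when there is a single sign change in the cash flows, as in both projects)."""
    for _ in range(200):
        mid = (lo + hi) / 2
        if npv(mid, cash_flows) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def accept_by_irr(cash_flows: list[float], discount_rate: float) -> bool:
    """The IRR rule from the slides: accept when IRR exceeds the discount rate."""
    return irr(cash_flows) > discount_rate

# Training programme at XYZ Corp.: yearly net = avoided losses - staffing - opportunity cost.
# The password-cracking benefit is the drop in ALE from the "Concrete Example" slide.
STAFFING = [10_000, 60_000, 62_400, 64_896]
OPPORTUNITY = [0, 16_016, 16_656, 17_322]
AVOIDED = [0] + [30_000 + 45_000 + (ale(0.90, 150_000) - ale(0.30, 150_000))] * 3
TRAINING = [a - s - o for a, s, o in zip(AVOIDED, STAFFING, OPPORTUNITY)]

# Experimental firewall: $600k + $50k training up front, $25k/yr upkeep, $250k/yr saved.
FIREWALL = [-(600_000 + 50_000)] + [250_000 - 25_000] * 3

if __name__ == "__main__":
    for name, flows in (("training", TRAINING), ("firewall", FIREWALL)):
        print(f"{name:9} payback={payback(flows):>10,.0f}  NPV@10%={npv(0.10, flows):>10,.0f}"
              f"  IRR={irr(flows):6.1%}  accept={accept_by_irr(flows, 0.10)}")
```

The firewall's payback is positive while its NPV at 10% is negative and its IRR is below the discount rate, which is the disagreement the "Payback Says Yes" and "NPV Says No" slides illustrate.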

29

However, Remember This…

As stated earlier in our presentation:

• Gordon and Loeb found that the optimal amount to spend on security never exceeds 37% of the expected loss resulting from a breach. Therefore, in the real world, you might not accept a project with a zero or slightly positive NPV.

• This also makes IRR less useful.

30

To Sum Up

• Decide what you are going to measure.

• Decide on a method of measuring it.

• State which method you are going to use in your security policy.

• STICK WITH THAT METHOD!

31

One Last Note

• Remember those indirect costs we discussed earlier?

• Often, the positive effects of a security investment—or the negative effects of a breach—on customers, suppliers, and shareholders cannot be precisely measured.

• There is no easy solution to this problem, but you should be aware that intangible benefits and costs can and do exist.

• It might help to view them as analogous to the “goodwill” often represented on corporate balance sheets.

32

A Few Good References

• CSI/FBI Computer Crime and Security Survey – Gordon, Loeb, Lucyshyn, and Richardson

• Managing Cybersecurity Resources: A Cost-Benefit Analysis – Lawrence A. Gordon and Martin P. Loeb

• The Economics of Information Security Investment – Lawrence A. Gordon and Martin P. Loeb

• Finally, a Real Return on Security Spending – Scott Berinato, CIO Magazine

33

Some More Good References

• Economics and Security Resource Page – Ross Anderson

• Return on Information Security Investment – Adrian Mizzi

• Corporate Finance (7th Edition) – Ross, Westerfield, and Jaffe

• Security in Computing (3rd Edition) – Charles P. Pfleeger