Is Security Worth It?
Alex Lauerman
Who is Alex?
• FishNet Security
• Veracode
• TrustFoundry
• SecKC
Why am I talking?
• Don’t like security being a checkbox
• I want security to be driven by its value
• Want to do better at the stock market
• Goal is to help understand cost of insecurity
What will I talk about?
• Cost Factors of a Data Breach
• Previous Research
• My Research
• Analysis of impact of data breach
What is a data breach?
• Accidental or intentional loss of:
  • Personally Identifiable Information
  • Financial Information
  • Confidential Company Information
  • Intellectual Property
  • Health Information
What are the cost factors?
• Incident Response
• Communications
• Compensation
• Legal defense
• Regulatory Fines
• Indirect
• Loss of productivity
• Loss of customers
• Lost competitive edge
Ways to measure cost of breach
• Fixed
• Per Record (Variable)
• Add factors individually
• Estimate based on previous breach costs
Sources of Breaches
• datalossdb.org
• databreaches.net
• www.privacyrights.org
• www.idtheftcenter.org
DataLossDB
Information is Beautiful
Previous Research
• Ponemon
• Gold standard in data breach costs
• Brush Creek Partners – Cyber Liability Insurance
• Academic Sources
• Risk Centric Security (YouTube “Deconstructing Data Breach Cost”)
Previous Research – Ponemon
• Average cost of data breach $188/record (2013)
• Average cost of data breach $201/record (2014)
• Average number of records breached in US: 28,765 (2013)
• “The results show that a probability of a material data breach involving a minimum of 10,000 records is more than 22 percent.”
• “India and Brazil have the highest estimated probability of occurrence at 30 percent, while Germany has an approximate 2 percent rate of occurrence.”
Previous Research – Ponemon
• Total Average cost per US breach: $5,403,644 (2013) $5.85 (2014)
Previous Research – Ponemon
• Cost of data breach by size (2013)
Previous Research – Ponemon
• Cost of data breach by size (2014)
Previous Research – Ponemon
• Breakdown by industry
Previous Research – Ponemon
• Customer churn
Previous Research – Ponemon
• Cost of data breach per record – Causation or correlation?
• Adobe example
• Target example
Research – Brush Creek Partners
• Leverage Ponemon research
• Insurance cost is based on revenue and line of business
  • Retail - Inexpensive
  • Healthcare & Financial - Expensive (fines)
• Encourage or require good security
• <10% of companies have cyber liability insurance
Previous Research – Risk Centric Security
• Lots of charts
• Direct Costs
• DSW Shoes – ~$4.64 – $6.79 per record
• TJX – $1.90 – $2.12 per record
• Heartland Payment Systems – $0.90 per record
• Sony – $1.17 per record
• Global Payments - $15.71 - $80 per record
• South Carolina DoR - $3 - $5 per record
Previous Research – Stock Prices
• Gatzlaff
  • -.84% 1 day after a breach
• Tomáš Klíma
  • Data breaches impact stock prices
• Hovav
  • Financial revenue most impact
  • Vandal attacks have lower impact
  • DoS almost no effect
• Cavusoglu
  • 2.1% decrease in value in two days following the breach
• Morse
  • Abnormal negative stock price returns
• SecurityNinja
Delayed Impact - Target
• Breach rumors Dec 18
• Announcement Dec 19th
Efficient Market Hypothesis
• Stock prices reflect the information available
• We can use this to determine the effect of data breaches
• “maybe the market isn’t quite as efficient as you think” – Charlie Munger in response to Efficient Market Hypothesis
Quantitative Trading
• “Trading strategies based on quantitative analysis which rely on mathematical computations and number crunching to identify trading opportunities.” – Investopedia
Quantitative Trading
Quantitative Trading Example
• Security that holds gold (GLD ETF)
• Track gold miners (GDX ETF)
Quantopian
Quantopian Example
Breach Trading Algorithm
• Tracks stock prices in relation to the date of their security breaches
Be warned
30-Day After Breach Transactions

| DATE | SECURITY | TRANSACTION | # SHARES | PRICE | $ AMOUNT | CHANGE |
|---|---|---|---|---|---|---|
| 2007-01-16 | TJX | BUY | 6688 | $14.84 | $99,216.48 | -3.7% |
| 2007-02-19 | TJX | SELL | -6688 | $14.29 | ($95,538.08) | |
| 2009-01-19 | HPY | BUY | 6464 | $14.22 | $91,918.08 | -45.1% |
| 2009-02-19 | HPY | SELL | -6464 | $7.80 | ($50,419.20) | |
| 2011-03-16 | EMC | BUY | 3952 | $25.59 | $101,131.68 | 4.3% |
| 2011-04-18 | EMC | SELL | -3952 | $26.68 | ($105,439.36) | |
| 2011-04-25 | SNE | BUY | 3324 | $29.80 | $99,055.20 | -10.0% |
| 2011-05-26 | SNE | SELL | -3324 | $26.83 | ($89,182.92) | |
| 2011-08-29 | VDSI | BUY | 13458 | $7.03 | $94,609.74 | -27.9% |
| 2011-09-29 | VDSI | SELL | -13458 | $5.07 | ($68,218.60) | |
| 2013-10-02 | ADBE | BUY | 1940 | $50.91 | $98,765.40 | 7.5% |
| 2013-11-04 | ADBE | SELL | -1940 | $54.75 | ($106,215.00) | |
| 2013-12-18 | TGT | BUY | 1573 | $62.17 | $97,793.41 | -5.2% |
| 2014-01-21 | TGT | SELL | -1573 | $58.96 | ($92,744.08) | |

30-Day Transactions List (SPY Indexed)

| DATE | SECURITY | TRANSACTION | # SHARES | PRICE | $ AMOUNT |
|---|---|---|---|---|---|
| 2007-01-16 | TJX | BUY | 6688 | $14.84 | $99,216.48 |
| 2007-01-16 | SPY | SELL | -699 | $142.97 | ($99,936.03) |
| 2007-02-19 | TJX | SELL | -6688 | $14.29 | ($95,538.08) |
| 2007-02-19 | SPY | BUY | 699 | $146.13 | $102,144.87 |
| 2009-01-19 | SPY | SELL | -1176 | $80.59 | ($94,773.84) |
| 2009-01-19 | HPY | BUY | 6464 | $14.22 | $91,918.08 |
| 2009-02-19 | SPY | BUY | 1176 | $77.44 | $91,069.44 |
| 2009-02-19 | HPY | SELL | -6464 | $7.80 | ($50,419.20) |
| 2011-03-16 | EMC | BUY | 3952 | $25.59 | $101,131.68 |
| 2011-03-16 | SPY | SELL | -792 | $127.77 | ($101,193.84) |
| 2011-04-18 | EMC | SELL | -3952 | $26.68 | ($105,439.36) |
| 2011-04-18 | SPY | BUY | 792 | $131.32 | $104,005.44 |

30-Day Algorithm (SPY Indexed)
30-Days After Breach – Stock Price

| SECURITY | CHANGE | S&P 500 | BENCHMARKED RETURN |
|---|---|---|---|
| Adobe | 7.5% | 5.1% | 2.4% |
| EMC | 4.3% | 2.7% | 1.6% |
| Heartland Payment Systems | -45.1% | -4.1% | -41.1% |
| Lockheed Martin | 2.7% | -3.0% | 5.7% |
| Sony | -10.0% | -1.0% | -9.0% |
| Target | -5.2% | 1.5% | -6.7% |
| TJX | -3.7% | 2.1% | -5.8% |
| Vasco Data Security | -27.9% | -7.0% | -20.9% |
| Average | -9.67% | | -9.22% |
| Median | -4.44% | | -6.26% |

30-Days After Breach – Cost to Company

| SECURITY | BENCHMARK | MARKET CAP (B) | ADJUSTED COST (B) |
|---|---|---|---|
| Adobe | 2.4% | 29.6 | 0.716 |
| EMC | 1.6% | 52.08 | 0.821 |
| Heartland Payment Systems | -41.1% | 1.45 | -0.596 |
| Lockheed Martin | 5.7% | 52.74 | 3.019 |
| Sony | -9.0% | 18.14 | -1.630 |
| Target | -6.7% | 37.44 | -2.503 |
| TJX | -5.8% | 41.03 | -2.393 |
| Vasco Data Security | -20.9% | 0.45 | -0.094 |
| Average | -9.22% | 29.12 | -0.332 |
| Median | -6.26% | 33.52 | -0.344 |

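The Python below is an added example, not the speaker's Quantopian algorithm: it pairs the BUY/SELL legs from the SPY-indexed transaction list above, subtracts the SPY return over the same holding window, and scales the difference by the market caps from the cost slide. It assumes adjusted cost is benchmarked return times market cap; because it uses the SPY legs rather than the slide's S&P 500 column, its figures land close to the slide's without matching them exactly. The function names are hypothetical.

```python
from collections import defaultdict

# Rows from the "30-Day Transactions List (SPY Indexed)" slide: date, security, side, shares, price.
TRANSACTIONS = """\
2007-01-16 TJX BUY 6688 14.84
2007-01-16 SPY SELL -699 142.97
2007-02-19 TJX SELL -6688 14.29
2007-02-19 SPY BUY 699 146.13
2009-01-19 SPY SELL -1176 80.59
2009-01-19 HPY BUY 6464 14.22
2009-02-19 SPY BUY 1176 77.44
2009-02-19 HPY SELL -6464 7.80
2011-03-16 EMC BUY 3952 25.59
2011-03-16 SPY SELL -792 127.77
2011-04-18 EMC SELL -3952 26.68
2011-04-18 SPY BUY 792 131.32
"""
# Market caps in $B, taken from the "Cost to Company" slide.
MARKET_CAP_B = {"TJX": 41.03, "HPY": 1.45, "EMC": 52.08}

def parse(text):
    """Return {date: {ticker: (side, price)}} so row order within a date is irrelevant."""
    by_date = defaultdict(dict)
    for line in text.strip().splitlines():
        date, ticker, side, _shares, price = line.split()
        by_date[date][ticker] = (side, float(price))
    return by_date

def benchmarked_returns(by_date, benchmark="SPY"):
    """Per ticker: (stock return, benchmark return, difference) over the holding window."""
    entry, out = {}, {}
    for date in sorted(by_date):
        legs = by_date[date]
        if benchmark not in legs:
            raise ValueError(f"no {benchmark} leg on {date}")
        bench_px = legs[benchmark][1]
        for ticker, (side, px) in legs.items():
            if ticker == benchmark:
                continue
            if side == "BUY":        # position opened on the breach date
                entry[ticker] = (px, bench_px)
            elif ticker in entry:    # SELL closes the 30-day window
                px0, bench0 = entry.pop(ticker)
                stock, bench = px / px0 - 1, bench_px / bench0 - 1
                out[ticker] = (stock, bench, stock - bench)
    return out

def implied_cost_b(returns, caps=MARKET_CAP_B):
    """Assumed formula: benchmarked return x market cap, in $B."""
    return {t: r[2] * caps[t] for t, r in returns.items()}
```

Calling `implied_cost_b(benchmarked_returns(parse(TRANSACTIONS)))` gives roughly -2.43, -0.60 and +0.77 ($B) for TJX, HPY and EMC.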
Results – Market Capitalization

| | 1 Day | 30 Days | 90 Days | 180 Days | 365 Days |
|---|---|---|---|---|---|
| Algorithm | -44.4% | -70.1% | -44.0% | -62.1% | -58.3% |
| Average per stock | -5.5% | -8.76% | -5.5% | -7.76% | -7.28% |

How to trade with this info
• Short sell a company immediately following a breach
• A data breach may be worth more to people who invest with that information
Tro LLC
Tro LLC
How to make business decisions with this
• Need to understand factors
• If your company is publicly traded, factors should roughly add up to stock price
• Use this algorithm to generate data for companies similar to yours
How to make business decisions with this
• Threat model your organization
  • What could go wrong?
• Examine data and estimate impact
Questions
• Slides: trustfoundry.net
• @alexlauerman
• 913.271.7789