Copyright © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

Real Life Information Security

Bringing cost-benefit analysis into risk management

2OWASP

Hewitt Associates

Human Resources Outsourcing~25’000 employees worldwideHighly sensitive clients’ data

3OWASP

HRO Market

Not purely financialMostly B2BHighly competitive

Stay competitive Stay flexible

4OWASP

Shepherds or policemen?

Very high pressure from businessNo „one size fits all” approachLessons learnt

Talk to business Have real arguments Talk business

Where do all these numbers come from?

5OWASP

From the past

Source: DatalossDB.org

6OWASP

From market analytics

~$100 USD per recordNo actual abuse required„Losing control” is the bad wordHow much to spend and where to stop?

Source: Ponemon Institute, „2008 Annual Study: Cost of Data Breach”

7OWASP

From others’ fines

Source: FSA, 22 July 2009

8OWASP

From Risk Analysis

Risk = Potential Loss * Threat Probability

Potential Loss ~ Asset Cost, Brand Value...

9OWASP

When Risk Analysis makes sense?

Control Cost << Asset Cost

Source: Flickr (edouаrd)

10OWASP

What makes Control cost?

Roll-out cost Obvious

Change cost Not so obvious

Management cost Not so obvious

End-user usage cost Largely ignored Especially if outside

Source: Flickr (dаveme)

11OWASP

Potential loss → Control → Real loss

12OWASP

Case studies

13OWASP

Qualified Certificate in ZUS*

ZUS costs Roll-out = ? Administration = ?

Taxpayer costs (245’000 QC’s) 100-140 million PLN – one-time ~40 million PLN – annual QC renewal

Future costs Attribute certificates (ZUS & taxpayers) = ? „e-PUAP trusted profiles” (ZUS) = ?

Source: Money.pl, ZUS

* ZUS = Polish public pensions provider

14OWASP

Invoicing

What’s the cost of invoicing?People, paper, printing, postal, processingAverage €1,4 per paper invoiceUltimate solutionGive up VAT When e-invoicing makes sense?

» Electronic invoice TCO << Paper invoice TCO» Theory: €0,4 versus €1,4» Key word: TCO

Sources: EU MEMO/00/85

15OWASP

E-Invoicing in Europe

DenmarkOCES & others allowed

OCES: Quite simple origin & integrity authentication

OCES: Proportional to e-invoicing risks

Around 66% of all invoices are e-invoices

PolandOnly QES & EDI allowed

EDI: supermarkets only QES: Not designed for

automatic signature QES: More legal that real

security

Around 5% of companies use e-invoicing

Sources: EEI 2007, ITST, OECD; GUS 2008

16OWASP

Risk Management in e-banking

Auth method

Number

Individual Corporate

Millions of clients

High non-repudiation needs

SMS 15 ↑Usable, ↓Big cost

↓Repudiation

Token 11 ↓Big cost ↓Repudiation

TAN 7 ↓Low security, ↑ Low cost

↓Repudiation

Smartcard

2 ↓Not usable, ↓Big cost

↑ Non-repudiation

Source: Bankier.pl report, October 2009 (selected data only)

17OWASP

Laffer’s curve in security

Source: Wikipedia

18OWASP

Mayfield’s Paradox

Source: ISACA, „Mathematical Proofs of Mayfield's Paradox”, 2001

19OWASP

How to?

20OWASP

Pitfall of „One-size fits all” approach

0

10

20

30

40

50

60

70

80

Risk Cost

A

B

C

21OWASPSource: Willem Duiff, GE (SASMA 2009)

22OWASP

Control questions

Before deploying a new solutionDo my controls help, instead of breaking process?How do my controls help business do its work?

Before asking for new fundingWhat we earned on last project?

23OWASP

Is security a cost?

Security is an investment to prevent lossesSpend $100k to prevent losing $1m = 10x benefitNOT: „Security again spent $100k”YES: „Security helped save $1M for just $100k”

24OWASP

How FDE saves money

Office break-inFour laptops stolenAll with full-disk encryptionCost of incident – zero

Hardware – insurance Data confidentality – able to prove to client Data availability – backups & network drives

Where’s ROI of FDE? No $$$ in fines No $$ in breach notification No $? in brand damage

25OWASP

Building a consistent security policy #1

Should people should take their laptops home? Isn’t that increasing risk of

theft?

Laptop theft Lose laptop ($) Lose data ($$$)

Source: Flickr (аresnick)

26OWASP

Building a consistent security policy #2

Laptop at homeWork from home

Disaster recovery, business continuity

Examples: UK snow (2009), London flood (2009), Hemel Hempstead explosion (2005)

Need to prevent the other risks

Source: Wikipedia

27OWASP

Building a consistent security policy #3

End-user message „Always take your laptop home”

FDE is standard, non-optional proces

28OWASP

Things we learned when talking to bussiness

Avoid „weasel talk” and buzzwords„Some attacks exist that might pose a significant

risk...”Use as much facts and numbers as possibleDo use industry reports Be careful with vendor reports

„How spam filtering helps preventing global warming”

Filter them through your company’s reality checkLearn from historic incidents in your organisationPerform periodic review of your controlsMake sure at the old threat is still thereMake sure no new threats appeared

29OWASP

Questions?

Questions, comments

PAWEL.KRAWCZYK@HEWITT.COM

http://www.linkedin.com/in/pawelkrawczyk