1 / 30

CS363

Week 12 – Monday. CS363. Last time. What did we talk about last time? Security policies Physical security Lock picking. Questions?. Project 3. Security Presentation. Graham Welsh. Making a Business Case for Security. Making a business case.

marrim
Download Presentation

CS363

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Week 12 – Monday CS363

  2. Last time • What did we talk about last time? • Security policies • Physical security • Lock picking

  3. Questions?

  4. Project 3

  5. Security Presentation Graham Welsh

  6. Making a Business Case for Security

  7. Making a business case • If you do IT, you may need to make a case for spending money on security • For your own benefit (because it justifies your position) • For the business's benefit (because a security problem could be costly) • You shouldn't lie or exaggerate • Your proposal should be based on real improvements that are likely to cost the company less in the long run • You should use business language so that the proposal can be compared to other non-security and non-IT proposals

  8. Elements of a business case • A business case is a proposal that justifies an expenditure, usually including: • A description of the problem you're trying to solve • A list of possible solutions • Constraints on solving the problem • A list of assumptions • Analysis of each alternative • Risks • Costs • Benefits • A summary of why your proposal is best

  9. Investment perspectives • Research suggests that investments should be considered from the following perspectives: • Customer – keeping customers happy • Operational – keeping your business running smoothly • Financial – return on investment or share price • Improvement – affect on market leadership • Companies tend to focus only on the financial perspective because it is the easiest to measure

  10. Influences that lead to security investment • Companies can be reluctant to invest in security • Surveys suggest that these are the motivating influences:

  11. Determining economic value • Businesses care about money • But there are several different ways to evaluate the economic value of a decision • Net present value • Internal rate of return • Return on investment • Is spending this money now a good idea? We could invest it instead • Measuring IT impact in general is difficult • People only see how their life is changed after the fact

  12. Net present value • Net present value (NPV) of a proposal is the present value of benefits minus the value of the initial investment • NPV looks at the lifetime of a project • Example: • Spending $100 today could earn a profit of $200 in 5 years • But, investing $100 could yield $170 in 5 years • NPV = $200 - $170 = $30 • A positive NPV is a good proposal, and a negative is not

  13. Formally calculating NPV • In order to calculate the NPV in general, you have to have an idea of the rate of return if you were investing your money typically • This rate is called the discount rate or opportunity cost • Business people always think about what their money could be doing other than your project • C0 is the initial investment • Bt is the benefit in time period t • Ct is the cost in time period t • k is the discount rate • n is the number of time periods

  14. Return on investment • The internal rate of return (IRR) is the discount rate that makes NPV zero • In other words, how good of an investment is your proposal? • Return on investment (ROI) is the last period's profits divided by the cost of the investments needed to realize the profits • ROI is a measure of how the company has performed • IRR and NPV are estimates of future performance

  15. Quantifying Security

  16. Economic decisions • The accounting ideas from the previous section depend on measuring the benefits of security • Difficult • We can relatively easily list: • Assets needing protection • Vulnerabilities in a system • Threats to a system • But what is the impact when an attack happens?

  17. Data for justification • We need data to make decisions • National and global data about security measures how cybersecurity affects national and international economies • Enterprise data lets us see how companies are preventing and recovering from attacks and how much it costs • Technology data outlines the attacks that are possible or common • The data needs to be: • Accurate • Consistent • Timely • Reliable

  18. Survey results • We will list the results from a number of surveys, starting with the Information Security Breaches Survey (ISBS) from 2006 about cost of security incidents in the UK

  19. CSI/FBI Computer Crime and Security Survey • 5,000 information security practitioners surveyed in 2005, 699 responded • Key findings: • Viruses are the largest source of financial loss • Unauthorized access went up, replacing DoS as the second greatest source of loss • The total dollar amount of financial loss from cyber crime is decreasing • Companies are reporting intrusions less because of negative publicity • 87% of respondents conduct security audits, increased from 82% in the previous survey

  20. Australian Computer Crime and Security Survey • 540 security officers surveyed in 2005, 188 responded • Key findings: • 35% experienced attacks that affected CIA in 2005, 49% in 2004, and 42% in 2003 • Insider attacks stayed at a constant 37% over three years • Viruses were the most prevalent attack • DoS caused the most financial loss • 37% of respondents used security standards in 2003 but 65% used them in 2005

  21. Deloitte Touche Tohmatsu Global Security Survey • Given in 2005 • Key findings: • Organizations have improved security, making them less attractive to hackers • Humans are the weakest link, falling prey to phishing and pharming • 17% of respondents think government regulations are very effective, and 50% think they are effective • Chief information security officers are reporting to the highest levels of the organization more and more

  22. Ernst and Young Global Information Security Survey • Given in 2004 • Key findings: • 1 in 5 respondents strongly agreed that their organization put information security as a priority • Lack of security awareness by users is the top problem • But only 28% of respondents put raising employee awareness as a top initiative • Top concerns were viruses, Trojans, and worms with employee misconduct a distant second • Less than half of the respondents provide ongoing employee security training • 1 in 4 thought their information security departments were successful at meeting organizational needs

  23. Internet Crime Complaint Center • 231,000 complaints in 2005 • Key findings: • Almost 100,000 complaints were referred to law enforcement • Most cases involved fraud with a total loss of $182 million and a median loss of $424 per complainant • Internet auction fraud at 62.7% was the most common • Nondelivered merchandise or nonpayment was 16% • Credit card fraud was 7% • More than 75% of perpetrators were male • Half lived in CA, NY, FL, TX, IL, PA, or OH • For every dollar lost by a woman, $1.86 was lost by a man • Super Bowl ticket scams, phishing attempts, reshipping, eBay account takeovers, natural disaster fraud, and international lottery scams had high activity

  24. Imation Data Protection Survey • Surveyed 204 information technology and storage managers in 2004 • Key findings: • Most companies have no formal data backup or storage procedures, relying on individual initiative • E-mail viruses are the main reason companies change their data protection procedures • Regular testing of disaster recovery procedures is not a common practice

  25. Information Security Magazine • Surveyed 2,196 security practitioners in 2002, looking at the impact of business size • Key findings: • Security spending per user and per machine decreases as organization size increases • Allocating money for security does not reduce the probability of being attack but does help detect losses • Most organizations do not have a security culture or an incident response pan

  26. Are the data representative? • Surveys measure different things • Some have conflicting results • We can't know the level of expertise of the respondents in many cases • Regular users vs. security officers • Surveys were mostly voluntary • People who care about security or have recently had an incident are more likely to respond • Categories are inconsistent • "Electronic attacks" vs. "security incidents" • Are these the same things?

  27. Measuring financial impact • Some of these surveys say that costs are going up • Others say cost is going down • The ICSA 2004 survey claimed that "respondents in our survey historically underestimate costs by a factor of 7 to 10" • How do they even know that? • Conclusions: • Viruses are bad • Phishing is bad • We should have better training and policies • We should have better surveys

  28. Upcoming

  29. Next time… • Modeling security

  30. Reminders • Keep reading Chapter 9 • Keep working on Project 3 Phase 1 • Ack! Actually due on Thursday, April 17, unlike originally stated

More Related