1 / 42

Is Security Worth It?

Is Security Worth It?. Alex Lauerman. Who is Alex?. FishNet Security Veracode TrustFoundry SecKC. Why am I talking?. Don’t like security being a checkbox I want security to be driven by its value Want to do better at the stock market Goal is to help understand cost of insecurity.

irina
Download Presentation

Is Security Worth It?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Is Security Worth It? Alex Lauerman

  2. Who is Alex? • FishNet Security • Veracode • TrustFoundry • SecKC

  3. Why am I talking? • Don’t like security being a checkbox • I want security to be driven by its value • Want to do better at the stock market • Goal is to help understand cost of insecurity

  4. What will I talk about? • Cost Factors of a Data Breach • Previous Research • My Research • Analysis of impact of data breach

  5. What is a data breach? • Accidental or intentional loss of: • Personally Identifiable Information • Financial Information • Confidential Company Information • Intellectual Property • Health Information

  6. What are the cost factors? • Incident Response • Communications • Compensation • Legal defense • Regulatory Fines • Indirect • Loss of productivity • Loss of customers • Lost competitive edge

  7. Ways to measure cost of breach • Fixed • Per Record (Variable) • Add factors individually • Estimate based on previous breach costs

  8. Sources of Breaches • datalossdb.org • databreaches.net • www.privacyrights.org • www.idtheftcenter.org • Google

  9. DataLossDB

  10. Information is Beautiful

  11. Previous Research • Ponemon • Gold standard in data breach costs • Brush Creek Partners – Cyber Liability Insurance • Academic Sources • Risk Centric Security (YouTube “Deconstructing Data Breach Cost”)

  12. Previous Research – Ponemon • Average cost of data breach $188/record (2013) • Average cost of data breach $201/record (2014) • Average number of records breached in US: 28,765 (2013) • “The results show that a probability of a material data breach involving a minimum of 10,000 records is more than 22 percent.” • “India and Brazil have the highest estimated probability of occurrence at 30 percent, while Germany has an approximate 2 percent rate of occurrence.”

  13. Previous Research – Ponemon • Total Average cost per US breach: $5,403,644 (2013) $5.85 (2014)

  14. Previous Research – Ponemon • Cost of data breach by size (2013)

  15. Previous Research – Ponemon • Cost of data breach by size (2014)

  16. Previous Research – Ponemon • Breakdown by industry

  17. Previous Research – Ponemon • Customer churn

  18. Previous Research – Ponemon • Cost of data breach per record – Causation or correlation? • Adobe example • Target example

  19. Research – Brush Creek Partners • Leverage Ponemon research • Insurance cost is based on revenue and line of business • Retail Inexpensive • Healthcare & Financial - Expensive (fines) • Encourage or require good security • <10% of companies have cyber liability insurance

  20. Previous Research – Risk Centric Security • Lots of charts • Direct Costs • DSW Shoes – ~$4.64 – 6.79 per record • TJX –: $1.90 – $2.12 per record • Heartland Payment Systems – $0.90 per record • Sony – $1.17 per record • Global Payments - $15.71 - $80 per record • South Carolina DoR - $3 - $5 per record

  21. Previous Research – Stock Prices • Gatzlaff • -.84% 1 day after a breach • TomášKlíma • Data breaches impact stock prices • Hovav • Financial revenue most impact • Vandal attacks have lower impact • DoS almost no affect • Cavusoglu • 2.1% decrease in value in two days following the breach • Morse • Abnormal negative stock price returns • SecurityNinja

  22. Delayed Impact - Target • Breach rumors Dec 18 • Announcement Dec 19th

  23. Efficient Market Hypothesis • Stock prices reflect the information available • We can use this to determine the affect of data breaches • “maybe the market isn’t quite as efficient as you think” – Charlie Munger in response to Efficient Market Hypothesis

  24. Quantitative Trading • Trading strategies based on quantitative analysis which rely on mathematical computations and number crunching to identify trading opportunities. --investopedia

  25. Quantitative Trading

  26. Quantitative Trading Example • Security that holds gold (GLD ETF) • Track gold miners (GDX ETF)

  27. Quantopian

  28. Quantopian Example

  29. Breach Trading Algorithm • Tracks stock prices in relation to the date of their security breaches

  30. Be warned

  31. 30-Day After Breach Transactions

  32. 30-Day Transactions List (SPY Indexed)

  33. 30-Day Algorithm (SPY Indexed)

  34. 30-Days After Breach – Stock Price

  35. 30-Days After Breach – Cost to Company

  36. Results – Market Capitalization

  37. How to trade with this info • Short sell a company immediately following a breach • A data breach may be worth more to people who invest with that information

  38. Tro LLC

  39. Tro LLC

  40. How to make business decisions with this • Need to understand factors • If your company is publically traded, factors should roughly add up to stock price • Use this algorithm to generate data for companies similar to yours

  41. How to make business decisions with this • Threat model your organization • What could go wrong? • Examine data and estimate impact

  42. Questions • Slides: trustfoundry.net • alex.lauerman@trustfoundry.net • @alexlauerman • 913.271.7789

More Related