300 likes | 381 Vues
Week 12 – Monday. CS363. Last time. What did we talk about last time? Security policies Physical security Lock picking. Questions?. Project 3. Security Presentation. Graham Welsh. Making a Business Case for Security. Making a business case.
E N D
Week 12 – Monday CS363
Last time • What did we talk about last time? • Security policies • Physical security • Lock picking
Security Presentation Graham Welsh
Making a business case • If you do IT, you may need to make a case for spending money on security • For your own benefit (because it justifies your position) • For the business's benefit (because a security problem could be costly) • You shouldn't lie or exaggerate • Your proposal should be based on real improvements that are likely to cost the company less in the long run • You should use business language so that the proposal can be compared to other non-security and non-IT proposals
Elements of a business case • A business case is a proposal that justifies an expenditure, usually including: • A description of the problem you're trying to solve • A list of possible solutions • Constraints on solving the problem • A list of assumptions • Analysis of each alternative • Risks • Costs • Benefits • A summary of why your proposal is best
Investment perspectives • Research suggests that investments should be considered from the following perspectives: • Customer – keeping customers happy • Operational – keeping your business running smoothly • Financial – return on investment or share price • Improvement – affect on market leadership • Companies tend to focus only on the financial perspective because it is the easiest to measure
Influences that lead to security investment • Companies can be reluctant to invest in security • Surveys suggest that these are the motivating influences:
Determining economic value • Businesses care about money • But there are several different ways to evaluate the economic value of a decision • Net present value • Internal rate of return • Return on investment • Is spending this money now a good idea? We could invest it instead • Measuring IT impact in general is difficult • People only see how their life is changed after the fact
Net present value • Net present value (NPV) of a proposal is the present value of benefits minus the value of the initial investment • NPV looks at the lifetime of a project • Example: • Spending $100 today could earn a profit of $200 in 5 years • But, investing $100 could yield $170 in 5 years • NPV = $200 - $170 = $30 • A positive NPV is a good proposal, and a negative is not
Formally calculating NPV • In order to calculate the NPV in general, you have to have an idea of the rate of return if you were investing your money typically • This rate is called the discount rate or opportunity cost • Business people always think about what their money could be doing other than your project • C0 is the initial investment • Bt is the benefit in time period t • Ct is the cost in time period t • k is the discount rate • n is the number of time periods
Return on investment • The internal rate of return (IRR) is the discount rate that makes NPV zero • In other words, how good of an investment is your proposal? • Return on investment (ROI) is the last period's profits divided by the cost of the investments needed to realize the profits • ROI is a measure of how the company has performed • IRR and NPV are estimates of future performance
Economic decisions • The accounting ideas from the previous section depend on measuring the benefits of security • Difficult • We can relatively easily list: • Assets needing protection • Vulnerabilities in a system • Threats to a system • But what is the impact when an attack happens?
Data for justification • We need data to make decisions • National and global data about security measures how cybersecurity affects national and international economies • Enterprise data lets us see how companies are preventing and recovering from attacks and how much it costs • Technology data outlines the attacks that are possible or common • The data needs to be: • Accurate • Consistent • Timely • Reliable
Survey results • We will list the results from a number of surveys, starting with the Information Security Breaches Survey (ISBS) from 2006 about cost of security incidents in the UK
CSI/FBI Computer Crime and Security Survey • 5,000 information security practitioners surveyed in 2005, 699 responded • Key findings: • Viruses are the largest source of financial loss • Unauthorized access went up, replacing DoS as the second greatest source of loss • The total dollar amount of financial loss from cyber crime is decreasing • Companies are reporting intrusions less because of negative publicity • 87% of respondents conduct security audits, increased from 82% in the previous survey
Australian Computer Crime and Security Survey • 540 security officers surveyed in 2005, 188 responded • Key findings: • 35% experienced attacks that affected CIA in 2005, 49% in 2004, and 42% in 2003 • Insider attacks stayed at a constant 37% over three years • Viruses were the most prevalent attack • DoS caused the most financial loss • 37% of respondents used security standards in 2003 but 65% used them in 2005
Deloitte Touche Tohmatsu Global Security Survey • Given in 2005 • Key findings: • Organizations have improved security, making them less attractive to hackers • Humans are the weakest link, falling prey to phishing and pharming • 17% of respondents think government regulations are very effective, and 50% think they are effective • Chief information security officers are reporting to the highest levels of the organization more and more
Ernst and Young Global Information Security Survey • Given in 2004 • Key findings: • 1 in 5 respondents strongly agreed that their organization put information security as a priority • Lack of security awareness by users is the top problem • But only 28% of respondents put raising employee awareness as a top initiative • Top concerns were viruses, Trojans, and worms with employee misconduct a distant second • Less than half of the respondents provide ongoing employee security training • 1 in 4 thought their information security departments were successful at meeting organizational needs
Internet Crime Complaint Center • 231,000 complaints in 2005 • Key findings: • Almost 100,000 complaints were referred to law enforcement • Most cases involved fraud with a total loss of $182 million and a median loss of $424 per complainant • Internet auction fraud at 62.7% was the most common • Nondelivered merchandise or nonpayment was 16% • Credit card fraud was 7% • More than 75% of perpetrators were male • Half lived in CA, NY, FL, TX, IL, PA, or OH • For every dollar lost by a woman, $1.86 was lost by a man • Super Bowl ticket scams, phishing attempts, reshipping, eBay account takeovers, natural disaster fraud, and international lottery scams had high activity
Imation Data Protection Survey • Surveyed 204 information technology and storage managers in 2004 • Key findings: • Most companies have no formal data backup or storage procedures, relying on individual initiative • E-mail viruses are the main reason companies change their data protection procedures • Regular testing of disaster recovery procedures is not a common practice
Information Security Magazine • Surveyed 2,196 security practitioners in 2002, looking at the impact of business size • Key findings: • Security spending per user and per machine decreases as organization size increases • Allocating money for security does not reduce the probability of being attack but does help detect losses • Most organizations do not have a security culture or an incident response pan
Are the data representative? • Surveys measure different things • Some have conflicting results • We can't know the level of expertise of the respondents in many cases • Regular users vs. security officers • Surveys were mostly voluntary • People who care about security or have recently had an incident are more likely to respond • Categories are inconsistent • "Electronic attacks" vs. "security incidents" • Are these the same things?
Measuring financial impact • Some of these surveys say that costs are going up • Others say cost is going down • The ICSA 2004 survey claimed that "respondents in our survey historically underestimate costs by a factor of 7 to 10" • How do they even know that? • Conclusions: • Viruses are bad • Phishing is bad • We should have better training and policies • We should have better surveys
Next time… • Modeling security
Reminders • Keep reading Chapter 9 • Keep working on Project 3 Phase 1 • Ack! Actually due on Thursday, April 17, unlike originally stated