Data security metrics: a value based approach
DESCRIPTION
In this security management workshop, we introduce finance and business unit managers to a value-based approach for reducing security costs and minimizing Value at Risk.
TRANSCRIPT
Licensed under the Creative Commons Attribution License
Danny Lieberman
[email protected] www.controlpolicy.com
Data security metrics and a value based approach
Why?
“I don't need data security, we outsource our IT to one of the big banks”
“It's never happened to us before”
“You can't estimate asset value”
“We encourage risk taking”
“I don't take risks”
True quotes from real people
Agenda
• Introduction and welcome
• What is data security?
• Anything can be measured
• Why metrics?
• Why quantify risk?
• Measurement methods
• Continuous improvement
• Questions and answers
Introduction
• Our mission today
  – Tools to help make your work easier
  – Share ideas
What the heck is data security?
• Security
  – Ensure we can survive & add value
  – Physical, information, systems, people
• Data security
  – Protect data directly in all realms
Anything can be measured
All exact science is based on approximation.
If a man tells you he knows a thing exactly, then you can be safe in
inferring that you are speaking to an inexact man.
Bertrand Russell
Data security metrics
• Dimensions
  – organization, channel and content
• Typical metrics
  – % of employees that signed the AUP
  – % Webmail traffic / all mail traffic
  – % Office files by Webmail / Employees
  – No. of revenue transactions
  – Cost of security for operational/revenue systems
  – Cost of security for customer service systems
  – Cost of security for FnA systems
  – Value of assets in Euro
  – Total value at risk of assets
Why do we need metrics?
• Recognize this? The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) ignores the hard stuff: quantification and prioritization of your actions based on the financial value of assets and measurement of threat impact.
Ignorance is never better than knowledge
Enrico Fermi
Why bother quantifying risk?
• Why not qualitative metrics?
When was the last time a customer paid a “qualitative price” ?
Quantitative risk model(*)
• Metrics: asset value, threat damage to asset, threat probability
• Value at Risk = Threat Damage to Asset × Asset Value × Threat Probability
(*) PTA - Practical Threat Analysis risk model
Quantitative risk model benefits
• Run security like you run your business
  – Quantify and prioritize actions in Euro/USD
  – Justify data security investments
• Measure improvement
  – Reduced risk
  – Lower costs
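The slides give the PTA formula and say actions should be prioritized in Euro; the added example below (not code from the workshop or from the PTA tool) puts the two together. It computes Value at Risk per threat and in total, and ranks countermeasures by VaR reduced per Euro spent. The countermeasure model (each countermeasure scales a threat's probability down by a mitigation factor and has a one-off cost) and all asset, threat and countermeasure figures are assumptions constructed for the illustration.

```python
"""Quantitative risk model: Value at Risk = damage x asset value x probability.

Added worked example for the PTA-style formula on the slides; not code from the
workshop or from the PTA tool. The countermeasure model (a countermeasure
scales a threat's probability down by a mitigation factor and has a one-off
cost) is an assumption made here so that actions can be ranked in Euro.
All figures below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value_eur: float        # slide metric "Value of assets in Euro"


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str              # name of the asset the threat hits
    damage: float           # fraction of asset value lost if the threat is realised (0..1)
    probability: float      # probability the threat is realised in the period (0..1)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost_eur: float
    mitigates: Dict[str, float]   # threat name -> fraction by which its probability drops (assumed model)


def value_at_risk(threat: Threat, assets: Dict[str, Asset]) -> float:
    """Slide formula: Threat Damage to Asset x Asset Value x Threat Probability."""
    return threat.damage * assets[threat.asset].value_eur * threat.probability


def total_var(threats: List[Threat], assets: Dict[str, Asset]) -> float:
    """Slide metric "Total value at risk of assets"."""
    return sum(value_at_risk(t, assets) for t in threats)


def apply_countermeasures(cms: List[Countermeasure], threats: List[Threat]) -> List[Threat]:
    """Residual threats once every countermeasure in cms is in place (assumed multiplicative model)."""
    residual = []
    for t in threats:
        p = t.probability
        for cm in cms:
            p *= 1.0 - cm.mitigates.get(t.name, 0.0)
        residual.append(Threat(t.name, t.asset, t.damage, p))
    return residual


def rank_countermeasures(cms: List[Countermeasure], threats: List[Threat],
                         assets: Dict[str, Asset]) -> List[Tuple[str, float, float]]:
    """Rank each countermeasure on its own by VaR reduced per Euro spent.
    Returns (name, var_reduction_eur, reduction_per_eur_spent), best first."""
    baseline = total_var(threats, assets)
    rows = []
    for cm in cms:
        reduction = baseline - total_var(apply_countermeasures([cm], threats), assets)
        rows.append((cm.name, reduction, reduction / cm.cost_eur))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data (not from the workshop).
SAMPLE_ASSETS = {
    "customer_db": Asset("customer_db", 2_000_000.0),
    "finance_docs": Asset("finance_docs", 500_000.0),
}
SAMPLE_THREATS = [
    Threat("customer records leaked via webmail", "customer_db", damage=0.3, probability=0.2),
    Threat("ransomware on document server", "finance_docs", damage=0.8, probability=0.05),
]
SAMPLE_COUNTERMEASURES = [
    Countermeasure("DLP on webmail channel", 40_000.0, {"customer records leaked via webmail": 0.75}),
    Countermeasure("offline backups", 10_000.0, {"ransomware on document server": 0.9}),
    Countermeasure("AUP training for all employees", 5_000.0,
                   {"customer records leaked via webmail": 0.2, "ransomware on document server": 0.2}),
]


if __name__ == "__main__":
    print(f"baseline VaR: {total_var(SAMPLE_THREATS, SAMPLE_ASSETS):,.0f} EUR")
    for name, reduction, ratio in rank_countermeasures(SAMPLE_COUNTERMEASURES, SAMPLE_THREATS, SAMPLE_ASSETS):
        print(f"{name:32s} reduces VaR by {reduction:>9,.0f} EUR ({ratio:.2f} EUR per EUR spent)")
    residual = total_var(apply_countermeasures(SAMPLE_COUNTERMEASURES, SAMPLE_THREATS), SAMPLE_ASSETS)
    print(f"residual VaR with all three in place: {residual:,.0f} EUR")
```

With the constructed figures the cheap training ranks first (28,000 EUR of VaR removed for 5,000 EUR), ahead of the DLP appliance, which removes the most risk in absolute terms but costs eight times as much; that is the "quantify and prioritize in Euro" argument of the slide in numbers, and re-running total_var on the residual threats is the "measure improvement" step.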
Measurement methods
• Hand sampling
  – Small samples of employees, routers...
• The “Rule of 5”: five random samples are enough to say with 93.75% confidence that the population median lies between the smallest and the largest of the five (Hubbard, How to Measure Anything)
• Expert estimates
  – The CFO
• Pros at asset valuation
• Test equipment
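The "Rule of 5" is the cheapest of the measurement methods listed above, so the added example below (not from the workshop) checks it on a constructed population: per-employee webmail volumes for 400 employees, drawn from a heavy-tailed distribution chosen here as an assumption. It computes the 93.75% figure from first principles and then repeats the five-sample hand count many times to show how often the sample's minimum and maximum bracket the true median.

```python
"""Hand sampling and the "Rule of 5" (Hubbard): five random draws from any
population put its median between the smallest and the largest draw with
93.75% probability. Added illustration, not from the workshop; the
population of per-employee webmail volumes is constructed so that there is
something to sample.
"""
import random
import statistics
from typing import List, Tuple


def rule_of_five_confidence() -> float:
    """The median is missed only when all five draws land on the same side
    of it: two sides x (1/2)^5 = 1/16, so the interval contains the median
    with probability 15/16 = 0.9375, whatever the population's shape."""
    return 1.0 - 2.0 * 0.5 ** 5


def constructed_population(size: int = 400, seed: int = 7) -> List[float]:
    """Constructed data: MB of Office files each employee sent by webmail
    last month (assumed log-normal, i.e. a few heavy senders)."""
    rng = random.Random(seed)
    return [round(rng.lognormvariate(2.0, 1.0), 1) for _ in range(size)]


def five_sample_bounds(population: List[float], rng: random.Random) -> Tuple[float, float]:
    """One hand sample: pick five employees at random, note the min and max."""
    draw = rng.sample(population, 5)
    return min(draw), max(draw)


def hit_rate(population: List[float], trials: int = 20_000, seed: int = 1) -> float:
    """Fraction of repeated five-samples whose [min, max] contains the true
    median; expected to sit close to rule_of_five_confidence()."""
    rng = random.Random(seed)
    median = statistics.median(population)
    hits = 0
    for _ in range(trials):
        lo, hi = five_sample_bounds(population, rng)
        if lo <= median <= hi:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    pop = constructed_population()
    lo, hi = five_sample_bounds(pop, random.Random(42))
    print(f"one hand sample of 5 employees: median is between {lo} and {hi} MB "
          f"with {rule_of_five_confidence():.2%} confidence")
    print(f"true median {statistics.median(pop)} MB; "
          f"bracketed in {hit_rate(pop):.1%} of {20_000} repeated samples")
```

The point for the workshop audience: the interval from five employees is wide, but it is a measurement with a known confidence level, obtained in an afternoon, and is usually enough to decide whether webmail file volume is worth the cost of the test equipment listed next.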
Test equipment
[Slide diagram: a data security test appliance. Data sources (Data Warehouse, Document Server) feed a Session into a Detection point with Decoders, Policies, Interception and Countermeasures; the sample intercepted message shows headers such as "Received: from [172.16.1.35]" and "Message ID: <437C5FDE.9080>" and the body "Send me more files today."; a Management plane covers Provisioning, Events, Reporting, Policies and Forensics.]
Continuous improvement
Coming attractions
• Sep 10: Selecting data security technology
• Sep 17: Selling data security technology
• Sep 24: Write a 2 page procedure
• Oct 1: Home(land) security
• Oct 8: SME data security
http://www.controlpolicy.com/workshops
Learn more
• Presentation materials and resources
http://www.controlpolicy.com/data-security-workshops