Is Security Worth It? Alex Lauerman

Upload: brendan-webb

Post on 16-Dec-2015


Page 1: Is Security Worth It? Alex Lauerman. Who is Alex? FishNet Security Veracode TrustFoundry SecKC

Is Security Worth It? Alex Lauerman

Who is Alex?

• FishNet Security

• Veracode

• TrustFoundry

• SecKC

Why am I talking?

• Don’t like security being a checkbox

• I want security to be driven by its value

• Want to do better at the stock market

• Goal is to help understand cost of insecurity

What will I talk about?

• Cost Factors of a Data Breach

• Previous Research

• My Research

• Analysis of impact of data breach

What is a data breach?

• Accidental or intentional loss of:

  • Personally Identifiable Information

  • Financial Information

  • Confidential Company Information

  • Intellectual Property

  • Health Information

What are the cost factors?

• Incident Response

• Communications

• Compensation

• Legal defense

• Regulatory Fines

• Indirect

• Loss of productivity

• Loss of customers

• Lost competitive edge

Ways to measure cost of breach

• Fixed

• Per Record (Variable)

• Add factors individually

• Estimate based on previous breach costs

Sources of Breaches

• datalossdb.org

• databreaches.net

• www.privacyrights.org

• www.idtheftcenter.org

• Google

DataLossDB

Information is Beautiful

Previous Research

• Ponemon

• Gold standard in data breach costs

• Brush Creek Partners – Cyber Liability Insurance

• Academic Sources

• Risk Centric Security (YouTube “Deconstructing Data Breach Cost”)

Previous Research – Ponemon

• Average cost of data breach $188/record (2013)

• Average cost of data breach $201/record (2014)

• Average number of records breached in US: 28,765 (2013)

• “The results show that a probability of a material data breach involving a minimum of 10,000 records is more than 22 percent.”

• “India and Brazil have the highest estimated probability of occurrence at 30 percent, while Germany has an approximate 2 percent rate of occurrence.”

Previous Research – Ponemon

• Total Average cost per US breach: $5,403,644 (2013) $5.85 (2014)

Previous Research – Ponemon

• Cost of data breach by size (2013)

Previous Research – Ponemon

• Cost of data breach by size (2014)

Previous Research – Ponemon

• Breakdown by industry

Previous Research – Ponemon

• Customer churn

Previous Research – Ponemon

• Cost of data breach per record – Causation or correlation?

• Adobe example

• Target example

Research – Brush Creek Partners

• Leverage Ponemon research

• Insurance cost is based on revenue and line of business

  • Retail - Inexpensive

  • Healthcare & Financial - Expensive (fines)

• Encourage or require good security

• <10% of companies have cyber liability insurance

Previous Research – Risk Centric Security

• Lots of charts

• Direct Costs

• DSW Shoes – ~$4.64 – 6.79 per record

• TJX – $1.90 – $2.12 per record

• Heartland Payment Systems – $0.90 per record

• Sony – $1.17 per record

• Global Payments - $15.71 - $80 per record

• South Carolina DoR - $3 - $5 per record

Previous Research – Stock Prices

• Gatzlaff

• -.84% 1 day after a breach

• Tomáš Klíma

• Data breaches impact stock prices

• Hovav

• Financial revenue most impact

• Vandal attacks have lower impact

• DoS almost no effect

• Cavusoglu

• 2.1% decrease in value in two days following the breach

• Morse

• Abnormal negative stock price returns

• SecurityNinja

Delayed Impact - Target

• Breach rumors Dec 18

• Announcement Dec 19th

Efficient Market Hypothesis

• Stock prices reflect the information available

• We can use this to determine the effect of data breaches

• “maybe the market isn’t quite as efficient as you think” – Charlie Munger in response to Efficient Market Hypothesis

Quantitative Trading

• Trading strategies based on quantitative analysis which rely on mathematical computations and number crunching to identify trading opportunities. -- Investopedia

Quantitative Trading

Quantitative Trading Example

• Security that holds gold (GLD ETF)

• Track gold miners (GDX ETF)

Quantopian

Quantopian Example

Breach Trading Algorithm

• Tracks stock prices in relation to the date of their security breaches

Be warned

30-Day After Breach Transactions

DATE        SECURITY  TRANSACTION  # SHARES  PRICE   $ AMOUNT        CHANGE
2007-01-16  TJX       BUY          6688      $14.84  $99,216.48      -3.7%
2007-02-19  TJX       SELL         -6688     $14.29  ($95,538.08)
2009-01-19  HPY       BUY          6464      $14.22  $91,918.08      -45.1%
2009-02-19  HPY       SELL         -6464     $7.80   ($50,419.20)
2011-03-16  EMC       BUY          3952      $25.59  $101,131.68     4.3%
2011-04-18  EMC       SELL         -3952     $26.68  ($105,439.36)
2011-04-25  SNE       BUY          3324      $29.80  $99,055.20      -10.0%
2011-05-26  SNE       SELL         -3324     $26.83  ($89,182.92)
2011-08-29  VDSI      BUY          13458     $7.03   $94,609.74      -27.9%
2011-09-29  VDSI      SELL         -13458    $5.07   ($68,218.60)
2013-10-02  ADBE      BUY          1940      $50.91  $98,765.40      7.5%
2013-11-04  ADBE      SELL         -1940     $54.75  ($106,215.00)
2013-12-18  TGT       BUY          1573      $62.17  $97,793.41      -5.2%
2014-01-21  TGT       SELL         -1573     $58.96  ($92,744.08)

30-Day Transactions List (SPY Indexed)

DATE        SECURITY  TRANSACTION  # SHARES  PRICE    $ AMOUNT
2007-01-16  TJX       BUY          6688      $14.84   $99,216.48
2007-01-16  SPY       SELL         -699      $142.97  ($99,936.03)
2007-02-19  TJX       SELL         -6688     $14.29   ($95,538.08)
2007-02-19  SPY       BUY          699       $146.13  $102,144.87
2009-01-19  SPY       SELL         -1176     $80.59   ($94,773.84)
2009-01-19  HPY       BUY          6464      $14.22   $91,918.08
2009-02-19  SPY       BUY          1176      $77.44   $91,069.44
2009-02-19  HPY       SELL         -6464     $7.80    ($50,419.20)
2011-03-16  EMC       BUY          3952      $25.59   $101,131.68
2011-03-16  SPY       SELL         -792      $127.77  ($101,193.84)
2011-04-18  EMC       SELL         -3952     $26.68   ($105,439.36)
2011-04-18  SPY       BUY          792       $131.32  $104,005.44

30-Day Algorithm (SPY Indexed)

30-Days After Breach – Stock Price

SECURITY                   CHANGE   S&P 500  BENCHMARKED RETURN
Adobe                      7.5%     5.1%     2.4%
EMC                        4.3%     2.7%     1.6%
Heartland Payment Systems  -45.1%   -4.1%    -41.1%
Lockheed Martin            2.7%     -3.0%    5.7%
Sony                       -10.0%   -1.0%    -9.0%
Target                     -5.2%    1.5%     -6.7%
TJX                        -3.7%    2.1%     -5.8%
Vasco Data Security        -27.9%   -7.0%    -20.9%
Average                    -9.67%            -9.22%
Median                     -4.44%            -6.26%

30-Days After Breach – Cost to Company

SECURITY                   BENCHMARK  MARKET CAP (B)  ADJUSTED COST (B)
Adobe                      2.4%       29.6            0.716
EMC                        1.6%       52.08           0.821
Heartland Payment Systems  -41.1%     1.45            -0.596
Lockheed Martin            5.7%       52.74           3.019
Sony                       -9.0%      18.14           -1.630
Target                     -6.7%      37.44           -2.503
TJX                        -5.8%      41.03           -2.393
Vasco Data Security        -20.9%     0.45            -0.094
Average                    -9.22%     29.12           -0.332
Median                     -6.26%     33.52           -0.344
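
An added example, not part of the original slides: the 30-day benchmarked return and market-cap-adjusted cost recomputed in Python from the prices on the SPY-indexed transaction slide. It assumes, as the tables suggest, that the benchmarked return is the stock's change minus SPY's change and that adjusted cost is that return applied to market cap; all function names are hypothetical.

```python
from statistics import mean, median

# Entry/exit prices copied from the slide "30-Day Transactions List (SPY Indexed)":
# ticker -> (stock buy, stock sell, SPY at entry, SPY at exit).
WINDOWS = {
    "TJX": (14.84, 14.29, 142.97, 146.13),
    "HPY": (14.22, 7.80, 80.59, 77.44),
    "EMC": (25.59, 26.68, 127.77, 131.32),
}
# Market capitalisation in $B, copied from the "Cost to Company" slide.
MARKET_CAP_B = {"TJX": 41.03, "HPY": 1.45, "EMC": 52.08}


def pct_change(entry, exit_):
    """Simple return over the window, in percent."""
    return (exit_ / entry - 1.0) * 100.0


def benchmarked_return(ticker):
    """Assumed method: stock return minus SPY return over the same window."""
    buy, sell, spy_in, spy_out = WINDOWS[ticker]
    return pct_change(buy, sell) - pct_change(spy_in, spy_out)


def adjusted_cost_b(ticker):
    """Assumed method: benchmarked return applied to market cap, in $B."""
    return benchmarked_return(ticker) / 100.0 * MARKET_CAP_B[ticker]


def summary():
    """Per-ticker (return %, cost $B) plus mean and median benchmarked return."""
    rows = {t: (round(benchmarked_return(t), 2), round(adjusted_cost_b(t), 3))
            for t in WINDOWS}
    returns = [r for r, _ in rows.values()]
    return rows, round(mean(returns), 2), round(median(returns), 2)


if __name__ == "__main__":
    rows, avg, med = summary()
    for ticker, (ret, cost) in rows.items():
        print(f"{ticker}: benchmarked {ret:+.2f}%  adjusted cost {cost:+.3f} $B")
    print(f"mean {avg:+.2f}%  median {med:+.2f}%")
```

The results land within 0.2 percentage points of the slide's benchmarked returns for these three companies; the slides do not say which exact prices or rounding were used.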

Results – Market Capitalization

                   1 Day    30 Days  90 Days  180 Days  365 Days
Algorithm          -44.4%   -70.1%   -44.0%   -62.1%    -58.3%
Average per stock  -5.5%    -8.76%   -5.5%    -7.76%    -7.28%

How to trade with this info

• Short sell a company immediately following a breach

• A data breach may be worth more to people who invest with that information

Tro LLC

Tro LLC

How to make business decisions with this

• Need to understand factors

• If your company is publicly traded, factors should roughly add up to stock price

• Use this algorithm to generate data for companies similar to yours

How to make business decisions with this

• Threat model your organization

  • What could go wrong?

• Examine data and estimate impact

Questions

• Slides: trustfoundry.net

• @alexlauerman

• 913.271.7789