Presentation on theme: "1 Security Policy and Financial Costs (original slides from Josh Kaplan, Stephanie Losi, and Eric Chang)"— Presentation transcript:
1 Security Policy and Financial Costs (original slides from Josh Kaplan, Stephanie Losi, and Eric Chang)
2 How NOT to sell… “IT relies on, more than anything, fear, uncertainty, and doubt to sell security—in other words, FUD. The thinking is, if you scare them, they will spend.” - Scott Berinato, CIO Magazine
3 Summarizing the actual costs incurred by 14 organizations that lost confidential customer information and had regulatory requirement to publicly notify affected individuals. The PGP/Ponemon Survey
8 This Study Was Long Overdue Why has it been so hard to quantify the cost of security breaches? –No real efforts have been made to deal with these issues until several years ago. –The PGP/Ponemon survey provides a strong benchmark for actual quantification. Can an organization use these findings to address such cost implications?
11 Decide What You Are Going to Do In terms of costs, you must determine: What are you going to measure? –Staffing and technology costs? –Projected costs of an incident? –Probabilities of an incident? –Effects on customers and suppliers? –Etc. How are you going to measure it? –There will be a lot of acronyms here! –DON’T PANIC
12 What Are You Going to Measure? Lost productivity Loss of revenue during outages Loss of data (temporary or permanent) Compromise of data (disclosure or modification) Repair costs Loss of reputation Source: CMU, Infosec World 2003
13 Also, Think About This… Are you going to measure indirect losses To your customers and suppliers? To your shareholders? To your reputation? These are real losses!
14 Let Me Measure It, Already! One of the simplest ways to calculate ROI is called “payback” To calculate payback: Add up the costs of an investment in security (hardware, software, salaries, training, upgrades, etc.) over several years Calculate the benefits of the investment over that same time period. For security, this calculation will be based on losses that do NOT occur.
15 Payback Example The security manager at XYZ Corp., which employs 50 people, wants to implement a company-wide, 2-day-per-year security training program for all employees for the next 3 years. He decides to use the payback method to justify his investment to the CEO.
16 Payback Example Year 0Year 1Year 2Year 3 Staffing$10,000$60,000$62,400$64,896 Opportunity Cost-$16,016$16,656$17,322 Reduced Insider Threat -$30,000 Reduced Social Engineering -$45,000 Reduced Password Cracking -$90,000 Total Per Year$10,000$88,984$85,944$82,782 Total Payback$247,710
17 The Importance of Expected Value Expected value can be used to calculate the benefits of a security investment. EV = (probability of X) * (cost of X) In security terms, since we are dealing with probabilities of loss, this can also be viewed as the annualized loss expectancy (ALE) Source: CMU, Infosec World 2003
18 Here’s a Concrete Example The chance of a breach due to password cracking was 90% per year before the training program. The cost of such a breach averaged $150,000. Therefore, the expected cost per year was: (.90) * ($150,000) = $135,000 The training program is expected to reduce the chance of a breach due to password cracking to 30% per year. The cost of such a breach remains the same, so the expected cost per year is now: (.30) * ($150,000) = $45,000
19 Enter NPV and IRR NPV = Net Present Value NPV takes into account a discount rate. In other words, $90,000 tomorrow is worth less than $90,000 today. We see this in everyday life all the time. NPV = Σ Cash Flow / (1+rate) t
20 This Time Using NPV… Let’s look at the example from before, but this time we will use NPV with a discount rate of 10% to calculate the value of the security investment.
21 NPV Example Year 0Year 1Year 2Year 3 Staffing$10,000$54,545$51,570$48,757 Opportunity Cost0 $14,560$13,765$13,014 Reduced Insider Threat 0$27,272$24,793$22,539 Reduced Social Engineering 0$40,909$37,190$33,809 Reduced Password Cracking 0$81,818$74,380$67,618 Total PV Per Yr $10,000$80,894$71,028$62,195 NPV$204,117
22 Making a Decision For example, what if XYZ Corp. is considering buying an experimental firewall that costs $600,000 but will save the company $250,000 per year for 3 years by reducing intrusions? It will cost $50,000 to train XYZ staff to use the firewall and $25,000 per year for upgrades and maintenance.
23 Payback Says Yes Year 0Year 1Year 2Year 3 Experimental Firewall$600,000$25,000$25,000$25,000 Staff Training $50,000--- Reduced Intrusions -$250,000 Total Per Year $650,000$225,000 Total Payback $25,000
24 NPV Says No Year 0Year 1Year 2Year 3 Experimental Firewall$600,000$22,727$20,661$18,783 Staff Training $50,000--- Reduced Intrusions -$227,272$206,612$187,829 Total PV Per Yr $650,000$204,545$185,951$169,046 NPV $90,458
25 Advantages of NPV Often, this is what CFOs and CEOs are looking for — it’s what they know. Other departments often use the NPV metric. NPV is designed for calculating the value of uncertain gains and losses.
26 One More Measure One more measure you may want to consider using is IRR, the internal rate of return. This is the rate that causes the NPV of the project to be zero (neither a profit nor a loss).
27 How IRR Works For example, if a security investment requires you to spend $100 today and will result in savings of $105 in the next year, its IRR is: 0 = -$100 + $105/(1+IRR) 1 IRR = 0.05 = 5 percent How did we do this? Remember the NPV formula: NPV = Σ Cash Flow / (1+rate) t The IRR is simply the point at which the NPV equals zero, so plug in 0 on the left side of the equation and solve for the IRR.
28 The IRR Rule This leads to a simple rule that can help with many investment decisions if you choose to use IRR: As long as a project is not mutually exclusive with another project, you can accept the project if its IRR is greater than the discount rate (which is an economic factor that you, as the company, cannot control), and reject the project if its IRR is less than the discount rate.
29 However, Remember This… As stated earlier in our presentation: Gordon and Loeb found that the optimal amount to spend on security never exceeds 37% of the expected loss resulting from a breach. Therefore, in the real world, you might not accept a project with a zero or slightly positive NPV. This also makes IRR less useful.
30 To Sum Up Decide what you are going to measure. Decide on a method of measuring it. State which method you are going to use in your security policy. STICK WITH THAT METHOD!
31 One Last Note Remember those indirect costs we discussed earlier? Often, the positive effects of a security investment—or the negative effects of a breach—on customers, suppliers, and shareholders cannot be precisely measured. There is no easy solution to this problem, but you should be aware that intangible benefits and costs can and do exist. It might help to view them as analogous to the “goodwill” often represented on corporate balance sheets.
32 A Few Good References CSI/FBI Computer Crime and Security Survey –Gordon, Loeb, Lucyshyn, and Richardson Managing Cybersecurity Resources: A Cost-Benefit AnalysisManaging Cybersecurity Resources: A Cost-Benefit Analysis –Lawrence A. Gordon and Martin P. Loeb The Economics of Information Security Investment –Lawrence A. Gordon and Martin P. Loeb Finally, a Real Return on Security Spending –Scott Berinato, CIO Magazine
33 Some More Good References Economics and Security Resource Page –Ross Anderson Return on Information Security Investment –Adrian Mizzi Corporate Finance (7 th Edition)Corporate Finance (7 th Edition) –Ross, Westerfield, and Jaffe Security in Computing (3 rd Edition)Security in Computing (3 rd Edition) –Charles P. Pfleeger