Is Security Worth It? Alex Lauerman.

1 Is Security Worth It? Alex Lauerman

2 Who is Alex?
- FishNet Security
- Veracode
- TrustFoundry
- SecKC

3 Why am I talking?
- Don’t like security being a checkbox
- I want security to be driven by its value
- Want to do better at the stock market
- Goal is to help understand cost of insecurity

4 What will I talk about?
- Cost Factors of a Data Breach
- Previous Research
- My Research
- Analysis of impact of data breach

5 What is a data breach?
Accidental or intentional loss of:
- Personally Identifiable Information
- Financial Information
- Confidential Company Information
- Intellectual Property
- Health Information

6 What are the cost factors?
- Incident Response
- Communications
- Compensation
- Legal defense
- Regulatory Fines
- Indirect
  - Loss of productivity
  - Loss of customers
  - Lost competitive edge

7 Ways to measure cost of breach
- Fixed
- Per Record (Variable)
- Add factors individually
- Estimate based on previous breach costs

8 Sources of Breaches Google

9 DataLossDB

10 Information is Beautiful

11 Previous Research
- Ponemon
  - Gold standard in data breach costs
- Brush Creek Partners – Cyber Liability Insurance
- Academic Sources
- Risk Centric Security (YouTube “Deconstructing Data Breach Cost”)

12 Previous Research – Ponemon
- Average cost of data breach $188/record (2013)
- Average cost of data breach $201/record (2014)
- Average number of records breached in US: 28,765 (2013)
- “The results show that a probability of a material data breach involving a minimum of 10,000 records is more than 22 percent.”
- “India and Brazil have the highest estimated probability of occurrence at 30 percent, while Germany has an approximate 2 percent rate of occurrence.”

13 Previous Research – Ponemon
Total average cost per US breach:
- $5,403,644 (2013)
- $5.85 (2014)

14 Previous Research – Ponemon Cost of data breach by size (2013)

15 Previous Research – Ponemon Cost of data breach by size (2014)

16 Previous Research – Ponemon Breakdown by industry

17 Previous Research – Ponemon Customer churn

18 Previous Research – Ponemon
Cost of data breach per record – Causation or correlation?
- Adobe example
- Target example

19 Research – Brush Creek Partners
- Leverage Ponemon research
- Insurance cost is based on revenue and line of business
  - Retail - Inexpensive
  - Healthcare & Financial - Expensive (fines)
- Encourage or require good security
- <10% of companies have cyber liability insurance

20 Previous Research – Risk Centric Security
- Lots of charts
- Direct Costs
  - DSW Shoes – ~$4.64 – 6.79 per record
  - TJX – $1.90 – $2.12 per record
  - Heartland Payment Systems – $0.90 per record
  - Sony – $1.17 per record
  - Global Payments – $15.71 – $80 per record
  - South Carolina DoR – $3 – $5 per record

21 Previous Research – Stock Prices
- Gatzlaff
  - -0.84% 1 day after a breach
- Tomáš Klíma
  - Data breaches impact stock prices
- Hovav
  - Financial revenue most impact
  - Vandal attacks have lower impact
  - DoS almost no effect
- Cavusoglu
  - 2.1% decrease in value in two days following the breach
- Morse
  - Abnormal negative stock price returns
- SecurityNinja

22 Delayed Impact - Target
- Breach rumors Dec 18
- Announcement Dec 19th

23 Efficient Market Hypothesis
- Stock prices reflect the information available
- We can use this to determine the effect of data breaches
- “maybe the market isn’t quite as efficient as you think” – Charlie Munger in response to Efficient Market Hypothesis

24 Quantitative Trading Trading strategies based on quantitative analysis which rely on mathematical computations and number crunching to identify trading opportunities. --investopedia

25 Quantitative Trading

26 Quantitative Trading Example
- Security that holds gold (GLD ETF)
- Track gold miners (GDX ETF)

27 Quantopian

28 Quantopian Example

29 Breach Trading Algorithm Tracks stock prices in relation to the date of their security breaches

30 Be warned

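31 30-Day After Breach Transactions

| DATE | SECURITY | TRANSACTION | # SHARES | PRICE | $ AMOUNT | CHANGE |
|---|---|---|---|---|---|---|
| 2007-01-16 | TJX | BUY | 6688 | $14.84 | $99,216.48 | -3.7% |
| 2007-02-19 | TJX | SELL | -6688 | $14.29 | ($95,538.08) | |
| 2009-01-19 | HPY | BUY | 6464 | $14.22 | $91,918.08 | -45.1% |
| 2009-02-19 | HPY | SELL | -6464 | $7.80 | ($50,419.20) | |
| 2011-03-16 | EMC | BUY | 3952 | $25.59 | $101,131.68 | 4.3% |
| 2011-04-18 | EMC | SELL | -3952 | $26.68 | ($105,439.36) | |
| 2011-04-25 | SNE | BUY | 3324 | $29.80 | $99,055.20 | -10.0% |
| 2011-05-26 | SNE | SELL | -3324 | $26.83 | ($89,182.92) | |
| 2011-08-29 | VDSI | BUY | 13458 | $7.03 | $94,609.74 | -27.9% |
| 2011-09-29 | VDSI | SELL | -13458 | $5.07 | ($68,218.60) | |
| 2013-10-02 | ADBE | BUY | 1940 | $50.91 | $98,765.40 | 7.5% |
| 2013-11-04 | ADBE | SELL | -1940 | $54.75 | ($106,215.00) | |
| 2013-12-18 | TGT | BUY | 1573 | $62.17 | $97,793.41 | -5.2% |
| 2014-01-21 | TGT | SELL | -1573 | $58.96 | ($92,744.08) | |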

32 30-Day Transactions List (SPY Indexed)

| DATE | SECURITY | TRANSACTION | # SHARES | PRICE | $ AMOUNT |
|---|---|---|---|---|---|
| 2007-01-16 | TJX | BUY | 6688 | $14.84 | $99,216.48 |
| 2007-01-16 | SPY | SELL | -699 | $142.97 | ($99,936.03) |
| 2007-02-19 | TJX | SELL | -6688 | $14.29 | ($95,538.08) |
| 2007-02-19 | SPY | BUY | 699 | $146.13 | $102,144.87 |
| 2009-01-19 | SPY | SELL | -1176 | $80.59 | ($94,773.84) |
| 2009-01-19 | HPY | BUY | 6464 | $14.22 | $91,918.08 |
| 2009-02-19 | SPY | BUY | 1176 | $77.44 | $91,069.44 |
| 2009-02-19 | HPY | SELL | -6464 | $7.80 | ($50,419.20) |
| 2011-03-16 | EMC | BUY | 3952 | $25.59 | $101,131.68 |
| 2011-03-16 | SPY | SELL | -792 | $127.77 | ($101,193.84) |
| 2011-04-18 | EMC | SELL | -3952 | $26.68 | ($105,439.36) |
| 2011-04-18 | SPY | BUY | 792 | $131.32 | $104,005.44 |
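
The benchmarking step behind the SPY-indexed list above, as an added Python example (not the speaker's Quantopian code): each breached stock's BUY/SELL pair is turned into a return, and SPY's return over the same two dates is subtracted. The function name and tuple layout are assumptions; because it uses the rounded prices printed on the slide, results can differ from the summary figures by a tenth or two of a percentage point.

```python
# Added example. Rows transcribed from the "30-Day Transactions List
# (SPY Indexed)" slide as (date, security, side, price).
# Function and field names are illustrative, not from the talk.
TRANSACTIONS = [
    ("2007-01-16", "TJX", "BUY", 14.84),
    ("2007-01-16", "SPY", "SELL", 142.97),
    ("2007-02-19", "TJX", "SELL", 14.29),
    ("2007-02-19", "SPY", "BUY", 146.13),
    ("2009-01-19", "SPY", "SELL", 80.59),
    ("2009-01-19", "HPY", "BUY", 14.22),
    ("2009-02-19", "SPY", "BUY", 77.44),
    ("2009-02-19", "HPY", "SELL", 7.80),
    ("2011-03-16", "EMC", "BUY", 25.59),
    ("2011-03-16", "SPY", "SELL", 127.77),
    ("2011-04-18", "EMC", "SELL", 26.68),
    ("2011-04-18", "SPY", "BUY", 131.32),
]


def benchmarked_returns(rows, benchmark="SPY"):
    """Return {ticker: (stock_return, benchmark_return, excess)} per BUY/SELL pair."""
    # Benchmark price on each trade date, so the market's move is measured
    # over exactly the same holding window as the breached stock.
    bench_px = {d: px for d, sec, _side, px in rows if sec == benchmark}
    entries, out = {}, {}
    for date, sec, side, px in sorted(rows):
        if sec == benchmark:
            continue
        if side == "BUY":                        # entry around the breach date
            entries[sec] = (date, px)
        elif side == "SELL" and sec in entries:  # exit roughly 30 days later
            d0, p0 = entries.pop(sec)
            if d0 not in bench_px or date not in bench_px:
                continue                         # no index leg: cannot benchmark
            stock = px / p0 - 1
            bench = bench_px[date] / bench_px[d0] - 1
            out[sec] = (stock, bench, stock - bench)
    return out


if __name__ == "__main__":
    for sec, (s, b, x) in benchmarked_returns(TRANSACTIONS).items():
        print(f"{sec}: stock {s:+.1%}  SPY {b:+.1%}  benchmarked {x:+.1%}")
```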

33 30-Day Algorithm (SPY Indexed)

34 30-Days After Breach – Stock Price

| SECURITY | CHANGE | S&P 500 | BENCHMARKED RETURN |
|---|---|---|---|
| Adobe | 7.5% | 5.1% | 2.4% |
| EMC | 4.3% | 2.7% | 1.6% |
| Heartland Payment Systems | -45.1% | -4.1% | -41.1% |
| Lockheed Martin | 2.7% | -3.0% | 5.7% |
| Sony | -10.0% | -1.0% | -9.0% |
| Target | -5.2% | 1.5% | -6.7% |
| TJX | -3.7% | 2.1% | -5.8% |
| Vasco Data Security | -27.9% | -7.0% | -20.9% |
| Average | -9.67% | | -9.22% |
| Median | -4.44% | | -6.26% |

35 30-Days After Breach – Cost to Company

| SECURITY | BENCHMARK | MARKET CAP (B) | ADJUSTED COST (B) |
|---|---|---|---|
| Adobe | 2.4% | 29.6 | 0.716 |
| EMC | 1.6% | 52.08 | 0.821 |
| Heartland Payment Systems | -41.1% | 1.45 | -0.596 |
| Lockheed Martin | 5.7% | 52.74 | 3.019 |
| Sony | -9.0% | 18.14 | -1.630 |
| Target | -6.7% | 37.44 | -2.503 |
| TJX | -5.8% | 41.03 | -2.393 |
| Vasco Data Security | -20.9% | 0.45 | -0.094 |
| Average | -9.22% | 29.12 | -0.332 |
| Median | -6.26% | 33.52 | -0.344 |

36 Results – Market Capitalization

| | 1 Day | 30 Days | 90 Days | 180 Days | 365 Days |
|---|---|---|---|---|---|
| Algorithm | -44.4% | -70.1% | -44.0% | -62.1% | -58.3% |
| Average per stock | -5.5% | -8.76% | -5.5% | -7.76% | -7.28% |

37 How to trade with this info
- Short sell a company immediately following a breach
- A data breach may be worth more to people who invest with that information

38 Tro LLC


40 How to make business decisions with this
- Need to understand factors
- If your company is publicly traded, factors should roughly add up to stock price
- Use this algorithm to generate data for companies similar to yours

41 How to make business decisions with this
- Threat model your organization
- What could go wrong?
- Examine data and estimate impact

42 Questions Slides: @alexlauerman 913.271.7789

