Published by Brendan Webb. Modified over 9 years ago.
1
Is Security Worth It? Alex Lauerman
2
Who is Alex?
- FishNet Security
- Veracode
- TrustFoundry
- SecKC
3
Why am I talking?
- Don’t like security being a checkbox
- I want security to be driven by its value
- Want to do better at the stock market
- Goal is to help understand cost of insecurity
4
What will I talk about?
- Cost Factors of a Data Breach
- Previous Research
- My Research
- Analysis of impact of data breach
5
What is a data breach?
Accidental or intentional loss of:
- Personally Identifiable Information
- Financial Information
- Confidential Company Information
- Intellectual Property
- Health Information
6
What are the cost factors?
- Incident Response
- Communications
- Compensation
- Legal defense
- Regulatory Fines
- Indirect
  - Loss of productivity
  - Loss of customers
  - Lost competitive edge
7
Ways to measure cost of breach
- Fixed
- Per Record (Variable)
- Add factors individually
- Estimate based on previous breach costs
8
Sources of Breaches
- datalossdb.org
- databreaches.net
- www.privacyrights.org
- www.idtheftcenter.org
- Google
9
DataLossDB
10
Information is Beautiful
11
Previous Research
- Ponemon
  - Gold standard in data breach costs
- Brush Creek Partners – Cyber Liability Insurance
- Academic Sources
- Risk Centric Security (YouTube “Deconstructing Data Breach Cost”)
12
Previous Research – Ponemon
- Average cost of data breach $188/record (2013)
- Average cost of data breach $201/record (2014)
- Average number of records breached in US: 28,765 (2013)
- “The results show that a probability of a material data breach involving a minimum of 10,000 records is more than 22 percent.”
- “India and Brazil have the highest estimated probability of occurrence at 30 percent, while Germany has an approximate 2 percent rate of occurrence.”
13
Previous Research – Ponemon
Total average cost per US breach:
- $5,403,644 (2013)
- $5.85 (2014)
14
Previous Research – Ponemon
Cost of data breach by size (2013)
15
Previous Research – Ponemon
Cost of data breach by size (2014)
16
Previous Research – Ponemon
Breakdown by industry
17
Previous Research – Ponemon
Customer churn
18
Previous Research – Ponemon
Cost of data breach per record – Causation or correlation?
- Adobe example
- Target example
19
Research – Brush Creek Partners
- Leverage Ponemon research
- Insurance cost is based on revenue and line of business
  - Retail - Inexpensive
  - Healthcare & Financial - Expensive (fines)
- Encourage or require good security
- <10% of companies have cyber liability insurance
20
Previous Research – Risk Centric Security
- Lots of charts
- Direct Costs
  - DSW Shoes: ~$4.64 – 6.79 per record
  - TJX: $1.90 – $2.12 per record
  - Heartland Payment Systems: $0.90 per record
  - Sony: $1.17 per record
  - Global Payments: $15.71 - $80 per record
  - South Carolina DoR: $3 - $5 per record
21
Previous Research – Stock Prices
- Gatzlaff
  - -.84% 1 day after a breach
- Tomáš Klíma
  - Data breaches impact stock prices
- Hovav
  - Financial revenue most impact
  - Vandal attacks have lower impact
  - DoS almost no effect
- Cavusoglu
  - 2.1% decrease in value in two days following the breach
- Morse
  - Abnormal negative stock price returns
- SecurityNinja
22
Delayed Impact - Target
- Breach rumors Dec 18
- Announcement Dec 19th
23
Efficient Market Hypothesis
- Stock prices reflect the information available
- We can use this to determine the effect of data breaches
- “maybe the market isn’t quite as efficient as you think” – Charlie Munger in response to Efficient Market Hypothesis
24
Quantitative Trading
“Trading strategies based on quantitative analysis which rely on mathematical computations and number crunching to identify trading opportunities.” -- Investopedia
25
Quantitative Trading
26
Quantitative Trading Example
- Security that holds gold (GLD ETF)
- Track gold miners (GDX ETF)
27
Quantopian
28
Quantopian Example
29
Breach Trading Algorithm
- Tracks stock prices in relation to the date of their security breaches
30
Be warned
31
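30-Day After Breach Transactions

| DATE | SECURITY | TRANSACTION | # SHARES | PRICE | $ AMOUNT | CHANGE |
|---|---|---|---|---|---|---|
| 2007-01-16 | TJX | BUY | 6688 | $14.84 | $99,216.48 | -3.7% |
| 2007-02-19 | TJX | SELL | -6688 | $14.29 | ($95,538.08) | |
| 2009-01-19 | HPY | BUY | 6464 | $14.22 | $91,918.08 | -45.1% |
| 2009-02-19 | HPY | SELL | -6464 | $7.80 | ($50,419.20) | |
| 2011-03-16 | EMC | BUY | 3952 | $25.59 | $101,131.68 | 4.3% |
| 2011-04-18 | EMC | SELL | -3952 | $26.68 | ($105,439.36) | |
| 2011-04-25 | SNE | BUY | 3324 | $29.80 | $99,055.20 | -10.0% |
| 2011-05-26 | SNE | SELL | -3324 | $26.83 | ($89,182.92) | |
| 2011-08-29 | VDSI | BUY | 13458 | $7.03 | $94,609.74 | -27.9% |
| 2011-09-29 | VDSI | SELL | -13458 | $5.07 | ($68,218.60) | |
| 2013-10-02 | ADBE | BUY | 1940 | $50.91 | $98,765.40 | 7.5% |
| 2013-11-04 | ADBE | SELL | -1940 | $54.75 | ($106,215.00) | |
| 2013-12-18 | TGT | BUY | 1573 | $62.17 | $97,793.41 | -5.2% |
| 2014-01-21 | TGT | SELL | -1573 | $58.96 | ($92,744.08) | |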
32
30-Day Transactions List (SPY Indexed)

| DATE | SECURITY | TRANSACTION | # SHARES | PRICE | $ AMOUNT |
|---|---|---|---|---|---|
| 2007-01-16 | TJX | BUY | 6688 | $14.84 | $99,216.48 |
| 2007-01-16 | SPY | SELL | -699 | $142.97 | ($99,936.03) |
| 2007-02-19 | TJX | SELL | -6688 | $14.29 | ($95,538.08) |
| 2007-02-19 | SPY | BUY | 699 | $146.13 | $102,144.87 |
| 2009-01-19 | SPY | SELL | -1176 | $80.59 | ($94,773.84) |
| 2009-01-19 | HPY | BUY | 6464 | $14.22 | $91,918.08 |
| 2009-02-19 | SPY | BUY | 1176 | $77.44 | $91,069.44 |
| 2009-02-19 | HPY | SELL | -6464 | $7.80 | ($50,419.20) |
| 2011-03-16 | EMC | BUY | 3952 | $25.59 | $101,131.68 |
| 2011-03-16 | SPY | SELL | -792 | $127.77 | ($101,193.84) |
| 2011-04-18 | EMC | SELL | -3952 | $26.68 | ($105,439.36) |
| 2011-04-18 | SPY | BUY | 792 | $131.32 | $104,005.44 |
33
30-Day Algorithm (SPY Indexed)
34
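30-Days After Breach – Stock Price

| SECURITY | CHANGE | S&P 500 | BENCHMARKED RETURN |
|---|---|---|---|
| Adobe | 7.5% | 5.1% | 2.4% |
| EMC | 4.3% | 2.7% | 1.6% |
| Heartland Payment Systems | -45.1% | -4.1% | -41.1% |
| Lockheed Martin | 2.7% | -3.0% | 5.7% |
| Sony | -10.0% | -1.0% | -9.0% |
| Target | -5.2% | 1.5% | -6.7% |
| TJX | -3.7% | 2.1% | -5.8% |
| Vasco Data Security | -27.9% | -7.0% | -20.9% |
| Average | -9.67% | | -9.22% |
| Median | -4.44% | | -6.26% |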
35
30-Days After Breach – Cost to Company

| SECURITY | BENCHMARK | MARKET CAP (B) | ADJUSTED COST (B) |
|---|---|---|---|
| Adobe | 2.4% | 29.6 | 0.716 |
| EMC | 1.6% | 52.08 | 0.821 |
| Heartland Payment Systems | -41.1% | 1.45 | -0.596 |
| Lockheed Martin | 5.7% | 52.74 | 3.019 |
| Sony | -9.0% | 18.14 | -1.630 |
| Target | -6.7% | 37.44 | -2.503 |
| TJX | -5.8% | 41.03 | -2.393 |
| Vasco Data Security | -20.9% | 0.45 | -0.094 |
| Average | -9.22% | 29.12 | -0.332 |
| Median | -6.26% | 33.52 | -0.344 |
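The arithmetic behind the 30-day tables above, as an added example that is not from the original slides: it pairs each BUY/SELL from the SPY-indexed transaction list, subtracts the SPY move over the same window, and scales the result by the market caps from the cost slide. It assumes the SPY prices on the transaction slide as the benchmark, so its figures differ slightly from the slides' S&P 500 column; the function names are illustrative.

```python
# Added example: benchmark-adjusted return per breach, using rows from the
# SPY-indexed transaction slide. Tuples are (date, ticker, side, price).
TRANSACTIONS = [
    ("2007-01-16", "TJX", "BUY", 14.84), ("2007-01-16", "SPY", "SELL", 142.97),
    ("2007-02-19", "TJX", "SELL", 14.29), ("2007-02-19", "SPY", "BUY", 146.13),
    ("2009-01-19", "SPY", "SELL", 80.59), ("2009-01-19", "HPY", "BUY", 14.22),
    ("2009-02-19", "SPY", "BUY", 77.44), ("2009-02-19", "HPY", "SELL", 7.80),
    ("2011-03-16", "EMC", "BUY", 25.59), ("2011-03-16", "SPY", "SELL", 127.77),
    ("2011-04-18", "EMC", "SELL", 26.68), ("2011-04-18", "SPY", "BUY", 131.32),
]
# Market caps in $B, from the "Cost to Company" slide.
MARKET_CAP_B = {"TJX": 41.03, "HPY": 1.45, "EMC": 52.08}


def breach_windows(transactions, benchmark="SPY"):
    """Pair each stock's BUY (breach date) with its later SELL (window end)."""
    opened, windows = {}, []
    for date, ticker, side, price in sorted(transactions):
        if ticker == benchmark:
            continue
        if side == "BUY":
            opened[ticker] = (date, price)
        elif ticker in opened:
            start, entry = opened.pop(ticker)
            windows.append((ticker, start, entry, date, price))
    return windows


def event_study(transactions, market_cap_b, benchmark="SPY"):
    """Return {ticker: (stock_return, benchmark_return, abnormal, cap_change_b)}."""
    quote = {(t, d): p for d, t, _side, p in transactions}
    results = {}
    for ticker, start, entry, end, exit_ in breach_windows(transactions, benchmark):
        if (benchmark, start) not in quote or (benchmark, end) not in quote:
            continue  # no benchmark price for this window: skip rather than guess
        stock = (exit_ - entry) / entry
        bench = quote[(benchmark, end)] / quote[(benchmark, start)] - 1
        abnormal = stock - bench  # return not explained by the market move
        results[ticker] = (stock, bench, abnormal, abnormal * market_cap_b[ticker])
    return results


if __name__ == "__main__":
    for ticker, (s, b, a, cost) in event_study(TRANSACTIONS, MARKET_CAP_B).items():
        print(f"{ticker}: stock {s:+.1%}  SPY {b:+.1%}  abnormal {a:+.1%}  "
              f"market-cap change {cost:+.3f} $B")
```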
36
Results – Market Capitalization

| | 1 Day | 30 Days | 90 Days | 180 Days | 365 Days |
|---|---|---|---|---|---|
| Algorithm | -44.4% | -70.1% | -44.0% | -62.1% | -58.3% |
| Average per stock | -5.5% | -8.76% | -5.5% | -7.76% | -7.28% |
37
How to trade with this info
- Short sell a company immediately following a breach
- A data breach may be worth more to people who invest with that information
38
Tro LLC
40
How to make business decisions with this
- Need to understand factors
- If your company is publicly traded, factors should roughly add up to stock price
- Use this algorithm to generate data for companies similar to yours
41
How to make business decisions with this
- Threat model your organization
- What could go wrong?
- Examine data and estimate impact
42
Questions
- Slides: trustfoundry.net
- alex.lauerman@trustfoundry.net
- @alexlauerman
- 913.271.7789