Presentation is loading. Please wait.

Presentation is loading. Please wait.

USING FAIR, DOES TRAINING HELP REDUCE SPEAR PHISHING RISK? CASE STUDY SHARED COURTESY OF RISKLENS CONFIDENTIAL - FAIR INSTITUTE 2016 1.

Published byDarlene Richardson Modified over 8 years ago

Similar presentations

Presentation on theme: "USING FAIR, DOES TRAINING HELP REDUCE SPEAR PHISHING RISK? CASE STUDY SHARED COURTESY OF RISKLENS CONFIDENTIAL - FAIR INSTITUTE 2016 1."— Presentation transcript:

1 USING FAIR, DOES TRAINING HELP REDUCE SPEAR PHISHING RISK? CASE STUDY SHARED COURTESY OF RISKLENS CONFIDENTIAL - FAIR INSTITUTE 2016 1

2 ANALYSIS SCOPING CONFIDENTIAL - FAIR INSTITUTE 2016 2 Understand if training can reduce risk associated with spear and regular phishing RISK SCENARIO DESCRIPTION Sensitive customer data (PII & potentially HIPAA) stored on internal systems ASSET(S) DESCRIPTION LOSS TYPE Targeted spear and regular phishing attacks by external threats THREAT(S) DESCRIPTION Confidentiality

3 ANALYSIS SCOPING CONFIDENTIAL - FAIR INSTITUTE 2016 3 Assessing Risk Reduction By Comparison of Scenarios Assessed current state’s risk based on known controls in place today* Assessed how much risk there would be, given the implementation of a phishing awareness/training program *ASSUMPTION: Current state included various email filtering/gateway controls that reduce the number of phishing emails that arrive in an employee’s inbox.

4 ANALYSIS RESULTS CONFIDENTIAL - FAIR INSTITUTE 2016 4 ANNUALIZED REDUCTION IN LOSS EXPOSURE (RISK) RISK = Frequency x Magnitude of future loss. We express risk in terms of loss exposure. AnalysisMinimum*AverageMaximum*CHANGE Current State $4K$4K$400K$400K$2.3M Average loss exposure reduction $15K w/ Awareness Training $2K$385K$2.2M *Min represents the more probable 10th percentile of simulation results. *Max represents the more probable 90th percentile of simulation results.

5 ANALYSIS RESULTS CONFIDENTIAL - FAIR INSTITUTE 2016 5 Estimated Loss Exposure for a Single Event * There is an additional probability assigned to the likelihood; when a phishing email campaign is successful, the threat actor is able to leverage that foothold to identify, obtain, and exfiltrate sensitive data successfully.

6 ANALYSIS RESULTS CONFIDENTIAL - FAIR INSTITUTE 2016 6 AWARENESS AND TRAINING Reduce the probability that any phishing emails that get through the email gateway and filtering would be opened and some action taken by an employee AWARENESS CAMPAIGN Estimated* to reduce probability of employee action by 8-25% Important Note: We defined a phishing campaign as a “threat event”. A single spear or regular phishing campaign often includes many individual emails. *using an uncertain distribution Interpret Results

7 ANALYSIS RESULTS CONFIDENTIAL - FAIR INSTITUTE 2016 7 Why Is Change So Small? Industry data on phishing campaigns show 90% success probability 99% if run a second time It only takes one employee taking action for the threat to gain a foothold in the network.

8 ANALYSIS LEVERAGED THE FAIR MODEL CONFIDENTIAL - FAIR INSTITUTE 2016 8 Risk Contact Frequency Probability of Action Threat Capability Resistance Strength Loss Event Frequency Loss Magnitude Threat Event Frequency VulnerabilityPrimary LossSecondary Loss Loss Event Frequency Loss Magnitude

9 THE FAIR MODEL CONFIDENTIAL - FAIR INSTITUTE 2016 9 Risk Contact Frequency Probability of Action Threat Capability Resistance Strength Loss Event Frequency Loss Magnitude Threat Event Frequency VulnerabilityPrimary LossSecondary Loss Loss Event Frequency Loss Magnitude

10 ANALYSIS CONSIDERATIONS CONFIDENTIAL - FAIR INSTITUTE 2016 10 Frequency of phishing campaign emails landing in employee inboxes Estimating the resistance of the workstation based on configuration/patching The probability that an employee will take action on the email by clicking links opening attachments providing sensitive information

11 THE FAIR MODEL CONFIDENTIAL - FAIR INSTITUTE 2016 11 Risk Contact Frequency Probability of Action Threat Capability Resistance Strength Loss Event Frequency Loss Magnitude Threat Event Frequency VulnerabilityPrimary LossSecondary Loss Loss Event Frequency Loss Magnitude

12 ANALYSIS INPUT CONFIDENTIAL - FAIR INSTITUTE 2016 12 Incident response Investigation PRIMARY LOSSES Notification / credit monitoring Regulatory notification Possible fines / judgments Customer service requests Potential litigation Loss of current/future customers (reputation) Card replacement SECONDARY LOSSES

13 DECISION SUPPORT / ROI CONFIDENTIAL - FAIR INSTITUTE 2016 13 Training did not show any material reduction of risk associated with phishing campaigns Management decided to pursue an alternative phishing-related control, email sandboxing, over training Sandboxing has higher costs, but the risk reduction was far more significant (separate analysis conducted) THIS ANALYSIS SUPPORTED MANAGEMENT’S PRIORITIZATION

Download ppt "USING FAIR, DOES TRAINING HELP REDUCE SPEAR PHISHING RISK? CASE STUDY SHARED COURTESY OF RISKLENS CONFIDENTIAL - FAIR INSTITUTE 2016 1."

Similar presentations

Research Needs of The Restaurant Industry Chapter 26 Research Methodologies.

Research Needs of The Restaurant Industry Chapter 26 Research Methodologies.
Business Continuity Planning Presentation to Management.

Business Continuity Planning Presentation to Management.
Planning: Processes and Techniques

Planning: Processes and Techniques
Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.

Cyber Liability- Risks, Exposures and Risk Transfer for a Data Breach June 11, 2013.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Project Management Gaafar 2007 / 1 This Presentation is uses information from PMBOK Guide 2000 Project Management Risk Management* Dr. Lotfi Gaafar.

Project Management Gaafar 2007 / 1 This Presentation is uses information from PMBOK Guide 2000 Project Management Risk Management* Dr. Lotfi Gaafar.
© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.

© 2006 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Privacy Management for a Global Enterprise.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Planning and Strategic Management

Planning and Strategic Management
1 In the news……….  Piracy a Marketing Opportunity for Record Labels  Fantasy Wagering Sites  www.gasbuddy.com www.gasbuddy.com.

1 In the news……….  Piracy a Marketing Opportunity for Record Labels  Fantasy Wagering Sites 
COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.

COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.
Planning and Strategic Management

Planning and Strategic Management
Planning and Strategic Management

Planning and Strategic Management
Www.pace2020.com | See the possibilities… Customer Relationship Management Overview Fusion 08 Matt Resong.

| See the possibilities… Customer Relationship Management Overview Fusion 08 Matt Resong.
MODULE 4 MARKETING STRATEGY A2 Marketing and Accounting and Finance Marketing Decision-making.

MODULE 4 MARKETING STRATEGY A2 Marketing and Accounting and Finance Marketing Decision-making.
Foster and sustain the environmental and economic well being of the coast by linking people, information, and technology. Center Mission Coastal Hazards.

Foster and sustain the environmental and economic well being of the coast by linking people, information, and technology. Center Mission Coastal Hazards.
EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)

EASTERN MICHIGAN UNIVERSITY Continuity of Operations Planning (COOP)
 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

 Jonathan Trull, Deputy State Auditor, Colorado Office of the State Auditor  Travis Schack, Colorado’s Information Security Officer  Chris Ingram,

Similar presentations

Ads by Google