USING FAIR, DOES TRAINING HELP REDUCE SPEAR PHISHING RISK? CASE STUDY SHARED COURTESY OF RISKLENS. CONFIDENTIAL - FAIR INSTITUTE 2016


ANALYSIS SCOPING

Risk scenario description: Understand if training can reduce the risk associated with spear and regular phishing.
Asset(s) description: Sensitive customer data (PII & potentially HIPAA) stored on internal systems.
Threat(s) description: Targeted spear and regular phishing attacks by external threats.
Loss type: Confidentiality.

ANALYSIS SCOPING: ASSESSING RISK REDUCTION BY COMPARISON OF SCENARIOS

- Assessed the current state's risk based on the known controls in place today*
- Assessed how much risk there would be given the implementation of a phishing awareness/training program

*ASSUMPTION: The current state included various filtering/gateway controls that reduce the number of phishing emails that arrive in an employee's inbox.

ANALYSIS RESULTS: ANNUALIZED REDUCTION IN LOSS EXPOSURE (RISK)

RISK = Frequency x Magnitude of future loss. We express risk in terms of loss exposure.

Analysis                Minimum*   Average   Maximum*
Current State           $4K        $400K     $2.3M
w/ Awareness Training   $2K        $385K     $2.2M

CHANGE: Average loss exposure reduction of $15K

*Min represents the more probable 10th percentile of simulation results.
*Max represents the more probable 90th percentile of simulation results.

ANALYSIS RESULTS: ESTIMATED LOSS EXPOSURE FOR A SINGLE EVENT

*There is an additional probability assigned to the likelihood: when a phishing campaign is successful, the threat actor is able to leverage that foothold to identify, obtain, and exfiltrate sensitive data successfully.

ANALYSIS RESULTS: AWARENESS AND TRAINING

Awareness and training: reduce the probability that any phishing emails that get through the gateway and filtering would be opened and some action taken by an employee.

Awareness campaign: estimated* to reduce the probability of employee action by 8-25%.

Important note: We defined a phishing campaign as a "threat event". A single spear or regular phishing campaign often includes many individual emails.

*Using an uncertain distribution.

ANALYSIS RESULTS: WHY IS THE CHANGE SO SMALL?

- Industry data on phishing campaigns show a 90% success probability, 99% if run a second time.
- It only takes one employee taking action for the threat to gain a foothold in the network.

ANALYSIS LEVERAGED THE FAIR MODEL

Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss
    Secondary Loss
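The mechanism behind the small change on the preceding slides, as an added worked example that is not part of the RiskLens case study: a simplified FAIR-style Monte Carlo with constructed inputs (a 5% per-employee action rate, 50 emails per campaign, a triangular single-event loss; none of these are the study's numbers) shows that cutting the per-employee probability of action by 20% lowers campaign success only from about 92% to 87%, because one click out of many emails is enough for a foothold.

```python
"""Added example, not from the RiskLens / FAIR Institute slides: a simplified
FAIR-style Monte Carlo showing why an 8-25% cut in per-employee probability of
action barely moves campaign-level loss exposure. All inputs are constructed."""
import random
import statistics


def campaign_success_probability(p_action: float, emails: int) -> float:
    """P(at least one of `emails` recipients acts) = 1 - (1 - p)^n. The campaign
    is the FAIR 'threat event' and one click gives a foothold, so many emails
    push this toward 1 regardless of modest changes in p."""
    return 1.0 - (1.0 - p_action) ** emails


def simulate_annual_loss(p_action, emails_per_campaign, campaigns_per_year,
                         loss_min, loss_mode, loss_max, p_exfil, trials=5000, seed=1):
    """Loss Event Frequency = Threat Event Frequency x Vulnerability, with
    Vulnerability = P(campaign succeeds) x P(foothold leads to exfiltration).
    Loss Magnitude per event is triangular. Returns 10th pct / mean / 90th pct
    of annual loss, mirroring the Min / Average / Max columns on the slide."""
    rng = random.Random(seed)
    p_loss_event = campaign_success_probability(p_action, emails_per_campaign) * p_exfil
    totals = []
    for _ in range(trials):
        annual = 0.0
        for _ in range(campaigns_per_year):
            if rng.random() < p_loss_event:
                annual += rng.triangular(loss_min, loss_max, loss_mode)
        totals.append(annual)
    totals.sort()
    return {"p10": totals[int(0.10 * trials)], "mean": statistics.fmean(totals),
            "p90": totals[int(0.90 * trials)]}


def compare_training_effect(p_action=0.05, reduction=0.20, emails=50):
    """Constructed scenario: 5% per-employee action rate, 50 emails per campaign,
    4 campaigns a year, 50% chance a foothold ends in exfiltration, single-event
    loss triangular($50K, mode $200K, $1M). Training cuts p_action by `reduction`
    (the slides' 8-25% range). Returns (current_state, with_training)."""
    args = (emails, 4, 50_000, 200_000, 1_000_000, 0.5)
    return (simulate_annual_loss(p_action, *args),
            simulate_annual_loss(p_action * (1 - reduction), *args))


if __name__ == "__main__":
    cur, trn = compare_training_effect()
    print(f"campaign success {campaign_success_probability(0.05, 50):.1%} -> "
          f"{campaign_success_probability(0.04, 50):.1%} after a 20% cut in p_action")
    print(f"mean annual loss exposure ${cur['mean']:,.0f} -> ${trn['mean']:,.0f}")
```

Raising the number of emails per campaign pushes the first function even closer to 1, which is why the slides treat the campaign, not the individual email, as the threat event.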

ANALYSIS CONSIDERATIONS

- Frequency of phishing campaign emails landing in employee inboxes
- Estimating the resistance of the workstation based on configuration/patching
- The probability that an employee will take action on the email by:
  - clicking links
  - opening attachments
  - providing sensitive information

ANALYSIS INPUT

Primary losses:
- Incident response
- Investigation

Secondary losses:
- Notification / credit monitoring
- Regulatory notification
- Possible fines / judgments
- Customer service requests
- Potential litigation
- Loss of current/future customers (reputation)
- Card replacement

DECISION SUPPORT / ROI

- Training did not show any material reduction of risk associated with phishing campaigns.
- Management decided to pursue an alternative phishing-related control, sandboxing, over training.
- Sandboxing has higher costs, but the risk reduction was far more significant (separate analysis conducted).

THIS ANALYSIS SUPPORTED MANAGEMENT'S PRIORITIZATION