Presentation is loading. Please wait.

Presentation is loading. Please wait.

COST BENEFIT ANALYSIS OF IMPROVED PATCHING WINDOW USING FAIR

Published byBelinda Mason Modified over 5 years ago

Similar presentations

Presentation on theme: "COST BENEFIT ANALYSIS OF IMPROVED PATCHING WINDOW USING FAIR"— Presentation transcript:

1 COST BENEFIT ANALYSIS OF IMPROVED PATCHING WINDOW USING FAIR
Case Study Shared courtesy of RiskLens CONFIDENTIAL - FAIR INSTITUTE 2016

2 CONFIDENTIAL - FAIR INSTITUTE 2016
ANALYSIS SCOPING Lack of timely application patching introduces threats to the ERP system and restricted data (auditors uncovered that the actual patching window exceeded the patching policy) RISK SCENARIO DESCRIPTION ERP Patching Process ASSET(S) DESCRIPTION Confidentiality LOSS TYPE Advanced Persistent Threat (APT) THREAT(S) DESCRIPTION CONFIDENTIAL - FAIR INSTITUTE 2016

3 CONFIDENTIAL - FAIR INSTITUTE 2016
ANALYSIS SCOPING Assessing Risk Reduction Through Comparison of Scenarios Analyzed and quantified the risk for the ERP patching process in the current state Analyzed and quantified the risk for the ERP patching process if the patching window was reduced CONFIDENTIAL - FAIR INSTITUTE 2016

4 Average Annualized Risk Reduction 49.5M Improved Patching Process
ANALYSIS RESULTS RISK = Frequency x Magnitude of future loss. We express risk in terms of loss exposure. Annualized Reduction in Loss Exposure (Risk) Analysis Minimum Average Maximum CHANGE Current State $0 $85.0M $1.4B Average Annualized
Risk Reduction 49.5M Improved Patching Process $35.5M $1.2B Min / Max values represent the absolute minimum of simulation results. CONFIDENTIAL - FAIR INSTITUTE 2016

5 ANALYSIS RESULTS ERP Impact Assumption
Single Loss Event Scenario (ML = Most Likely) CONFIDENTIAL - FAIR INSTITUTE 2016

6 Reduce Vulnerability by approx. 55% Improved Patching Process
ERP AND SAP PATCHING Average Annualized Loss Exposure Reduction in Vulnerability* Analysis Vulnerability CHANGE Current State 80% Reduce Vulnerability by approx. 55% Improved Patching Process 25% Vulnerability does not incorporate the susceptibility of underlying infrastructure components. *Vulnerability = what percentage of attacks would become loss events CONFIDENTIAL - FAIR INSTITUTE 2016

7 CONFIDENTIAL - FAIR INSTITUTE 2016
INTERPRETING RESULTS Both Scenarios Threat event frequency for each is a calibrated estimate taking into account input from the Security Operations Center (SOC) Vulnerability is measured as it relates only to the patch, not applied to the system within each time window Primary loss is based on data provided by the incident response team Secondary loss is derived from a lookup table build based on data provided by the business units Secondary loss magnitude is modeled based on confidential data and IP data Frequency of fallout is assumed to be at or near 100% of events because of the nature of the data involved and of the profile of the threat community CONFIDENTIAL - FAIR INSTITUTE 2016

8 CONFIDENTIAL - FAIR INSTITUTE 2016
INTERPRETING RESULTS Current State Scenario Resistance strength is measured here by looking at the backlog of patches outstanding Future Forecasted Scenario Resistance Strength is measured here by assuming all missing patches in the backlog are resolved Minimum resistance strength represents patches that live longer in the time window M/L expresses at any given time during the 90 day patch window how bad the missing patches are Max represents the least damaging patches that are more recent in the time window CONFIDENTIAL - FAIR INSTITUTE 2016

9 ANALYSIS LEVERAGED THE FAIR MODEL
Risk Loss Event Frequency Loss Magnitude Threat Event Frequency Vulnerability Primary Loss Secondary Loss Contact Frequency Probability of Action Threat Capability Resistance Strength Loss Event Frequency Loss Magnitude CONFIDENTIAL - FAIR INSTITUTE 2016

10 Threat Event Frequency
THE FAIR MODEL Risk Loss Event Frequency Loss Magnitude Threat Event Frequency Vulnerability Primary Loss Secondary Loss Contact Frequency Probability of Action Threat Capability Resistance Strength Loss Event Frequency Loss Magnitude CONFIDENTIAL - FAIR INSTITUTE 2016

11 Threat Event Frequency
THE FAIR MODEL Risk Loss Event Frequency Loss Magnitude Threat Event Frequency Vulnerability Primary Loss Secondary Loss Contact Frequency Probability of Action Threat Capability Resistance Strength Loss Event Frequency Loss Magnitude CONFIDENTIAL - FAIR INSTITUTE 2016

12 CONFIDENTIAL - FAIR INSTITUTE 2016
ANALYSIS INPUT Incident response Investigation PRIMARY LOSSES Notification / credit monitoring Regulatory notification Possible fines / judgments Customer service requests Potential litigation Loss of current/future customers (reputation) Card replacement SECONDARY LOSSES CONFIDENTIAL - FAIR INSTITUTE 2016

13 CONFIDENTIAL - FAIR INSTITUTE 2016
DECISION SUPPORT / ROI Forecasting risk reduction that can be achieved by consistently patching within 90-day window down from 180 days Risk-based rationale for cleaning up current backlog Using metrics to resolve a conflicting discussion between auditors and IT about the value of reducing the patch window and meeting the requirements of the patching policy THE RISK ANALYSIS SUPPORTED Analysis demonstrated that risk quantification can be integrated into customer’s risk analysis process While this new patching process will increase operational costs, the forecasted risk reduction is multiple times greater. CONFIDENTIAL - FAIR INSTITUTE 2016

Download ppt "COST BENEFIT ANALYSIS OF IMPROVED PATCHING WINDOW USING FAIR"

Similar presentations

1 www.vita.virginia.gov IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1, 2013 www.vita.virginia.gov.

1 IT Risk Management in Government Jonathan Smith Sr. Risk Manager Commonwealth Security and Risk Management October 1,
Primary Benefit Types Value Discipline Benefits – Operating Excellence Reduce Cost Reduce Risk – Product Leadership Increase Revenue – Customer Intimacy.

Primary Benefit Types Value Discipline Benefits – Operating Excellence Reduce Cost Reduce Risk – Product Leadership Increase Revenue – Customer Intimacy.
Discovery – The Next Generation!: Business Context of Risk Presentation to the North London Branch British Computer Society 19 March, 2008 Dr. Victoria.

Discovery – The Next Generation!: Business Context of Risk Presentation to the North London Branch British Computer Society 19 March, 2008 Dr. Victoria.
University of Florida Incident Tracking and Reporting Kathy Bergsma

University of Florida Incident Tracking and Reporting Kathy Bergsma
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Chapter 3: The Internal Organization: Resources, Capabilities, Core Competencies and Competitive Advantages Overview: Importance of understanding internal.

Chapter 3: The Internal Organization: Resources, Capabilities, Core Competencies and Competitive Advantages Overview: Importance of understanding internal.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
2008 General Meeting Assemblée générale 2008 Toronto, Ontario 2008 General Meeting Assemblée générale 2008 Toronto, Ontario Canadian Institute of Actuaries.

2008 General Meeting Assemblée générale 2008 Toronto, Ontario 2008 General Meeting Assemblée générale 2008 Toronto, Ontario Canadian Institute of Actuaries.
1 Copyright © 2014 PPM 2000 Inc. SINGAPRORE, AUGUST 2014 Denis O’Sullivan, CPP INCIDENT MANAGEMENT TECHNOLOGY CHALLENGES.

1 Copyright © 2014 PPM 2000 Inc. SINGAPRORE, AUGUST 2014 Denis O’Sullivan, CPP INCIDENT MANAGEMENT TECHNOLOGY CHALLENGES.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Quantitative.
B RITISH B ANKERS' A SSOCIATION Operational Risk & the Regulatory Environment Simon Hills Director - Prudential Capital team.

B RITISH B ANKERS' A SSOCIATION Operational Risk & the Regulatory Environment Simon Hills Director - Prudential Capital team.
Slide 1 Using Models Introduced in ISA-d99.00.01 Standard: Security of Industrial Automation and Control Systems (IACS) Rahul Bhojani ISA SP99 WG4 Meeting.

Slide 1 Using Models Introduced in ISA-d Standard: Security of Industrial Automation and Control Systems (IACS) Rahul Bhojani ISA SP99 WG4 Meeting.
GBA 573 - IT Project Management Final Project - Establishment of a Project Management Management Office 10 July, 2003.

GBA IT Project Management Final Project - Establishment of a Project Management Management Office 10 July, 2003.
2006 General Meeting Assemblée générale 2006 Chicago, Illinois 2006 General Meeting Assemblée générale 2006 Chicago, Illinois Canadian Institute of Actuaries.

2006 General Meeting Assemblée générale 2006 Chicago, Illinois 2006 General Meeting Assemblée générale 2006 Chicago, Illinois Canadian Institute of Actuaries.
Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or.

Risk Assessment and Management. Objective To enable an organisation mission accomplishment, by better securing the IT systems that store, process, or.
Auditing IT Vulnerabilities IT vulnerabilities are weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk.

Auditing IT Vulnerabilities IT vulnerabilities are weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk.
Ch 10 - Risk Management Learning Objectives You should be able to: List and describe risk management processes, inputs, outputs, and tools List and describe.

Ch 10 - Risk Management Learning Objectives You should be able to: List and describe risk management processes, inputs, outputs, and tools List and describe.
© 2008 Morningstar, Inc. All rights reserved. 3/1/2008 LCN200803-2013997 Role of Immediate Annuities in Retirement.

© 2008 Morningstar, Inc. All rights reserved. 3/1/2008 LCN Role of Immediate Annuities in Retirement.

Similar presentations

Ads by Google