Department of Computer Science and Engineering and the South Carolina Information Technology Institu - PowerPoint PPT Presentation


1

The Economic Impact of Cyber Attacks: The Global Picture (Chapter 9)
2
Risk Assessment
3
Financial Loss
Dollar Amount Losses by Type
Total Loss (2006): $53,494,290 (CSI/FBI Computer Crime and Security Survey, Computer Security Institute)
4
System Security Engineering
  • Specify system architecture
  • Identify and install safeguards
  • Identify threats, vulnerabilities, attacks
  • Prioritize vulnerabilities
  • Estimate risk
  • Exit condition: risk is acceptably low
5
Security Protection
6
Allocating Resources
  • Limited resources
  • Acceptable level of risk
  • Tie technical risk to business risk

7
Making a Business Case
  • Description of the problem
  • List of possible solutions
  • Constraints on solving the problem
  • List of underlying assumptions
  • Analysis of each alternative, including risks,
    costs, and benefits
  • Summary of why the proposed investment is good

8
Influences on Cyber Security Investment Strategy
  • Regulatory requirements
  • Network history or IT staff knowledge
  • Client requirements
  • Results of internal or external audit
  • Response to current events
  • Response to compromised internal security
  • Reaction to external mandate or request

9
Determining Economic Value
  • Many different ways to determine value:
  • Internal rate of return
  • Return on investment
  • Net present value
  • Investment analysis is the best way to allocate capital and human resources
  • Accounting measures are inappropriate for evaluating information security investments
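A worked example of the three measures named on this slide, added here and not part of the original presentation: it computes the net present value, simple return on investment and internal rate of return of a hypothetical security control. The control's cost, its yearly avoided losses and the 8% discount rate are constructed figures, and every function name is an assumption made for the illustration.

```python
"""Investment analysis of a security control: NPV, ROI and IRR.

Added illustration. The cost of the control and the yearly benefit
(losses it is expected to avoid) are constructed numbers, not survey data.
"""
from typing import List, Sequence


def net_present_value(rate: float, cash_flows: Sequence[float]) -> float:
    """NPV of a cash-flow series; cash_flows[t] occurs at the end of year t
    (t = 0 is the up-front outlay, entered as a negative number)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def return_on_investment(cost: float, total_benefit: float) -> float:
    """Simple, undiscounted ROI as a fraction: (benefit - cost) / cost."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (total_benefit - cost) / cost


def internal_rate_of_return(cash_flows: Sequence[float],
                            lo: float = -0.99, hi: float = 10.0,
                            tol: float = 1e-9, max_iter: int = 200) -> float:
    """Discount rate at which NPV is zero, found by bisection on [lo, hi].

    Valid for a conventional investment (one outlay followed by inflows),
    where NPV decreases with the rate and crosses zero exactly once.
    """
    f_lo = net_present_value(lo, cash_flows)
    f_hi = net_present_value(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("NPV has the same sign at both ends; no IRR in range")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = net_present_value(mid, cash_flows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:      # root lies in [lo, mid]
            hi = mid
        else:                     # root lies in [mid, hi]
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def security_investment_flows(cost: float, annual_benefit: float, years: int) -> List[float]:
    """Cash-flow series for a control bought now that avoids `annual_benefit`
    of loss in each of the next `years` years."""
    return [-cost] + [annual_benefit] * years


def analyze(cost: float, annual_benefit: float, years: int, discount_rate: float) -> dict:
    """Summarise the three measures for one candidate control."""
    flows = security_investment_flows(cost, annual_benefit, years)
    return {
        "npv": net_present_value(discount_rate, flows),
        "roi": return_on_investment(cost, annual_benefit * years),
        "irr": internal_rate_of_return(flows),
    }


# Constructed figures for a hypothetical control (not from the slides):
# $100,000 up front, expected to avoid $40,000 of loss per year for 4 years,
# evaluated at an assumed 8% cost of capital.
EXAMPLE_COST = 100_000.0
EXAMPLE_ANNUAL_BENEFIT = 40_000.0
EXAMPLE_YEARS = 4
EXAMPLE_RATE = 0.08

if __name__ == "__main__":
    result = analyze(EXAMPLE_COST, EXAMPLE_ANNUAL_BENEFIT, EXAMPLE_YEARS, EXAMPLE_RATE)
    print(f"NPV at {EXAMPLE_RATE:.0%}: ${result['npv']:,.2f}")
    print(f"Simple ROI: {result['roi']:.1%}")
    print(f"IRR: {result['irr']:.2%}")
    print("Invest" if result["npv"] > 0 else "Do not invest")
```

The decision rule the slide implies is that a control is worth funding when its NPV at the firm's cost of capital is positive, or equivalently when its IRR exceeds that rate; the simple ROI ignores the time value of money, which is one reason the slide prefers investment analysis over accounting measures.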

10
Quantifying Security
  • Difficult problem
  • Not fully understood
  • Limited historical data to estimate likelihood
  • Attacks that are possible but haven't happened
  • Threat estimation uses:
  • Number and types of assets needing protection
  • Number and types of vulnerabilities that exist in a system
  • Number and types of likely threats to a system

11
Data to be Protected
  • National and global data
  • Enterprise data
  • Technology data

12
Real Cost of Cyber Attack
  • Damage to the target may not reflect the real amount of damage
  • Other services may rely on the attacked service, causing cascading and escalating damage
  • Decision makers need support to:
  • Evaluate risk and consequences of cyber attacks
  • Support methods to prevent, deter, and mitigate consequences of attacks

13
Jess-Based Modeling
  • Graphical tool to model system components, values, dependencies, and compensating rules

14
Cascading and Escalating Effects
  • Model cascading and escalating damage.

15
Presentation slides for a research project on cyber insurance. Presented by Sarika Saxena. Recommended reading only.
  • A Framework for Using Insurance for Cyber-Risk Management
  • Lawrence A. Gordon, Martin P. Loeb and Tashfeen Sohail
  • CSCE 824 - Spring 2005, Secure Database Systems
  • Sarika Saxena
  • Department of Computer Science and Engineering, USC
  • April 14th, 2005

16
Contents
  • History and Facts
  • Introduction: Cyber Insurance
  • Unique Characteristics of Cyber Risks
  • Insurance companies, policy issues
  • Insurance Coverage
  • Framework for Information Security
  • Four-step Decision Plan
  • Conclusions
  • References
17
  • Information security issues are at the forefront of the agenda for corporate executives.
  • Brought into importance by the 2002 CSI/FBI survey (responses from 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities):
  • 90% of respondents detected a security breach.
  • Average estimated loss: $2M per organization.
  • 74% reported their internet connection as the point of attack.
  • 223 respondents reported approximately $456M in financial losses.
18
How did Cyber Insurance come into existence?
Traditional security measures (passwords, biometrics, antivirus software, intrusion detection systems, etc.) cannot fully eliminate the risk of security breaches and their associated losses, so a new approach was developed.
19
Cyber Insurance
  • Deals with the risk of substantial financial losses remaining after technical security measures have been instituted.
  • Provides coverage against losses from breaches related to computer networks, intranets and the internet (typically, any place where data can flow electronically).
  • A firm may hedge its potential losses from cyber crime.

20
Unique Characteristics of cyber-risk
  • Location: a perpetrator may be thousands of miles away from the business location.
  • Degree: virus damage can go beyond effects on data and software (business interruption, defamation, etc.).
  • Visibility: the commodity on the internet is information; security breaches (of a firm's sensitive information) often go undetected.

21
Insurance companies and policy issues
  • Companies: AIG, Chubb, Fidelity and Deposit, Marsh, Lloyd's of London, etc.
  • In designing new policies, the issues addressed are:
  • Pricing
  • Adverse Selection
  • Moral Hazard

22
Pricing
  • Traditionally relies on actuarial data constructed from voluminous historical records.
  • The internet is relatively new; histories of e-crimes and related losses do not exist.
  • Insurance companies are trying to quantify what some claim is an unquantifiable risk.

23
How to quantify risk?
  • Quantitative model: determine chance and frequency (of e-crimes and related losses); the equivalent of actuarial tables can help. AIG and others are already building actuarial tables.
  • Private incident-response centers are gathering and publishing statistical data on the frequency of certain events that could expose risk.
  • Government and research databases are also filling with information that is quickly growing large enough to detect trends and probabilities.
  • CERT Coordination Center at Carnegie Mellon: 15,167 incidents were reported in 2000, an increase from 9,859 in 1999. These reports could be mined for deeper statistical data.

24
Adverse Selection
  • Refers to the problem that arises because a firm choosing to insure against a particular loss is likely to have private information not available to the insurance company at the time of contracting.

25
How to deal with adverse Selection?
  • Security audit: when offering an insurance policy, insurance firms require an information security audit.
  • Identify high-risk users: insurance firms identify these users and differentiate the premium for them.
  • Example: JS Wurzler, offering a policy to cover loss from hackers, adds a surcharge to firms using Microsoft's NT software for internet operations.
  • Insurers consider Microsoft NT high-risk.

26
Moral Hazard
  • Adverse selection deals with the insured's private information prior to contracting.
  • Moral hazard deals with the insured's lack of incentive to take actions that reduce the probability of a loss after purchasing the insurance.

27
How to deal with Moral Hazard?
  • Deductibles: the insured will suffer some loss if a security breach occurs.
  • This provides a monetary incentive for the insured to take actions that reduce the likelihood of the loss actually occurring.
  • Premium reductions: policies offer these reductions for taking actions that reduce the probability of a loss.
  • Example: AIG offers discounts for firms using Invicta Networks' security device for shifting Internet Protocol addresses.

28
What Cyber Insurance Covers?
  • Computer networks, the Internet, e-mail and websites are exposed to damage and liabilities from unexpected sources such as defamation, hacking, fraud or virus attacks.
  • The costs of third-party legal claims against you (the insured company) arising out of your e-activities (e-mail, e-commerce and your website).
  • Losses suffered as a result of viruses or hackers, even if your employees carry out or aid the attack.
  • Your liability due to your customers' credit card numbers being stolen, or the theft of your money during transactions on electronic networks.

29
Continued Cyber Insurance Coverage
  • Claims made against you by your employees for an unsuitable office environment due to disturbing e-mail content or website use, or due to breaches of confidentiality.
  • Financial losses suffered due to a business interruption which prevents you from using your computer systems or trading via your website.
  • Damage to your computer network or any data you hold electronically arising from unauthorized access.

30
Policies available
  • Chubb's Cyber Security
  • AIG's NetAdvantage Security
  • Hiscox's Hackers Insurance
  • Legion Indemnity's INSUREtrust
  • Lloyd's e-Comprehensive
  • Marsh's NetSecure
  • St. Paul's Cybertech

31
First party Risks
  • Occur when the insured faces the possibility of loss of profits due to:
  • Theft of trade secrets
  • Destruction of the insured's property (software, hardware and data)
  • Extortion from hackers

32
Third Party risks
  • Faced by the insured because of damages caused, directly or indirectly, to another firm (or individual).
  • Includes liabilities for:
  • A computer virus inadvertently forwarded
  • Failure to provide products (as contracted) because a hacker or virus stopped the insured's delivery system
  • Content placed on the company's web site (infringement of copyrights)
  • Theft of information held about a third party, such as credit card records

33
Cyber-Risk Management Framework For Information
Security
  • The process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk.
  • The value of the information vulnerable to threats also needs to be considered.
  • Value-Vulnerability Grid
  • Helps identify which information should receive what level of security.
  • It categorizes information from high to low for both value and vulnerability.

34
Value-Vulnerability Grid
35
Next, reduce information security risk to an acceptable level. This level varies from organization to organization, based partly upon the location of the information in the V-V grid.
Two steps to reduce risk:
  1. Invest in protecting against the risk of actual security breaches by installing firewalls, encryption and access control techniques.
  2. Acquire cyber-risk insurance.
36
  • 483 computer security practitioners in US corporations, government agencies, financial and medical institutions, and universities participated.

37
(No Transcript)
38
Cyber-risk Management Framework for Information
security
  • Cyber-Risk Management Process

39
Decision Plan
40
Conduct Information risk audit
  • The audit uncovers the firm's information security risk exposure and places a value on that exposure.
  • Assure that intrusion detection systems are in place to provide documentation on breaches.

41
Assess current insurance coverage
  • Corporate executives review existing property and liability insurance policies.
  • The review focuses on gaps in Internet-related coverage in the current policies.

42
Examine and Evaluate Available Policies
  • Puts firms in a better position to negotiate with their current insurance providers.
  • Consider a firm's potential losses and the security measures in place.

43
Select a Policy
  • Select the policy appropriate for the unique circumstances of a given firm.
  • The policy should have the desired additional coverage at an acceptable price.
  • Companies should determine the portion of financial risk they want the insurance company to cover and the residual portion they are willing to bear.
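The split between the risk a firm retains and the risk it transfers, worked through as an added example that is not part of the presentation or of the Gordon, Loeb and Sohail paper it summarises. It combines chance and frequency into an expected annual loss, applies a deductible and per-event limit of the kind discussed under moral hazard, and walks the two-step plan (protect first, then insure). The loss scenarios, frequencies, policy terms and the 40% frequency reduction are constructed values, and all names are assumptions for the illustration.

```python
"""Deciding how much cyber-risk to retain and how much to insure.

Added illustration. The loss scenarios, frequencies and policy terms are
constructed values, not figures from any survey or insurer.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class LossScenario:
    name: str
    annual_frequency: float   # expected events per year (chance x frequency)
    severity: float           # loss per event, in dollars


@dataclass(frozen=True)
class Policy:
    premium: float            # annual premium paid to the insurer
    deductible: float         # portion of each loss the insured bears first
    limit: float              # maximum the insurer pays per event


def insured_payout(loss: float, policy: Policy) -> float:
    """Insurer's share of one loss event: the part above the deductible,
    capped at the per-event limit. Everything else is retained by the firm."""
    return min(max(loss - policy.deductible, 0.0), policy.limit)


def expected_annual_loss(scenarios: Iterable[LossScenario]) -> float:
    """Sum over scenarios of frequency x severity (before any insurance)."""
    return sum(s.annual_frequency * s.severity for s in scenarios)


def expected_split(scenarios: Iterable[LossScenario], policy: Policy) -> Tuple[float, float]:
    """Expected annual (insured, retained) loss under the policy, premium excluded."""
    scenarios = list(scenarios)
    insured = sum(s.annual_frequency * insured_payout(s.severity, policy) for s in scenarios)
    return insured, expected_annual_loss(scenarios) - insured


def annual_cost_of_risk(scenarios: Iterable[LossScenario], policy: Optional[Policy] = None) -> float:
    """What the firm expects to pay per year: retained losses, plus the premium if insured."""
    scenarios = list(scenarios)
    if policy is None:
        return expected_annual_loss(scenarios)
    _, retained = expected_split(scenarios, policy)
    return retained + policy.premium


def apply_protection(scenarios: Iterable[LossScenario], frequency_reduction: float) -> List[LossScenario]:
    """Step 1 of the two-step plan: technical controls lower the chance of events.
    Assumption for this example: every scenario's frequency falls by the same factor."""
    if not 0.0 <= frequency_reduction <= 1.0:
        raise ValueError("frequency_reduction must be between 0 and 1")
    return [replace(s, annual_frequency=s.annual_frequency * (1.0 - frequency_reduction))
            for s in scenarios]


# Constructed scenarios for a hypothetical firm (illustrative only).
SCENARIOS = [
    LossScenario("virus outbreak causing business interruption", 2.0, 25_000.0),
    LossScenario("theft of customer card data (third-party liability)", 0.1, 400_000.0),
    LossScenario("hacker extortion", 0.05, 100_000.0),
]
# Constructed policy terms (illustrative only).
POLICY = Policy(premium=30_000.0, deductible=10_000.0, limit=250_000.0)


if __name__ == "__main__":
    print(f"Uninsured expected annual loss: ${annual_cost_of_risk(SCENARIOS):,.0f}")
    insured, retained = expected_split(SCENARIOS, POLICY)
    print(f"With policy: insurer bears ${insured:,.0f}, firm retains ${retained:,.0f} "
          f"plus ${POLICY.premium:,.0f} premium = ${annual_cost_of_risk(SCENARIOS, POLICY):,.0f}")
    protected = apply_protection(SCENARIOS, 0.4)   # assume controls cut event frequency by 40%
    print(f"After protection and insurance: ${annual_cost_of_risk(protected, POLICY):,.0f}")
```

In this constructed case the deductible keeps a share of every event with the firm, the per-event limit leaves the tail of the large card-data loss uninsured, and the two together are the residual portion the slide says the firm must decide to bear; the premium reductions mentioned under moral hazard would lower the premium once controls are in place, which this example does not model.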

44
Conclusions
  • Information security risk has been highlighted by hacker attacks on high-profile US web sites, computer viruses and thefts that caused considerable financial damage.
  • Companies have invested heavily in security measures.
  • No amount of security can prevent all breaches.
  • A viable market has emerged for cyber-risk insurance to protect against financial losses.
  • Insurance companies are uncertain about how to price their products, leaving considerable room for negotiating prices with agents.

45
References
  • http://www.computerworld.com.au/index.php/id106527059relcomp1
  • http://www.irmi.com/Expert/Articles/2001/Rossi02.aspx
  • http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2004.pdf