Security Policy and Financial Costs (original slides from Josh Kaplan, Stephanie Losi, and Eric Chang)

Dec 15, 2015

Karli Edgerton
Transcript
Page 1

Security Policy and Financial Costs

(original slides from Josh Kaplan, Stephanie Losi, and Eric Chang)

Page 2

How NOT to sell…

• “IT relies on, more than anything, fear, uncertainty, and doubt to sell security—in other words, FUD. The thinking is, if you scare them, they will spend.”

- Scott Berinato, CIO Magazine

Page 3

The PGP/Ponemon Survey

• Summarizing the actual costs incurred by 14 organizations that lost confidential customer information and had a regulatory requirement to publicly notify affected individuals.

Page 4

Participating Organizations

Page 5

How Do Customers React?

Page 6

Customer Turnover

Page 7

How Much Does This Really Cost?

Page 8

This Study Was Long Overdue

• Why has it been so hard to quantify the cost of security breaches?

– No real efforts have been made to deal with these issues until several years ago.

– The PGP/Ponemon survey provides a strong benchmark for actual quantification.

• Can an organization use these findings to address such cost implications?

Page 9

A Proposed Methodology

Page 10

Example: Regulatory Compliance

Page 11

Decide What You Are Going to Do

In terms of costs, you must determine:

• What are you going to measure?

– Staffing and technology costs?
– Projected costs of an incident?
– Probabilities of an incident?
– Effects on customers and suppliers?
– Etc.

• How are you going to measure it?

– There will be a lot of acronyms here!
– DON’T PANIC

Page 12

What Are You Going to Measure?

• Lost productivity

• Loss of revenue during outages

• Loss of data (temporary or permanent)

• Compromise of data (disclosure or modification)

• Repair costs

• Loss of reputation

Source: CMU, Infosec World 2003

Page 13

Also, Think About This…

Are you going to measure indirect losses

• To your customers and suppliers?

• To your shareholders?

• To your reputation?

These are real losses!

Page 14

Let Me Measure It, Already!

One of the simplest ways to calculate ROI is called “payback”.

To calculate payback:

• Add up the costs of an investment in security (hardware, software, salaries, training, upgrades, etc.) over several years.

• Calculate the benefits of the investment over that same time period. For security, this calculation will be based on losses that do NOT occur.

Page 15

Payback Example

The security manager at XYZ Corp., which employs 50 people, wants to implement a company-wide, 2-day-per-year security training program for all employees for the next 3 years. He decides to use the payback method to justify his investment to the CEO.

Page 16

Payback Example

                             Year 0     Year 1     Year 2     Year 3
Staffing                    $10,000    $60,000    $62,400    $64,896
Opportunity Cost                  -    $16,016    $16,656    $17,322
Reduced Insider Threat            -    $30,000    $30,000    $30,000
Reduced Social Engineering        -    $45,000    $45,000    $45,000
Reduced Password Cracking         -    $90,000    $90,000    $90,000
Total Per Year              $10,000    $88,984    $85,944    $82,782

Total Payback: $247,710

Page 17

The Importance of Expected Value

Expected value can be used to calculate the benefits of a security investment.

EV = (probability of X) * (cost of X)

In security terms, since we are dealing with probabilities of loss, this can also be viewed as the annualized loss expectancy (ALE)

Source: CMU, Infosec World 2003

Page 18

Here’s a Concrete Example

• The chance of a breach due to password cracking was 90% per year before the training program. The cost of such a breach averaged $150,000. Therefore, the expected cost per year was:

(.90) * ($150,000) = $135,000

• The training program is expected to reduce the chance of a breach due to password cracking to 30% per year. The cost of such a breach remains the same, so the expected cost per year is now:

(.30) * ($150,000) = $45,000

Page 19

Enter NPV and IRR

NPV = Net Present Value

• NPV takes into account a discount rate.

• In other words, $90,000 tomorrow is worth less than $90,000 today.

• We see this in everyday life all the time.

NPV = Σ Cash Flow_t / (1 + rate)^t

Page 20

This Time Using NPV…

• Let’s look at the example from before, but this time we will use NPV with a discount rate of 10% to calculate the value of the security investment.

Page 21

NPV Example

                             Year 0     Year 1     Year 2     Year 3
Staffing                    $10,000    $54,545    $51,570    $48,757
Opportunity Cost                  0    $14,560    $13,765    $13,014
Reduced Insider Threat            0    $27,272    $24,793    $22,539
Reduced Social Engineering        0    $40,909    $37,190    $33,809
Reduced Password Cracking         0    $81,818    $74,380    $67,618
Total PV Per Yr             $10,000    $80,894    $71,028    $62,195

NPV: $204,117

Page 22

Making a Decision

For example, what if XYZ Corp. is considering buying an experimental firewall that costs $600,000 but will save the company $250,000 per year for 3 years by reducing intrusions? It will cost $50,000 to train XYZ staff to use the firewall and $25,000 per year for upgrades and maintenance.

Page 23

Payback Says Yes

                             Year 0     Year 1     Year 2     Year 3
Experimental Firewall      $600,000    $25,000    $25,000    $25,000
Staff Training              $50,000          -          -          -
Reduced Intrusions                -   $250,000   $250,000   $250,000
Total Per Year             $650,000   $225,000   $225,000   $225,000

Total Payback: $25,000

Page 24

NPV Says No

                             Year 0     Year 1     Year 2     Year 3
Experimental Firewall      $600,000    $22,727    $20,661    $18,783
Staff Training              $50,000          -          -          -
Reduced Intrusions                -   $227,272   $206,612   $187,829
Total PV Per Yr            $650,000   $204,545   $185,951   $169,046

NPV: -$90,458 (the discounted savings of $559,542 fall short of the $650,000 Year 0 outlay)

Page 25

Advantages of NPV

• Often, this is what CFOs and CEOs are looking for — it’s what they know.

• Other departments often use the NPV metric.

• NPV is designed for calculating the value of uncertain gains and losses.

Page 26

One More Measure

• One more measure you may want to consider using is IRR, the internal rate of return.

• This is the rate that causes the NPV of the project to be zero (neither a profit nor a loss).

Page 27

How IRR Works

For example, if a security investment requires you to spend $100 today and will result in savings of $105 in the next year, its IRR is:

0 = -$100 + $105 / (1 + IRR)^1

IRR = 0.05 = 5 percent

How did we do this? Remember the NPV formula: NPV = Σ Cash Flow_t / (1 + rate)^t

The IRR is simply the point at which the NPV equals zero, so plug in 0 on the left side of the equation and solve for the IRR.
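As an added worked example (not from the original slides), the following Python reproduces the payback, ALE, NPV and IRR figures for the training-program and firewall cases on slides 16, 18, 21, 23 and 24 from the slides' own inputs; the bisection IRR solver and the function names are my own.

```python
# Added example, not from the original slides: payback, ALE, NPV and IRR
# for the XYZ Corp. cases on the slides, using the slides' own figures.

def ale(probability, cost):
    """Annualized loss expectancy: EV = (probability of X) * (cost of X)."""
    return probability * cost

def net_cash_flows(costs, benefits):
    """Per-year net flow: benefits (losses that do NOT occur) minus costs."""
    return [b - c for c, b in zip(costs, benefits)]

def payback(flows):
    """Undiscounted sum of the net flows (the slides' 'Total Payback')."""
    return sum(flows)

def npv(flows, rate):
    """NPV = sum of CF_t / (1 + rate)^t, with t = 0 for the initial outlay."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(flows))

def irr(flows, lo=-0.99, hi=10.0, iterations=200):
    """Rate at which NPV is zero, found by bisection (assumes one sign change)."""
    f_lo = npv(flows, lo)
    for _ in range(iterations):
        mid = (lo + hi) / 2
        if (npv(flows, mid) < 0) == (f_lo < 0):
            lo, f_lo = mid, npv(flows, mid)
        else:
            hi = mid
    return (lo + hi) / 2

# Slide 18: the password-cracking benefit in the payback table is the drop
# in ALE when breach probability falls from 90% to 30% at $150,000 per breach.
PASSWORD_BENEFIT = ale(0.90, 150_000) - ale(0.30, 150_000)   # $90,000

# Training program (slides 16 and 21): costs are staffing plus opportunity
# cost; benefits are reduced insider threat, social engineering and cracking.
TRAINING_COSTS = [10_000, 60_000 + 16_016, 62_400 + 16_656, 64_896 + 17_322]
TRAINING_BENEFITS = [0] + [30_000 + 45_000 + PASSWORD_BENEFIT] * 3
TRAINING = net_cash_flows(TRAINING_COSTS, TRAINING_BENEFITS)

# Experimental firewall (slides 23 and 24): $600k plus $50k training up front,
# $25k maintenance per year, $250k of avoided intrusion losses per year.
FIREWALL_COSTS = [600_000 + 50_000, 25_000, 25_000, 25_000]
FIREWALL_BENEFITS = [0, 250_000, 250_000, 250_000]
FIREWALL = net_cash_flows(FIREWALL_COSTS, FIREWALL_BENEFITS)

if __name__ == "__main__":
    for name, flows in (("training", TRAINING), ("firewall", FIREWALL)):
        print(f"{name}: payback ${payback(flows):,.0f}, "
              f"NPV@10% ${npv(flows, 0.10):,.0f}, IRR {irr(flows):.1%}")
```

The firewall's IRR comes out near 2%, below the 10% discount rate, which is the IRR-rule view of the same "NPV says no" result.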

Page 28

The IRR Rule

This leads to a simple rule that can help with many investment decisions if you choose to use IRR:

• As long as a project is not mutually exclusive with another project, you can accept the project if its IRR is greater than the discount rate (which is an economic factor that you, as the company, cannot control), and reject the project if its IRR is less than the discount rate.

Page 29

However, Remember This…

As stated earlier in our presentation:

• Gordon and Loeb found that the optimal amount to spend on security never exceeds 37% of the expected loss resulting from a breach. Therefore, in the real world, you might not accept a project with a zero or slightly positive NPV.

• This also makes IRR less useful.

Page 30

To Sum Up

• Decide what you are going to measure.

• Decide on a method of measuring it.

• State which method you are going to use in your security policy.

• STICK WITH THAT METHOD!

Page 31

One Last Note

• Remember those indirect costs we discussed earlier?

• Often, the positive effects of a security investment—or the negative effects of a breach—on customers, suppliers, and shareholders cannot be precisely measured.

• There is no easy solution to this problem, but you should be aware that intangible benefits and costs can and do exist.

• It might help to view them as analogous to the “goodwill” often represented on corporate balance sheets.

Page 32

A Few Good References

• CSI/FBI Computer Crime and Security Survey – Gordon, Loeb, Lucyshyn, and Richardson

• Managing Cybersecurity Resources: A Cost-Benefit Analysis – Lawrence A. Gordon and Martin P. Loeb

• The Economics of Information Security Investment – Lawrence A. Gordon and Martin P. Loeb

• Finally, a Real Return on Security Spending – Scott Berinato, CIO Magazine

Page 33

Some More Good References

• Economics and Security Resource Page – Ross Anderson

• Return on Information Security Investment – Adrian Mizzi

• Corporate Finance (7th Edition) – Ross, Westerfield, and Jaffe

• Security in Computing (3rd Edition) – Charles P. Pfleeger