VivoSecurity Inc., Los Altos, CA. Email: [email protected]
Carl Friedrich Gauss, after whom the Normal (Gaussian) distribution, which describes many random quantities, is named.
Cyber-Loss Model
Calculate Maximum Financial Loss from Data Breach
- Communicate cyber-exposure to the board and senior management
- Calculate the value of incident response
- Calculate insurance adequacy; guide insurance coverage
Simple Question
It is a simple question, but hard to answer: how much money will your company lose in a large data breach? The answer can inform the amount and kind of cyber insurance; it can demonstrate a strong understanding of risk to the board of directors and senior management; and it can justify investments in security controls and incident response.
A Cyber-Loss Model answers this question using factors that are predictive of the cost. The predictive factors were identified through a statistical analysis of historical industry data breaches.
[Figure: Total Breach Cost (thousands of dollars), axis $0 to $5,000, with the additional values 6,600 and 10,000 also shown. Six experts (JB, DT, AA, JS, MK, RS): expert guesses (blue bars), expert average, model prediction (green line), actual cost (red line). Breach parameters: Affected: 220,000; Incident: Malicious Outsider; Data: PII; Lawsuits: 0.]
Much research shows that people are not good at estimating the impact of rare events, and large data breaches are rare events.
The graph above shows an example from a study conducted with Stanford University in which we asked industry experts to estimate the cost of known data breaches. Experts consistently guessed high, by an average of 2000%. By comparison, our model was within 40% of the actual cost on average.
Six experts guess at the cost of a single data breach, compared with the Cyber-Loss Model.
[Figure: Costs Covered by the Cyber-Loss Model. Response costs (breached company): Investigation, Notification, Call center, Remediation. Damage costs to the public and other businesses: business loss, damage to personal credit, theft of money and goods, credit card replacement costs. Damage costs to the breached company: business loss, theft of money and goods; credit monitoring and privacy insurance; fines and settlements. Arrows labelled "Mitigate" and "Transfer via suits" connect the public's damage costs to the breached company's costs. All of these make up Total Costs.]
Term: Meaning
Investigation: Cost of investigating what happened in a data breach, including which data was exposed, and of updating investigating agencies on progress.
Remediation: Cost of preventing a future data breach.
Notification: Legal costs of notifying the various government agencies and the people affected by the data breach.
Call Center: Cost of hiring or expanding call centers to handle calls from people affected by the data breach.
Business Loss, Theft of Money & Goods: Loss of business and customers, fraud costs, cost of goods purchased with stolen cards.
Credit Monitoring & Privacy Insurance: Cost of providing credit monitoring (for example through Experian) and insurance to cover personal losses of people affected by the data breach.
Fines & Settlements: Government fines, lawsuit awards and settlements, defense costs.
Glossary
The Cyber-Loss Model calculates the cost of a data breach exposing custodial data. Custodial data is any PII whose exposure triggers the reporting requirements of various government agencies (a loss of confidentiality, in AppSec parlance). The model calculates Total Costs; the breakdown of the costs included in Total Costs is shown graphically above.
VivoSecurity Inc, 1247 Russell Ave, Los Altos California; Contact: [email protected], (650) 919-‐3050
What is a Cyber-Loss Model?
The Cyber-Loss Model is essentially a complex formula that explains the variability in cost of historical data breaches. It was trained on a large set of data breaches and tested for accuracy on a randomly selected set of validation cases. It was developed in the statistical language R using standard statistical techniques such as linear regression and Bayesian Model Averaging.
The Cyber-Loss Model is deployed as an easy-to-use Excel spreadsheet that requires a small number of input variables found to be predictive of cost. No information is needed about a company's security posture.
What is Model Validation? The Federal Reserve has published guidance for model risk management (SR 11-7 and SR 15-18). This guidance is intended to ensure that models are developed following sound statistical practices. Many banks have an internal validation process for establishing compliance with it. Our Cyber-Loss Model complies with the Federal Reserve's guidance and can pass a bank's validation process.
Model Outputs
The graphs below are a pro forma example of breach cost characterizations. Possible data breach cost is broken down by incident and data type. The model also provides a probability distribution for the range of costs and the probability of lawsuits.
[Figure: Mean Data Breach Costs (millions of dollars), $0 to $100M, by Incident & Data Type. Figure: Probability (0% to 100%) of Number of Lawsuits (0, >0, 1, 2, 3, 4, 5).]
[Figure: Likelihood of Breach Cost (millions of dollars), $0 to $25M; the 80% confidence interval is marked at $19.8M.]
Value of Incident Response Controls
[Figure: Probability of Breach Cost (millions of dollars), $0 to $70M. Annotation: most companies would experience a cost of under $5M.]
For a given set of parameters, the cost follows a probability distribution, with the probability declining exponentially with cost. The 80% and 90% confidence points (labelled confidence intervals in the model output) mark the costs below which 80% and 90% of data breaches, respectively, will fall. The gap between the 80% and 90% points is large, and 10% of companies will experience costs that fall within this interval. This extra cost is driven primarily by incident response, and a large cost interval justifies investments in incident response activities.
[Figure annotation: 80% confidence and 90% confidence points are marked; 10% of breaches fall between them.]
Value of Incident Response.
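A worked illustration of the quantile argument above, added here as an example; it is not VivoSecurity's model or spreadsheet, and the real model's distribution and parameters are not on this page. It assumes, hypothetically, that breach cost follows an exponential distribution (the page only says probability declines exponentially with cost) and calibrates the mean so that the 80% point equals the $19.8M shown in the figure. All function names are the example's own. It computes the 80% and 90% points in closed form, the average cost of a breach that lands between them, a simple proxy for the expected extra cost that band contributes per breach, and checks the closed forms against a Monte Carlo draw.

```python
import math
import random


def exp_quantile(mean: float, p: float) -> float:
    """Cost below which a fraction p of breaches fall, if cost ~ Exp(mean).

    For an exponential distribution the p-quantile is -mean * ln(1 - p).
    """
    if not 0.0 <= p < 1.0:
        raise ValueError("p must be in [0, 1)")
    return -mean * math.log1p(-p)


def mean_from_quantile(cost: float, p: float) -> float:
    """Invert exp_quantile: the mean that puts the p-quantile at `cost`."""
    return -cost / math.log1p(-p)


def band_mean(mean: float, lo: float, hi: float) -> float:
    """E[cost | lo < cost <= hi] for cost ~ Exp(mean), in closed form.

    The antiderivative of x * f(x) for an exponential density is
    -(x + mean) * exp(-x / mean), so the conditional mean is a ratio of
    two differences of that expression over the band.
    """
    num = (lo + mean) * math.exp(-lo / mean) - (hi + mean) * math.exp(-hi / mean)
    den = math.exp(-lo / mean) - math.exp(-hi / mean)
    return num / den


def band_report(p_lo_cost: float, p_lo: float = 0.8, p_hi: float = 0.9) -> dict:
    """Characterize the band between two confidence points.

    p_lo_cost is the cost at the lower confidence point (hypothetical
    calibration input, e.g. the $19.8M read off the figure, in millions).
    """
    mean = mean_from_quantile(p_lo_cost, p_lo)
    lo = exp_quantile(mean, p_lo)
    hi = exp_quantile(mean, p_hi)
    avg_in_band = band_mean(mean, lo, hi)
    return {
        "mean": mean,
        "p_lo_cost": lo,
        "p_hi_cost": hi,
        "band_width": hi - lo,
        "band_mass": p_hi - p_lo,
        "band_mean_cost": avg_in_band,
        # Proxy (this example's own definition): expected cost above the lower
        # point that breaches landing in the band add, averaged over all breaches.
        "excess_per_breach": (p_hi - p_lo) * (avg_in_band - lo),
    }


def simulate(mean: float, lo: float, hi: float, n: int = 200_000, seed: int = 1):
    """Monte Carlo check: (fraction of draws in band, mean cost of those draws)."""
    rng = random.Random(seed)
    draws = [rng.expovariate(1.0 / mean) for _ in range(n)]
    in_band = [x for x in draws if lo < x <= hi]
    return len(in_band) / n, sum(in_band) / len(in_band)


if __name__ == "__main__":
    r = band_report(19.8)  # millions; hypothetical calibration to the figure
    for k, v in r.items():
        print(f"{k:>18}: {v:8.3f}")
    frac, avg = simulate(r["mean"], r["p_lo_cost"], r["p_hi_cost"])
    print(f"simulated band mass {frac:.3f}, simulated band mean {avg:.3f}")
```

With the exponential assumption the 90% point sits at ln(10)/ln(5) ≈ 1.43 times the 80% point, so a $19.8M 80% point implies roughly $28.3M at 90%; a breach that lands in the band costs about $23.6M on average. The closed forms hold only for the exponential; a heavier-tailed fit (lognormal, Pareto) would widen the band further, which is the direction the page's argument needs.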
Breach Costs affected by Incident Response
Investigation: Turn on logging to capture information that can speed the investigation. Engaging a security firm early can save millions.
Notification: Engage a law firm early, negotiate costs and be prepared.
Fines & settlements: Reduce the probability of a lawsuit by engaging a law firm to review contracts and advertising promises.
What Does the Cyber-Loss Model Include?
Included: Detail
Deployment: Models are deployed as an easy-to-use Excel spreadsheet.
Training: We provide training on the use of the spreadsheet, how to think about confidence intervals, and how to guide insurance purchases.
Documentation: We provide complete model documentation in the bank's own format. [1]
Validation Support: We provide support for the bank's model validation team, including data turnover, troubleshooting R and SQL code, and discussions of modeling methodology. [1]
Quarterly Maintenance: We provide new data as it becomes available, model re-evaluation, all required validation documentation, validation team support, re-deployment, and evidence of testing. [1]
1. Required by banks and insurance companies; not recommended for other industries.
Use Case
The diagram below shows the process for a typical retail bank that uses the Cyber-Loss Model to satisfy regulatory requirements. Activities need not proceed sequentially. For example, after a model owner is determined, model validation (which takes the most time) can be performed concurrently with other activities.
Evaluation: The bank receives the model as an Excel spreadsheet and performs an initial evaluation using approximate model inputs. VivoSecurity provides training on how to use the model, how to think about confidence intervals, and how to apply results to insurance purchases.
Model Owner: The owner (sponsor) of the risk model is decided. The owner might be, for example, the CFO or CRO group. The model owner might draft documents to officially sponsor the model as preparation for model validation.
Validation Support: VivoSecurity produces SR 11-7 compliant validation documentation, following the bank's format. VivoSecurity then works with the bank's validation team to support validation activities.
Data Owner: Departments are identified that will produce validated numbers to be entered into the model. This might include creating and approving SQL queries against bank systems to generate the numbers.
Insurance Adequacy: The model owner receives validated numbers from the data owners and performs a model-based evaluation of insurance adequacy. Considerations are documented and approved.
Adjust Insurance: Insurance coverage can be adjusted and premiums lowered using model-based arguments and historical industry data. Note that neither carriers nor brokers have models as rigorous as ours, giving the bank an advantage in negotiations.
Document: Considerations for insurance adequacy, along with validated models and evidence of insurance, are incorporated into regulator reporting documentation, e.g., FR Y-14A.
About VivoSecurity
VivoSecurity provides data analytics and statistical modeling to companies in the financial and high tech industries. We have been a Silicon Valley startup since 2012, with PhD level scientists and statisticians. We use advanced data analytic techniques to model the probability and cost of cybersecurity events. We have strong cybersecurity domain knowledge, strong knowledge of software applications, strong knowledge of operating systems and hardware, and a strong understanding of enterprise operations.
Additional Offerings
Model: Description
Peer Risk Model: Characterizes cyber risk in dollars in comparison with peers.
Probability for Fraud, personal customers: Calculates the probability of a cyber attack that leads to fraud.
Probability for Fraud, corporate customers: Calculates the probability of a cyber attack that leads to fraud.
3rd Party (Vendor) Risk: Calculates the risk in dollars posed by 3rd party partners.