Return On Security Investment
Taz Daughtrey
Becky Neary
James Madison University
EDUCAUSE Security Professionals Workshop
May 18, 2004
Copyright Taz Daughtrey 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Return On Security Investment
Taz Daughtrey, Associate Director
Becky Neary, Student Assistant
Institute for Infrastructure and Information Assurance
www.jmu.edu/iiia
James Madison University
Harrisonburg, Virginia
ASSETS
THREATS
VULNERABILITIES
COUNTERMEASURES
INVESTMENTS
EVALUATION
Achieving Security Objectives
CONFIDENTIALITY: Preserving authorized restrictions on access and disclosure.
INTEGRITY: Guarding against improper modification or destruction.
AVAILABILITY: Ensuring timely and reliable access and use.
FIPS PUBLICATION 199, Standards for Security Categorization of Federal Information and Information Systems
Not Achieving Security: Consequences
A loss of confidentiality is the unauthorized disclosure of information.
A loss of integrity is the unauthorized modification or destruction of information.
A loss of availability is the disruption of access to or use of information or an information system.
FIPS PUBLICATION 199, Standards for Security Categorization of Federal Information and Information Systems
Return On Investment = Return / Investment
“How much to spend?” “Where to spend it?”
R eturn
O n
S ecurity
I nvestment
Risk Management
Risk Exposure = Probability of occurrence × Consequence of occurrence
Risk Management
Risk Avoidance: reducing probability of occurrence
Risk Mitigation: reducing consequence of occurrence
Risk Avoidance acts on the first factor:
Risk Exposure = Probability of occurrence × Consequence of occurrence
Risk Mitigation acts on the second factor:
Risk Exposure = Probability of occurrence × Consequence of occurrence
Return On Investment = Return / Investment
ROSI = Reduction in Risk Exposure / Investment in Countermeasures
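A worked ROSI calculation in Python, added here to illustrate the two formulas above; it is not part of the original slides. The risk figures, countermeasure costs and the probability/consequence reduction factors are constructed assumptions, and the calculator deliberately reports no ROSI for a zero-cost option, where the ratio is undefined.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    """One threat to one asset: annual probability and dollar loss if it occurs."""
    name: str
    probability: float   # 0.0 .. 1.0 per year
    consequence: float   # dollars lost per occurrence

    def exposure(self) -> float:
        # Risk Exposure = Probability of occurrence x Consequence of occurrence
        return self.probability * self.consequence


@dataclass(frozen=True)
class Countermeasure:
    """A candidate investment. probability_factor < 1 is risk avoidance (lower
    probability); consequence_factor < 1 is risk mitigation (lower consequence)."""
    name: str
    investment: float
    probability_factor: float = 1.0   # 1.0 leaves that term unchanged
    consequence_factor: float = 1.0

    def apply(self, risk: Risk) -> Risk:
        return Risk(risk.name, risk.probability * self.probability_factor,
                    risk.consequence * self.consequence_factor)


def rosi(risk: Risk, cm: Countermeasure) -> Optional[float]:
    """ROSI = Reduction in Risk Exposure / Investment in Countermeasures.
    None for a zero-cost option, where the ratio is undefined."""
    if cm.investment <= 0:
        return None
    return (risk.exposure() - cm.apply(risk).exposure()) / cm.investment


def rank_by_rosi(risk: Risk, options: List[Countermeasure]) -> List[Tuple[str, float]]:
    """Answer 'where to spend it?': highest ROSI first, undefined ratios dropped."""
    scored = [(cm.name, rosi(risk, cm)) for cm in options]
    return sorted([(n, r) for n, r in scored if r is not None],
                  key=lambda nr: nr[1], reverse=True)


# Constructed sample input (not from the slides): one risk, three options.
RECORDS_BREACH = Risk("student records breach", probability=0.25, consequence=400_000.0)
OPTIONS = [
    Countermeasure("up-front security review", 100_000.0, probability_factor=0.4),
    Countermeasure("incident response retainer", 20_000.0, consequence_factor=0.5),
    Countermeasure("review plus retainer", 120_000.0, 0.4, 0.5),
]
```

With these inputs the exposure is $100,000 a year; the cheap retainer halves the consequence and ranks first by ROSI even though the review removes more exposure in absolute terms.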
COST OF SECURITY
Costs of achieving security
Costs of not achieving security
Prevention
Appraisal
Detection
Containment
Recovery
Remediation
Pay me now, or pay me later
"A small security review up front might cost $100,000, while an emergency response to an incident after the fact could run $350,000 to $500,000."
Return on Security Investment
known vulnerabilities: unexploited vs. exploited
Return on Security Investment
According to one study, last year …
known vulnerabilities = 2437
exploited = 50
2%
Return on Security Investment
According to another source …
known vulnerabilities = 4200
exploited = 16
Less than half of 1%
Conclusion
We all face a real and growing threat to our critical infrastructures
Best defensive approaches combine attention to cyber and physical aspects
Significant achievements can be orchestrated through collaborations
Return On Security Investment
Taz Daughtrey
James Madison University
540 568 2778
[email protected]