SlideShare a Scribd company logo

Data Security Metricsa Value Based Approach

Flaskdata.io, profile picture
Flaskdata.io

This document discusses data security metrics and a value-based approach. It introduces common objections to data security investments and argues that anything can be measured. It then outlines why metrics are important for data security and why quantifying risk is beneficial. The document describes typical data security metrics and provides an example of a quantitative risk model. Finally, it discusses measurement methods and how continuous improvement is important.

1 of 16
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Data security metrics and a value based approach Licensed under the Creative Commons Attribution License Danny Lieberman dannyl@controlpolicy.com www.controlpolicy.com
Why? “I don't need data security, we outsource our IT to one of the big banks” “It's never happened to us before” “You can't estimate asset value” “We encourage risk taking” “I don't take risks” True quotes from real people
Agenda • Introduction and welcome • What is data security? • Anything can be measured • Why metrics? • Why quantify risk? • Measurement methods • Continuous improvement • Questions and answers
Introduction • Our mission today – Tools to help make your work easier – Share ideas
What the heck is data security? • Security – Ensure we can survive & add value • Physical, information, systems, people • Data security – Protect data directly in all realms
Anything can be measured All exact science is based on approximation. If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man. Bertrand Russell
Data security metrics • Dimensions – organization, channel and content • Typical metrics – % of employees that signed the AUP – % Webmail traffic/all mail traffic – % Office files by Webmail/Employees – No. of revenue transactions – Cost of security for operational/revenue systems – Cost of security for customer service systems – Cost of security for FnA systems – Value of assets in Euro – Total value at risk of assets
Why do we need metrics? • Recognize this? The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) Ignores the hard stuff; quantification and Ignorance is never better than prioritization of your actions based on financial value of assets and knowledge measurement of threat impact Enrico Fermi
Why bother quantifying risk? • Why not qualitative metrics? When was the last time a customer paid a “qualitative price” ?
Quantitative risk model(*) Value at Risk Metrics =Threat Damage to Asset value, Asset x Asset Value x Threat damage to Threat Probability asset, Threat probability (*) PTA -Practical threat analysis risk model
Quantitative risk model benefits • Run security like you run your business – Quantify and prioritize actions in Euro/USD – Justify data security investments • Measure improvement – Reduced risk – Lower costs
Measurement methods • Hand sampling – Small samples of employees, routers... • The “Rule of 5” • Expert estimates – The CFO • Pros at asset valuation • Test equipment
Test equipment Management Provisioning Events Reporting Policies Data Document Forensics Warehouse Server Detection point Interception Received: from [172.16.1.35] Session Decoders (-80-230-224- Message Policies ID:<437C5FDE.9080> Countermeasures “Send me more files today.
Continuous improvement
Coming attractions • Sep 10: Selecting data security technology • Sep 17: Selling data security technology • Sep 24: Write a 2 page procedure • Oct 1: Home(land) security • Oct 8: SME data security http://www.controlpolicy.com/workshops
Learn more • Presentation materials and resources http://www.controlpolicy.com/data-security-workshops

More Related Content

PDF
M&A security - E-crime Congress 2017
EQS Group
 
PDF
Fns Incident Management Powered By En Case
tbeckwith
 
PDF
Mergers and Acquisition Security - Areas of Interest
Matthew Rosenquist
 
PDF
Chapter 12 iso 27001 awareness
newbie2019
 
PPTX
TA security
kesavars
 
PPT
The Datacenter Security Continuum
Martin Hingley
 
PDF
Incident response methodology
Piyush Jain
 
PPSX
Cyber Security Awareness Month 2017- Nugget2
Chinatu Uzuegbu
 
M&A security - E-crime Congress 2017
EQS Group
 
Fns Incident Management Powered By En Case
tbeckwith
 
Mergers and Acquisition Security - Areas of Interest
Matthew Rosenquist
 
Chapter 12 iso 27001 awareness
newbie2019
 
TA security
kesavars
 
The Datacenter Security Continuum
Martin Hingley
 
Incident response methodology
Piyush Jain
 
Cyber Security Awareness Month 2017- Nugget2
Chinatu Uzuegbu
 

What's hot (18)

PPSX
Cyber Security Awareness Month 2017-Nugget 3
Chinatu Uzuegbu
 
PPTX
Data Protection Top Ten Concerns
healthcareisi
 
PPTX
The TTPs of hard hat incident response
Hinne Hettema
 
PPTX
NZISF Talk: Six essential security services
Hinne Hettema
 
PPTX
Red team vs Penetration Testing
avioren1979
 
PDF
Chapter 15 incident handling
newbie2019
 
PDF
A case for Managed Detection and Response
Digital Transformation EXPO Event Series
 
PDF
GDPR: The Application Security Twist
Security Innovation
 
PDF
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
PPTX
Incident Response in the age of Nation State Cyber Attacks
Resilient Systems
 
PPTX
Information Secuirty Vulnerability Management
tschraider
 
PDF
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
Sreejesh Madonandy
 
PDF
Remote Deposit Capture Risk Management & FFIEC Complaince
JTLeekley
 
PDF
End User Brochure
proitsolutions
 
PPT
Internal Risk Management
Barry Caplin
 
PPSX
4 Operations Security
Alfred Ouyang
 
PDF
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
PDF
Dynamic Log Analysis™ Business Value Sheet
Clear Technologies
 
Cyber Security Awareness Month 2017-Nugget 3
Chinatu Uzuegbu
 
Data Protection Top Ten Concerns
healthcareisi
 
The TTPs of hard hat incident response
Hinne Hettema
 
NZISF Talk: Six essential security services
Hinne Hettema
 
Red team vs Penetration Testing
avioren1979
 
Chapter 15 incident handling
newbie2019
 
A case for Managed Detection and Response
Digital Transformation EXPO Event Series
 
GDPR: The Application Security Twist
Security Innovation
 
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
Incident Response in the age of Nation State Cyber Attacks
Resilient Systems
 
Information Secuirty Vulnerability Management
tschraider
 
Even In 2014, Attackers are on steroid on Cloud, since the IT spending on Web...
Sreejesh Madonandy
 
Remote Deposit Capture Risk Management & FFIEC Complaince
JTLeekley
 
End User Brochure
proitsolutions
 
Internal Risk Management
Barry Caplin
 
4 Operations Security
Alfred Ouyang
 
Cybersecurity Roadmap Development for Executives
Krist Davood - Principal - CIO
 
Dynamic Log Analysis™ Business Value Sheet
Clear Technologies
 
Ad

Viewers also liked (7)

PPTX
The Tao of GRC
Flaskdata.io
 
PDF
Data Security For SMB - Fly first class on a budget
Flaskdata.io
 
PDF
Selling Data Security Technology
Flaskdata.io
 
PPTX
Grc tao.4
Flaskdata.io
 
PDF
Will Web 2.0 applications break the cloud?
Flaskdata.io
 
PPTX
Pathcare: Patient-issue oriented healthcare
Flaskdata.io
 
PPTX
Quick user guide to the Clear Clinica Cloud EDC system
Flaskdata.io
 
The Tao of GRC
Flaskdata.io
 
Data Security For SMB - Fly first class on a budget
Flaskdata.io
 
Selling Data Security Technology
Flaskdata.io
 
Grc tao.4
Flaskdata.io
 
Will Web 2.0 applications break the cloud?
Flaskdata.io
 
Pathcare: Patient-issue oriented healthcare
Flaskdata.io
 
Quick user guide to the Clear Clinica Cloud EDC system
Flaskdata.io
 
Ad

Similar to Data Security Metricsa Value Based Approach (20)

PPTX
MIS: Information Security Management
Jonathan Coleman
 
PPTX
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …
Andris Soroka
 
PDF
Security For Free
gwarden
 
PPTX
Database development and security certification and accreditation plan pitwg
John M. Kennedy
 
PDF
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
TI Safe
 
PPTX
Information Security Cost Effective Managed Services
Jorge Sebastiao
 
PPTX
Fernando Imperiale - Security Intelligence para PYMES
Fernando M. Imperiale
 
PPTX
IBM - Security Intelligence para PYMES
Fernando M. Imperiale
 
PPTX
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON
 
PPTX
Security Analytics Beyond Cyber
Phil Huggins FBCS CITP
 
PDF
Today's Cyber Challenges: Methodology to Secure Your Business
JoAnna Cheshire
 
PDF
Security Awareness Training
Daniel P Wallace
 
PPTX
Cyber Security Needs and Challenges
Happiest Minds Technologies
 
PPTX
Stay Ahead of Threats with Advanced Security Protection - Fortinet
MarcoTechnologies
 
PDF
Helicopter Assessments - Improve your Customer Data Security!
Dahamoo GmbH
 
PPTX
Ta Security
jothsna
 
PDF
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
Skoda Minotti
 
PDF
Fully Integrated Defense Operation
Rob Fry
 
PPT
Isys20261 lecture 01
Wiliam Ferraciolli
 
PDF
2012 Data Center Security
Szymon Dowgwillowicz-Nowicki
 
MIS: Information Security Management
Jonathan Coleman
 
Data Security Solutions @ISACA LV Chapter Meeting 15.05.2013 SIEM based …
Andris Soroka
 
Security For Free
gwarden
 
Database development and security certification and accreditation plan pitwg
John M. Kennedy
 
CLASS 2018 - Palestra de Denis Prado (Security Intelligence Sales Leader Lati...
TI Safe
 
Information Security Cost Effective Managed Services
Jorge Sebastiao
 
Fernando Imperiale - Security Intelligence para PYMES
Fernando M. Imperiale
 
IBM - Security Intelligence para PYMES
Fernando M. Imperiale
 
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON
 
Security Analytics Beyond Cyber
Phil Huggins FBCS CITP
 
Today's Cyber Challenges: Methodology to Secure Your Business
JoAnna Cheshire
 
Security Awareness Training
Daniel P Wallace
 
Cyber Security Needs and Challenges
Happiest Minds Technologies
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
MarcoTechnologies
 
Helicopter Assessments - Improve your Customer Data Security!
Dahamoo GmbH
 
Ta Security
jothsna
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
Skoda Minotti
 
Fully Integrated Defense Operation
Rob Fry
 
Isys20261 lecture 01
Wiliam Ferraciolli
 
2012 Data Center Security
Szymon Dowgwillowicz-Nowicki
 

More from Flaskdata.io (12)

PDF
Flaskdata - Observability for clinical data
Flaskdata.io
 
PDF
The travel industry does real-time. Why doesn't clinical research?
Flaskdata.io
 
PDF
Flaskdata.io automated monitoring for clinical trials
Flaskdata.io
 
PPTX
How to write secure code
Flaskdata.io
 
PDF
The insights that will help your medtech clinical trial succeed
Flaskdata.io
 
PDF
2017 02-05 en-eu-data-security_v2
Flaskdata.io
 
PPTX
Killed by code 2015
Flaskdata.io
 
PPTX
Killed by code 2015
Flaskdata.io
 
PPTX
Killed by code - mobile medical devices
Flaskdata.io
 
PPT
Data Security For Compliance 2
Flaskdata.io
 
PDF
Homeland Security - strengthening the weakest link
Flaskdata.io
 
PDF
Writing An Effective Security Procedure in 2 pages or less and make it stick
Flaskdata.io
 
Flaskdata - Observability for clinical data
Flaskdata.io
 
The travel industry does real-time. Why doesn't clinical research?
Flaskdata.io
 
Flaskdata.io automated monitoring for clinical trials
Flaskdata.io
 
How to write secure code
Flaskdata.io
 
The insights that will help your medtech clinical trial succeed
Flaskdata.io
 
2017 02-05 en-eu-data-security_v2
Flaskdata.io
 
Killed by code 2015
Flaskdata.io
 
Killed by code 2015
Flaskdata.io
 
Killed by code - mobile medical devices
Flaskdata.io
 
Data Security For Compliance 2
Flaskdata.io
 
Homeland Security - strengthening the weakest link
Flaskdata.io
 
Writing An Effective Security Procedure in 2 pages or less and make it stick
Flaskdata.io
 

Data Security Metricsa Value Based Approach

  • 1. Data security metrics and a value based approach Licensed under the Creative Commons Attribution License Danny Lieberman dannyl@controlpolicy.com www.controlpolicy.com
  • 2. Why? “I don't need data security, we outsource our IT to one of the big banks” “It's never happened to us before” “You can't estimate asset value” “We encourage risk taking” “I don't take risks” True quotes from real people
  • 3. Agenda • Introduction and welcome • What is data security? • Anything can be measured • Why metrics? • Why quantify risk? • Measurement methods • Continuous improvement • Questions and answers
  • 4. Introduction • Our mission today – Tools to help make your work easier – Share ideas
  • 5. What the heck is data security? • Security – Ensure we can survive & add value • Physical, information, systems, people • Data security – Protect data directly in all realms
  • 6. Anything can be measured All exact science is based on approximation. If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man. Bertrand Russell
  • 7. Data security metrics • Dimensions – organization, channel and content • Typical metrics – % of employees that signed the AUP – % Webmail traffic/all mail traffic – % Office files by Webmail/Employees – No. of revenue transactions – Cost of security for operational/revenue systems – Cost of security for customer service systems – Cost of security for FnA systems – Value of assets in Euro – Total value at risk of assets
  • 8. Why do we need metrics? • Recognize this? The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) Ignores the hard stuff; quantification and Ignorance is never better than prioritization of your actions based on financial value of assets and knowledge measurement of threat impact Enrico Fermi
  • 9. Why bother quantifying risk? • Why not qualitative metrics? When was the last time a customer paid a “qualitative price” ?
  • 10. Quantitative risk model(*) Value at Risk Metrics =Threat Damage to Asset value, Asset x Asset Value x Threat damage to Threat Probability asset, Threat probability (*) PTA -Practical threat analysis risk model
  • 11. Quantitative risk model benefits • Run security like you run your business – Quantify and prioritize actions in Euro/USD – Justify data security investments • Measure improvement – Reduced risk – Lower costs
  • 12. Measurement methods • Hand sampling – Small samples of employees, routers... • The “Rule of 5” • Expert estimates – The CFO • Pros at asset valuation • Test equipment
  • 13. Test equipment Management Provisioning Events Reporting Policies Data Document Forensics Warehouse Server Detection point Interception Received: from [172.16.1.35] Session Decoders (-80-230-224- Message Policies ID:<437C5FDE.9080> Countermeasures “Send me more files today.
  • 15. Coming attractions • Sep 10: Selecting data security technology • Sep 17: Selling data security technology • Sep 24: Write a 2 page procedure • Oct 1: Home(land) security • Oct 8: SME data security http://www.controlpolicy.com/workshops
  • 16. Learn more • Presentation materials and resources http://www.controlpolicy.com/data-security-workshops