1
ECONOMIC ASPECTS OF DATA PROTECTION
South Eastern Europe Conference on Regional Security through Data Protection
Belgrade, December 1-2, 2003
Daniel C. Hurley, Jr., Director, Critical Infrastructure Protection
U.S. Department of Commerce
2
Within the U.S. Government, the Department of Commerce is the appropriate agency for addressing economic security issues:
• Core mission incorporates CIP
• Historic ties with and understanding of industry
• Trust between the Department and industry
• With DOC's involvement, U.S. industry participates more effectively
3
Critical Infrastructure Assurance Challenges
• Vulnerabilities Increase with “Always On” Network Connections, Telecommuting, Lax Security Practices
• Viruses, DoS Attacks, Identity Theft and other Practices can Aid Terrorist Activity
• Lukewarm Corporate and Public Interest in InfoSec Awareness and Education, although that has changed somewhat post-September 11th
• FBI/CSI survey (2003) found about “90 percent of respondents detected computer security breaches in the past year, but only 34 percent reported those attacks to authorities.”
4
Costs of Computer Crime
• Costs (total reported losses):
  – 2003: $201 million
  – 2002: $455 million
• Types:
  – Theft of proprietary information ($70 million)
  – Denial of service ($65 million)
  – Financial fraud ($10.2 million; down from $116 million in 2002)
• Forms of attack (percent of respondents detecting each):
  – Virus incidents (82%)
  – Insider abuse (80%)
Source: CSI/FBI 2003 Computer Crime and Security Survey
5
Examples of Recent Attacks
• Klez virus:
  – Clean-up and lost productivity: $9 billion
• Code Red:
  – 1 million computers affected
  – Clean-up and lost productivity: $2.6 billion
• Love Bug:
  – 50 variants, 40 million computers affected
  – Clean-up and lost productivity: $8.8 billion
• NIMDA:
  – Clean-up and lost productivity: $1.2 billion
• Slammer:
  – Clean-up and lost productivity: $1 billion +
6
“Business Case” for Cybersecurity
• There is a 21% Return on Investment for cyber security systems implemented early in network development
Source: CSO Magazine, 2002
• “The costs of a severe computer attack are likely to be greater than the preemptive investment in a cyber security program would have been.”
Source: National Strategy to Secure Cyber Space, February 2003
7
Premise
Infrastructure security can have a direct effect on shareholder value.
8
Shareholder Value Metrics
Gordon Growth Model
Investment Analyst View:
Market Capitalization = Free Cash Flow / (Cost of Equity - Growth of Free Cash Flow)
9
Shareholder Value Metrics
Gordon Growth Model
CEO View:
Market Cap = Increase Revenues, Reduce Expenses, Manage Risks, Grow Free Cash Flow
Risks to manage:
• Operational
• Credit
• Reputational
10
Risk Management is Key
Five-year cost of equity = Stock Volatility + Corporate Credit Spread + Government Bond Rate
  Stock Volatility         = 8%
  Corporate Credit Spread  = 1%
  Government Bond Rate     = 6%
  Five-year cost of equity = 15%
11
Shareholder Value Metrics: An Example
$2.0 billion market cap = $100 million / (15% - 10%)
12
Shareholder Value Metrics: An Example
$1.67 billion market cap = $100 million / (16% - 10%)
A 1% increase in cost of equity decreases market capitalization by $333.3 million.
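The two example slides apply the model one step at a time. As an added illustration that is not part of the presentation, the Python below carries the slides' own figures (8% volatility, 1% credit spread, 6% bond rate, $100 million of free cash flow growing at 10%) through the two formulas and extends the single 1% step to any increase in cost of equity. The function names, the check that cost of equity exceeds the growth rate, and the sensitivity table are this example's own scaffolding, not the presenter's.

```python
"""Worked example of the shareholder-value model on the preceding slides.

Formulas taken from the slides:
    cost of equity = stock volatility + corporate credit spread + government bond rate
    market cap     = free cash flow / (cost of equity - growth of free cash flow)

Everything else (function names, the sensitivity table, the input check) is
this example's own, not the presenter's. Rates are plain fractions (0.15 for
15%); money is in millions of dollars.
"""


def cost_of_equity(volatility, credit_spread, bond_rate):
    """Five-year cost of equity built the way the slide builds it: a sum of three parts."""
    return volatility + credit_spread + bond_rate


def market_cap(free_cash_flow, r, g):
    """Gordon Growth Model: market cap = FCF / (r - g).

    The model is only meaningful when the cost of equity r exceeds the growth
    rate g; at r <= g the denominator is zero or negative, so the caller is
    told instead of being handed a nonsense valuation.
    """
    if r <= g:
        raise ValueError(f"Gordon model needs cost of equity ({r:.2%}) > growth ({g:.2%})")
    return free_cash_flow / (r - g)


def market_cap_loss(free_cash_flow, r, g, delta_r):
    """Value destroyed (a positive number) when the cost of equity rises by delta_r."""
    return market_cap(free_cash_flow, r, g) - market_cap(free_cash_flow, r + delta_r, g)


def sensitivity_table(free_cash_flow, r, g, deltas):
    """(increase in cost of equity, cumulative market-cap loss) for each value in deltas.

    Because market cap is FCF / (r - g), each percentage point hurts most when the
    spread r - g is small: the slide's 1-point move on a 5-point spread wipes out
    one sixth of the company's value.
    """
    return [(d, market_cap_loss(free_cash_flow, r, g, d)) for d in deltas]


if __name__ == "__main__":
    # Figures from the slides: 8% volatility, 1% credit spread, 6% bond rate,
    # $100 million free cash flow growing at 10%.
    r = cost_of_equity(volatility=0.08, credit_spread=0.01, bond_rate=0.06)
    fcf, g = 100.0, 0.10
    print(f"cost of equity: {r:.0%}")
    print(f"market cap at {r:.0%} cost of equity: ${market_cap(fcf, r, g):,.1f} million")
    for d, loss in sensitivity_table(fcf, r, g, [0.01, 0.02, 0.03]):
        print(f"  +{d:.0%} cost of equity -> ${loss:,.1f} million of market cap lost")
```

Running the script reproduces the $2.0 billion and $1.67 billion valuations and the $333.3 million drop. The table also makes the slide's point about risk management concrete: the narrower the gap between cost of equity and growth, the more each point of added volatility or credit spread costs shareholders, which is the channel through which an infrastructure security failure reaches market capitalization.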
13
Simple Tenets of Business
• Survival: Keep the company in business: meet the needs of paying customers
• Fiduciary Responsibility: Protect the interests of shareholders and other investors
  – Retain and increase value; grow revenue and earnings (ROI, ROE, Market Share, . . . )
• Do the above in compliance with applicable law and regulation
14
Ten Questions About Information Security
1. Accountability - What management system have we established to assure effective assignment of accountability for the security of our information and supporting technology resources?
2. Awareness - What has management done to ensure that all parties know, understand, and accept the importance of adhering to sound information security?
3. Ethics - What has management done to ensure that we are using our information assets and administering information security in an ethical manner?
15
Ten Questions About Information Security (continued)
4. Multidisciplinary Considerations - What has management done to ensure the perspectives and considerations of all interested and affected parties are considered and balanced in developing our information security policy?
5. Proportionality - What cost/benefit, risk, and due care analyses have been applied to the selection of our information security controls?
6. Integration - How has management coordinated and integrated information security with overall policies and procedures to create and maintain effective security throughout our information systems?
16
Ten Questions About Information Security (continued)
7. Timeliness - What capabilities do we have to ensure that failures involving information technology or its management will not endanger the organization, its supported business units, its neighbors, or their information assets, and will not impair their ability to operate?
8. Assessment - What capabilities do we have to ensure that risks associated with information and supporting technology resources are effectively assessed on an appropriate periodic basis, or as otherwise required, and managed accordingly?
17
Ten Questions About Information Security (continued)
9. Equity - How does management ensure that information security measures are fair and legal?
10. Information Sharing - How effectively does management share appropriate information with peer organizations and appropriate governmental entities?
18
Security Incentives - Internal
• Tone at the Top:
  – Mission, Values, Strategies, and Objectives
  – Results, Reputation, and Learning
• Assurance Objectives:
  – Availability, Capability, Functionality, Protectability, and Accountability
• Management Practices:
  – Operations, Reporting, Compliance, and Safeguarding of Assets
  – People, Technology, Processes, Investment, and Communications
19
Systems Assurance and Control Model
20
Board and Executive Responsibilities for Information Security
• Tone at the Top
  – Ethics, Quality, Trust, Security, Reliability
• Board of Directors
  – Duty of care to ensure it receives sufficient reliable evidence to govern the organization
  – Ask insightful questions and assess the appropriateness of the answers
  – Duty and challenge to keep abreast of the myriad subjects influencing business governance
21
The Audit Committee of the Board
• Reliability of information and its presentation in financial and other reports
• Ensuring regulatory compliance
• External and internal auditing
  – Selecting and retaining the auditors
  – Direct reporting relationship with the chairman of the audit committee
  – Independence and objectivity
22
Audit Examples
• Review processes for systems design, development, maintenance, and enhancements
• Review network operations and security
• Review change controls for systems, networks, and information
• Select and analyze data for verification of controls or assessment of anomalies
• Review access controls for security and accountability
23
Audit Examples
• Review business processes and supporting systems and data
• Review effectiveness of specific activities such as intrusion control
• Assess business continuity, including participation in recovery testing
• Assess sensitive activities such as incident response
• Consult in any area of security or controls to facilitate improvement and efficiency
24
The Role of Private Insurance
• Government regulations generally promote behavior through negative reinforcement (e.g. fines, jail, etc.)
Versus
• Private Insurance generally promotes behavior through positive reinforcement (e.g. availability of insurance, lower premiums)
25
What are the Underwriter's Obligations?
• Prevent or mitigate the loss
• Transfer the risk of the loss
• Assist in post-incident support and reputation rebuilding
26
What are the risks to manage?
• Legal liability to others: security breaches, web content, professional errors and omissions (E&O)
• Loss or damage to my data
• Loss of revenue due to a DoS attack
• Loss or damage to reputation
• Loss of market capitalization and resulting shareholder lawsuits
27
Value of Insurance
• Computer attacks hit with huge frequency and are causing substantial damage.
• The private insurance sector plays a unique role in motivating behavior by adjusting the price and availability of insurance.
• In addition to providing coverage, insurance firms should help to prevent the loss by aligning themselves with quality security technology companies, within a specialized unit.
28
Future Concerns - Examples
• Systemic issues not being addressed systemically
  – E.g., software patch management as a symptom
• People – the biggest concern
  – IT workforce shortfalls (including INFOSEC)
  – Lack of feedback of "good practices" into the education process
  – Management awareness/education
  – Accountability
  – Citizen awareness/education/training ("K-life") – a cultural issue
• Disruptive technologies
  – Wireless
  – Miniaturization: e.g., nanotechnology and MEMS
  – Moore's Law: increasing power to the individual at lower cost
  – Network-enabled applications: e.g., peer-to-peer sharing
29
CIP Lessons Learned
• GLOBAL ECONOMIC BENEFITS OF CIP
  – Economic security is a motivating factor
  – Complements law enforcement and national security objectives
• CONTINUOUS EDUCATION & AWARENESS NECESSARY
  – Solutions involve people, not just technology and process
• INDUSTRY INTERACTION ESSENTIAL
  – Facilitates issue identification
  – Broadens analytic support
  – Facilitates buy-in by industry
  – Accelerates the economic benefits to be derived
30
The Final Word . . .
• Effective information security management and monitoring practices can either be adopted and enforced by management, or they will eventually be mandated by regulation, legislation, lawsuits, and/or insurer requirements.
• Those who benefit most from effective security practices will be those early adopters who recognize them as good business practice and build them into the systems and processes as integral business components.
31
Information for This Presentation Was Provided By:
Charles LeGrand
Director of Technology Practices
The Institute of Internal Auditors
James McNulty
President & CEO, Chicago Mercantile Exchange, Inc.
Ty Sagalow
Chief Operating Officer
AIG Global eBusiness Solutions
The Information Technology Association of America (ITAA)
32
THANK YOU
Daniel C. Hurley, Jr., Director, Critical Infrastructure Protection
U.S. Department of Commerce