
Copyright © 2015 Tomohisa Ishikawa All rights reserved.

International Workshop on CyberSecurity with UNSW, 2015 July 8th

How much is your phone number, living address or date of birth?

Compensation for leaking personal identity information

Kouichi SAKURAI (CSC@KyushuUniv. & ISIT)

joint work with

Tomohisa ISHIKAWA (External PhD student of Kyushu Univ.; CISSP, CISA, CISM, QSA, CFE)

Today's talk

Recent Incidents around Personal Information Leakage
• Japan Pension Service [JP. 2015/May, Advanced Persistent Threat]
• Benesse [JP. Education, 2014/July, a kind of Insider Threat]
• Target [US. Retail, 2014/Jan. POS/IoT Malware]

Cyber Risk Insurance
• 2012/Apr. from AIU/AIG-JP
• Still a small business as of 2015/Mar.
• 2015/Feb. from Tokio Marine & Nichido Fire Insurance Co., Ltd.

Compensation in Personal Identifiable Information Leakage
• JNSA Damage Operation (JO) Model for Individual Information Leak [JP. 2003]
• Application of JO model and its limitation (Gap from Real)

3. The Compensation in Real World and Analysis

Japan Pension Service Information Breach 2015 May

Information Breach in Japan Pension Service
• Typical targeted attack but catastrophic harm
  1. Targeted e-mail
  2. PCs in JPS are infected by malware
  3. Attackers gain the critical info. via infected PC
  4. The confidential info. is leaked: 450,000 people's info. [no password]

The Compensation in Real World

Example : Benesse 2014 July
• A famous educational company.
• A staff member took out 35M clients' data for monetary gain.
• Benesse paid a 500 Yen gift card to all victims, and the total cost for compensation is more than 20 billion yen.
• Some of the victims have filed a “collective lawsuit” [集団訴訟].
• The participants in the collective lawsuit request 55,000 Yen per person as compensation. (5,000 Yen is the fee of lawyers.)

The Compensation in Real World

Example : Target (Retail) 2014 Jan.
• Information breach caused by POS malware
• 70M customers' personal info. leaked
• 40M customers' credit card info. leaked
• Many class actions (= a type of collective lawsuit)
• In Feb. 2015, the total cost of countermeasures is $191M.
• In March 2015, Target agreed in court to pay $10M in the data breach lawsuit, and Target compensates up to $10,000 for the damage of victims.

Cyber Insurance

Cyber Insurance in Japan
• Example : Tokio Marine PII Leakage Insurance 2015 Feb.
• Legal Compensation Cost + Incident Response Cost
• Legal Compensation Cost : Supports the cost related to legal issues
  • Coverage : 5M ~ 10B Yen
• Incident Response Cost : Supports the cost for incident response
  • Coverage : 1M ~ 1B Yen

INSURANCE

Physical Insurance [Long history, Matured]
• Car/Vehicle [against accidents / for repairing]
• Travel [against theft/robbery]
• Health [against sickness / for medical doctor]

Cyber Insurance
• For what?
• Related to the price of our personal information
  • Phone number
  • E-mail address
  • Birthday
  • Health condition, etc.

The Compensation in Real World
• In Japan, regulation of compensation for personal identifiable information leakage does not exist YET.
• Past examples and civil trials decide the compensation.
  • Not so long history yet
• Sugahara, Harada (2013): A study on the compensation by company/organization when privacy and personal information are compromised
  • Conducted questionnaire research
  • Basic personal information such as cell phone and purchase info. is cheap, and the majority is within 1,000 yen.

The Analysis of Compensation in Real World PART1

Our Research : 39 Cases Study (2002~2015)
• Average : 2,259 yen (The Average of JO Model : More than 40,000 Yen)
• According to our graphical analysis, the majority of compensations are 500 yen ~ 1,000 yen.

[Figure: chart with vertical axis 0 to 12,000 and horizontal axis 2001/04 to 2017/09]

In this graph, amounts of more than 10,000 yen are plotted as 10,000 yen.

The Analysis of Compensation in Real World PART1

If we see specific cases (High compensation ・ Civil Trial)…
• In civil trial cases, more than 5,000 yen is paid; only financial institutions and civil trial cases pay more than 10,000 yen.

High Comp.
Year  Company                    Actual Cost  JO model
2002  TBC                        35,000 Yen   66,000 Yen
2007  JAL Labor Union            10,000 Yen   606,000 Yen
2009  Mitsubishi UFJ Securities  10,000 Yen   180,000 Yen
2009  Alico Japan                10,000 Yen   26,000 Yen

Lawsuit
Year  Company            Actual Cost  JO model
1998  Uzi City           15,000 Yen   66,000 Yen
1998  Waseda University  5,000 Yen    606,000 Yen
2002  TBC                35,000 Yen   66,000 Yen
2004  Yahoo BB!          6,000 Yen    12,000 Yen
2007  JAL Labor Union    10,000 Yen   606,000 Yen

1. Introduction

Related Research (ROSI)

ROSI (Return On Security Investment)
• It evaluates cost-effective security
• Basic Concept : Security Investment < ALE = SLE × ALO
• ALE : Annual Loss Expectancy
• SLE : Single Loss Expectancy
• ALO : Annual Rate of Occurrence

ROSI is a very popular concept in security consultation, but it is hard to estimate each parameter (SLE & ALO).

Related Research

Security Financial Model
1. ROSI (Return On Security Investment)
2. JO Model ⇒ Explained later

• With the above models, security managers calculate the cost of a security incident and the compensation fee. They also choose the risk management strategy (risk acceptance, risk avoidance, risk reduction, risk transference).
• Cyber insurance has recently become popular, and it is a major method of risk transference. (Latham & Watkins point out that insurance is useful as a “last line of defense”.)
• Latham & Watkins (2014): Cyber insurance: A last line of defense when technology fails.

2. What is JO Model?

What is JO Model?
• JNSA Damage Operation Model for Individual Information Leak
• JNSA developed this model in 2003.
• It is a commonly used index in actual security consultation because of the convenience of this model.

About JNSA
• Japan Network Security Association
• JNSA promotes security support and security research to each organization, and they publish a lot of research papers.
• Also, JNSA holds the CTF SECurity CONtest (a famous CTF in Japan).

What is JO Model?

Evaluation Equation

Estimated Compensation Cost (each person)
= Value of Personal Info. Leaked
× Social Responsibility Degree
× Post Incident Response Appraisal

The Factors of JO Model

Factor 1 : Value of Personal Information Leaked

Estimated Compensation Cost (each person)
= Value of Personal Info. Leaked
× Social Responsibility Degree
× Post Incident Response Appraisal

Value of Personal Info. Leaked
= Value of Basic Info.
× Degree of Info. Sensitivity
× Degree of Ease in Identifying Individual

Value of Basic Info. : 500 Yen

Degree of Info. Sensitivity :

Degree of Ease in Identifying Individual
Name AND Address                    6
Name OR (Address + Phone Number)    3
Others                              1

The Factors of JO Model

Factor 2 : Social Responsibility Degree

Social Responsibility Degree
Higher than Normal    2
Normal                1

Public sector, leading companies, and the industries defined by “Basic Policies related to the Protection of Personal Information” are included in “Higher than Normal”.

The Factors of JO Model

Factor 3 : Post Incident Response Appraisal

Post Incident Response Appraisal
Inappropriate    2
Normal           1

It is judged based on qualitative reasons such as “response speed” and “the existence of the inquiry.”

Application of JO Model

Case Study : JINS Inc. (March 2013)
• Optician's shops
• Card information leakage happened by SQL injection
• Name + Card Number (PAN) + Security Code + Expiration
• The possibility of 12,036 records leaked → Actually 2,059 records
• JINS pays a 1,000 Yen gift card + the cost of reissuing payment cards
• Actual costs are approximately 18 million yen
• On top of that…
  • Investigation costs by PFI (PCI Forensic Investigator), the cost of satisfying PCI DSS standards, and the cost of customer support and inquiries accumulate.

Application of JO Model

Case Study : JINS Inc.

Estimated Compensation Cost (each person)
= Value of Personal Info. Leaked
× Social Responsibility Degree
× Post Incident Response Appraisal

Since card information is leaked, “Degree of Ease in Identifying the Individual” is defined as 3.

Application of JO Model

Case Study : JINS Inc. ⇒ 39,000 Yen

Estimated Compensation Cost (each person) = 39,000
= Value of Personal Info. Leaked : 39,000
× Social Responsibility Degree : 1
× Post Incident Response Appraisal : 1

3. The Compensation in Real World and Analysis

The Analysis of Compensation in Real World PART2

Gap Analysis between JO Model and Actual Compensation
• There is an enormous gap between JO model estimated costs and actual compensation.

[Figure: chart with vertical axis 0 to 50,000]

In this graph, amounts of more than 50,000 yen are plotted as 50,000 yen.
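Added example, not part of the original slides: the JO equation from the factor slides applied to the JINS case, and the JO-versus-actual gap computed for the rows of the "High Comp." and "Lawsuit" tables. Function names and dictionary keys are invented for this example, and the sensitivity degree 26 used for JINS is an assumption backed out from the slide's 39,000 yen result, because the slides do not show the sensitivity scoring table.

```python
from dataclasses import dataclass

BASIC_INFO_VALUE_YEN = 500  # "Value of Basic Info." on the Factor 1 slide

# Multipliers as listed on the factor slides; key names are invented here.
EASE_OF_IDENTIFICATION = {
    "name_and_address": 6,
    "name_or_address_plus_phone": 3,
    "others": 1,
}
SOCIAL_RESPONSIBILITY = {"higher_than_normal": 2, "normal": 1}
POST_INCIDENT_RESPONSE = {"inappropriate": 2, "normal": 1}


def _multiplier(ease, social, response):
    return (EASE_OF_IDENTIFICATION[ease] * SOCIAL_RESPONSIBILITY[social]
            * POST_INCIDENT_RESPONSE[response])


def jo_estimate(sensitivity, ease, social="normal", response="normal"):
    """Per-person JO estimate in yen. The slides do not show the scoring
    table for Degree of Info. Sensitivity, so it is passed in as a number."""
    if sensitivity <= 0:
        raise ValueError("sensitivity degree must be positive")
    return BASIC_INFO_VALUE_YEN * sensitivity * _multiplier(ease, social, response)


def implied_sensitivity(estimate_yen, ease, social="normal", response="normal"):
    """Back out the sensitivity degree from a published JO estimate."""
    return estimate_yen / (BASIC_INFO_VALUE_YEN * _multiplier(ease, social, response))


@dataclass(frozen=True)
class Case:
    year: int
    organisation: str
    actual_yen: int  # compensation actually paid per person
    jo_yen: int      # JO model estimate per person

    @property
    def gap_ratio(self):
        return self.jo_yen / self.actual_yen


# Rows from the "High Comp." and "Lawsuit" tables, repeated rows merged.
CASES = [
    Case(1998, "Uzi City", 15_000, 66_000),
    Case(1998, "Waseda University", 5_000, 606_000),
    Case(2002, "TBC", 35_000, 66_000),
    Case(2004, "Yahoo BB!", 6_000, 12_000),
    Case(2007, "JAL Labor Union", 10_000, 606_000),
    Case(2009, "Mitsubishi UFJ Securities", 10_000, 180_000),
    Case(2009, "Alico Japan", 10_000, 26_000),
]


def rank_by_gap(cases):
    """Cases ordered from the largest JO/actual ratio to the smallest."""
    return sorted(cases, key=lambda c: c.gap_ratio, reverse=True)


def total_exposure(per_person_yen, records):
    """Aggregate estimate when every leaked record is compensated."""
    return per_person_yen * records


if __name__ == "__main__":
    # JINS: ease = 3 per the slide; 26 is implied by 39,000 / (500 * 3).
    jins = jo_estimate(26, "name_or_address_plus_phone")
    print(f"JINS per person: {jins:,} yen; "
          f"for 2,059 records: {total_exposure(jins, 2_059):,} yen")
    for c in rank_by_gap(CASES):
        print(f"{c.year} {c.organisation:<26} actual {c.actual_yen:>7,} "
              f"JO {c.jo_yen:>8,}  x{c.gap_ratio:.1f}")
```

With the 2,059 leaked records from the JINS slide, the 39,000 yen per-person estimate totals 80,301,000 yen, against the approximately 18 million yen that slide reports as actual costs.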


4. Wrap-Up

This Research…
• Shows huge gaps between the JO model and actual compensation costs even though society has become sensitive to personal identifiable information leakage.
• Even now, the average compensation cost is 3,138 yen, and the majority is within 500 yen to 1,000 yen. Also, only financial institutions or the judgment of civil trials lead to more than 5,000 yen of compensation.

Cyber Assurance covers too little in real-world incidents
• Supports the cost for incident response
  • Coverage : 1M ~ 1B Yen
• Benesse did pay a 500 Yen gift card to all victims
  • Total cost for compensation is more than 20 billion yen.

Thank you for your attention, now Q&A

Actuary Math

Cyber Actuary Economics

“Personal Data in CyberSpace Gas/Oil in Internet world” by Makoto SHIROTA

A Study of Compensation in Personal Identifiable Information Leakage

Tomohisa Ishikawa (CISSP, CISA, CISM, QSA, CFE)

Kouichi Sakurai (Kyushu University)

1. Introduction

2. What is JO Model?

3. The Compensation in Real World and Analysis

4. Wrap-Up


1. Introduction

The Background of Research

The Motivation (Personal Interest)
• One of our interests is “the calculation model of compensation in personal identifiable information leakage” and modeling related to computer security. (It is a major issue in security consultation.)

The objectives
• The evaluation of the compensation calculation model
• This research evaluates the JO model, which has been used as a compensation calculation model in Japan since 2003.
• Even though society became sensitive in 2014, there is a gap between the JO model and actual compensation, and this research considers it.


Related Research (CyberTab)

Security Financial Model
1. ROSI (Return On Security Investment)
2. CyberTab
3. JO Model

CyberTab is…
• Developed by The Economist Intelligence Unit.
• A cost calculation model of incident response against a particular threat.
• Useful because it points out the costs of the legal and PR departments, which we usually tend to forget to consider.


4. Wrap-Up

Consideration of Personal Identifiable Information Leakage

2 Purposes of JO model
• Operational Model
• Normative Model

Proposal as a Normative Model
• Searchability : Information extraction with SNS ・ OSINT
• Cancelability : The ease of changing information (ex. birthday)
• Retrievability : The coverage of the information leaked


Q&A

Thank you for your time & attention. Feel free to contact us.