Copyright © 2015 Tomohisa Ishikawa All rights reserved. International Workshop on CyberSecurity...
International Workshop on CyberSecurity with UNSW, 2015 July 8th
How much is your phone number, living address or date of your birth?
Compensation for leaking personal identity information
Kouichi SAKURAI (CSC@KyushuUniv. & ISIT)
joint work with
Tomohisa ISHIKAWA
(External PhD student of Kyushu Univ.; CISSP, CISA, CISM, QSA, CFE)

Today's talk

Recent Incidents around Personal Information Leakage
• Japan Pension Service [JP. 2015/May, Advanced Persistent Threat]
• Benesse [JP. Education, 2014/July, a kind of Insider Threat]
• Target [US. Retail, 2014/Jan. POS/IoT Malware]

Cyber Risk Insurance
• 2012/Apr. from AIU/AIG-JP
• Still a small business as of 2015/Mar.
• 2015/Feb. from Tokio Marine & Nichido Fire Insurance Co., Ltd.

Compensation in Personal Identifiable Information Leakage
• JNSA Damage Operation (JO) Model for Individual Information Leak [JP. 2003]
• Application of the JO model and its limitation (gap from reality)

Information Breach in Japan Pension Service (2015 May)
• Typical targeted attack but catastrophic harm
  1. Targeted e-mail
  2. PCs in JPS are infected by malware
  3. Attackers gain the critical info. via the infected PCs
  4. The confidential info. is leaked: 450,000 people's info. [no password]

Example: Benesse (2014 July)
• A famous educational company.
• A staff member took out 35M clients' data to gain money.
• Benesse paid a 500 Yen gift card to all victims, and the total cost for compensation is more than 20 billion yen.
• Some of the victims have filed a "collective lawsuit" [集団訴訟].
• The participants in the collective lawsuit request 55,000 Yen per person as compensation. (5,000 Yen is the lawyers' fee.)

Example: Target (Retail), 2014 Jan.
• Information breach caused by POS malware
• 70M customers' personal info. leaked
• 40M customers' credit card info. leaked
• Many class actions (= a type of collective lawsuit)
• In Feb. 2015, the total cost of countermeasures is $191M.
• In March 2015, Target agreed in court to pay $10M in a data breach lawsuit, and Target compensates victims up to $10,000 for their damage.

Cyber Insurance in Japan
• Example: Tokio Marine PII Leakage Insurance (2015 Feb.)
• Legal Compensation Cost + Incident Response Cost
  • Legal Compensation Cost: supports the costs related to legal issues
    • Coverage: 5M ~ 10B Yen
  • Incident Response Cost: supports the costs of incident response
    • Coverage: 1M ~ 1B Yen

INSURANCE

Physical Insurance [Long history, Matured]
• Car/Vehicle [against accidents / for repairing]
• Travel [against theft/robbery]
• Health [against sickness / for medical doctor]

Cyber Insurance
• For what?
• Related to the price of our personal information
  • Phone number
  • E-mail address
  • Birthday
  • Health condition, etc.

The Compensation in Real World
• In Japan, regulation of compensation for personal identifiable information leakage does not exist YET.
• Past examples and civil trials decide the compensation.
  • Not so long a history yet
• Sugahara, Harada (2013), "A study on the compensation by company/organization when privacy and personal information are compromised"
  • Conducted questionnaire research
  • Basic personal information such as cell phone and purchase info. is cheap, and the majority is within 1,000 yen.

The Analysis of Compensation in Real World PART1
• Our Research: 39 Cases Study (2002~2015)
• Average: 2,259 yen (the average of the JO model: more than 40,000 Yen)
• According to our graphical analysis, the majority of compensations are 500 yen ~ 1,000 yen.
[Figure: compensation amounts in yen (axis 0 to 12,000) plotted by date (axis 2001/04 to 2017/09)]
In this graph, more than 10,000 yen are plotted as 10,000 yen.

The Analysis of Compensation in Real World PART1
• If we look at specific cases (high compensation, civil trial)…
• In civil trial cases, more than 5,000 yen is paid; only financial institutions and civil trial cases pay more than 10,000 yen.

High Comp.
Year  Company                    Actual Cost  JO model
2002  TBC                        35,000 Yen   66,000 Yen
2007  JAL Labor Union            10,000 Yen   606,000 Yen
2009  Mitsubishi UFJ Securities  10,000 Yen   180,000 Yen
2009  Alico Japan                10,000 Yen   26,000 Yen

Lawsuit
Year  Company                    Actual Cost  JO model
1998  Uzi City                   15,000 Yen   66,000 Yen
1998  Waseda University          5,000 Yen    606,000 Yen
2002  TBC                        35,000 Yen   66,000 Yen
2004  Yahoo BB!                  6,000 Yen    12,000 Yen
2007  JAL Labor Union            10,000 Yen   606,000 Yen

Related Research (ROSI)
ROSI (Return On Security Investment)
• It evaluates cost-effective security
• Basic Concept: Security Investment < ALE = SLE × ALO
  • ALE: Annual Loss Expectancy
  • SLE: Single Loss Expectancy
  • ALO: Annual Rate of Occurrence
ROSI is a very popular concept in security consultation, but it is hard to estimate each parameter (SLE & ALO).

Related Research
Security Financial Model
1. ROSI (Return On Security Investment)
2. JO Model ⇒ Explained later
• With the above models, security managers calculate the cost of security incidents and compensation fees. They also choose the risk management strategy (risk acceptance, risk avoidance, risk reduction, risk transference).
• Cyber insurance has recently become popular, and it is a major method of risk transference. (Latham & Watkins point out that insurance is useful as a "last line of defense".)
  • Latham & Watkins (2014), "Cyber insurance: A last line of defense when technology fails."

What is JO Model?
• JNSA Damage Operation Model for Individual Information Leak
• JNSA developed this model in 2003.
• It is a commonly used index in actual security consultation because of the convenience of this model.

About JNSA
• Japan Network Security Association
• JNSA promotes security support and security research to each organization, and publishes a lot of research papers.
• Also, JNSA holds the CTF SECurity CONtest (a famous CTF in Japan).

Evaluation Equation
Estimated Compensation Cost (each person)
= Value of Personal Info. Leaked
× Social Responsibility Degree
× Post Incident Response Appraisal

The Factors of JO Model
Factor 1: Value of Personal Information Leaked

Estimated Compensation Cost (each person)
= Value of Personal Info. Leaked
× Social Responsibility Degree
× Post Incident Response Appraisal

Value of Personal Info. Leaked
= Value of Basic Info.
× Degree of Info. Sensitivity
× Degree of Ease in Identifying Individual

Value of Basic Info. : 500 Yen
Degree of Info. Sensitivity :

Degree of Ease in Identifying Individual
Name AND Address                  6
Name OR (Address + Phone Number)  3
Others                            1

Factor 2: Social Responsibility Degree

Estimated Compensation Cost (each person)
= Value of Personal Info. Leaked
× Social Responsibility Degree
× Post Incident Response Appraisal

Social Responsibility Degree
Higher than Normal  2
Normal              1
Public sector, leading companies, and the industries defined by “Basic Policies related to the Protection of Personal Information” are included.

Factor 3: Post Incident Response Appraisal

Estimated Compensation Cost (each person)
= Value of Personal Info. Leaked
× Social Responsibility Degree
× Post Incident Response Appraisal

Post Incident Response Appraisal
Inappropriate  2
Normal         1
It is judged based on qualitative reasons such as “response speed” and “the existence of the inquiry.”

Application of JO Model
Case Study: JINS Inc. (March 2013)
• Optician's shops
• Card information leakage caused by SQL injection
  • Name + Card Number (PAN) + Security Code + Expiration
  • Possibly 12,036 records leaked → actually 2,059 records
  • JINS pays a 1,000 Yen gift card + the cost of reissuing payment cards
  • Actual costs are approximately 18 million yen
• On top of that…
  • Investigation costs by the PFI (PCI Forensic Investigator), the cost of satisfying PCI DSS standards, and the cost of customer support and inquiries accumulate.

Case Study: JINS Inc.
Estimated Compensation Cost (each person)
= Value of Personal Info. Leaked
× Social Responsibility Degree
× Post Incident Response Appraisal
Since card information is leaked, “Degree of Ease in Identifying the Individual” is defined as 3.

39,000=
Case Study: JINS Inc. ⇒ 39,000 Yen
Estimated Compensation Cost (each person)
= Value of Personal Info. Leaked: 39,000
× Social Responsibility Degree: 1
× Post Incident Response Appraisal: 1
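
The JO model arithmetic for the JINS case and for the rows of the two comparison tables, as an added Python example (not the authors' or JNSA's code). The slides do not show the "Degree of Info. Sensitivity" table, so sensitivity is an input here and the JINS value is backed out of the stated 39,000 yen; function names and the field keys "name", "address", "phone" are chosen for this example.

```python
# Added example: JO model arithmetic using only figures quoted on the slides.
BASIC_INFO_VALUE_YEN = 500  # slide: "Value of Basic Info. : 500 Yen"


def ease_of_identification(leaked_fields):
    """Slide table "Degree of Ease in Identifying Individual": 6, 3 or 1.

    The keys "name", "address" and "phone" are labels chosen for this example.
    """
    fields = {f.strip().lower() for f in leaked_fields}
    if {"name", "address"} <= fields:
        return 6  # Name AND Address
    if "name" in fields or {"address", "phone"} <= fields:
        return 3  # Name OR (Address + Phone Number)
    return 1  # Others


def jo_estimate(sensitivity, leaked_fields, social_responsibility=1,
                response_appraisal=1):
    """Estimated compensation per person in yen (the evaluation equation)."""
    if sensitivity <= 0:
        raise ValueError("sensitivity must be positive")
    for label, level in (("social_responsibility", social_responsibility),
                         ("response_appraisal", response_appraisal)):
        if level not in (1, 2):  # both factor tables list only 1 and 2
            raise ValueError(f"{label} must be 1 or 2, got {level!r}")
    value_of_info = (BASIC_INFO_VALUE_YEN * sensitivity
                     * ease_of_identification(leaked_fields))
    return value_of_info * social_responsibility * response_appraisal


def implied_sensitivity(value_of_info_yen, leaked_fields):
    """Back out "Degree of Info. Sensitivity" from a stated value of info."""
    return value_of_info_yen / (BASIC_INFO_VALUE_YEN
                                * ease_of_identification(leaked_fields))


# JINS case study figures from the slides.
JINS_FIELDS = ["name", "card number", "security code", "expiration"]
JINS_VALUE_OF_INFO_YEN = 39_000
JINS_RECORDS = 2_059
JINS_GIFT_CARD_YEN = 1_000

# (year, company, actual yen, JO model yen): rows of the two slide tables,
# each company listed once.
CASES = [
    (2002, "TBC", 35_000, 66_000),
    (2007, "JAL Labor Union", 10_000, 606_000),
    (2009, "Mitsubishi UFJ Securities", 10_000, 180_000),
    (2009, "Alico Japan", 10_000, 26_000),
    (1998, "Uzi City", 15_000, 66_000),
    (1998, "Waseda University", 5_000, 606_000),
    (2004, "Yahoo BB!", 6_000, 12_000),
]


def gap_ranking(cases):
    """(company, JO / actual) pairs, largest overestimate first."""
    ranked = sorted(cases, key=lambda row: row[3] / row[2], reverse=True)
    return [(name, round(jo / actual, 1)) for _, name, actual, jo in ranked]


def jins_summary():
    """Per-person estimate, total over leaked records, ratio to the gift card."""
    sensitivity = implied_sensitivity(JINS_VALUE_OF_INFO_YEN, JINS_FIELDS)
    per_person = jo_estimate(sensitivity, JINS_FIELDS)
    return {"sensitivity": sensitivity,
            "per_person_yen": per_person,
            "total_yen": per_person * JINS_RECORDS,
            "ratio_to_gift_card": per_person / JINS_GIFT_CARD_YEN}


if __name__ == "__main__":
    print(jins_summary())
    for company, ratio in gap_ranking(CASES):
        print(f"{company:26s} JO model is {ratio:>6.1f}x the actual payment")
```
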

The Analysis of Compensation in Real World PART2
Gap Analysis between JO Model and Actual Compensation
• There is an enormous gap between the JO model's estimated costs and actual compensation.
[Figure: gap analysis chart; axis 0 to 50,000 yen]
But, more than 50,000 yen are plotted as 50,000 yen.

Wrap-Up
This Research…
• Shows huge gaps between the JO model and actual compensation costs even though society has become sensitive to personal identifiable information leakage.
• Even now, the average compensation cost is 3,138 yen, and the majority is within 500 yen to 1,000 yen. Also, only financial institutions or the judgment of civil trials lead to more than 5,000 yen compensation.

Cyber Assurance covers too little in real-world incidents
• Supports the cost of incident response
  • Coverage: 1M ~ 1B Yen
• Benesse did pay a 500 Yen gift card to all victims
  • The total cost for compensation is more than 20 billion yen.

Thank you for your attention, now Q&A

Actuary Math
Cyber Actuary Economics
“Personal Data in CyberSpace
Gas/Oil in Internet world”
by Makoto SHIROTA
A Study of Compensation in Personal Identifiable Information Leakage
Tomohisa Ishikawa ( CISSP, CISA, CISM, QSA, CFE )
Kouichi Sakurai ( Kyushu University )
1. Introduction
2. What is JO Model?
3. The Compensation in Real World and Analysis
4. Wrap-Up

The Background of Research

The Motivation (Personal Interest)
• One of our interests is “the calculation model of compensation in personal identifiable information leakage” and modeling related to computer security. (It is a major issue in security consultation.)

The Objectives
• The evaluation of the compensation calculation model
  • This research evaluates the JO model, which has been used as a compensation calculation model in Japan since 2003.
  • Even though society became sensitive in 2014, there is a gap between the JO model and actual compensation, and this research considers that gap.

Related Research (CyberTab)
Security Financial Model
1. ROSI (Return On Security Investment)
2. CyberTab
3. JO Model

CyberTab is…
• Developed by The Economist Intelligence Unit.
• A cost calculation model of incident response against a particular threat.
• Useful because it points out the costs of the legal and PR departments, which we usually tend to forget to consider.

Consideration of Personal Identifiable Information Leakage
2 Purposes of the JO model
• Operational Model
• Normative Model

Proposal as a Normative Model
• Searchability: information extraction with SNS / OSINT
• Cancelability: the ease of changing information (ex. birthday)
• Retrievability: the coverage of the information leaked

Wrap-Up
In this Research…
• This research verifies huge gaps between the JO model and actual compensation costs even though society has become sensitive to personal identifiable information leakage.
• Even now, the average compensation cost is 3,138 yen, and the majority is within 500 yen to 1,000 yen. Also, only financial institutions or the judgment of civil trials lead to more than 5,000 yen compensation.