
Data Security Metrics: a Value Based Approach


Description

In this security management workshop, we introduce finance and business unit managers to a value-based approach for reducing security costs and minimizing Value at Risk.


Page 1

Licensed under the Creative Commons Attribution License

Danny Lieberman

[email protected] www.controlpolicy.com

Data security metrics and a value based approach

Page 2

Why?

“I don't need data security, we outsource our IT to one of the big banks”

“It's never happened to us before”

“You can't estimate asset value”

“We encourage risk taking”

“I don't take risks”

True quotes from real people

Page 3

Agenda

• Introduction and welcome

• What is data security?

• Anything can be measured

• Why metrics?

• Why quantify risk?

• Measurement methods

• Continuous improvement

• Questions and answers

Page 4

Introduction

• Our mission today
  – Tools to help make your work easier
  – Share ideas

Page 5

What the heck is data security?

• Security
  – Ensure we can survive and add value
  – Physical, information, systems, people

• Data security
  – Protect data directly in all realms

Page 6

Anything can be measured

All exact science is based on approximation.

If a man tells you he knows a thing exactly, then you can be safe in inferring that you are speaking to an inexact man.

Bertrand Russell

Page 7

Data security metrics

• Dimensions
  – organization, channel and content

• Typical metrics
  – % of employees that signed the AUP
  – % Webmail traffic / all mail traffic
  – % Office files sent by Webmail / employees
  – No. of revenue transactions
  – Cost of security for operational/revenue systems
  – Cost of security for customer service systems
  – Cost of security for FnA systems
  – Value of assets in Euro
  – Total value at risk of assets

Page 8

Why do we need metrics?

• Recognize this? The easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) ignores the hard stuff: quantifying and prioritizing your actions based on the financial value of assets and measurement of threat impact.

Ignorance is never better than knowledge

Enrico Fermi

Page 9

Why bother quantifying risk?

• Why not qualitative metrics?

When was the last time a customer paid a “qualitative price”?

Page 10

Quantitative risk model (*)

• Metrics: asset value, threat damage to asset, threat probability

Value at Risk = Threat Damage to Asset × Asset Value × Threat Probability

(*) PTA - Practical Threat Analysis risk model

Page 11

Quantitative risk model benefits

• Run security like you run your business
  – Quantify and prioritize actions in Euro/USD
  – Justify data security investments

• Measure improvement
  – Reduced risk
  – Lower costs
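The formula on the previous slide, carried through for a whole asset and threat list, as an added example that is not part of the workshop material: each threat's Value at Risk is damage × asset value × probability, threats are ranked by that figure to give the prioritized action list, and a countermeasure is judged by how much VaR it removes against its yearly cost, which is the "measure improvement" and "justify investments" step of this slide. The company, asset values, threat figures and the countermeasure are constructed sample data; modelling damage as the fraction of asset value lost and probability as a per-year chance is an assumption of the example, not a statement of how the PTA tool defines them.

```python
"""Quantitative risk model from the workshop slide:

    Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability

All asset values, threat figures and countermeasure figures below are
constructed sample numbers (hypothetical), not data from the workshop.
Damage is modelled as the fraction of the asset value lost when the threat
occurs and probability as the chance of the threat occurring in one year
(both are assumptions of this example)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # asset value in Euro


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str            # name of the asset this threat damages
    damage: float         # fraction of asset value lost if the threat occurs (0..1)
    probability: float    # probability of occurrence per year (0..1)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str           # name of the threat it mitigates
    cost: float           # yearly cost in Euro
    mitigation: float     # fraction by which it cuts the threat probability (0..1)


def value_at_risk(threat, assets):
    """VaR of one threat, exactly as on the slide: damage x asset value x probability."""
    for label, f in (("damage", threat.damage), ("probability", threat.probability)):
        if not 0.0 <= f <= 1.0:
            raise ValueError(f"{threat.name}: {label} must be a fraction in 0..1, got {f}")
    return threat.damage * assets[threat.asset].value * threat.probability


def total_value_at_risk(threats, assets):
    """Sum of VaR over all threats: the single Euro figure to report to the CFO."""
    return sum(value_at_risk(t, assets) for t in threats)


def rank_threats(threats, assets):
    """Threats ordered by VaR, largest first: the prioritized action list."""
    return sorted(threats, key=lambda t: value_at_risk(t, assets), reverse=True)


def apply_countermeasure(threat, cm):
    """Return the threat with its probability reduced by the countermeasure's mitigation."""
    return replace(threat, probability=threat.probability * (1.0 - cm.mitigation))


def evaluate_countermeasure(threats, assets, cm):
    """Risk reduction (VaR removed per year) and net benefit after the countermeasure's cost.

    A negative net benefit means the control costs more than the risk it removes."""
    before = total_value_at_risk(threats, assets)
    mitigated = [apply_countermeasure(t, cm) if t.name == cm.threat else t for t in threats]
    after = total_value_at_risk(mitigated, assets)
    reduction = before - after
    return reduction, reduction - cm.cost


# Constructed sample data (hypothetical company, figures in Euro).
ASSETS = {a.name: a for a in (
    Asset("customer database", 2_000_000),
    Asset("order processing system", 5_000_000),
    Asset("finance ledger", 1_000_000),
)}
THREATS = [
    Threat("customer data leaked via webmail", "customer database", damage=0.5, probability=0.2),
    Threat("order system outage", "order processing system", damage=0.1, probability=0.3),
    Threat("ledger tampered by insider", "finance ledger", damage=0.8, probability=0.05),
]
WEBMAIL_CONTROL = Countermeasure("block office files over webmail",
                                 "customer data leaked via webmail",
                                 cost=30_000, mitigation=0.75)

if __name__ == "__main__":
    for t in rank_threats(THREATS, ASSETS):
        print(f"{value_at_risk(t, ASSETS):>12,.0f} EUR  {t.name}")
    print(f"{total_value_at_risk(THREATS, ASSETS):>12,.0f} EUR  total value at risk")
    reduction, net = evaluate_countermeasure(THREATS, ASSETS, WEBMAIL_CONTROL)
    print(f"{WEBMAIL_CONTROL.name}: removes {reduction:,.0f} EUR of risk per year, "
          f"net benefit {net:,.0f} EUR after a {WEBMAIL_CONTROL.cost:,.0f} EUR yearly cost")
```

With the sample figures the webmail leak carries the largest VaR (200,000 EUR of a 390,000 EUR total), so it lands at the top of the action list, and the control that cuts its probability by three quarters removes 150,000 EUR of risk for 30,000 EUR, which is the kind of Euro-denominated justification the slide asks for. Re-running the same calculation after a quarter with updated probabilities and costs is the "measure improvement" loop.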

Page 12

Measurement methods

• Hand sampling
  – Small samples of employees, routers...

• The “Rule of 5”

• Expert estimates
  – The CFO
  – Pros at asset valuation

• Test equipment
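Hand sampling and the "Rule of 5" together, as an added example that is not part of the workshop material. It assumes the slide means Douglas Hubbard's rule from the measurement literature the "anything can be measured" slide draws on: the median of a population lies between the smallest and largest of just five randomly chosen members with probability 93.75%, because the sample misses the median only when all five draws fall on the same side of it. The code derives that figure, checks it by simulation against a constructed population (minutes of webmail use per employee per day for a hypothetical 1,000-person company, not data from the workshop), and shows the range a single five-employee hand sample would give a manager.

```python
"""Hubbard's "Rule of 5" (assumed here to be the rule the slide refers to):
the population median lies between the min and max of five random members
with probability 93.75%. The employee population below is constructed
sample data, not figures from the workshop."""
import random
import statistics


def rule_of_five_probability(n=5):
    """Chance that n random draws bracket the population median.

    The sample misses the median only if all n draws fall below it or all n
    fall above it; each case has probability (1/2)^n, so
    P(bracket) = 1 - 2 * (1/2)^n, which is 0.9375 for n = 5."""
    return 1.0 - 2.0 * (0.5 ** n)


def sample_brackets_median(population, median, n, rng):
    """Draw n members without replacement and check min <= median <= max."""
    sample = rng.sample(population, n)
    return min(sample) <= median <= max(sample)


def simulate_rule_of_five(population, n=5, trials=20_000, seed=7):
    """Fraction of trials in which a hand sample of n members brackets the median.

    Sampling without replacement from a finite population gives a figure very
    close to, but not exactly, the 0.9375 of the infinite-population derivation."""
    rng = random.Random(seed)
    median = statistics.median(population)
    hits = sum(sample_brackets_median(population, median, n, rng) for _ in range(trials))
    return hits / trials


def make_population(size=1000, seed=1):
    """Constructed example: minutes of webmail use per employee per day, drawn
    log-normal so the distribution is skewed and the median is the figure that
    matters (a few heavy users would dominate the mean)."""
    rng = random.Random(seed)
    return [rng.lognormvariate(3.0, 0.8) for _ in range(size)]


def estimate_median_range(population, n=5, seed=3):
    """One actual hand sample: the (low, high) bounds a manager would quote
    for the median after asking five randomly chosen employees."""
    rng = random.Random(seed)
    sample = rng.sample(population, n)
    return min(sample), max(sample)


if __name__ == "__main__":
    pop = make_population()
    lo, hi = estimate_median_range(pop)
    print(f"true median of the constructed population: {statistics.median(pop):.1f} min/day")
    print(f"five-employee hand sample brackets it as {lo:.1f} .. {hi:.1f} min/day")
    print(f"theory: {rule_of_five_probability():.4f}; simulated: {simulate_rule_of_five(pop):.4f}")
```

The point for the metrics on slide 7 is that a number such as "% of employees that signed the AUP" or median webmail use does not need a census: five well-chosen samples already give a bound with known confidence, and the confidence can be stated to the CFO in the same breath as the number.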

Page 13

[Diagram (image not preserved): test equipment architecture. Components shown: Data Warehouse, Document Server, Session, Detection point (Decoders, Policies, Interception, Countermeasures), Management (Provisioning, Events, Reporting, Policies, Forensics). Sample intercepted message fragment: Received: from [172.16.1.35] (-80-230-224-; Message ID: <437C5FDE.9080>; body “Send me more files today.”]

Test equipment

Page 14

Continuous improvement

Page 15

Coming attractions

• Sep 10: Selecting data security technology

• Sep 17: Selling data security technology

• Sep 24: Write a 2 page procedure

• Oct 1: Home(land) security

• Oct 8: SME data security

http://www.controlpolicy.com/workshops

Page 16

Learn more

• Presentation materials and resources

http://www.controlpolicy.com/data-security-workshops