Is Security Worth It?
Alex Lauerman
Who is Alex?
• FishNet Security
• Veracode
• TrustFoundry
• SecKC
Why am I talking?
• Don’t like security being a checkbox
• I want security to be driven by its value
• Want to do better at the stock market
• Goal is to help understand cost of insecurity
What will I talk about?
• Cost Factors of a Data Breach
• Previous Research
• My Research
• Analysis of impact of data breach
What is a data breach?
• Accidental or intentional loss of:
  • Personally Identifiable Information
  • Financial Information
  • Confidential Company Information
  • Intellectual Property
  • Health Information
What are the cost factors?
• Incident Response
• Communications
• Compensation
• Legal defense
• Regulatory Fines
• Indirect
• Loss of productivity
• Loss of customers
• Lost competitive edge
Ways to measure cost of breach
• Fixed
• Per Record (Variable)
• Add factors individually
• Estimate based on previous breach costs
Sources of Breaches
• datalossdb.org
• databreaches.net
• www.privacyrights.org
• www.idtheftcenter.org
DataLossDB
Information is Beautiful
Previous Research
• Ponemon
• Gold standard in data breach costs
• Brush Creek Partners – Cyber Liability Insurance
• Academic Sources
• Risk Centric Security (YouTube “Deconstructing Data Breach Cost”)
Previous Research – Ponemon
• Average cost of data breach $188/record (2013)
• Average cost of data breach $201/record (2014)
• Average number of records breached in US: 28,765 (2013)
• “The results show that a probability of a material data breach involving a minimum of 10,000 records is more than 22 percent.”
• “India and Brazil have the highest estimated probability of occurrence at 30 percent, while Germany has an approximate 2 percent rate of occurrence.”
Previous Research – Ponemon
• Total Average cost per US breach: $5,403,644 (2013) $5.85 (2014)
Previous Research – Ponemon
• Cost of data breach by size (2013)
Previous Research – Ponemon
• Cost of data breach by size (2014)
Previous Research – Ponemon
• Breakdown by industry
Previous Research – Ponemon
• Customer churn
Previous Research – Ponemon
• Cost of data breach per record – Causation or correlation?
• Adobe example
• Target example
Research – Brush Creek Partners
• Leverage Ponemon research
• Insurance cost is based on revenue and line of business
  • Retail - Inexpensive
  • Healthcare & Financial - Expensive (fines)
• Encourage or require good security
• <10% of companies have cyber liability insurance
Previous Research – Risk Centric Security
• Lots of charts
• Direct Costs
• DSW Shoes – ~$4.64 – 6.79 per record
• TJX – $1.90 – $2.12 per record
• Heartland Payment Systems – $0.90 per record
• Sony – $1.17 per record
• Global Payments - $15.71 - $80 per record
• South Carolina DoR - $3 - $5 per record
Previous Research – Stock Prices
• Gatzlaff
• -.84% 1 day after a breach
• Tomáš Klíma
• Data breaches impact stock prices
• Hovav
• Financial revenue most impact
• Vandal attacks have lower impact
• DoS almost no effect
• Cavusoglu
• 2.1% decrease in value in two days following the breach
• Morse
• Abnormal negative stock price returns
• SecurityNinja
Delayed Impact - Target
• Breach rumors Dec 18
• Announcement Dec 19th
Efficient Market Hypothesis
• Stock prices reflect the information available
• We can use this to determine the effect of data breaches
• “maybe the market isn’t quite as efficient as you think” – Charlie Munger in response to Efficient Market Hypothesis
Quantitative Trading
• Trading strategies based on quantitative analysis which rely on mathematical computations and number crunching to identify trading opportunities. -- Investopedia
Quantitative Trading
Quantitative Trading Example
• Security that holds gold (GLD ETF)
• Track gold miners (GDX ETF)
Quantopian
Quantopian Example
Breach Trading Algorithm
• Tracks stock prices in relation to the date of their security breaches
Be warned
30-Day After Breach Transactions

| DATE | SECURITY | TRANSACTION | # SHARES | PRICE | $ AMOUNT | CHANGE |
|---|---|---|---|---|---|---|
| 2007-01-16 | TJX | BUY | 6688 | $14.84 | $99,216.48 | -3.7% |
| 2007-02-19 | TJX | SELL | -6688 | $14.29 | ($95,538.08) | |
| 2009-01-19 | HPY | BUY | 6464 | $14.22 | $91,918.08 | -45.1% |
| 2009-02-19 | HPY | SELL | -6464 | $7.80 | ($50,419.20) | |
| 2011-03-16 | EMC | BUY | 3952 | $25.59 | $101,131.68 | 4.3% |
| 2011-04-18 | EMC | SELL | -3952 | $26.68 | ($105,439.36) | |
| 2011-04-25 | SNE | BUY | 3324 | $29.80 | $99,055.20 | -10.0% |
| 2011-05-26 | SNE | SELL | -3324 | $26.83 | ($89,182.92) | |
| 2011-08-29 | VDSI | BUY | 13458 | $7.03 | $94,609.74 | -27.9% |
| 2011-09-29 | VDSI | SELL | -13458 | $5.07 | ($68,218.60) | |
| 2013-10-02 | ADBE | BUY | 1940 | $50.91 | $98,765.40 | 7.5% |
| 2013-11-04 | ADBE | SELL | -1940 | $54.75 | ($106,215.00) | |
| 2013-12-18 | TGT | BUY | 1573 | $62.17 | $97,793.41 | -5.2% |
| 2014-01-21 | TGT | SELL | -1573 | $58.96 | ($92,744.08) | |
30-Day Transactions List (SPY Indexed)

| DATE | SECURITY | TRANSACTION | # SHARES | PRICE | $ AMOUNT |
|---|---|---|---|---|---|
| 2007-01-16 | TJX | BUY | 6688 | $14.84 | $99,216.48 |
| 2007-01-16 | SPY | SELL | -699 | $142.97 | ($99,936.03) |
| 2007-02-19 | TJX | SELL | -6688 | $14.29 | ($95,538.08) |
| 2007-02-19 | SPY | BUY | 699 | $146.13 | $102,144.87 |
| 2009-01-19 | SPY | SELL | -1176 | $80.59 | ($94,773.84) |
| 2009-01-19 | HPY | BUY | 6464 | $14.22 | $91,918.08 |
| 2009-02-19 | SPY | BUY | 1176 | $77.44 | $91,069.44 |
| 2009-02-19 | HPY | SELL | -6464 | $7.80 | ($50,419.20) |
| 2011-03-16 | EMC | BUY | 3952 | $25.59 | $101,131.68 |
| 2011-03-16 | SPY | SELL | -792 | $127.77 | ($101,193.84) |
| 2011-04-18 | EMC | SELL | -3952 | $26.68 | ($105,439.36) |
| 2011-04-18 | SPY | BUY | 792 | $131.32 | $104,005.44 |
30-Day Algorithm (SPY Indexed)
30-Days After Breach – Stock Price

| SECURITY | CHANGE | S&P 500 | BENCHMARKED RETURN |
|---|---|---|---|
| Adobe | 7.5% | 5.1% | 2.4% |
| EMC | 4.3% | 2.7% | 1.6% |
| Heartland Payment Systems | -45.1% | -4.1% | -41.1% |
| Lockheed Martin | 2.7% | -3.0% | 5.7% |
| Sony | -10.0% | -1.0% | -9.0% |
| Target | -5.2% | 1.5% | -6.7% |
| TJX | -3.7% | 2.1% | -5.8% |
| Vasco Data Security | -27.9% | -7.0% | -20.9% |
| Average | -9.67% | | -9.22% |
| Median | -4.44% | | -6.26% |
30-Days After Breach – Cost to Company

| SECURITY | BENCHMARK | MARKET CAP (B) | ADJUSTED COST (B) |
|---|---|---|---|
| Adobe | 2.4% | 29.6 | 0.716 |
| EMC | 1.6% | 52.08 | 0.821 |
| Heartland Payment Systems | -41.1% | 1.45 | -0.596 |
| Lockheed Martin | 5.7% | 52.74 | 3.019 |
| Sony | -9.0% | 18.14 | -1.630 |
| Target | -6.7% | 37.44 | -2.503 |
| TJX | -5.8% | 41.03 | -2.393 |
| Vasco Data Security | -20.9% | 0.45 | -0.094 |
| Average | -9.22% | 29.12 | -0.332 |
| Median | -6.26% | 33.52 | -0.344 |
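
The benchmarking step behind the two tables above, as an added example (not code from the talk or from Quantopian): each breach's 30-day stock return is reduced by the SPY return over the same window, then scaled by market cap. Prices and market caps are taken from the slides; the function names are hypothetical, and the raw returns match the CHANGE column while the benchmarked figures land within about 0.2 percentage points of the slides' values.

```python
from statistics import mean, median

# Constructed from the slides: entry/exit prices from the SPY-indexed
# transaction list, market cap (in $B) from the "Cost to Company" table.
# Only the three breaches whose SPY legs appear in that list are included.
# (ticker, stock_in, stock_out, spy_in, spy_out, market_cap_b)
EVENTS = [
    ("TJX", 14.84, 14.29, 142.97, 146.13, 41.03),
    ("HPY", 14.22, 7.80, 80.59, 77.44, 1.45),
    ("EMC", 25.59, 26.68, 127.77, 131.32, 52.08),
]


def pct_change(start, end):
    """Percentage change between two prices."""
    return (end - start) / start * 100.0


def analyse(events):
    """Per-breach raw return, index-adjusted return and implied market-cap change."""
    rows = []
    for ticker, s_in, s_out, spy_in, spy_out, cap_b in events:
        raw = pct_change(s_in, s_out)
        index = pct_change(spy_in, spy_out)
        benchmarked = raw - index  # long the stock, short SPY over the same window
        rows.append({
            "ticker": ticker,
            "raw": raw,
            "index": index,
            "benchmarked": benchmarked,
            "cap_change_b": benchmarked / 100.0 * cap_b,
        })
    return rows


def summarise(rows):
    """Mean and median benchmarked return; the median damps outliers such as HPY."""
    values = [r["benchmarked"] for r in rows]
    return {"mean": mean(values), "median": median(values)}


if __name__ == "__main__":
    results = analyse(EVENTS)
    for r in results:
        print(f"{r['ticker']}: raw {r['raw']:+.1f}%  SPY {r['index']:+.1f}%  "
              f"benchmarked {r['benchmarked']:+.1f}%  cap change {r['cap_change_b']:+.3f}B")
    print(summarise(results))
```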
Results – Market Capitalization

| | 1 Day | 30 Days | 90 Days | 180 Days | 365 Days |
|---|---|---|---|---|---|
| Algorithm | -44.4% | -70.1% | -44.0% | -62.1% | -58.3% |
| Average per stock | -5.5% | -8.76% | -5.5% | -7.76% | -7.28% |
How to trade with this info
• Short sell a company immediately following a breach
• A data breach may be worth more to people who invest with that information
Tro LLC
How to make business decisions with this
• Need to understand factors
• If your company is publicly traded, factors should roughly add up to stock price
• Use this algorithm to generate data for companies similar to yours
How to make business decisions with this
• Threat model your organization
  • What could go wrong?
• Examine data and estimate impact
Questions
• Slides: trustfoundry.net
• @alexlauerman
• 913.271.7789