Comments on TaoSecurity Blog: Forget Pre-Incident Cost, How Much Did Your Last Incident Cost?
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)
Comment feed (13 comments), last updated 2023-10-16; comments are listed below in chronological order.

The Ubiquitous Mr. Lovegroove (https://www.blogger.com/profile/16715623535008048201), 2010-05-25 03:57 -04:00:

And what about those enterprises that are yet to experience a noteworthy incident?

itinsecurity (https://www.blogger.com/profile/10129725210078939594), 2010-05-25 04:24 -04:00:

Well, sounds like a great idea. However, what makes you think it's easier to estimate actual loss than to predict it?

In particular I am thinking about the last three items on your list: value of data, value of brand, and whatever else you can imagine.

While it conceptually makes more sense, I don't quite see how it is going to be easier or better, given the "intangible unknowns" of the equation.

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2010-05-25 06:31 -04:00:

itinsecurity, that's basically my point. If you can't figure out a way to estimate post-incident cost, you need another way to measure incidents altogether.

Martin (https://www.blogger.com/profile/03975313410819886706), 2010-05-25 09:43 -04:00:

My org has had a fair amount of success justifying security by adding another point which is very straightforward to measure: the amount of employee time lost while the asset is remediated. In other words, treat all incidents as having a DoS component for the asset involved. Even re-imaging machines takes an hour or two to get the employee back to work. Multiply that times the billable consultant rate for your employees, and you have something concrete to start with.

Martin (https://www.blogger.com/profile/03975313410819886706), 2010-05-25 09:47 -04:00:

@Lovegroove Your org either has extremely draconian web policies, is extremely small, or you're just like Google, Adobe, etc. who didn't realize they'd been hacked for years. I suppose it's also possible that your definition of "note-worthy" is very different than most.

gunnar (http://1raindrop.typepad.com), 2010-05-25 10:37 -04:00:

Your list is a good start; the first three are internal metrics, which are good. The fourth, "brand, reputation, ...", is external and harder to measure; however, it's worth pursuing. Some other external metrics that are worth gathering: how many customers did you lose (which in some cases is hard to tell), and how much $ loss did your customers suffer (which in some cases you can get a very good idea of).

Anonymous (Patrick Florer), 2010-05-25 11:44 -04:00:

Richard,

Having done a fair bit of research into some of the bigger breaches - TJX and Heartland, for example - one of the things that becomes clear is that the cost of a breach unfolds over a period of years.

If you look at the SEC 10-K filings from TJX for 2007, 2008, and 2009, you will see that while actual costs are recorded as such, there is also a reserve created that goes up and down in value as things are settled, estimates of future liability are resolved, etc.

The same seems to be true of Heartland.

I am not sure what the statute of limitations is with regard to a data breach - maybe a lawyer could respond, if one is following this discussion.

Patrick Florer
Dallas, Texas

Anonymous (Patrick Florer), 2010-05-25 14:22 -04:00:

All -

Something I forgot to mention -

For some breaches, fines and legal settlements can be significant, especially when PCI contracts apply -

It was just announced in the press that Heartland and MasterCard had reached a tentative settlement for $41M over that breach.

With regard to brand, reputation, competitive advantage, stock price - I would forget about trying to quantify these things - it's too difficult, and such data as there are do not support any particular conclusion.

Patrick Florer
Dallas, Texas

Russell Thomas (http://newschoolsecurity.com/author/russell/), 2010-05-25 16:03 -04:00:

While it may feel comforting to only measure historical costs of incidents (if you can get the data), it is simply inconsistent with rational economic decision-making.

ALL economic decisions are based on estimates of future cash flows, discounted for the time value of money. If you can't estimate the cash flows, at least within some range, then you can't make rational economic decisions. Period.

Historical costs are only meaningful as input to future cost estimates.

By "rational economic decisions", I mean choices between security spending and other corporate spending, choices between spending now vs. spending later, choices between alternative security practices or policies or investments.

Now, you may be suggesting exactly this -- that information security is beyond the reach of economic rationality, and therefore we should fall back on other methods such as guidelines, heuristics, etc. that we can only HOPE will lead to better decisions and better results than simple-minded methods (hunch, impulse, fad-following, blind-leading-the-blind, etc.).

Lastly, I'd like to point out that historical costs associated with "brand, reputation, and other 'goodwill' items" play out over time, often many years. Thus the full costs won't be recognized if the incident is recent. This is the challenge that the Ponemon survey faces. They "solve" it by using some rule-of-thumb formulas for number of customers lost, cost to replace a customer, etc., but that is simply a way of forecasting future costs.

For more on this, you might look at the blog post I wrote recently about the general problem of incorporating the time dimension in security metrics: http://newschoolsecurity.com/2010/05/getting-the-time-dimension-right/

Richard Bejtlich (https://www.blogger.com/profile/13512184196416665417), 2010-05-25 16:14 -04:00:

RT,

I thought it was obvious that the purpose of determining historical cost would be as an input for future decision making? The point I was trying to emphasize is that too many managers start backwards, in my opinion, creating fantasies about future costs but never having measured past costs.

Russell Thomas (http://newschoolsecurity.com/author/russell/), 2010-05-25 16:21 -04:00:

I want to offer an approach that might bridge the approaches.

I'm a big fan of measuring/estimating TOTAL costs of information security, including costs of prevention, detection, forensics, backup/recovery, incident response, help desk, security management, etc.

But I think this needs to be projected forward. The best way to do this is to look at BUDGETED costs, especially outside the security department. It takes some effort to tease out costs related to security (using cost drivers), but it's possible.

But this only works for the frequent and expected costs. TJX and Heartland do not budget in the future for all the costs that they incurred in their past (infamous) breaches.

There's no way around it -- you need to have some way of roughly estimating low-probability, high-impact costs, and your "willingness to pay" to avoid them.

Such a method is outlined in this presentation: http://meritology.com/resources/Total%20Cost%20of%20Cyber%20(In)security.ppt

But let me be clear -- this method is not yet ready for mainstream use. There are serious unsolved research problems. But I think they can be solved, at least to an acceptable level.

Charles Skamser (http:///www.ediscoverysolutionsgroup.com), 2010-05-28 10:21 -04:00:

Brilliant topic!

eDiscovery Solutions Group (www.ediscoverysolutionsgroup.com) actually has an incident management system that can track cost and therefore address this requirement.

The Ubiquitous Mr. Lovegroove (https://www.blogger.com/profile/16715623535008048201), 2010-05-30 06:28 -04:00:

@Martin,

My slightly provocative question was aimed at the perception that security incidents will always be identified and have measurable cost.

Lost productivity is the only measure I can imagine which can be reliably tracked.