IT@Intel Blog

9 Posts tagged with the corporate_security tag

Measuring the value of information security programs is difficult and a problem for the entire industry. Come join us for a 3 part series discussing the challenges, how Intel is taking a practical approach, and where the future may take information security metrics.

Last week, Matthew Rosenquist & I discussed an actual Intel case study with Enrique Herrera. In this last of the three part series, we will discuss some practical approaches to determine the value of information security initiatives, including some future-looking ideas, and how security metrics might be implemented on a national scale.

The show is 30 minutes, starting tomorrow (June 4) at 10:30 PDT. To listen in, go to the OpenPort home page, and a little ways down on the left side you'll find the BlogTalk Radio link. Take that link and follow the instructions. You don't need an account to listen or participate in the discussion. If you can't make it live, you can also find the recorded sessions there too, after the show.

See you there!

Return On Security Investment - BlogTalk Radio
Wednesday, June 4, 2008
10:30 AM PDT / 1:30 PM EDT
http://communities.intel.com/index.jspa

0 Comments Permalink

Measuring the value of information security programs is difficult and a problem for the entire industry. Come join us for a 3 part series discussing the challenges, how Intel is taking a practical approach, and where the future may take information security metrics.

Last week, Matthew Rosenquist & I discussed why measuring ROSI is important, and the very difficult challenges in doing so. In this second of the three part series, we will discuss a practical approach to determine value of information security initiatives. Joining Matt & myself this week from Costa Rica is Enrique Herrera, who will discuss an actual Intel case study.

The show is 30 minutes, starting tomorrow (May 29) at 10:30 PDT. To listen in, go to the OpenPort home page, and a little ways down on the left side you'll find the BlogTalk Radio link. Take that link and follow the instructions. You don't need an account to listen or participate in the discussion. If you can't make it live, you can also find the recorded sessions there too, after the show.

See you there!

Return On Security Investment - BlogTalk Radio
Thursday, May 29, 2008
10:30 AM PDT / 1:30 PM EDT
http://communities.intel.com/index.jspa

0 Comments Permalink

Come join us!

The success of a security program is measured by an event that doesn't happen, so how do you know if you were successful? Matt Rosenquist, Intel’s Information Security Strategist will do a three-part series on Blog Talk Radio discussing the difficulties of measuring a security program.

Segment 1: May 20th at 10:30 AM (Pacific): The Problem of Measuring Security Part 1 of 3

Segment 2: May 29th at 10:30 AM (Pacific): Return on Security Investment - Intel Case Study Part 2 of 3

Segment 3: June 4th at 10:30 AM (Pacific): Future State of Security Measurement Part 3 of 3


Our Blog Talk Radio segments are interactive and we will be taking live calls from listeners (Call-in Number: (347) 326-9831) and live chat over the Web.


What are your questions for Matt around security metrics?

2 Comments Permalink

In the summer of 2002 I received a phone call from one of Intel’s senior information security experts, Brian Willis. Brian had just returned from an event in Washington D.C. that he was very excited about. Gartner and the U.S. Naval War College had hosted a three-day seminar-style war game called “Digital Pearl Harbor.” The purpose of the war game was to involve industry for the first time in investigating the possibilities for catastrophic attack of and through the U.S. internet system. They had invited a number of private corporations to participate in this new methodology, and Brian attended as Intel’s representative.

At the time I was working on some risk modeling techniques, so Brian figured I’d be interested in what he had learned. He called and started with, “We have to do this!” He described the event and the possibilities he saw for Intel. The event was very successful and provided much valuable information to the sponsors as defenders, but Brian saw a different aspect. As an “attacker” in the game, he saw how easily and dynamically the attackers in cyberspace were able to build their own systems, business as well as technological, and emphasize their own priorities. The visibility that the game gave into this process came as a bit of a surprise to him and other participants, and Brian recognized how valuable this perspective was to understanding risks facing any defender.

So we decided to stage something similar at Intel, but focusing on the attacker viewpoint rather than the defenders. Although this is somewhat different than a classical war game, we kept the basic process (and the name “war game”) to keep it different from other risk assessment methods. It wasn’t easy to come up with our own game. At the time, there was very little about war gaming that wasn’t based on military objectives, and it was almost all from the defender’s point of view. I even called the U.S. Naval War College; they were very interested and supportive but had little they could share. But through the collective effort of many people, by the summer of 2003 we had put together our own Intel Digital Wargame. The game event itself lasted for two days, and involved nearly every Intel business unit organized in six cells spread across three U.S. cities. It was wildly successful, beyond our expectations, and all the participants said it was exhausting but also both the most instructive and the most fun event they had attended in a long time.

Since then, we have conducted a number of smaller games and continue to have good success with the process. Along the way we have refined it, although we consider it still very much a work in progress. The paper published here is a detailed description of our current process. If war gaming sounds interesting to you, or you are already doing something similar, I hope this will be of use to you. In any case, I would like to hear of your thoughts or experiences or best practices in this area, as we are always looking to learn and improve.

Wargames: Serious Play that Tests Enterprise Security Assumptions

1 Comments Permalink

In this videocast, I talk about some of the key tools used at Intel to understand current and future risks and threats (including secret agents!)

What are the tools you use in managing risks? Are they off-the-shelf or developed internally? And do you ever get to wear a tux while at work?


Here are some links for more information:

My presentation on corporate infosec Wargaming for the upcoming Intel Premier IT Professional (IPIP) events:
Security Wargaming Best Practices

Our Threat Agent Library is available for anyone to use. A whitepaper describing it is here:
Threat Agent Library Helps Identify Information Security Risks

Matthew Rosenquist's latest blog on security is a great discussion about Security in Depth:
Defense in Depth Information Security Strategy

0 Comments Permalink

Within enterprise and other large networks we are seeing a diverse set of users and computers, and keeping the network secure is becoming a challenging job.

In response to this, within the corporate network Intel IT initiated the on-connect authentication (OCA) program, locking down and enabling security on network access ports using the 802.1x standard and port security. The 802.1x standard has been around for a long time, but only recently has it picked up momentum, and for a big network it is not an easy job to deploy and maintain. In a two-site pilot deployment, we gained insights, formulated best known practices, and developed automated tools and a strategy for an efficient global rollout to lock down every single access port at Intel. I hope you find our experience useful, and I would also like to hear about your experience with this.


Update: My white paper is now posted. Check it out and let me know your thoughts: Securing the Corporate Network at the Network Edge
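As an added illustration that is not Intel's OCA configuration and not part of the original post, this is what locking down one access port with 802.1x plus port security looks like in Cisco IOS syntax; the RADIUS server address, shared secret, VLAN number and interface name are placeholders.

```cisco
! Added illustration (assumed Cisco IOS syntax); not Intel's OCA configuration.
! Global: enable AAA and point 802.1x authentication at a RADIUS server.
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SHARED-SECRET
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Per access port: the switch acts as authenticator and passes no traffic
! except EAPOL until the client (supplicant) authenticates. "dot1x port-control
! force-authorized" (or leaving 802.1x off) would keep the port open to any
! device plugged in; "auto" is the locked-down setting.
interface FastEthernet0/1
 description Office access port (802.1x + port security)
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode single-host
 dot1x timeout quiet-period 30
 ! Port security caps the port at one learned MAC address, so a hub or
 ! unmanaged switch cannot piggyback a second device behind the one that
 ! authenticated; "restrict" drops the extra frames and raises a log/SNMP
 ! notification instead of err-disabling the port.
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 spanning-tree portfast
```

With this in place, "show dot1x interface FastEthernet0/1" and "show port-security interface FastEthernet0/1" are the checks to confirm the port state and violation counters during a pilot.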

3 Comments Permalink

Matt Rosenquist, Information Security Strategist at Intel, says that measuring success in the security industry is difficult, since there isn't a perfect tool for measuring what doesn't happen. In this podcast, Matt talks about how Intel approaches security. How is measuring security programs any different than other IT or production programs? The heart of the problem is in trying to measure what does not occur. Security initiatives strive to prevent loss, so in effect they try to make something not happen or to lessen the outcome. And if something does not occur, how can you measure it?


Discuss this topic and more with Matt in his recent blogs:

The Problem of Measuring Information Security
Managing the Effort to Measure Security
Practical Aspects of Measuring Security

6 Comments Permalink

Note, this conversation occurred in the SecurityMetrics email discussion group and is a repost of select dialogue. Thanks to all the contributors who granted me permission to post their comments.

Will the recent data breach settlement by TJX be a landmark case, setting the precedent for future lawsuits?

http://www.boston.com/business/globe/articles/2007/09/22/tjx_offers_deal_to_end_data_breach_suit/

This lawsuit focused on 45.7 million credit and debit card numbers that were stolen from TJX by hackers. The company will settle the case by offering $30 store vouchers, which equates to a value of the customer's time at $10 per hour. TJX will hold a "customer appreciation" 15% sale and will also offer credit monitoring and identity theft insurance to some customers. The total costs to TJX for this incident are around $256 million.

The Math of Liability Settlements

The discussion group was alight with the paltry $30 restitution per customer.

Dan Geer shed some light on the numbers by citing a legal precedent for liability and doing the math.

Given P = the probability of loss
L = the amount of said loss
B = the cost of adequate precautions
Then Liability whenever B < PL
So, taking data from the published FTC study[2] of 2003 where they said that 4.6% of the US population had had an identity theft problem and that in solving it the affected had expended 300 million hours and 5 billion dollars, and using the then Federal minimum wage, we'd thus have:
http://communities.intel.com/openport/servlet/JiveServlet/downloadImage/1065/D.Greer+Liability+Equation.JPG

This leads to the question of whether $30.11/yr/consumer is enough to prevent identity theft, as defined by the FTC, and if it is, then liability would ensue.
This is close enough, excluding increases in minimum wage, to the $30 figure in the press report to make me wonder if the TJX folks have been reading the same stuff I've been reading.

Impacts on Stock Price

The TJX stock has seemingly not been adversely affected.

Bill Frank noted:

I just looked up TJX stock price. It's within two points of its all-time high at $30.16. It surely dipped when the story was new. But it seems to have completely recovered.
For one of the worst security breaches of all time, it does not look like there will be any permanent damage (to TJX).
Matthew Rosenquist:

Sadly, this does not surprise me. Until the disdain of such breaches becomes personally embraced by the general populace, such incidents probably will not have a significant impact. I think it will be a slow curve as society begins to alter its perspective on how data-loss events affect 'others' and begin to comprehend that it very well could and does affect them. And that they are empowered to prevent being victimized, through the simple choice of where to spend their money and whom they choose to expose their PII/PHI and financial records. Only then will it change spending habits, investing choices, and ultimately begin a cascade effect with the economy directly surrounding organizations which allow, through ignorance or indifference, such losses.
Today is a sad day, but tomorrow will be a little better as the pain will continue to grow and slowly manifest change in the herd.
After some posts recommending more governmental regulations I threw out a couple of points:
1. I believe the free market system, with its inherent checks and balances, will prevail. But the key is fixating on the real issue: Money. Follow the money.... How much will this cost the TJX consumer? How much higher prices will they need to pay for the mismanagement by TJX officers? This is the real metric (IMHO). This will determine the velocity by which the curve will occur (see my previous ranting on this thread).
2. The math (disclaimer: will someone with a bigger brain check my numbers, which are ballpark anyways - just for illustration purposes):
TJX estimates total losses for the security incident: $256M
TJX estimated Sales Revenue: $18000M
TJX estimated Sales Net Profit: $738M (I chose to use Net instead of Gross, but use whatever you believe is right)
TJX estimated profit margin: ~4%
In order to recoup the $256M in Net Profit, they would need to sell an additional $6400M in product ($256M / 4%), or INCREASE prices by ~25% without selling more. For those TJX customers, are you okay in eventually paying ~25% more for the same products, due to poor management practices of the retailer? (Yes, it is the decision of the management to decide how much they want to recoup, but you get the point).
...yes these are rough numbers, for discussion purposes only. The point is somebody has to pay. It will be the customers. Let's have a bright person do the math and show the customers what they are going to have to eat, as part of the cost of doing business with TJX (substitute company name of any organization who allows a data breach).
Bill Frank:
Matthew, the only metric that really counts is the stock price.
I see your math if the point is to recoup the money lost. But too often the stock price ignores one-off events. The point is that the stock price has recovered even though they lost $250 million because the incident is seen as a one-time event that will not have any effect on earnings going forward.
Matthew Rosenquist:
Bill, you make a good point. My contentions are that due to a lack of realistic and understandable metrics both the consumer as well as investor does not have sufficient data to comprehend the future ramifications, hence the propensity of classifying these issues as one-time events. Which time will prove, they are not. Basically, the customer and investor do not know how to react. They are pensive due to a lack of understanding and experience. We are all on a path of learning. Empowering people with insights, understanding, and a strategic view is the role of metrics. In this case, I see the true power of metrics as a tool to help escalate the learning curve. I believe sometime in the future such a breach would cause significant backlash by the consumer and reflect in the stock price. We just are not there yet.
Anton Chuvakin:
I feel that there is something very wrong with this math... just not sure what exactly. My guess is that if you increase your price by 25% in this business, you'd be gone within a quarter (see narrow margins, cutthroat competition, etc.). So they probably won't. Can somebody then explain, who pays?
Matthew Rosenquist:
Yes, there is something wrong, but I use it for illustrative purposes only. The missing link is the decision by management on how much loss they are willing to accept. If they choose to eat the entire $256M, then they do not need to raise prices at all. On the other end of the spectrum, if they want all $256M back, then they have to raise prices. An increase by ~25% for one year would come close, although realistically, they would spread out the pain over several years so as to be only a slight increase over a longer period of time.
The key is what management decides, either consciously or unconsciously, to be an Acceptable Loss.
Note: I grabbed the company's financial data, including the margin figures, from yahoo.com/finance
Susan Bradley:
But isn't the free market system working now? The one that has Russian/Asian hackers/spammers/phishers sneaking into our servers, causing breaches, working quite nicely now?
Look at the free market system of software (and I'm not talking Microsoft here). Show me an accounting application that natively has encryption surrounding the PII data in it? Granted I hang in the SMB space, but do you guys in enterprise see movement up there or am I just not looking in the right places for vendors making changes reacting to PII losses?
If the free market system was working ...then why does my Bank of America have computer terminals that look like DOS on their desktops? Of course then again why am I still banking at them and not moving to Wells Fargo where they are at least running Win2k last I looked? Aren't I guilty of not shopping for the most secure bank when BoA lost a few PII here and there? I haven't taken my business elsewhere as a result. Shouldn't I?
I myself am guilty of this "bare minimum" view as I was on a virtual committee for the 'minimum' security standards for all sized entities organized by CISecurity.org and I couldn't (wouldn't) push for two factor authentication being a defacto standard since I didn't feel that the industry was mature enough to be a standard yet for SMBs.
So while the free market industry for the spammers, phishers, etc seems to be quite robust, are the applications responding to the free market of checks and balances?
Matthew Rosenquist:
I believe the system is working, albeit not as fast as we all would like. As proof, we have dramatic changes and tension in the system. Neither side (good guys/bad guys) is completely winning but both are rapidly changing and evolving. The information security industry has skyrocketed in the past 5 years. So has cyber crime. In this dance each side is looking for advantages and continually adapting to their respective opposition. Change is afoot. Other areas of cyber security are much farther on the maturity curve than privacy and data breach security.
Security will continually seek to mitigate losses in the most cost efficient manner. In doing so, the industry will change as well as the expectations of security. In the end, we are not trying to make everything impervious to attack, instead we are seeking to achieve and maintain the optimal level of security which balances the cost of security with the loss prevented to reach an acceptable level of loss. This is a wildly gyrating target as new vulnerabilities, threats, changes to environments, etc. are constantly changing. Adaptation is in small steps. I doubt we will wake up tomorrow to have every application using encryption. The cost is just too high and we would be overshooting the optimal level of security. Eventually however, the most critical applications will use encryption.

2 Comments Permalink

What are the risks to company employees embracing new social media applications, such as Facebook, Myspace, IM, Twitter, etc. at work?

I recently had a great discussion with Josh Bancroft, an Intel software engineer deeply entrenched in the social media world (truth be known, Josh has been a champion in this area for a while and Intel owes much of our social media maturity to Josh and others like him). Josh recently started a blog on this topic and is getting some great responses. Check it out!


Here is my position:

Corporations institute security mitigations to control and manage risks to the corporate network, systems, data, reputation, customer goodwill, liability protection, etc. Many of these new social applications expose employees to a new set of social engineering threats. Connecting to these services from company machines across corporate networks exposes potentially critical assets as well.

The benefits are undeniably great for these tools, but should corporations embrace such potentially risky communication channels? If so how?

Anytime an employee makes a connection through the corporate firewall to an external internet location, the risk meter goes up. Email is a perfect example. Uncontrolled email would be a huge risk: without spam and malware filters, a corporate network connected to the Internet would surely be overwhelmed. Organizations have instituted such security controls to manage the risk to an acceptable level. But with the rapid introduction of new social tools, designed to traverse proven security controls, how should companies manage the new risks?

What is worse, these social platforms may be used by savvy attackers, to profile targets and directly go after one of the traditionally weak links in any security program, the human element. Employees can be swayed to download malware and divulge sensitive information which can lead to tremendous compromises of corporate assets.

What to do, what to do. With my security hat firmly bolted on, I say employees must comply for the greater good, which means balancing function with security. Normally, corporate information security policies are in place to control what is allowable. Policies are formal means for management to determine the acceptable level of risks, thereby defining the function/security balance.

So how do we get beneficial social interfaces integrated into the corporate computing landscape? Well, it really is a senior management decision to accept the risks. Such an effort usually begins with a risk assessment to determine where on the risk spectrum it would be and what potential cost effective security mitigations could be applied. If senior management is willing to accept the residual risks, then it is time to move forward. With the sheer number of new social interfaces being introduced, it would be unlikely all would be embraced. Some, if not many users may be unhappy, but this is the cost of effective, efficient, security assurance in the corporate setting.

But what if the end users collectively ignore these policies? What responsibility does security management have to ensure due care and due diligence are maintained? Security must consistently follow their rules of engagement. It is tough enough to keep the environment secure without employees subverting policies. I recommend detection and enforcement as well as collaborating with the end users to determine if a middle ground can be found to meet the business need while maintaining the integrity of security. We are all in this together. We will succeed or fail together.

18 Comments Permalink