
ECONOMIC ASPECTS OF DATA PROTECTION

South Eastern Europe Conference on Regional Security through Data Protection

Belgrade, December 1-2, 2003

Daniel C. Hurley, Jr., Director, Critical Infrastructure Protection

U.S. Department of Commerce



Within the U.S. Government, the Department of Commerce is the appropriate agency for addressing economic security issues:

• Core mission incorporates CIP

• Historic ties with and understanding of industry

• Trust between Department and industry

• With DOC’s involvement, U.S. industry plays more effectively


Critical Infrastructure Assurance Challenges

• Vulnerabilities Increase with “Always On” Network Connections, Telecommuting, Lax Security Practices

• Viruses, DoS Attacks, Identity Theft and other Practices can Aid Terrorist Activity

• Lukewarm Corporate and Public Interest in InfoSec Awareness and Education, although that has changed somewhat post-September 11th

• FBI/CSI survey (2003) found about “90 percent of respondents detected computer security breaches in the past year, but only 34 percent reported those attacks to authorities.”


Costs of Computer Crime

• Costs:
  – 2003: $201 million
  – 2002: $455 million

• Types:
  – Proprietary info ($70 million)
  – Denial of service ($65 million)
  – Financial fraud ($10.2 million; down from $116 million in 2002)

• Forms of attack:
  – Virus incidents (82%)
  – Insider abuse (80%)

Source: CSI/FBI 2003 Computer Crime and Security Survey


Examples of Recent Attacks

• Klez virus:
  – Clean-up and lost productivity: $9 billion

• Code Red:
  – 1 million computers affected
  – Clean-up and lost productivity: $2.6 billion

• Love Bug:
  – 50 variants, 40 million computers affected
  – Clean-up and lost productivity: $8.8 billion

• NIMDA:
  – Clean-up and lost productivity: $1.2 billion

• Slammer:
  – Clean-up and lost productivity: $1 billion +


“Business Case” for Cybersecurity

• There is a 21% Return on Investment for cyber security systems implemented early in network development

Source: CSO Magazine, 2002

• “The costs of a severe computer attack are likely to be greater than the preemptive investment in a cyber security program would have been.”

Source: National Strategy to Secure Cyber Space, February 2003


Premise

Infrastructure security can have a direct effect on shareholder value.


Shareholder Value Metrics

Gordon Growth Model

Investment Analyst View

Market Capitalization = Free Cash Flow / (Cost of Equity − Growth of Free Cash Flow)


Shareholder Value Metrics

Gordon Growth Model

CEO View

Market Cap = [Increase Revenues, Reduce Expenses] / [Manage Risks, Grow Free Cash Flow]

Risks to manage:
  • Operational
  • Credit
  • Reputational


Risk Management is Key

Five-year cost of equity =
    Stock Volatility         =  8%
  + Corporate Credit Spread  =  1%
  + Government Bond Rate     =  6%
                             = 15%


Shareholder Value Metrics: An Example

$2.0 billion market cap = $100 million / (15% − 10%)


Shareholder Value Metrics: An Example

$1.67 billion market cap = $100 million / (16% − 10%)

A 1% increase in cost of equity decreases market capitalization by $333.3 million.
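The two slides above are one instance of a general sensitivity. As an added derivation that is not on the original slides, write $V$ for market capitalization, $F$ for free cash flow, $r$ for cost of equity and $g$ for growth of free cash flow (all assumed symbols; the deck names these quantities but does not assign letters), so the Gordon Growth Model reads

$$V = \frac{F}{r - g}.$$

If an incident raises the cost of equity by $\delta$ (through the volatility or credit-spread terms of the cost-of-equity sum), the exact change in market capitalization and its relative size are

$$\Delta V = \frac{F}{r + \delta - g} - \frac{F}{r - g} = -\frac{F\,\delta}{(r - g)(r - g + \delta)}, \qquad \frac{\Delta V}{V} = -\frac{\delta}{r - g + \delta}.$$

With the deck's numbers, $F = \$100$ million, $r = 15\%$, $g = 10\%$, $\delta = 1\%$:

$$\Delta V = -\frac{100 \times 0.01}{0.05 \times 0.06}\ \text{million} = -\$333.3\ \text{million}, \qquad \frac{\Delta V}{V} = -\frac{0.01}{0.06} = -16.7\%.$$

The relative loss depends only on the spread $r - g$, not on the size of $F$: a firm whose cost of equity already sits close to its growth rate loses proportionally the most from the same one-point rise, which is why the deck ties risk management to shareholder value rather than to incident clean-up cost alone.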


Simple Tenets of Business

• Survival: Keep the company in business: meet the needs of paying customers

• Fiduciary Responsibility: Protect the interest of shareholders and other investors
  – Retain and increase value; grow revenue and earnings (ROI, ROE, Market Share, . . . )

• Do the above in compliance with applicable law and regulation


Ten Questions About Information Security

1. Accountability - What management system have we established to assure effective assignment of accountability for the security of our information and supporting technology resources?

2. Awareness - What has management done to ensure that all parties know, understand, and accept the importance of adhering to sound information security?

3. Ethics - What has management done to ensure that we are using our information assets and administering information security in an ethical manner?


Ten Questions About Information Security (continued)

4. Multidisciplinary Considerations - What has management done to ensure the perspectives and considerations of all interested and affected parties are considered and balanced in developing our information security policy?

5. Proportionality - What cost/benefit, risk, and due care analyses have been applied to the selection of our information security controls?

6. Integration - How has management coordinated and integrated information security with overall policies and procedures to create and maintain effective security throughout our information systems?


Ten Questions About Information Security (continued)

7. Timeliness - What capabilities do we have to ensure that failures involving information technology or its management will not endanger the organization, its supported business units, its neighbors, or their information assets, and will not impair their ability to operate?

8. Assessment - What capabilities do we have to ensure that risks associated with information and supporting technology resources are effectively assessed on an appropriate periodic basis, or as otherwise required, and managed accordingly?


Ten Questions About Information Security (continued)

9. Equity - How does management ensure that information security measures are fair and legal?

10. Information Sharing - How effectively does management share appropriate information with peer organizations and appropriate governmental entities?


Security Incentives - Internal

• Tone at the Top:
  – Mission, Values, Strategies, and Objectives
  – Results, Reputation, and Learning

• Assurance Objectives:
  – Availability, Capability, Functionality, Protectability, and Accountability

• Management Practices:
  – Operations, Reporting, Compliance, and Safeguarding of Assets
  – People, Technology, Processes, Investment, and Communications


Systems Assurance and Control Model


Board and Executive Responsibilities for Information Security

• Tone at the Top
  – Ethics, Quality, Trust, Security, Reliability

• Board of Directors
  – Duty of care to ensure it receives sufficient reliable evidence to govern the organization
  – Ask insightful questions and assess the appropriateness of the answers
  – Duty and challenge to keep abreast of the myriad subjects influencing business governance


The Audit Committee of the Board

• Reliability of information and its presentation in financial and other reports

• Ensuring regulatory compliance

• External and internal auditing
  – Selecting and retaining the auditors
  – Direct reporting relationship with the chairman of the audit committee
  – Independence and objectivity


Audit Examples

• Review processes for systems design, development, maintenance, and enhancements

• Review network operations and security

• Review change controls for systems, networks, and information

• Select and analyze data for verification of controls or assessments of anomalies

• Review access controls for security and accountability


Audit Examples

• Review business processes and supporting systems and data

• Review effectiveness of specific activities such as intrusion control

• Assess business continuity including participation in recovery testing

• Assess sensitive activities such as incident response

• Consult in any area of security or controls to facilitate improvement, efficiency


The Role of Private Insurance

• Government regulations generally promote behavior through negative reinforcement (e.g. fines, jail, etc.)

Versus

• Private Insurance generally promotes behavior through positive reinforcement (e.g. availability of insurance, lower premiums)


What are the Underwriter’s Obligations?

• Prevent or mitigate the loss

• Transfer the risk of the loss

• Assist in post-incident support and reputation re-building


What are the risks to manage?

• Legal Liability to Others: Security breaches, Web Content, Professional E&O

• Loss or damage to my data

• Loss of revenue due to a DoS attack

• Loss or damage to Reputation

• Loss of Market capitalization and resulting Shareholder lawsuits


Value of Insurance

• Computer attacks hit with huge frequency and are causing substantial damage.

• The private insurance sector plays a unique role in motivating behavior by adjusting the price and availability of insurance.

• In addition to providing coverage, insurance firms should help to prevent the loss by aligning themselves with quality security technology companies, within a specialized unit.


Future Concerns - Examples

• Systemic issues not being addressed systemically
  – E.g., software patch management as a symptom

• People – the biggest concern
  – IT workforce shortfalls (including INFOSEC)
  – Lack of feedback of “good practices” in education process
  – Management awareness/education
  – Accountability
  – Citizen awareness/education/training (“K-life”) – cultural issue

• Disruptive technologies
  – Wireless
  – Miniaturization: e.g., Nanotechnology and MEMS
  – Moore’s Law: increasing power to individual at lower cost
  – Network enabled applications: e.g., Peer-to-peer sharing


CIP Lessons Learned

• GLOBAL ECONOMIC BENEFITS OF CIP
  – Economic Security is a motivating factor
  – Complements law enforcement and national security objectives

• CONTINUOUS EDUCATION & AWARENESS NECESSARY
  – Solutions involve people, not just technology and process

• INDUSTRY INTERACTION ESSENTIAL
  – Facilitates issue identification
  – Broadens analytic support
  – Facilitates buy-in by industry
  – Accelerates economic benefits to be derived


The Final Word . . .

• Effective information security management and monitoring practices can either be adopted and enforced by management, or they will eventually be mandated by regulation, legislation, lawsuits, and/or insurer requirements.

• Those who benefit most from effective security practices will be those early adopters who recognize them as good business practice and build them into the systems and processes as integral business components.


Information for This Presentation Was Provided By:

Charles LeGrand

Director of Technology Practices

The Institute of Internal Auditors

James McNulty

President & CEO, Chicago Mercantile Exchange, Inc.

Ty Sagalow

Chief Operating Officer

AIG Global eBusiness Solutions

The Information Technology Association of America (ITAA)


THANK YOU

Daniel C. Hurley, Jr., Director,

Critical Infrastructure Protection

U.S. Department of Commerce

[email protected]
