Achieving Durable Security :Being Honest About What You Can Really Do.

Thomas Whipp MSc MEng CISSP CPP CBCIHead of RiskOval Ltd

Where are the risks?

Thinking differently

about security

What are the real costs of

your strategy?Where are you starting from?

Presentation Overview

Where are you starting from?

Your Information?

ExcelSQL

Emails Memory Sticks

Printers

Scanned Images

Mobile Phones

Your Business

Costs Value for Money?

Who’s budget?

Will it really be spent?

Capital Vs.

RevenuePolitics PreventionDetectionIncident

ResponseWill it work?Displacement

Where are the risks?

Script Kiddies

Who is out there?

HacktavistsCriminalsIndustrialEspionage

State Sponsored

TechnicalAttacks

SocialEngineering

Thinking Differently About Security

Rational Choice Theory

? How much will I get

? How likely am I to be caught

? How large is the punishment

Evaluation of risk and return

Uses

A good model for planned offences

Typically acquisitive in nature

Largely fails to explain expressive offences

Routine activity theory

Lack of a capable guardian

Motivated offender

Can be used to explain

everyday type crimes

Situational PreventionRonald v Clarke

Key Concerns 5 Main mechanisms

Crime not criminalityEvent drivenNear not

distant causeHow not why Increase the effort

Increase the risk

Reduce the rewardsReduce

provocationsRemove excuses

Examples:

Defensible SpaceOscar Newman

Key PointsTerritoriality (key behaviour to

encourage)

Natural surveillance

Image MilieuThinking point:

Is it worth allowing some personalisation at the desktop?

Displacement

A key criteria used to assess physical security initiatives

Putting in a control

May not reduce offending

May simply move it elsewhere

Disinhibition

Strong sense of

anonymity

Disassociation from the ‘real

world’

Lack of a sense of consequence

Leads to significant changes in behaviour

Key challenge for InfoSec

awareness but also situational

controls

What are the real costs of your strategy?

Covering your bases...Spreading the costs

Prevention

Detection

Response

Residual

Choosing a Strategy...What are the options?

Process Product

Service Architecture

Any option can deliver an

effective control if implemented

properly

Risks to Strategy...

Choosing a Strategy...Controls and their true costs

Process Product Service Architecture0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

100%

PoliticalEffortRevenueCapital

Tom Whipp MSc MEng CISSP CPP CBCI Head of Risk, Oval Ltd

Tel:       01924 433081Mbl:      07500 796391Email:   tom.whipp@theovalgroup.com