Achieving Durable Security: Being Honest About What You Can Really Do
Thomas Whipp MSc MEng CISSP CPP CBCI, Head of Risk, Oval Ltd
Presentation Overview:
Where are you starting from?
Where are the risks?
Thinking differently about security
What are the real costs of your strategy?

Where are you starting from?
Your information? Where does it actually live:
Excel
SQL
Emails
Memory sticks
Printers
Scanned images
Mobile phones
Your business:
Costs: value for money?
Whose budget?
Will it really be spent?
Capital vs. revenue
Politics
Prevention, detection, incident response
Will it work?
Displacement
Where are the risks?

Who is out there?
Script kiddies
Hacktivists
Criminals
Industrial espionage
State sponsored

Technical attacks
Social engineering
Thinking Differently About Security

Rational Choice Theory
The offender's questions:
How much will I get?
How likely am I to be caught?
How large is the punishment?
Evaluation of risk and return

Uses:
A good model for planned offences, typically acquisitive in nature
Largely fails to explain expressive offences
Routine Activity Theory
Lack of a capable guardian
Motivated offender
Can be used to explain everyday type crimes
Situational Prevention (Ronald V. Clarke)

Key concerns:
Crime not criminality
Event driven
Near not distant cause
How not why

5 main mechanisms:
Increase the effort
Increase the risk
Reduce the rewards
Reduce provocations
Remove excuses
Examples:
Defensible Space (Oscar Newman)

Key points:
Territoriality (key behaviour to encourage)
Natural surveillance
Image
Milieu

Thinking point: Is it worth allowing some personalisation at the desktop?
Displacement
A key criterion used to assess physical security initiatives
Putting in a control:
May not reduce offending
May simply move it elsewhere
Disinhibition
Strong sense of anonymity
Disassociation from the 'real world'
Lack of a sense of consequence
Leads to significant changes in behaviour
Key challenge for InfoSec: awareness, but also situational controls
What are the real costs of your strategy?

Covering your bases... Spreading the costs:
Prevention
Detection
Response
Residual
Choosing a Strategy... What are the options?
Process
Product
Service
Architecture
Any option can deliver an effective control if implemented properly
Risks to Strategy...
Choosing a Strategy... Controls and their true costs
[Chart: stacked bars for Process, Product, Service and Architecture, each split into Political, Effort, Revenue and Capital cost components; vertical axis 0% to 100%]
Tom Whipp MSc MEng CISSP CPP CBCI, Head of Risk, Oval Ltd
Tel: 01924 433081
Mbl: 07500 796391
Email: [email protected]