1
00:00:02,360 --> 00:00:10,120
Welcome to the module devoted to the issue of cyber attack risk assessment and damage analysis. To start,

2
00:00:10,180 --> 00:00:20,760
let's perform a simple simulation. Security solutions should be cost effective. IT security spending,

3
00:00:20,760 --> 00:00:29,170
as with other spending, should be motivated and pay for itself in one way or another. IT systems administrators

4
00:00:29,170 --> 00:00:34,390
and people responsible for IT systems security have a hard time explaining the cost effectiveness

5
00:00:34,390 --> 00:00:35,580
of such spending.

6
00:00:37,850 --> 00:00:43,730
Just ask your CEO or manager for $10,000 for an anti-spam filter and you'll hear that there are better

7
00:00:43,730 --> 00:00:45,730
ways to spend such an amount of money.

8
00:00:51,150 --> 00:00:58,580
Let's try to perform a simple cost-effectiveness analysis of allowing spam or viruses.

9
00:00:58,670 --> 00:01:07,780
We will assume the following scenario: we work for a company where the average yearly salary is $60,000.

10
00:01:07,790 --> 00:01:11,330
There are 260 working days in a year.

11
00:01:11,400 --> 00:01:16,420
Let's suppose that getting rid of a virus that somehow managed to infect a computer takes two hours.

12
00:01:17,710 --> 00:01:24,900
This is a rather optimistic scenario, but even so, getting rid of a computer virus means a

13
00:01:24,900 --> 00:01:28,090
two-hour break in work for the user of the infected computer.

14
00:01:31,110 --> 00:01:38,590
At the same time, these are two hours of work of an IT specialist who performs the operation.

15
00:01:38,630 --> 00:01:44,210
If we divide the average salary by the number of working days in a year and then multiply the result

16
00:01:44,210 --> 00:01:52,650
by the sum of the time consumed, we will get the cost of getting rid of a virus from one computer.
17
00:01:52,690 --> 00:01:59,570
If we assume that the company owns 500 computers and only 5 percent of these are infected by a computer

18
00:01:59,570 --> 00:02:04,340
virus once a month, which again is a rather optimistic assumption,

19
00:02:05,060 --> 00:02:09,510
we have to multiply the result we got last time by 500 times 5 percent.

20
00:02:11,680 --> 00:02:17,570
This will give us the monthly IT service cost which includes the cleaning of viruses only.

21
00:02:17,630 --> 00:02:22,910
This is a direct cost of recovering computers from a virus infection.

22
00:02:22,980 --> 00:02:27,990
If the people who decide where the money goes were presented with the data above, their decision might

23
00:02:27,990 --> 00:02:29,060
be a little different.

24
00:02:30,750 --> 00:02:35,670
You can say that the company will actually save ten thousand dollars a year by investing $10,000 in

25
00:02:35,670 --> 00:02:38,260
security on a one-off basis.

26
00:02:40,110 --> 00:02:44,040
Such an investment would pay off after only one year.

27
00:02:44,050 --> 00:02:50,520
This is the kind of talk a business user would understand. After hearing such arguments,

28
00:02:50,550 --> 00:02:51,840
they would probably concede.

29
00:03:00,260 --> 00:03:05,780
The aim of this module is to convince you, the people who are responsible for IT systems security in

30
00:03:05,780 --> 00:03:13,920
your companies, that risk assessment and valuation is one of the elements of a successful security policy.

31
00:03:13,930 --> 00:03:16,090
We need to balance profit and loss.

32
00:03:19,300 --> 00:03:24,660
What you can see in the slide is a graphic representation of a common problem.

33
00:03:24,730 --> 00:03:30,250
The red line represents potential profits the attackers gain from breaking into computer systems.

34
00:03:31,780 --> 00:03:35,700
The green line represents the amount of money spent on the protection of these systems.
35
00:03:37,620 --> 00:03:43,700
99 percent of company computer systems fall into the lowest cost range, which is the closest to the profit

36
00:03:43,700 --> 00:03:47,070
axis. Within this cost range

37
00:03:47,220 --> 00:03:52,560
you can afford only the most basic security solutions.

38
00:03:52,570 --> 00:03:59,930
These would include operating system updates, a real-time antivirus scanner, a network connection firewall,

39
00:04:00,620 --> 00:04:03,930
as well as a firewall for the network protection as such,

40
00:04:04,010 --> 00:04:07,070
probably a software-based one.

41
00:04:07,100 --> 00:04:14,410
The cost of implementing such solutions is relative, and so is the cost of defeating them. At the end

42
00:04:14,410 --> 00:04:15,760
of the range

43
00:04:15,820 --> 00:04:22,050
there is a point of departure: we aim at a situation where the curve which represents the cost of the

44
00:04:22,050 --> 00:04:28,230
security system increases slower than the one which represents the profit from breaking it.

45
00:04:28,260 --> 00:04:33,210
If we reach the point where we have to spend less on the security system than the potential profit from

46
00:04:33,210 --> 00:04:37,090
breaking it, the problem of cybercrime will cease to exist.

47
00:04:38,640 --> 00:04:41,200
Unfortunately, this is impossible to achieve.

48
00:04:43,370 --> 00:04:50,420
Just as in the real world, the spending on security devices, police, private protection services, etc. will

49
00:04:50,420 --> 00:04:53,870
always be greater than the costs of carrying out a burglary.

50
00:04:53,930 --> 00:05:01,290
Our homes are relatively safe not only because it isn't profitable to break into most of them, but also

51
00:05:01,290 --> 00:05:05,310
because burglars view the potential punishment as part of the cost component.

52
00:05:06,800 --> 00:05:11,020
When it comes to cyber crimes, the cost of punishment is still relatively low.
53
00:05:13,220 --> 00:05:18,530
Until this changes, our goal is to deliver the highest level of security for the lowest cost possible.

54
00:05:22,920 --> 00:05:26,210
Before moving on to discuss one of the risk assessment models,

55
00:05:26,640 --> 00:05:35,210
let's consider one more example. A bulletproof vest is an example of direct protection. Because of the

56
00:05:35,210 --> 00:05:36,850
specific quality of the vest,

57
00:05:36,860 --> 00:05:43,930
we can believe that it will protect us from the torso wounds that would otherwise be fatal.

58
00:05:43,930 --> 00:05:47,650
This is definitely a considerable profit.

59
00:05:47,720 --> 00:05:52,050
Nevertheless, few people wear a bulletproof vest on a daily basis.

60
00:05:54,220 --> 00:06:00,100
In the case of an attack the profit is great, and so are the costs of the protection.

61
00:06:00,250 --> 00:06:05,470
The vest is heavy, uncomfortable and unbecoming.

62
00:06:05,640 --> 00:06:12,080
The risk of getting shot is relatively low; therefore it's not efficient to invest in such protection,

63
00:06:12,080 --> 00:06:17,270
because its costs, both direct and indirect, are high and its profits are low.
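The cost simulation from the first part of the lecture (salary divided by working days, multiplied by the time consumed, then scaled by 500 computers times 5 percent per month), written out as a small model. This is an added example, not material from the course; it assumes an 8-hour working day and that "the sum of the time consumed" means the user's two lost hours plus the IT specialist's two hours, neither of which the lecture states explicitly. It also goes one step beyond the lecture: `break_even_effectiveness` asks what fraction of infections a control must prevent for a one-off investment to repay itself within a given number of months, which is the sensitivity question a budget holder will ask once the optimistic assumptions are challenged.

```python
"""Direct-cost model for virus cleanup, following the lecture's scenario.

Added example, not the course's own material. Assumptions not stated in
the lecture: an 8-hour working day, and that the time consumed per
infection is the user's lost hours plus the IT specialist's hours.
"""
from dataclasses import dataclass

HOURS_PER_DAY = 8  # assumption: not given in the lecture


@dataclass(frozen=True)
class Scenario:
    """Inputs from the lecture; all values are the lecture's constructed ones."""
    avg_salary: float = 60_000.0   # average yearly salary
    working_days: int = 260        # working days per year
    user_hours: float = 2.0        # work lost by the infected computer's user
    it_hours: float = 2.0          # IT specialist's cleanup time
    computers: int = 500           # computers owned by the company
    infection_rate: float = 0.05   # fraction infected per month (5 percent)


def hourly_rate(s: Scenario) -> float:
    """Salary divided by working days, then by hours per day."""
    return s.avg_salary / s.working_days / HOURS_PER_DAY


def cost_per_infection(s: Scenario) -> float:
    """Cost of removing a virus from one computer: user time plus IT time."""
    return hourly_rate(s) * (s.user_hours + s.it_hours)


def infections_per_month(s: Scenario) -> float:
    """500 computers times 5 percent, as in the lecture."""
    return s.computers * s.infection_rate


def monthly_cost(s: Scenario) -> float:
    """Monthly IT service cost that covers virus cleaning only."""
    return cost_per_infection(s) * infections_per_month(s)


def yearly_cost(s: Scenario) -> float:
    return monthly_cost(s) * 12


def payback_months(s: Scenario, investment: float, effectiveness: float = 1.0) -> float:
    """Months until a one-off investment is repaid by avoided cleanup cost.

    effectiveness is the fraction of infections the control prevents
    (assumption: the lecture implicitly treats it as 1.0).
    """
    avoided_per_month = monthly_cost(s) * effectiveness
    if avoided_per_month <= 0:
        return float("inf")
    return investment / avoided_per_month


def break_even_effectiveness(s: Scenario, investment: float, months: int = 12) -> float:
    """Fraction of infections a control must prevent to repay `investment`
    within `months`. Values above 1.0 mean it cannot pay back in time."""
    return investment / (monthly_cost(s) * months)


if __name__ == "__main__":
    s = Scenario()
    print(f"hourly rate:            ${hourly_rate(s):8.2f}")
    print(f"cost per infection:     ${cost_per_infection(s):8.2f}")
    print(f"infections per month:    {infections_per_month(s):8.1f}")
    print(f"monthly cleanup cost:   ${monthly_cost(s):8.2f}")
    print(f"yearly cleanup cost:    ${yearly_cost(s):8.2f}")
    print(f"payback of $10,000:      {payback_months(s, 10_000):8.2f} months")
    print(f"break-even effectiveness (12 months): "
          f"{break_even_effectiveness(s, 10_000):.0%}")
```

Running it with the lecture's numbers shows why the pitch works: even under the lecture's deliberately optimistic inputs, the direct cleanup cost alone exceeds the proposed $10,000 per year, and the control does not need to stop every infection to repay itself within the year. The same functions accept a less optimistic `Scenario` (more hours per cleanup, a higher infection rate) so the argument can be re-run with the figures a particular organization actually measures.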