Risk Management on the Internet

A critical tool for businesses today.
• Communication:
– Clients
– Suppliers
– Partners
– Personnel
Factors that increase the threat
• Broadband Technology
– ADSL, DSL, ISDN, Cable-Modem, etc.
• Economic Globalization
– A new era of interaction between nations,
economies and people.
• Increase in technology complexity.
• The number of bugs in a system is directly
proportional to its complexity.
What are the risks on the Internet?

Key Cases & Events

Consequences of poor security

• Financial Loss
• Theft
– Intellectual Property
– Credit Card/Personal Information
• Viruses
• Loss of Trust
• E-Graffiti
• Denial of Service
Consequences of poor security
• "I Love You" virus – caused financial losses in
excess of $10 billion, estimates Computer
• It is estimated that the attacks on Yahoo!, eBay, CNN, & caused
$1.2 billion in lost revenue. (Source: The Yankee Group)
• Thefts of credit card information have included
CD Universe (300,000), VISA USA (485,000)
and, more recently, a hacker accessed 5.6
million credit cards at a company that
processes transactions on behalf of merchants.
Abuse & Losses in Industry,
Government and Education...
• 90% detected intruders
in their systems.
• 70% reported serious
flaws in security:
– Theft of intellectual
and digital property.
– Financial fraud.
– Faulty service and
sabotage.
[Bar chart: Intrusions / Flaws, percent of respondents; 223 respondents]
Source: SF CSI
Abuse & Losses in Industry,
Government and Education...
• 80% acknowledged
financial losses due to
computer breaches.
• 44% were willing
and/or able to quantify
their financial losses.
• Losses totaled
$455,848,000
[Bar chart: Losses / Quantify, percent of respondents; 223 respondents]
Source: SF CSI
Hackers, Crackers, Script Kiddies
and Thieves
How money was lost
2002 CSI/FBI Computer Crime
and Security Survey
Note: Average losses per occurrence.
[Bar chart: values shown $6.5 M+, $4.6 M+, $541,000, $300,000;
categories: Theft of proprietary information, Financial fraud,
Sabotage of data networks, Unauthorized insider access,
System penetration by an]
How security has been handled
until now
The traditional security model
• Prevention
• Increased revenues
• Confidentiality “Trust”

“Implementing robust security will
increase earnings and establish
confidentiality between your clients,
suppliers and partners”
Avoiding the threat is not sufficient
• Every security product has failed
• 98% of all respondents acknowledged having
anti-virus software; nevertheless 90% reported
cases of virus infection.
• 91% of all respondents have firewalls in
place; nevertheless 40% reported system
penetration, which has increased for the fourth
consecutive year.
-- Computer Security Institute / FBI, 2002
Lack of Security

• Consequences of…
– Loss of confidence in the market
– Fall in the share price
– Hiring additional personnel
– Difficulty when raising capital
Too Much Security

• Consequences of…
– Loss of revenue
– Creates obstacles for the clients
– Loss of image in the market
The perfect Balance

• Providing the right balance: good security
measures that allow the right person to
access the right data at the right time.
A new security perspective
Manage the Risk

• Quantify the risk

– Evaluate probabilities
– Consequences of a disastrous
Manage the Risk…
• Take corrective measures
– Reduce the risk
• Diminish probabilities, consequences or both.
– Transfer the risk
• Acquire insurance policies to indemnify your
organization and third parties.
Manage the Risk…
• Effective use of security products to reduce
the risk.
• Why effective?
– These tools should be implemented when the
savings from the reduction of the risk justify
the investment in the product.
Manage the Risk…
Example (figure labels: Safe, Diamond, $50,000):
1. Safe $500,000
2. Safe $25,000 + Insurance Policy $16,000
3. Safe $5,000 + Insurance Policy $5,000 (requires a
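As an added illustration, not part of the original slides, this Python model applies the "savings must justify the investment" rule to the three safe-and-insurance options above. The safe prices, premiums and the $50,000 asset value come from the slide; the annual theft probabilities, the five-year amortization period and the baseline of accepting the risk are constructed assumptions.

```python
from dataclasses import dataclass

ASSET_VALUE = 50_000  # the diamond in the slide's figure


@dataclass(frozen=True)
class Option:
    name: str
    safe_cost: float       # one-time purchase price of the safe (from the slide)
    p_theft: float         # annual probability of theft with this safe (constructed)
    premium: float = 0.0   # annual insurance premium (from the slide)
    coverage: float = 0.0  # payout on a loss (constructed: full asset value when insured)


def expected_annual_loss(p_theft: float, coverage: float = 0.0) -> float:
    """Probability x retained impact: only the part of the loss not transferred to the insurer."""
    retained = max(ASSET_VALUE - coverage, 0.0)
    return p_theft * retained


def total_annual_cost(opt: Option, years: int) -> float:
    """Safe amortized over `years`, plus premium, plus residual expected loss."""
    return opt.safe_cost / years + opt.premium + expected_annual_loss(opt.p_theft, opt.coverage)


def is_justified(opt: Option, baseline: Option, years: int) -> bool:
    """The slide's rule: implement the control only when the risk reduction it buys
    (baseline expected loss minus residual loss) covers its annualized cost."""
    savings = expected_annual_loss(baseline.p_theft) - expected_annual_loss(opt.p_theft, opt.coverage)
    return savings >= opt.safe_cost / years + opt.premium


def rank_options(options, years: int):
    """Cheapest total annual cost first: the 'perfect balance' between too little and too much."""
    return sorted(options, key=lambda o: total_annual_cost(o, years))


# Constructed baseline (accept the risk) and the three options from the slide.
ACCEPT = Option("No safe, no policy (accept the risk)", 0, 0.30)
OPTIONS = [
    Option("Safe $500,000", 500_000, 0.001),
    Option("Safe $25,000 + policy $16,000", 25_000, 0.02, 16_000, ASSET_VALUE),
    Option("Safe $5,000 + policy $5,000", 5_000, 0.10, 5_000, ASSET_VALUE),
]

if __name__ == "__main__":
    for opt in rank_options(OPTIONS + [ACCEPT], years=5):
        cost = total_annual_cost(opt, 5)
        print(f"{opt.name:40} ${cost:>10,.0f}/yr  justified={is_justified(opt, ACCEPT, 5)}")
```

With these assumptions the $500,000 safe costs far more per year than the asset is worth, while the $5,000 safe with a $5,000 policy beats even accepting the risk; changing the constructed probabilities shows how sensitive the ranking is to the estimate.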
Issues to consider when establishing a
global security strategy

• Accept part of the risk.

• Reduce part of the risk using security
products and procedures.
• Transfer part of the risk.
• Recruit adequate personnel based on
• Integration.
• Information security should NOT be
considered merely a technical
• Information security should be a
dynamic process that requires
constant supervision, not only by
technical personnel but by
personnel in general.

Risk Management
on the Internet
• For additional information:
José Vicente Ortega