COST BENEFIT ANALYSIS OF IMPROVED PATCHING WINDOW USING FAIR
This 2016 FAIR Institute case study analyzes the costs and benefits of shortening an application patching window. It quantifies the loss exposure of the current patching process and of an improved process using the FAIR model, and shows how the result was used to settle a dispute between auditors and IT about the value of meeting the patching policy.
Presentation Transcript
Slide 1 - COST BENEFIT ANALYSIS OF IMPROVED PATCHING WINDOW USING FAIR
Case study shared courtesy of RiskLens
CONFIDENTIAL - FAIR INSTITUTE 2016
Slide 2 - ANALYSIS SCOPING
Risk scenario description: Lack of timely application patching introduces threats to the ERP system and restricted data (auditors uncovered that the actual patching window exceeded the patching policy).
Asset(s) description: ERP patching process
Loss type: Confidentiality
Threat(s) description: Advanced Persistent Threat (APT)
Slide 3 - ANALYSIS SCOPING
Assessing risk reduction through comparison of scenarios:
- Analyzed and quantified the risk for the ERP patching process in the current state
- Analyzed and quantified the risk for the ERP patching process if the patching window was reduced
Slide 4 - ANALYSIS RESULTS
RISK = Frequency x Magnitude of future loss. We express risk in terms of loss exposure.

Annualized Reduction in Loss Exposure (Risk)

Analysis                    Minimum   Average   Maximum   Change
Current State               $0        $85.0M    $1.4B     Average annualized risk reduction: $49.5M
Improved Patching Process   $0        $35.5M    $1.2B

Min / Max values represent the absolute minimum and maximum of the simulation results.
Slide 5 - ANALYSIS RESULTS
[Chart: ERP impact assumption, single loss event scenario (ML = Most Likely)]
Slide 6 - ERP AND SAP PATCHING
Average Annualized Loss Exposure: Reduction in Vulnerability*

Analysis                    Vulnerability   Change
Current State               80%             Reduce vulnerability by approx. 55%
Improved Patching Process   25%

Vulnerability does not incorporate the susceptibility of underlying infrastructure components.
*Vulnerability = what percentage of attacks would become loss events
Slide 7 - INTERPRETING RESULTS
Both scenarios:
- Threat event frequency for each is a calibrated estimate taking into account input from the Security Operations Center (SOC)
- Vulnerability is measured as it relates only to the patch not applied to the system within each time window
- Primary loss is based on data provided by the incident response team
- Secondary loss is derived from a lookup table built from data provided by the business units
- Secondary loss magnitude is modeled based on confidential data and IP data
- Frequency of fallout is assumed to be at or near 100% of events because of the nature of the data involved and of the profile of the threat community
Slide 8 - INTERPRETING RESULTS
Current state scenario:
- Resistance strength is measured here by looking at the backlog of patches outstanding
Future forecasted scenario:
- Resistance strength is measured here by assuming all missing patches in the backlog are resolved
Resistance strength range:
- Minimum represents patches that live longer in the time window
- M/L (most likely) expresses, at any given time during the 90-day patch window, how bad the missing patches are
- Max represents the least damaging patches, those that are more recent in the time window
Slide 9 - ANALYSIS LEVERAGED THE FAIR MODEL
[Diagram: the FAIR model decomposition]
Risk
  Loss Event Frequency
    Threat Event Frequency
      Contact Frequency
      Probability of Action
    Vulnerability
      Threat Capability
      Resistance Strength
  Loss Magnitude
    Primary Loss
    Secondary Loss
      Secondary Loss Event Frequency
      Secondary Loss Magnitude
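An added illustration (not from the RiskLens study or the FAIR Institute) of how a table like the one on slide 4 is produced from the model on slide 9: a Monte Carlo simulation in which Loss Event Frequency = Threat Event Frequency x Vulnerability and each simulated year's loss is the sum of its single-loss magnitudes. Only the 80% and 25% vulnerability figures are the study's; the TEF and loss-magnitude ranges, the triangular distributions and the Poisson event count are constructed assumptions, so the output does not reproduce the $85.0M / $35.5M results.

```python
"""FAIR-style Monte Carlo comparison of two patching scenarios (constructed example, not the study's model)."""
import math
import random
from dataclasses import dataclass

M = 1_000_000  # dollars

@dataclass
class Scenario:
    """Calibrated inputs: Threat Event Frequency (per year), Vulnerability, single Loss Magnitude ($)."""
    name: str
    tef: tuple            # (min, most likely, max) threat events per year
    vulnerability: float  # fraction of threat events that become loss events
    loss: tuple           # (min, most likely, max) magnitude of one loss event

def poisson(lam, rng):
    """Knuth's sampler: number of loss events in a year when lam are expected on average."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def annualized_loss_exposure(s, trials=20_000, seed=1):
    """Simulate `trials` years; return min / average / max annual loss, as in the slide-4 table."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        tef = rng.triangular(s.tef[0], s.tef[2], s.tef[1])  # assumption: triangular, not PERT
        events = poisson(tef * s.vulnerability, rng)        # LEF = TEF x Vulnerability
        yearly.append(sum(rng.triangular(s.loss[0], s.loss[2], s.loss[1]) for _ in range(events)))
    return {"min": min(yearly), "avg": sum(yearly) / trials, "max": max(yearly)}

def expected_ale(s):
    """Closed form the simulation should converge to: E[TEF] x Vulnerability x E[loss]."""
    return sum(s.tef) / 3 * s.vulnerability * sum(s.loss) / 3  # triangular mean = (min+ml+max)/3

# Constructed inputs; only the 80% / 25% vulnerability values come from the study.
CURRENT = Scenario("Current State (180-day window)", (2, 6, 12), 0.80, (0.5 * M, 5 * M, 40 * M))
IMPROVED = Scenario("Improved Patching (90-day window)", (2, 6, 12), 0.25, (0.5 * M, 5 * M, 40 * M))

def risk_reduction(current=CURRENT, improved=IMPROVED, trials=20_000):
    """Average annualized risk reduction = current average loss exposure minus improved."""
    cur, imp = annualized_loss_exposure(current, trials), annualized_loss_exposure(improved, trials)
    return {"current": cur, "improved": imp, "avg_reduction": cur["avg"] - imp["avg"]}
```

Because the simulated loss exposure scales linearly with vulnerability, the improved scenario's average lands near 25/80 of the current one; the minimum is $0 in both because some simulated years see no loss event at all.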
Slide 12 - ANALYSIS INPUT
Primary losses:
- Incident response
- Investigation
Secondary losses:
- Notification / credit monitoring
- Regulatory notification
- Possible fines / judgments
- Customer service requests
- Potential litigation
- Loss of current/future customers (reputation)
- Card replacement
Slide 13 - DECISION SUPPORT / ROI
The risk analysis supported:
- Forecasting the risk reduction that can be achieved by consistently patching within a 90-day window, down from 180 days
- A risk-based rationale for cleaning up the current backlog
- Using metrics to resolve a conflicting discussion between auditors and IT about the value of reducing the patch window and meeting the requirements of the patching policy
[Chart: Cost to Reduce Patch Window vs. Projected Risk Reduction]
The analysis demonstrated that risk quantification can be integrated into the customer's risk analysis process. While this new patching process will increase operational costs, the forecasted risk reduction is multiple times greater.