SlideShare une entreprise Scribd logo

Social Media Risk Metrics

Iftach Ian Amit
Iftach Ian Amit

Risk metric frameworks cover most of the elements that organizations deal with from an operational perspective. We have identified a gap in those, in which social media activities are not represented well (albeit being the highest growing attack vector). In this talk we’ll present a social media risk metric framework that allows organizations to measure and track both individuals as well as 3rd party entities risk to the organization.

Technologie
1  sur  47
Télécharger pour lire hors ligne
The Newest Element of Risk Metrics: Social Media Ian Amit @iiamit
Spot the problem
Basic Motivation - hottest/easiest vector! • “… in previous years, we saw phishing messages come and go and reported that the overall effectiveness of phishing campaigns was between 10 and 20%. This year, we noted that some of these stats went higher, with 23% of recipients now opening phishing messages and 11% clicking on attachments. Some stats were lower, though, with a slight decline in users actually going to phishing sites and giving up passwords.” • “For two years, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing.” • 2015 DBIR
Why do I want this? (1)
Why do I want this? (1)
Why do I want this? (2)
Why do I want this? (3) • Are you engaged in a “controversial” practice? Financial Services DIB Healthcare Pharma Agribusiness LEA Energy
Coming up with a solution…
Let’s create a framework!
The solution should provide:
How feasible is it? Sentiment Analysis and German Elections “Twitter can be seen as a valid real- time indicator of political sentiment.”
http://www.aaai.org/ocs/index.php/ICWSM/ICWSM10/paper/viewFile/1441/1852
Goal, Question, Metric Victor Basili Goals establish what we want to accomplish. Questions help us understand how to meet the goal. They address context. Metrics identify the measurements that are needed to answer the questions. Goal 1 Goal 2 Q1 Q2 Q3 Q4 Q5 M1 M2 M3 M4 M5 M6 M7
GQM Example: Patch Management Patching Scorecard Goal 1: Comprehensive Goal 2: Timely Goal 3: Cost Efficient
Goal 1: Comprehensive %Coverage by Asset category %Coverage by Risk Unix Windows Server Desktop OS Compo Likelihood Impact By Asset Category By Location (DMZ, Se By Business Unit By Asset Category By Location (DMZ, Semi-
Goal 2: Timely What should our Priorities be for timeliness? What is Policy for timeliness? What other Considerations for Timeliness? What is time to patc What is time to pat What % are Late by What are our Repeat Offende likelih Impac
corecard Goal 2: Timely Goal 3: Cost Efficient Cost Risk Reduction Hour per Asset spent Patching By Asset Category By Location (DMZ, Semi-Pub, Internal) By Cost Per Hour Hour per Asset, by ALE per Hour Hour per asset category
GQM for SMRM • Goal: Provide a social media risk scorecard for a person/ organization. • Questions: How would one’s OA affect the likelihood of a threat? How would one’s OA affects the impact of a threat, and the areas of impact? How does unsanctioned presence of someone affect said threats? • Metrics: Provide a qualitative* approach to measuring the overall risk, as well as specific aspects of the social media presence. *And when we say qualitative we lie a little bit…
More Goals! • Provide a measurable way to quantify risk associated with online activity of the organization and it's employees. • Provide another measure for quantifying risk of working with 3rd parties and contractors. • Create a score for executives to measure their social media exposure (from an exec protection perspective, insider trading, etc...) • Create a score for measuring and comparing intra and extra industry social media risk ratings • Be able to quantify the effect of changing controls, processes and policies on the risk associated with social media.
Enter, SMRM!
Is the individual risky?
Is the individual risky?
Is the individual risky?
Is the individual risky?
Scorecard Development • Started with the basics, comparative measurements… • Qualitative approach dictates trying to leave quantitative elements out (which we kind’a try to). So the compromise was to provide a fairly detailed breakdown of elements, and instead of measuring them on a scale, only indicate presence (1 or 0). • Aggregation didn't work (per-se), Averaging would not take into account the full magnitude of the largest elements, MAX() would not factor in contribution from smaller ones. We have to provide more accurate weights…
Scoring Approach • Ended up with providing a weighting system for the major elements and their importance to the organization (context?!). • Given X points to distribute between Y elements. Weight = Y’/X where Y’ is the number of points given to each element. • Sum(Y’…Y’’)=1 • Apply weighting to the scorecard to get weighted risk score. (where weights are appropriate for the organization’s operational context).
Scorecard Status Likelihood Manifestation Impact # online threats
Personal Scorecard Status Likelihood Manifestation Impact # online threats Likelihood Manifestation Impact # online threats Corporate Malicious Content Negative Sentiment Information Leaks
What Data do I Need? Size # of monitored assets Geography Chatter Impersonations Sentiment
How can you do it?
Step 1 None at all None but public information Volitional Enforced
Step 2
Step 3
Step 4 Collect <ALL> the data E T L
Scraping Twitter Scraping: http://knightlab.northwestern.edu/2014/03/15/a-beginners-guide-to-collecting-twitter-data-and-a- bit-of-web-scraping/ <link rel="alternate" type="application/json+oembed" href="https:// api.twitter.com/1/statuses/oembed.json?id=623493258958606336" title="Guy Fieri, CISO on Twitter: &quot;Which is more dangerous @nudehaberdasher, @0xcharlie, @a_greenberg stunt in the wild, or Nationalist Attribution Rhetoric from @taosecurity?&quot;">
Step 5 Store the data MARCUS SAYS 
 BIG DATA
Step 6 Analysis
Example of Using SA for Subjective Rating Warning - subjectivity ahead!
Step 6b Big data magic
Step 7 Scorecard
DEMO
Where can you get it? • The Society of Information Risk Analysts • http://www.societyinforisk.org • As well as on the SMRM site: • http://risk-metrics.com/
Take-away 1. Check what is your current social media security policy (if you have one). 2. Do you have a current risk model that incorporates social media as part of it (attack surface / information leak / intelligence) 3. Measure your current social media risk posture for key individuals in your organization. • And then in 2-3 months - measure again to see whether any changes you have implemented in light of the initial measurement had the right impact.
Thank you! Questions? @iiamit
References Sentiment analysis and german elections: http://www.aaai.org/ocs/index.php/ICWSM/ICWSM10/paper/viewFile/ 1441/1852 Analyze tone of text: https://tone-analyzer-demo.mybluemix.net/ Analyze personality based on text: https://watson-pi-demo.mybluemix.net/ Sentiment analysis (list from http://breakthroughanalysis.com/2012/01/08/what-are-the-most-powerful-open-source- sentiment-analysis-tools/) Python NLTK (Natural Language Toolkit), http://www.nltk.org/, but see also http://text-processing.com/demo/ sentiment/ R, TM (text mining) module, http://cran.r-project.org/web/packages/tm/index.html, including tm.plugin.sentiment. RapidMiner, http://rapid-i.com/content/view/184/196/. GATE, te General Architecture for Text Engineering, http://gate.ac.uk/sentiment/. Apache UIMA is the Unstructured Information Management Architecture, http://uima.apache.org/ — also sentiment classifiers for the WEKA data-mining workbench, http://www.cs.waikato.ac.nz/ml/weka/. See http://www.unal.edu.co/ diracad/einternacional/Weka.pdf for one example. Stanford NLP tools, http://www-nlp.stanford.edu/software/ LingPipe, (pseudo-open source). See http://alias-i.com/lingpipe/demos/tutorial/sentiment/read-me.html.

Recommandé

From your Pocket to your Heart and Back
From your Pocket to your Heart and BackFrom your Pocket to your Heart and Back
From your Pocket to your Heart and Back
Iftach Ian Amit
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
EC-Council
 
Risk Analysis Webinar
Risk Analysis WebinarRisk Analysis Webinar
Risk Analysis Webinar
Jody Keyser
 
Information Security Risk Quantification
Information Security Risk QuantificationInformation Security Risk Quantification
Information Security Risk Quantification
Joel Baese
 
Introduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskIntroduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information Risk
Osama Salah
 
Risk Analysis for Dummies
Risk Analysis for DummiesRisk Analysis for Dummies
Risk Analysis for Dummies
William L. McGill
 
#2 Human Factor and System_Dessy Aliandrina
#2 Human Factor and System_Dessy Aliandrina#2 Human Factor and System_Dessy Aliandrina
#2 Human Factor and System_Dessy Aliandrina
Sociopreneur Indonesia
 
Introduction to Open FAIR
Introduction to Open FAIRIntroduction to Open FAIR
Introduction to Open FAIR
"Apolonio \"Apps\"" Garcia
 

Recommandé

From your Pocket to your Heart and Back
From your Pocket to your Heart and BackFrom your Pocket to your Heart and Back
From your Pocket to your Heart and Back
Iftach Ian Amit
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
EC-Council
 
Risk Analysis Webinar
Risk Analysis WebinarRisk Analysis Webinar
Risk Analysis Webinar
Jody Keyser
 
Information Security Risk Quantification
Information Security Risk QuantificationInformation Security Risk Quantification
Information Security Risk Quantification
Joel Baese
 
Introduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskIntroduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information Risk
Osama Salah
 
Risk Analysis for Dummies
Risk Analysis for DummiesRisk Analysis for Dummies
Risk Analysis for Dummies
William L. McGill
 
#2 Human Factor and System_Dessy Aliandrina
#2 Human Factor and System_Dessy Aliandrina#2 Human Factor and System_Dessy Aliandrina
#2 Human Factor and System_Dessy Aliandrina
Sociopreneur Indonesia
 
Introduction to Open FAIR
Introduction to Open FAIRIntroduction to Open FAIR
Introduction to Open FAIR
"Apolonio \"Apps\"" Garcia
 
An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info Security
Ed Bellis
 
Economically driven Cyber Risk Management
Economically driven Cyber Risk ManagementEconomically driven Cyber Risk Management
Economically driven Cyber Risk Management
Osama Salah
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholders
Marc Vael
 
Crash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative AnalysisCrash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative Analysis
"Apolonio \"Apps\"" Garcia
 
Ethical Dilemmas in AI/ML-based systems
Ethical Dilemmas in AI/ML-based systemsEthical Dilemmas in AI/ML-based systems
Ethical Dilemmas in AI/ML-based systems
Dr. Kim (Kyllesbech Larsen)
 
AI for Finance
AI for FinanceAI for Finance
AI for Finance
Dr. Kim (Kyllesbech Larsen)
 
How do we Humans feel about AI?
How do we Humans feel about AI?How do we Humans feel about AI?
How do we Humans feel about AI?
Dr. Kim (Kyllesbech Larsen)
 
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Lars Trieloff
 
Business Reasons for Predictive Applications
Business Reasons for Predictive ApplicationsBusiness Reasons for Predictive Applications
Business Reasons for Predictive Applications
Lars Trieloff
 
Smart life 3.0
Smart life 3.0Smart life 3.0
Smart life 3.0
Dr. Kim (Kyllesbech Larsen)
 
Stay Safe and Healthy with Computer Vision
Stay Safe and Healthy with Computer VisionStay Safe and Healthy with Computer Vision
Stay Safe and Healthy with Computer Vision
NUS-ISS
 
Unravel COVID-19 From a Systems Thinking Lens
Unravel COVID-19 From a Systems Thinking LensUnravel COVID-19 From a Systems Thinking Lens
Unravel COVID-19 From a Systems Thinking Lens
NUS-ISS
 
Justifying IT Security: Managing Risk
Justifying IT Security: Managing Risk Justifying IT Security: Managing Risk
Justifying IT Security: Managing Risk
judythornell
 
How can algorithms be biased?
How can algorithms be biased?How can algorithms be biased?
How can algorithms be biased?
Software Guru
 
Building a Social Media Analysis & Response Team (SMART) for Healthcare
Building a Social Media Analysis & Response Team (SMART) for HealthcareBuilding a Social Media Analysis & Response Team (SMART) for Healthcare
Building a Social Media Analysis & Response Team (SMART) for Healthcare
Christopher Tarantino, MEP CMCP CHEC-III
 
Ivanti - Continuous Vulnerability Management
Ivanti - Continuous Vulnerability ManagementIvanti - Continuous Vulnerability Management
Ivanti - Continuous Vulnerability Management
Ivanti
 
Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies
David Strom
 
2011 shrm poll_2011_september_11_ten_years_later_final
2011 shrm poll_2011_september_11_ten_years_later_final2011 shrm poll_2011_september_11_ten_years_later_final
2011 shrm poll_2011_september_11_ten_years_later_final
shrm
 
Agile metrics
Agile metricsAgile metrics
Agile metrics
Ankit Tandon
 
TRENDSETTING
TRENDSETTINGTRENDSETTING
TRENDSETTING
Brieffin Consulting
 
Media Kit 2016 / 2017 Creativelena.com
Media Kit 2016 / 2017 Creativelena.comMedia Kit 2016 / 2017 Creativelena.com
Media Kit 2016 / 2017 Creativelena.com
Kreativ Reisen Österreich / Creativelena.com
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
Christian Folini
 

Contenu connexe

Tendances

Justifying IT Security: Managing Risk
Justifying IT Security: Managing Risk Justifying IT Security: Managing Risk
Justifying IT Security: Managing Risk
judythornell
 
Building a Social Media Analysis & Response Team (SMART) for Healthcare
Building a Social Media Analysis & Response Team (SMART) for HealthcareBuilding a Social Media Analysis & Response Team (SMART) for Healthcare
Building a Social Media Analysis & Response Team (SMART) for Healthcare
Christopher Tarantino, MEP CMCP CHEC-III
 
2011 shrm poll_2011_september_11_ten_years_later_final
2011 shrm poll_2011_september_11_ten_years_later_final2011 shrm poll_2011_september_11_ten_years_later_final
2011 shrm poll_2011_september_11_ten_years_later_final
shrm
 

Tendances (18)

An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info Security
 
Economically driven Cyber Risk Management
Economically driven Cyber Risk ManagementEconomically driven Cyber Risk Management
Economically driven Cyber Risk Management
 
ISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholdersISACA Reporting relevant IT risks to stakeholders
ISACA Reporting relevant IT risks to stakeholders
 
Crash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative AnalysisCrash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative Analysis
 
Ethical Dilemmas in AI/ML-based systems
Ethical Dilemmas in AI/ML-based systemsEthical Dilemmas in AI/ML-based systems
Ethical Dilemmas in AI/ML-based systems
 
AI for Finance
AI for FinanceAI for Finance
AI for Finance
 
How do we Humans feel about AI?
How do we Humans feel about AI?How do we Humans feel about AI?
How do we Humans feel about AI?
 
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
Data Natives 2015: Predictive Applications are Going to Steal Your Job: this ...
 
Business Reasons for Predictive Applications
Business Reasons for Predictive ApplicationsBusiness Reasons for Predictive Applications
Business Reasons for Predictive Applications
 
Smart life 3.0
Smart life 3.0Smart life 3.0
Smart life 3.0
 
Stay Safe and Healthy with Computer Vision
Stay Safe and Healthy with Computer VisionStay Safe and Healthy with Computer Vision
Stay Safe and Healthy with Computer Vision
 
Unravel COVID-19 From a Systems Thinking Lens
Unravel COVID-19 From a Systems Thinking LensUnravel COVID-19 From a Systems Thinking Lens
Unravel COVID-19 From a Systems Thinking Lens
 
Justifying IT Security: Managing Risk
Justifying IT Security: Managing Risk Justifying IT Security: Managing Risk
Justifying IT Security: Managing Risk
 
How can algorithms be biased?
How can algorithms be biased?How can algorithms be biased?
How can algorithms be biased?
 
Building a Social Media Analysis & Response Team (SMART) for Healthcare
Building a Social Media Analysis & Response Team (SMART) for HealthcareBuilding a Social Media Analysis & Response Team (SMART) for Healthcare
Building a Social Media Analysis & Response Team (SMART) for Healthcare
 
Ivanti - Continuous Vulnerability Management
Ivanti - Continuous Vulnerability ManagementIvanti - Continuous Vulnerability Management
Ivanti - Continuous Vulnerability Management
 
Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies Marcus Ranum on Bad Idea Zombies
Marcus Ranum on Bad Idea Zombies
 
2011 shrm poll_2011_september_11_ten_years_later_final
2011 shrm poll_2011_september_11_ten_years_later_final2011 shrm poll_2011_september_11_ten_years_later_final
2011 shrm poll_2011_september_11_ten_years_later_final
 

En vedette

OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
Christian Folini
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty
 
Goal Setting PowerPoint
Goal Setting PowerPointGoal Setting PowerPoint
Goal Setting PowerPoint
emurfield
 

En vedette (20)

Agile metrics
Agile metricsAgile metrics
Agile metrics
 
TRENDSETTING
TRENDSETTINGTRENDSETTING
TRENDSETTING
 
Media Kit 2016 / 2017 Creativelena.com
Media Kit 2016 / 2017 Creativelena.comMedia Kit 2016 / 2017 Creativelena.com
Media Kit 2016 / 2017 Creativelena.com
 
OWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia ModeOWASP ModSecurity Core Rules Paranoia Mode
OWASP ModSecurity Core Rules Paranoia Mode
 
Building A Social Media Presence for Centers and Educational Developers
Building A Social Media Presence for Centers and Educational DevelopersBuilding A Social Media Presence for Centers and Educational Developers
Building A Social Media Presence for Centers and Educational Developers
 
German embassy vossen -Social Media Plan
German embassy vossen -Social Media PlanGerman embassy vossen -Social Media Plan
German embassy vossen -Social Media Plan
 
Breaking Bad CSP
Breaking Bad CSPBreaking Bad CSP
Breaking Bad CSP
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Individual and team goals
Individual and team goalsIndividual and team goals
Individual and team goals
 
Importance of goal
Importance of goalImportance of goal
Importance of goal
 
Setting SMART Goals
Setting SMART GoalsSetting SMART Goals
Setting SMART Goals
 
How a Smart Leader Sets SMART Goals
How a Smart Leader Sets SMART GoalsHow a Smart Leader Sets SMART Goals
How a Smart Leader Sets SMART Goals
 
Goal Setting PowerPoint
Goal Setting PowerPointGoal Setting PowerPoint
Goal Setting PowerPoint
 
2016 Digital Yearbook
2016 Digital Yearbook2016 Digital Yearbook
2016 Digital Yearbook
 
Goal setting ppt
Goal setting pptGoal setting ppt
Goal setting ppt
 
Goal Setting PowerPoint PPT Content Modern Sample
Goal Setting PowerPoint PPT Content Modern SampleGoal Setting PowerPoint PPT Content Modern Sample
Goal Setting PowerPoint PPT Content Modern Sample
 
How to Use Social Media to Influence the World
How to Use Social Media to Influence the WorldHow to Use Social Media to Influence the World
How to Use Social Media to Influence the World
 
2017 Digital Yearbook
2017 Digital Yearbook2017 Digital Yearbook
2017 Digital Yearbook
 
Leader's Guide to Motivate People at Work
Leader's Guide to Motivate People at WorkLeader's Guide to Motivate People at Work
Leader's Guide to Motivate People at Work
 
Digital in 2016
Digital in 2016Digital in 2016
Digital in 2016
 

Similaire à Social Media Risk Metrics

Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
sdavis532
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
Resilient Systems
 
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copyBest_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Stephanie McVitty
 
Running Head VULNERABILITY ASSESSMENT SUMMARY REPORT 1VULNER
Running Head VULNERABILITY ASSESSMENT SUMMARY REPORT 1VULNERRunning Head VULNERABILITY ASSESSMENT SUMMARY REPORT 1VULNER
Running Head VULNERABILITY ASSESSMENT SUMMARY REPORT 1VULNER
MalikPinckney86
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
PECB
 
Journal+Feature-InsiderThreat
Journal+Feature-InsiderThreatJournal+Feature-InsiderThreat
Journal+Feature-InsiderThreat
Anthony Buenger
 

Similaire à Social Media Risk Metrics (20)

Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
Effective Cybersecurity Communication Skills
Effective Cybersecurity Communication SkillsEffective Cybersecurity Communication Skills
Effective Cybersecurity Communication Skills
 
MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - January
 
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
Effective Training and Policy Takes the Fear out of Social Networking - Shawn...
 
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique SingerLet's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
Let's TOC: Navigate the Cybersecurity Conversation with Dominique Singer
 
disinformation risk management: leveraging cyber security best practices to s...
disinformation risk management: leveraging cyber security best practices to s...disinformation risk management: leveraging cyber security best practices to s...
disinformation risk management: leveraging cyber security best practices to s...
 
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
 
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
 
Insider threats
Insider threatsInsider threats
Insider threats
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
 
Data Driven Risk Management
Data Driven Risk ManagementData Driven Risk Management
Data Driven Risk Management
 
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copyBest_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
Best_of_Breed_3-24-2015_How_to_Achieve_ABAC_Today copy
 
Running Head VULNERABILITY ASSESSMENT SUMMARY REPORT 1VULNER
Running Head VULNERABILITY ASSESSMENT SUMMARY REPORT 1VULNERRunning Head VULNERABILITY ASSESSMENT SUMMARY REPORT 1VULNER
Running Head VULNERABILITY ASSESSMENT SUMMARY REPORT 1VULNER
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small BusinessBe More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal CounselBug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
Bug Bounties, Ransomware, and Other Cyber Hype for Legal Counsel
 
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
MCCA Global TEC Forum - Bug Bounties, Ransomware, and Other Cyber Hype for Le...
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
 
Journal+Feature-InsiderThreat
Journal+Feature-InsiderThreatJournal+Feature-InsiderThreat
Journal+Feature-InsiderThreat
 

Plus de Iftach Ian Amit

"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?
Iftach Ian Amit
 
Seeing Red In Your Future?
Seeing Red In Your Future?Seeing Red In Your Future?
Seeing Red In Your Future?
Iftach Ian Amit
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2
Iftach Ian Amit
 
Cheating in Computer Games
Cheating in Computer GamesCheating in Computer Games
Cheating in Computer Games
Iftach Ian Amit
 
Telecommunication basics dc9723
Telecommunication basics dc9723Telecommunication basics dc9723
Telecommunication basics dc9723
Iftach Ian Amit
 
Stuxnet - the worm and you
Stuxnet - the worm and youStuxnet - the worm and you
Stuxnet - the worm and you
Iftach Ian Amit
 

Plus de Iftach Ian Amit (20)

Cyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLVCyber Risk Quantification - CyberTLV
Cyber Risk Quantification - CyberTLV
 
Devsecops at Cimpress
Devsecops at CimpressDevsecops at Cimpress
Devsecops at Cimpress
 
BSidesTLV Closing Keynote
BSidesTLV Closing KeynoteBSidesTLV Closing Keynote
BSidesTLV Closing Keynote
 
ISTS12 Keynote
ISTS12 KeynoteISTS12 Keynote
ISTS12 Keynote
 
Painting a Company Red and Blue
Painting a Company Red and BluePainting a Company Red and Blue
Painting a Company Red and Blue
 
"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?"Cyber" security - all good, no need to worry?
"Cyber" security - all good, no need to worry?
 
Armorizing applications
Armorizing applicationsArmorizing applications
Armorizing applications
 
Seeing Red In Your Future?
Seeing Red In Your Future?Seeing Red In Your Future?
Seeing Red In Your Future?
 
Hacking cyber-iamit
Hacking cyber-iamitHacking cyber-iamit
Hacking cyber-iamit
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2
 
Bitcoin
BitcoinBitcoin
Bitcoin
 
Sexy defense
Sexy defenseSexy defense
Sexy defense
 
Cyber state
Cyber stateCyber state
Cyber state
 
Advanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done itAdvanced Data Exfiltration - the way Q would have done it
Advanced Data Exfiltration - the way Q would have done it
 
Infecting Python Bytecode
Infecting Python BytecodeInfecting Python Bytecode
Infecting Python Bytecode
 
Exploiting Second life
Exploiting Second lifeExploiting Second life
Exploiting Second life
 
Dtmf phreaking
Dtmf phreakingDtmf phreaking
Dtmf phreaking
 
Cheating in Computer Games
Cheating in Computer GamesCheating in Computer Games
Cheating in Computer Games
 
Telecommunication basics dc9723
Telecommunication basics dc9723Telecommunication basics dc9723
Telecommunication basics dc9723
 
Stuxnet - the worm and you
Stuxnet - the worm and youStuxnet - the worm and you
Stuxnet - the worm and you
 

Dernier

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Dernier (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 

Social Media Risk Metrics

  • 1. The Newest Element of Risk Metrics: Social Media Ian Amit @iiamit
  • 3. Basic Motivation - hottest/easiest vector! • “… in previous years, we saw phishing messages come and go and reported that the overall effectiveness of phishing campaigns was between 10 and 20%. This year, we noted that some of these stats went higher, with 23% of recipients now opening phishing messages and 11% clicking on attachments. Some stats were lower, though, with a slight decline in users actually going to phishing sites and giving up passwords.” • “For two years, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing.” • 2015 DBIR
  • 4. Why do I want this? (1)
  • 5. Why do I want this? (1)
  • 6. Why do I want this? (2)
  • 7. Why do I want this? (3) • Are you engaged in a “controversial” practice? Financial Services DIB Healthcare Pharma Agribusiness LEA Energy
  • 8. Coming up with a solution…
  • 9. Let’s create a framework!
  • 11. How feasible is it? Sentiment Analysis and German Elections “Twitter can be seen as a valid real- time indicator of political sentiment.”
  • 13. Goal, Question, Metric Victor Basili Goals establish what we want to accomplish. Questions help us understand how to meet the goal. They address context. Metrics identify the measurements that are needed to answer the questions. Goal 1 Goal 2 Q1 Q2 Q3 Q4 Q5 M1 M2 M3 M4 M5 M6 M7
  • 14. GQM Example: Patch Management Patching Scorecard Goal 1: Comprehensive Goal 2: Timely Goal 3: Cost Efficient
  • 15. Goal 1: Comprehensive %Coverage by Asset category %Coverage by Risk Unix Windows Server Desktop OS Compo Likelihood Impact By Asset Category By Location (DMZ, Se By Business Unit By Asset Category By Location (DMZ, Semi-
  • 16. Goal 2: Timely What should our Priorities be for timeliness? What is Policy for timeliness? What other Considerations for Timeliness? What is time to patc What is time to pat What % are Late by What are our Repeat Offende likelih Impac
  • 17. corecard Goal 2: Timely Goal 3: Cost Efficient Cost Risk Reduction Hour per Asset spent Patching By Asset Category By Location (DMZ, Semi-Pub, Internal) By Cost Per Hour Hour per Asset, by ALE per Hour Hour per asset category
  • 18. GQM for SMRM • Goal: Provide a social media risk scorecard for a person/ organization. • Questions: How would one’s OA affect the likelihood of a threat? How would one’s OA affects the impact of a threat, and the areas of impact? How does unsanctioned presence of someone affect said threats? • Metrics: Provide a qualitative* approach to measuring the overall risk, as well as specific aspects of the social media presence. *And when we say qualitative we lie a little bit…
  • 19. More Goals! • Provide a measurable way to quantify risk associated with online activity of the organization and it's employees. • Provide another measure for quantifying risk of working with 3rd parties and contractors. • Create a score for executives to measure their social media exposure (from an exec protection perspective, insider trading, etc...) • Create a score for measuring and comparing intra and extra industry social media risk ratings • Be able to quantify the effect of changing controls, processes and policies on the risk associated with social media.
  • 25.
  • 26. Scorecard Development • Started with the basics, comparative measurements… • Qualitative approach dictates trying to leave quantitative elements out (which we kind’a try to). So the compromise was to provide a fairly detailed breakdown of elements, and instead of measuring them on a scale, only indicate presence (1 or 0). • Aggregation didn't work (per-se), Averaging would not take into account the full magnitude of the largest elements, MAX() would not factor in contribution from smaller ones. We have to provide more accurate weights…
  • 27. Scoring Approach • Ended up with providing a weighting system for the major elements and their importance to the organization (context?!). • Given X points to distribute between Y elements. Weight = Y’/X where Y’ is the number of points given to each element. • Sum(Y’…Y’’)=1 • Apply weighting to the scorecard to get weighted risk score. (where weights are appropriate for the organization’s operational context).
  • 29. Personal Scorecard Status Likelihood Manifestation Impact # online threats Likelihood Manifestation Impact # online threats Corporate Malicious Content Negative Sentiment Information Leaks
  • 30. What Data do I Need? Size # of monitored assets Geography Chatter Impersonations Sentiment
  • 31. How can you do it?
  • 32. Step 1 None at all None but public information Volitional Enforced
  • 35. Step 4 Collect <ALL> the data E T L
  • 36. Scraping Twitter Scraping: http://knightlab.northwestern.edu/2014/03/15/a-beginners-guide-to-collecting-twitter-data-and-a- bit-of-web-scraping/ <link rel="alternate" type="application/json+oembed" href="https:// api.twitter.com/1/statuses/oembed.json?id=623493258958606336" title="Guy Fieri, CISO on Twitter: &quot;Which is more dangerous @nudehaberdasher, @0xcharlie, @a_greenberg stunt in the wild, or Nationalist Attribution Rhetoric from @taosecurity?&quot;">
  • 37. Step 5 Store the data MARCUS SAYS 
 BIG DATA
  • 39. Example of Using SA for Subjective Rating Warning - subjectivity ahead!
  • 40.
  • 43. DEMO
  • 44. Where can you get it? • The Society of Information Risk Analysts • http://www.societyinforisk.org • As well as on the SMRM site: • http://risk-metrics.com/
  • 45. Take-away 1. Check what is your current social media security policy (if you have one). 2. Do you have a current risk model that incorporates social media as part of it (attack surface / information leak / intelligence) 3. Measure your current social media risk posture for key individuals in your organization. • And then in 2-3 months - measure again to see whether any changes you have implemented in light of the initial measurement had the right impact.
  • 47. References Sentiment analysis and german elections: http://www.aaai.org/ocs/index.php/ICWSM/ICWSM10/paper/viewFile/ 1441/1852 Analyze tone of text: https://tone-analyzer-demo.mybluemix.net/ Analyze personality based on text: https://watson-pi-demo.mybluemix.net/ Sentiment analysis (list from http://breakthroughanalysis.com/2012/01/08/what-are-the-most-powerful-open-source- sentiment-analysis-tools/) Python NLTK (Natural Language Toolkit), http://www.nltk.org/, but see also http://text-processing.com/demo/ sentiment/ R, TM (text mining) module, http://cran.r-project.org/web/packages/tm/index.html, including tm.plugin.sentiment. RapidMiner, http://rapid-i.com/content/view/184/196/. GATE, te General Architecture for Text Engineering, http://gate.ac.uk/sentiment/. Apache UIMA is the Unstructured Information Management Architecture, http://uima.apache.org/ — also sentiment classifiers for the WEKA data-mining workbench, http://www.cs.waikato.ac.nz/ml/weka/. See http://www.unal.edu.co/ diracad/einternacional/Weka.pdf for one example. Stanford NLP tools, http://www-nlp.stanford.edu/software/ LingPipe, (pseudo-open source). See http://alias-i.com/lingpipe/demos/tutorial/sentiment/read-me.html.