Page 1: Privacy Data Loss: An Operational Risk Approach
Michael Aiello
Polytechnic University
FE675 Operational Risk

Page 2: Private Information

- Customer records (paper or electronic)
- California Senate Bill 1386 requires institutions to notify their California customers if their (unencrypted) personal information is exposed to untrusted third parties.
  - Legal impact
  - Impact on reputation
- An event in which a customer's private information is exposed should be treated as a loss event and accounted for when calculating operational risk.

Page 3: Available Data

- ChoicePoint data set: may have an interest in keeping counts high.

Page 4: Available Data

- PrivacyRights.org: likely more objective about events.

Page 5: Impact

- 232 days of data
- 83 loss events (18 in the financial sector)
- An average of 83 / 232 = 0.36 loss events per day; treated as a Poisson rate this is about a 30% chance of at least one loss event on any given day (1 - e^(-0.36) = 0.30).

Incidents by industry:

  Consumer data       3
  Financial          18
  Government          4
  Medical services    8
  Other               5
  University         44

Page 6: Impact

- One incident involving 40M records and another affecting 4M are not counted in these statistics.
- 7M records compromised (4.3M in the financial sector)
- 18,803 records lost per day

Records exposed by industry (winsorized):

  Consumer data        163,903
  Financial          4,017,750
  Government           222,200
  Medical services     248,600
  Other                655,300
  University         1,725,292

Page 7: Impact by Incident

- "Hacking" dominates, both in the number of events and in the impact (records exposed) of those events.

Page 8: Impact by Incident (chart)

Page 9: Operational Risk Approach

- View a monthly snapshot of events and impact
- Understand the probability of X events occurring in a given month
- Understand the probability of Y customer records being lost in a given month
- Determine whether these two quantities are independent
- Focus on the financial sector

Page 10: Loss Events

[Chart: Loss events per month, all sectors, FEB through SEP; y-axis 0 to 20 events]
[Chart: Loss events per month, financial sector only, FEB through SEP; y-axis 0 to 6 events]

Page 11: Records Exposed

[Chart: Records exposed per month, all sectors, FEB through SEP; y-axis 0 to 4,000,000 records]
[Chart: Records exposed per month, financial sector only, FEB through SEP; y-axis 0 to 3,000,000 records]

Page 12: Realization

- There is no significant correlation between the number of events in a month and the number of records lost in that month.
- Loss-event frequency and loss amounts must therefore be modeled and predicted independently.

Page 13: Statistical Analysis, Exposure Events

[Histogram: events per month, all sectors; bins 2 to 22 events, count 0 to 3.5]
[Histogram: events per month, financial sector; bins 2 to 22 events, count 0 to 7]

Page 14: Statistical Analysis, Exposure Events

[Normal estimate of the monthly event-count distribution, all sectors and financial sector; x-axis 1 to 22 events, y-axis probability]

Page 15: Statistical Analysis, Exposure Events

[Kernel density estimate of the monthly event-count distribution; all sectors plotted over -10 to 30 events, financial sector over -4 to 10 events, y-axis probability]

Note that both the normal and the kernel density estimates are continuous fits that place probability on negative event counts; a discrete count model such as Poisson avoids this.

Page 16: Statistical Analysis, Records Exposed

[Histogram: records exposed per month, all sectors; bins 0 to 5,000,000 and "More", count 0 to 8]
[Histogram: records exposed per month, financial sector; bins 0 to 5,000,000, count 0 to 5]

Page 17: Statistical Analysis, Records Exposed

[Normal estimate of the monthly records-exposed distribution, all sectors and financial sector; x-axis from about -1,134,447 to 4,215,657 records, y-axis probability density on the order of 1e-7]

Page 18: Statistical Analysis, Records Exposed

[Kernel density estimate of the monthly records-exposed distribution, all sectors and financial sector; x-axis -2,000,000 to 5,000,000 records (again extending into negative values), y-axis probability density on the order of 1e-7]
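The approach laid out on Pages 9 and 12 (check that monthly event counts and records exposed are uncorrelated, then model frequency and severity separately) and the estimates on Pages 13 to 18, worked through in code. This is an added example, not the deck's own code or data: the monthly series and per-incident record counts are constructed to resemble the charts and are labelled as such in the block, and the Poisson frequency model, lognormal severity model and Monte Carlo aggregation are standard loss-distribution choices substituted here for the deck's normal and kernel density estimates.

```python
"""Frequency/severity model for privacy data-loss events.

Added example: this is not code from the deck or its author. All numbers
below are constructed to resemble the deck's FEB-SEP charts (83 events,
18 financial, about 7M records) and are NOT the deck's data.

It shows the modelling steps the deck argues for: confirm that monthly
event counts and records exposed are uncorrelated, then model frequency
and severity separately. It also shows why a Poisson frequency model is
a better choice than a normal/KDE fit, which assigns probability to
negative event counts.
"""
import math
import random
from statistics import mean, median, pstdev

# Constructed monthly series, FEB..SEP, all sectors (not the deck's data).
MONTHS = ["FEB", "MAR", "APR", "MAY", "JUN", "JUL", "AUG", "SEP"]
EVENTS_PER_MONTH = [2, 9, 14, 11, 18, 8, 12, 9]          # sums to 83
EVENTS_PER_MONTH_FIN = [0, 2, 3, 1, 5, 2, 4, 1]          # sums to 18
RECORDS_PER_MONTH = [145_000, 3_900_000, 380_000, 610_000,
                     210_000, 920_000, 160_000, 708_000]  # sums to ~7.0M

# Constructed per-incident record counts (severity sample), including the
# kind of outliers (40M, 4M) that the deck winsorized away.
RECORDS_PER_INCIDENT = [500, 1_200, 3_000, 8_000, 15_000, 40_000, 120_000,
                        250_000, 1_400_000, 4_000_000, 40_000_000]


def pearson(x, y):
    """Pearson correlation of two equal-length series (0.0 if one is constant)."""
    mx, my = mean(x), mean(y)
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return sxy / math.sqrt(sxx * syy)


def winsorize(values, upper_pct=0.9):
    """Cap values at the given percentile so one 40M incident does not dominate the fit."""
    ordered = sorted(values)
    cap = ordered[int(upper_pct * (len(ordered) - 1))]
    return [min(v, cap) for v in values]


def poisson_pmf(k, lam):
    """P(k events in a month) under a Poisson frequency model with rate lam."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def normal_negative_mass(counts):
    """Probability a normal fit to the counts assigns to 'fewer than zero events'.

    A count distribution gives exactly 0 here; a normal or KDE fit does not.
    """
    mu, sigma = mean(counts), pstdev(counts)
    if sigma == 0:
        return 0.0
    z = (-0.5 - mu) / sigma              # continuity correction at -0.5
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def fit_lognormal(records):
    """Return (mu, sigma) of ln(records): a heavy-tailed severity model."""
    logs = [math.log(r) for r in records]
    return mean(logs), pstdev(logs)


def sample_poisson(rng, lam):
    """Knuth's multiplicative method; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_monthly_records(lam, mu, sigma, n_months=10_000, seed=1):
    """Monte Carlo aggregate loss: Poisson event count x lognormal records per event.

    Frequency and severity are drawn independently, which is exactly the
    'predict events and amounts independently' conclusion of the deck.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(n_months):
        k = sample_poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(k)))
    totals.sort()
    return {"mean": mean(totals), "median": median(totals),
            "p99": totals[int(0.99 * (n_months - 1))]}


if __name__ == "__main__":
    r = pearson(EVENTS_PER_MONTH, RECORDS_PER_MONTH)
    print(f"events vs records correlation: r = {r:.2f}")
    lam = mean(EVENTS_PER_MONTH_FIN)
    print(f"financial: lambda = {lam:.2f} events/month, "
          f"P(0 events) = {poisson_pmf(0, lam):.3f}, "
          f"normal-fit mass below zero = {normal_negative_mass(EVENTS_PER_MONTH_FIN):.3f}")
    mu, sigma = fit_lognormal(winsorize(RECORDS_PER_INCIDENT))
    agg = simulate_monthly_records(lam, mu, sigma)
    print(f"simulated records/month: mean {agg['mean']:,.0f}, "
          f"median {agg['median']:,.0f}, 99th pct {agg['p99']:,.0f}")
```

Two design points. First, the correlation check is run on the monthly pairs, not on totals; with the constructed series r is about -0.15, which is the "no significant correlation" situation the deck describes and the justification for fitting the two distributions separately. Second, `normal_negative_mass` makes the caveat about the deck's continuous fits measurable: for the constructed financial-sector counts a normal fit puts about 4% of its mass on negative event counts, whereas the Poisson pmf is defined only for k >= 0 and is the natural frequency model for a monthly snapshot.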

Page 19: Conclusions

- Customer data exposure is a significant problem across all industries that handle such data.
- There is minimal relationship between the number of events and the number of records lost.
- The incident and loss curves for the finance sector are similar to those for industry as a whole; this type of comparison may help in understanding the financial sector's risk, particularly when the sector-specific data set is small.

Page 20: Concerns

- Validity of the raw data
- Trends in legislation and enforcement (more disclosure over time?)
- The amount of customer information an institution holds is not a function of its gross revenue.
- Reputational risk = hazard + outrage. The outrage of an individual may be significantly less if millions of records were exposed than if only a few were, so an orders-of-magnitude difference in the amount of lost data may have only minimal reputational impact.
- Impact may vary by the type of data lost.