Sony And The Cost of Acceptable Risk


In light of the recent Sony compromise, it is worth posing the classic information security question: "What really is acceptable risk?"

Did whatever Sony saved by running with the security posture it had, as a global enterprise, outweigh the current heartburn and the future business risk that now come attached to it?

Reviewing some of the compromised data for research purposes, as well as working in the role of a community response unit with trusted partners, has put a few things into perspective. Most of the likely costs of this compromise will fall into one of the following ten scenarios:

  • 1) Sony will first pay for the initial incident response. Current industry rates are approximately $300-500/hr (per consultant), depending on the response time required and whether a retainer was already in place.
  • 2) Ongoing security reviews, gap assessments, re-assessments, and the hiring of external security experts for security committee / counsel roles. This will likely continue for the next 12 - 36 months.
  • 3) In the breach data there were a minimum of six BAA (Business Associate Agreement) contracts that appeared to have a HIPAA / HHS / healthcare component. There will likely be contractual penalties tied to the degradation of these relationships. Cost unknown, but let's put a large number on this.
  • 4) Sony will likely have to pay HIPAA / HHS fines under federal requirements for the health-related PII it held at rest.
  • 5) Breach-notification fines under California law and the laws of other states (most U.S. states have such laws at this point) for the exposed PII.
  • 6) Ongoing credit monitoring for employees, business partners, etc.
  • 7) Large losses will likely hit the investments Sony had already made in the movies that were leaked. Further losses will likely accrue over a six- to ten-year time frame for intellectual property, talent, etc. (E.g., how they put things together: not only the final product but the components and processes were leaked. Not cool.) There should be actuarial data on the assets known, investments made, etc. (Side note: if you are an actuarial assessor, could you share some insights into this?) Generic estimation: hundreds of millions.
  • 8) Employee morale is likely at rock bottom right now. Everyone knows how much everyone else makes. Not that this is the worst part of the breach, but you can assume the motivation to work at one's full potential is greatly diminished.
  • 9) We can likely assume a few employee lawsuits will arise and be settled. (Not happy, Bob!)
  • 10) The cost of rebuilding the infrastructure, as well as the loss of talent from any employees who decide to move on.

Moving past Sony, we all have to humbly judge the log in our own eye as well, and ask whether we can better our own environments.

Internally, we have been looking at all our data, systems, and processes once again through the lens of this breach. What would we do if this happened to us? How can we put more layers of protection into our systems to protect the valuables when a compromise occurs?