Managing Security Investment Part IV Tyler Moore Computer Science - - PDF document


SLIDE 1

Managing Security Investment, Part IV

Tyler Moore
Computer Science & Engineering Department, SMU, Dallas, TX

September 27, 2012

Outline

1. Baseline investment models
   - Linear breach probability function
   - Exponential breach probability function
   - Investment models in R
2. Information security risk management
   - Risk acceptance
   - Risk mitigation
   - Risk avoidance
3. Measuring the security level

2 / 27

Linear breach probability function

Let's start with the simplest possible model.

1. We use the Bernoulli loss assumption: two outcomes {0, λ}, where 0 occurs with probability 1 − p_s and λ with probability p_s.
2. We assume security investment is effective: c = λs. For unit loss λ = 1, c = s.
3. We can even use a linear breach probability function: S(s, v) = v · (1 − s) for s ∈ [0, 1].

4 / 27

Linear breach probability function

S(s, v) = v · (1 − s) for s ∈ [0, 1]

[Figure: linear breach probability function. Probability of loss S(s, v) plotted against security level s on [0, 1] for vulnerability levels v = 1, v = 1/2 and v = 1/4.]

5 / 27


One final simplification

We reduce the action space to just two possibilities: insecure (s = 0) and secure (s = 1).

State     Security s = c/λ   Probability of loss p   Expected loss E(λ)
Insecure  0                  v                       λv
Secure    1                  0                       0

What are the trade-offs between using a linear breach probability function and the one used in the Gordon-Loeb model?

6 / 27

Exponential breach probability function

If diminishing marginal returns are important to include in the model, and we want to retain the Bernoulli loss assumption, then the breach probability function should be convex. But the complexity of Gordon-Loeb's function

  S_I(c, v) = v / (αc + 1)^β

can be hard to justify. We can use a simpler model with one variable for tuning the security productivity instead of two:

  S(s, v) = v · β^(−s)

We require β > 1, and also require S(s, 0) = 0 for all s and S(0, v) = v, as in the Gordon-Loeb model.

7 / 27

Exponential breach probability function, visualized

[Figure: probability of loss p (y-axis ticks 1, 1/2, 1/4) against security level s (x-axis 1 to 5) for S(s, v) = v · β^(−s), with curves for β = 2, β = 5 and β = 8 and for v = 1, v = 1/2 and v = 1/4.]

8 / 27

Optimal security investment

We can compute the optimal security investment s* using the first-order condition of the ENBIS:

  ∂/∂s ENBIS(s*) = 0
  ∂/∂s [v − S(s, v) − s] = 0
  ∂/∂s [v − v · β^(−s) − s] = 0,

which has an analytical solution for v > 0:

  s* = log(v · log β) / log β

Why is this a reasonable first-order condition? Why does it lead to optimal investment?

9 / 27


A visual explanation of the FOC

[Figure: EBIS and ENBIS = EBIS − c plotted against security investment c, together with the 45° line for the cost c itself; EBIS is bounded above by λv, and c* marks max_c ENBIS, the point where the slope of EBIS equals that of the 45° line.]

10 / 27

Another way to maximize benefit

  ∂/∂s EBIS(s*) = 1

which is equivalent to ∂/∂s ENBIS(s*) = 0. Why? Substitute ENBIS(s*) = EBIS(s*) − s*:

  ∂/∂s (EBIS(s*) − s*) = 0
  ∂/∂s EBIS(s*) − ∂/∂s s* = 0
  ∂/∂s EBIS(s*) − 1 = 0
  ∂/∂s EBIS(s*) = 1

11 / 27

One more caveat

For some values of β the investment condition yields a negative security level. In particular, s* < 0 for β ∈ (1, e^(1/v)), since then v · log β < 1.

Consequently, we set the optimal security level as follows:

  s* = max( log(v · log β) / log β , 0 )

If β ∈ (1, e^(1/v)], we say that the organization is indefensible: the security investment must become more productive to justify any investment.
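As an added worked example (not code from the slides or from the course's secinv3.R script), the exponential model in Python: the closed-form s*, the indefensibility cutoff β ≤ e^(1/v), a numerical check that the first-order condition holds at s*, and a grid search confirming the optimum. It assumes unit loss (λ = 1) and natural logarithms, which the derivation requires.

```python
import math

def breach_prob(s, v, beta):
    """Exponential breach probability S(s, v) = v * beta**(-s) from the slides.
    beta > 1 is the security productivity, v in [0, 1] the vulnerability."""
    if beta <= 1:
        raise ValueError("security productivity beta must exceed 1")
    return v * beta ** (-s)

def enbis(s, v, beta):
    """Expected net benefit of information security for unit loss (lambda = 1):
    loss avoided, v - S(s, v), minus the cost of security level s (c = s)."""
    return v - breach_prob(s, v, beta) - s

def optimal_security_level(v, beta):
    """Closed form s* = max(log(v log beta) / log beta, 0) with natural logs.
    Returns (s_star, indefensible); indefensible means beta <= e**(1/v),
    i.e. the unclipped s* would be <= 0 and no investment is justified."""
    if v <= 0:
        return 0.0, True  # nothing to lose, nothing to defend
    if beta <= math.exp(1.0 / v):
        return 0.0, True
    return math.log(v * math.log(beta)) / math.log(beta), False

def foc_residual(s, v, beta, h=1e-6):
    """Central-difference derivative of ENBIS at s; ~0 at s* (the FOC)."""
    return (enbis(s + h, v, beta) - enbis(s - h, v, beta)) / (2 * h)

def brute_force_optimum(v, beta, s_max=5.0, steps=50000):
    """Grid search over s in [0, s_max], an independent check on the closed form."""
    best_s, best_val = 0.0, enbis(0.0, v, beta)
    for i in range(1, steps + 1):
        s = s_max * i / steps
        val = enbis(s, v, beta)
        if val > best_val:
            best_s, best_val = s, val
    return best_s

if __name__ == "__main__":
    # Constructed parameter grid mirroring the slides' plots (v and beta values).
    for v in (1.0, 0.5, 0.25):
        for beta in (2, 5, 8, 20):
            s_star, indef = optimal_security_level(v, beta)
            tag = "indefensible" if indef else f"ENBIS={enbis(s_star, v, beta):.4f}"
            print(f"v={v:<5} beta={beta:<3} s*={s_star:.4f} {tag}")
```

For v = 1/4 the cutoff is e^4 ≈ 54.6, so none of the β values in the grid justify any investment, matching the indefensible region on the slides' plot.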

12 / 27

How optimal investment varies

[Figure: optimal security level s* (y-axis, with λ/4, λ/2 and λ/e, the Gordon–Loeb rule of thumb, marked) against security productivity β (x-axis from 1 to 60, with e² marked) for v = 1, v = 1/2 and v = 1/4; the indefensible ranges of β for v = 1 and for v = 1/2 are indicated.]

13 / 27


Investment models in R

Let's first review how to make the plot for the linear breach probability function. Then let's explore how optimal investment varies for the exponential breach probability function.

Today's code: http://lyle.smu.edu/~tylerm/courses/econsec/code/secinv3.R

14 / 27

Information security risk management

Just as it can be useful to translate infosec risks and defenses into the language of investment (ROSI, NPV, etc.), one must also be aware of terminology from risk management. As IT becomes essential to many businesses, the border between information security investment and general risk management has blurred.

16 / 27

Risk management terminology overview

- Risk analysis: identification, quantification
- Risk management: acceptance, mitigation, avoidance, transfer
- Risk monitoring: validation, documentation

17 / 27

Risk acceptance

After risks are identified and quantified, they must be "managed". The simplest option is to do nothing. Such "risk acceptance" is prudent when:

1. Worst-case loss is small enough to be paid from proceeds or reserves
2. Probability of occurrence is smaller than other business risks that threaten the organization's survival

This is why the security policies for start-ups are often weaker than for entrenched firms.

18 / 27


Risk mitigation

If a risk is too big and too probable to be accepted, risk mitigation aims to reduce the probability and severity of a loss. This is where security investment comes in. Recall that the optimal level of investment normally leaves residual risk that must be dealt with using acceptance, avoidance, or transfer.

19 / 27

Risk avoidance

Aims to reduce the probability and severity of loss, as in risk mitigation. However, rather than use technology, here one forgoes risky activities. This introduces opportunity costs of lost business opportunities.

Example: online merchant refusing overseas orders due to high fraud risk.
Example: company disconnects a database with customers' personal information from the Internet.

Question: what are the opportunity costs in these cases?

20 / 27

Risk transfer

The final option is to buy an insurance contract to recover any future losses incurred. This is only available in limited circumstances. Why has the cyber-insurance market remained small?

- Difficulty in quantifying losses
- Even when possible, many firms would rather keep quiet than share with an insurance company
- Externalities mean that the costs of insecurity are often borne by others
- Correlated risk is prevalent

21 / 27

Risk management example: credit card issuers

Credit card issuers regularly manage fraud:

1. Risk acceptance: fraud is paid from the payment fees charged to merchants
2. Risk mitigation: install anti-fraud technology (raises costs of security)
3. Risk avoidance: downgrade high-risk cardholders to debit or require online verification (leads to lost business)
4. Risk transfer: structure consumer credit risk and sell it on the market (repackaged as low-risk debt)

22 / 27


Measuring the security level

The security investment models we've discussed directly map security costs onto benefits. However, it can be more accurately thought of as a two-step mapping:

1. Security is mapped to a security level
   - Deterministic
   - Defined by available technology
2. Security level is mapped to benefit
   - Probabilistic (depends on attacker behavior)
   - Defined by the firm's risk exposure

24 / 27

Security production function as 2-step mapping

[Diagram: cost of security → security level → benefit of security, shown alongside the direct cost-to-benefit mapping. Labels on the diagram: security productivity, risk mitigation, risk avoidance.]

25 / 27

2-step mapping makes measurement easier

To validate a direct mapping from cost to benefit, one must find many companies choosing among the same sets of technologies AND with similar risk profiles. Using the two-step mapping, we can directly measure how cost relates to security level, usually without regard to the risk facing a firm. We still need measurements mapping from the security level to benefits, which can still be hard to find.

26 / 27

Security indicators measure the security level

How can we measure the security level? Unlike cost and benefit, which are directly measured in monetary terms, the security level is latent. Consequently we need indirect measures of the security level.

Definition (Security indicator): A security indicator is an observable signal conveying information about the security level.

Security indicators abound: http://benchmarks.cisecurity.org/en-us/?route=downloads.metrics

27 / 27
