SE571 Security in Computing
Chap 9: Economics of Cybersecurity
Dr. Ogara
Economics of Cybersecurity
Cybersecurity economics is a field that brings together elements of cybersecurity and economics to help decision-makers understand how people and organizations invest constrained resources in protecting their computer systems, networks, and data
Cybersecurity Investment
Some questions worth asking:
• How much should an organization invest in cybersecurity to protect assets of a given value?
• What is the likely impact of a security breach?
• What are the costs and benefits of sharing information?
Factors that Influence Investments in Cybersecurity
Is Security Good for Business?
How do you make a compelling argument to a business about the benefits of security?
The problem is getting data to support your case.
You must build a business case.
Business case: a proposal that justifies the use of resources.
A business case should include:
• a description of the problem or need to be addressed by the expenditure
• a list of possible solutions
• constraints on solving the problem
• a list of underlying assumptions
• an analysis of each alternative, including risks, costs, and benefits
• a summary of why the proposed investment is good for the organization
Evaluating existing/proposed investment in technology
Evaluating an existing or proposed investment in technology should be reported in several ways at once to form a “balanced scorecard” as follows:
• customer view - address issues such as customer satisfaction
• operational view - look at an organization’s core competencies
• financial view - consider measures such as ROI
• improvement view - assess how the investment will affect market leadership and added value
Determining Economic Value of Security Investments
What is the right approach, and how many companies use each of them to assess the value of cybersecurity?
• Net present value (NPV): 18%
• Return on investment (ROI): 38%
• Internal rate of return (IRR): 19%
(Source: CSI/FBI Computer Security Survey 2005 Report)
There are practical problems with each of these approaches.
Net Present Value
NPV is the present value (PV) of the benefits minus the value of the initial investment.
It compares the value of a dollar today with its value in the future, taking into account the time value of money (inflation and the return the money could earn elsewhere).
The present value (PV) of an investment is the value today of a predicted future cash flow.
Net Present Value (continued)
It evaluates the effects of the proposed investment over the life of the project.
It provides a fair comparison for projects that turn profitable at different times in the future.
It uses a discount rate, or opportunity cost, corresponding to the rate of return expected from an equivalent investment in capital markets.
The discount rate reflects how much money an organization could make if it invested its money in the bank or another financial vehicle instead of in software technology.
Net Present Value Formula
• Bt and Ct are the benefits and costs anticipated from the investment in each time period t
• C0 is the initial investment; k is the discount rate (the expected rate of return on investment)
• n is the number of time periods over which the investment's costs and benefits are considered
• If NPV > 0, accept the investment; if NPV < 0, reject it; if NPV = 0, the investment adds no value
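The formula itself was an image on the slide and is not in this text; written out in the symbols the slide defines, the standard net present value expression (added here, not reproduced from the slide) is:

$$\mathrm{NPV} = -C_0 + \sum_{t=1}^{n} \frac{B_t - C_t}{(1+k)^t}$$

A net cash flow in period 1 is discounted once, one in period n is discounted n times, which is why returns that arrive later contribute less to the NPV.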
Example: NPV Calculations for Two Alternatives
(The slide's table of cash flows for the two alternatives is not reproduced here.)
Observation:
• Choice 1 is better because of its higher NPV
• The NPV approach is sensitive to the timing of the cash flows: the later the return, the more the overall value is penalized
Internal Rate of Return (IRR)
The internal rate of return (IRR) is derived from the net present value.
It is equal to the discount rate that makes the NPV equal to zero.
Example:
• An IRR of 4% when the discount rate is 12% is bad: invest elsewhere
• An IRR of 18% when the discount rate is 12% (less than the IRR) is good
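To make the NPV and IRR rules concrete, here is an added worked example (not code from the slides) that implements the NPV formula in the slide's symbols, finds the IRR by bisection, and reproduces the two observations above: two constructed alternatives with identical initial cost and identical total benefit differ in NPV only because of the timing of their returns, and single-period flows with IRRs of 4% and 18% are judged against an assumed 12% discount rate. All cash flows and the 12% rate are constructed for illustration.

```python
"""Worked NPV / IRR comparison for two security investment alternatives.

Symbols follow the slide: C0 is the initial investment, Bt and Ct the
benefits and costs in period t, k the discount rate, n the number of periods.
All figures are constructed for illustration (think thousands of dollars).
"""
from typing import Dict, Sequence, Tuple

CashFlows = Tuple[float, Sequence[float], Sequence[float]]  # (C0, benefits, costs)


def npv(c0: float, benefits: Sequence[float], costs: Sequence[float], k: float) -> float:
    """NPV = -C0 + sum over t = 1..n of (Bt - Ct) / (1 + k) ** t."""
    if len(benefits) != len(costs):
        raise ValueError("benefits and costs must cover the same periods")
    total = -c0
    for t, (b, c) in enumerate(zip(benefits, costs), start=1):
        total += (b - c) / (1.0 + k) ** t
    return total


def irr(c0: float, benefits: Sequence[float], costs: Sequence[float],
        lo: float = -0.99, hi: float = 10.0, tol: float = 1e-9, max_iter: int = 200) -> float:
    """Discount rate at which NPV is zero, located by bisection on [lo, hi].

    NPV must change sign on the bracket. Cash-flow patterns with several sign
    changes can have no IRR or several, which is why NPV at the organization's
    own discount rate is the safer criterion in those cases.
    """
    f_lo = npv(c0, benefits, costs, lo)
    f_hi = npv(c0, benefits, costs, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign on [lo, hi]; IRR undefined here")
    for _ in range(max_iter):
        mid = (lo + hi) / 2.0
        f_mid = npv(c0, benefits, costs, mid)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def irr_decision(rate: float, k: float) -> str:
    """Slide rule: IRR above the discount rate means invest, below means invest elsewhere."""
    if rate > k:
        return "accept"
    if rate < k:
        return "reject"
    return "indifferent"


def best_by_npv(alternatives: Dict[str, CashFlows], k: float) -> str:
    """Name of the alternative with the highest NPV at discount rate k."""
    return max(alternatives, key=lambda name: npv(*alternatives[name], k))


K = 0.12  # assumed discount rate for the examples

# Constructed: same C0, same total benefit (150), zero running costs; only timing differs.
ALTERNATIVES: Dict[str, CashFlows] = {
    "choice 1 (early returns)": (100.0, [60.0, 50.0, 40.0], [0.0, 0.0, 0.0]),
    "choice 2 (late returns)": (100.0, [40.0, 50.0, 60.0], [0.0, 0.0, 0.0]),
}

# Constructed single-period flows whose IRRs are exactly the slide's 4% and 18%.
IRR_4PCT: CashFlows = (100.0, [104.0], [0.0])
IRR_18PCT: CashFlows = (100.0, [118.0], [0.0])

if __name__ == "__main__":
    for name, flows in ALTERNATIVES.items():
        print(f"{name}: NPV at {K:.0%} = {npv(*flows, K):.2f}, IRR = {irr(*flows):.1%}")
    print("better by NPV:", best_by_npv(ALTERNATIVES, K))
    for flows in (IRR_4PCT, IRR_18PCT):
        rate = irr(*flows)
        print(f"IRR {rate:.1%} vs k {K:.0%}: {irr_decision(rate, K)}")
```

At 12% choice 1 comes out near 21.9 and choice 2 near 18.3 although both return the same 150 in total, which is the timing penalty the slide describes. The IRR routine refuses cash-flow patterns in which NPV never changes sign; a pattern with several sign changes (for example a large decommissioning cost in the final period) can have more than one IRR, one of the practical problems the slides allude to, so the NPV at the organization's own discount rate is the number to compare in that case.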
Return on Investment (ROI)
ROI is closely related to IRR and NPV.
ROI looks back at how a company or organization has performed, whereas NPV and IRR project the likely future performance of new investments.
ROI = last period's accounting profits (calculated from revenues and costs) / the cost of the investments required to generate those profits
Example: A Business Case for Web Application Security
The business case explains the ROI for the organization.
Revenue
• Increased revenue due to increased trust in the web site
Costs
• Installation
• Operation
• Maintenance
Benefits that offset those costs
• Cost savings, e.g. fewer security breaches
• Cost avoidance, e.g. fewer help desk calls
• Improved efficiency, e.g. ability to handle more customers
• Effectiveness, e.g. ability to provide more services
Example: Building a Business Case for Web Application Security (continued)
Compliance
• Failure to implement regulatory practices may lead to fines, imprisonment and bad publicity
• Failure to comply with agreed standards may lead to lost business or competitive advantage
Risks
• Failure to implement the proposed security measures may lead to loss of market share, loss of productivity and legal exposure
Economic Impact of Cybersecurity
Understanding the nature of the cybersecurity threat requires knowing at least the following elements:
• number and types of assets needing protection
• number and types of vulnerabilities that exist in a system
• number and types of likely threats to a system
Data to Justify Security Action
National and global data
• Address both national and international concerns
Enterprise data
• How do enterprises apply security technologies against attacks and security breaches?
• How do enterprises balance security costs with other economic demands?
Technology data
• Describe the threats against core infrastructure technologies
Characteristics of data used for economic decision making
Accuracy
• Close to actual values
Consistency
• Data gathered under the same conditions
• Reporting organizations apply the same rules
Timeliness
• Current: reflects existing conditions
Reliability
• Credible sources
Examples of data to support cybersecurity decision-making
CSI/FBI Computer Crime and Security Survey
• Administered by the Computer Security Institute and the FBI (CA)
Australian Computer Crime and Security Survey
• Examines cybersecurity threats to Australia's private and public sectors, records the number of cyber incidents, and attempts to raise awareness of security issues and effective methods of attack prevention
Deloitte Touche Tohmatsu Global Security Survey
• Focuses on the security practices of major global financial institutions
Examples of data to support cybersecurity decision-making (continued)
Ernst and Young Global Information Security Survey
• Surveys companies worldwide
Internet Crime Complaint Center (IC3)
• Collaborative effort of the FBI and the National White Collar Crime Center
• Provides information to national, state, and local law enforcement agencies that are battling Internet crime
The Imation Data Protection Survey
• Managed by Imation Corporation
• Investigates how small and mid-size U.S. companies conduct data backup, protection, and recovery
How representative are these surveys?
Currently most reported data are derived from convenience surveys rather than carefully sampled populations.
There is no consistency in terminology or counting rules from one survey to another.
This makes it difficult to generalize the meaning of reported data and trends.
How are these surveys different?
Classification of attack types
• Each survey measures different things, e.g. one survey may report a decrease in attacks of all types while another reports an increase
Types of respondents
• Self-selected and not representative of a larger population
How are these surveys different? (continued)
Comparability of categories
• No standards in defining, tracking and reporting security incidents and attacks
• Data are characteristically different, and answers are based on opinions, interpretations and perceptions
• Example: "electronic attacks" (Australian Survey); "unauthorized use of computer systems" (CSI/FBI); "accidental/malicious security incidents" (DTI Information Security Breaches Survey)
How are these surveys different? (continued)
Sources of attack
• Rate of insider attack remained constant in 2005 (Australian Survey)
• Rate is rising (Deloitte Survey)
Financial impact
• Differences in the nature of losses
Is there any consensus among these surveys?
Yes, for example:
• Viruses, Trojan horses and worms pose a serious threat
• Most businesses are concerned about insider attacks and abuse of access
• Formal security policies and incident response plans are important
• Lack of education and training is a major obstacle
How representative are these surveys?
Conclusion
• The convenience surveys are therefore a good start, but for serious, useful analysis we need statistically valid surveys administered to the same population over a period of time
How can we address this problem?
Department of Justice and Homeland Security
• Administered the National Computer Security Survey in 2006
• Survey was sent to thousands of businesses across 37 industry sectors
• The intent is to provide "national and industry-level estimates of the prevalence of computer security incidents"
• Enables businesses to benchmark themselves against more credible data
Department of Justice and Homeland Security (continued)
The survey included questions on:
• The nature and extent of computer security incidents
• Monetary costs and other consequences of these incidents
• Incident details such as types of offenders and reporting to authorities
• Computer security measures used by companies
Modeling Cybersecurity
Transferring models
• Apply standard approaches from one discipline to solve problems in another discipline
• Examples:
• Gordon and Loeb Model
• Campbell et al. Model
• Gal-Or and Ghose Model
Transferring models: Gordon and Loeb Model
• Uses accounting principles
• Considers three parameters: the loss conditioned on a breach occurring, the probability of a threat occurring, and the vulnerability
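The slide names the model's three parameters but not how it combines them. The following added example (not from the slides) applies the formulation in Gordon and Loeb's 2002 paper: with loss L given a breach, threat probability t and vulnerability v, the expected loss is L·t·v; an investment z that lowers the vulnerability to a residual s yields an expected benefit of (v - s)·t·L; and, for the breach-probability functions the paper analyzes, the optimal investment never exceeds 1/e (about 37%) of the expected loss. The scenario figures, the two candidate controls and their assumed residual vulnerabilities are constructed for illustration.

```python
"""Gordon-Loeb style evaluation of candidate security investments.

Parameter names follow the slide: loss given a breach (L), threat
probability (t) and vulnerability (v). All numbers are constructed.
"""
import math
from typing import Dict, List, Tuple

# Gordon and Loeb's bound: the optimal spend is at most 1/e of the expected loss.
INVESTMENT_SHARE_CAP = 1.0 / math.e


def _check_probability(name: str, p: float) -> None:
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"{name} must lie in [0, 1], got {p}")


def expected_loss(loss_given_breach: float, threat_probability: float, vulnerability: float) -> float:
    """L * t * v: expected loss with no additional security investment."""
    _check_probability("threat_probability", threat_probability)
    _check_probability("vulnerability", vulnerability)
    return loss_given_breach * threat_probability * vulnerability


def investment_ceiling(loss_given_breach: float, threat_probability: float, vulnerability: float) -> float:
    """Largest investment the model can justify: (1/e) of the expected loss."""
    return INVESTMENT_SHARE_CAP * expected_loss(loss_given_breach, threat_probability, vulnerability)


def net_benefit(investment: float, residual_vulnerability: float,
                loss_given_breach: float, threat_probability: float, vulnerability: float) -> float:
    """Expected benefit (v - s) * t * L of a control minus its cost z."""
    _check_probability("residual_vulnerability", residual_vulnerability)
    if residual_vulnerability > vulnerability:
        raise ValueError("a control cannot raise the vulnerability it is meant to reduce")
    reduction = vulnerability - residual_vulnerability
    return reduction * threat_probability * loss_given_breach - investment


def rank_options(options: Dict[str, Tuple[float, float]],
                 loss_given_breach: float, threat_probability: float,
                 vulnerability: float) -> List[Tuple[str, float, bool]]:
    """(name, net benefit, within the 1/e ceiling) for each option, best net benefit first."""
    ceiling = investment_ceiling(loss_given_breach, threat_probability, vulnerability)
    rows = []
    for name, (investment, residual_vulnerability) in options.items():
        net = net_benefit(investment, residual_vulnerability,
                          loss_given_breach, threat_probability, vulnerability)
        rows.append((name, net, investment <= ceiling))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed scenario (assumed values, not survey data).
LOSS_GIVEN_BREACH = 2_000_000.0  # L: cost of a customer-database breach
THREAT_PROBABILITY = 0.5         # t: chance the system is attacked in the period
VULNERABILITY = 0.4              # v: chance an attack succeeds with current controls

# Candidate controls: (investment z, assumed residual vulnerability s after the control).
OPTIONS: Dict[str, Tuple[float, float]] = {
    "waf_and_code_review": (120_000.0, 0.10),
    "platform_replacement": (900_000.0, 0.01),
}

if __name__ == "__main__":
    print(f"expected loss: {expected_loss(LOSS_GIVEN_BREACH, THREAT_PROBABILITY, VULNERABILITY):,.0f}")
    print(f"1/e ceiling:   {investment_ceiling(LOSS_GIVEN_BREACH, THREAT_PROBABILITY, VULNERABILITY):,.0f}")
    for name, net, ok in rank_options(OPTIONS, LOSS_GIVEN_BREACH, THREAT_PROBABILITY, VULNERABILITY):
        print(f"{name:22s} net benefit {net:>12,.0f}  within ceiling: {ok}")
```

With the constructed numbers the expected loss is 400,000, so the model caps justified spending near 147,000: the cheaper control removes less risk but has a positive net benefit, while the platform replacement removes almost all of the vulnerability yet costs far more than the risk it retires. The inputs t, v and L are exactly the quantities the survey slides that follow say are hard to obtain consistently, so the ranking is only as good as the estimates behind it.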
Transferring models: Campbell et al. Model
• The model incorporates the "snowball effect accruing from the resultant loss of market share and stock market value"
• The nature of the breach affects the result
• Unauthorized access to confidential data produces a highly significant negative market reaction
• A breach involving no confidential information produces no significant reaction
Transferring models: Gal-Or and Ghose Model
• Applies game theory
• The model explains the costs and benefits of sharing information about security breaches
• In general, there are strong incentives to share breach information, and the incentives become stronger as firm size, industry size, and the amount of competition grow
Models for decision making
Some researchers look at other disciplines to see how human aspects of decision making can be woven into economic models:
• Anthropology
• Sociology
• Psychology
Three such aspects:
• Framing the issue
• Group behavior
• Organizational culture
Framing the issue
The way a problem is framed can make a big difference in the choices people make.
Example:
• Cybersecurity investment choices are portrayed as risk avoidance or loss avoidance
vs.
• Cybersecurity investment choices are described as opportunities to establish a competitive edge as a totally trustworthy company
Group behavior
Driven by group identity, which leads to team reasoning.
Decision-makers do not act alone (they are NOT driven by rational choice alone).
They act as members of teams, organizations, or business sectors.
Individuals who are part of a team make decisions that meet collective objectives rather than individual ones.
Credibility and trust
The number and nature of encounters among people also affect a decision.
People are willing to pay more for goods and services they trust.
Interpersonal relationships create and enhance trust.
Trust has an effect on both the beliefs and the norms of others.
In cybersecurity, trust is an interpersonal or social relationship that merits special attention.
Organizational culture
Characteristics of organizational culture
Dimensions of Organizational Culture (Hofstede and Hofstede 2005)
Symbols and Heroes
Symbols are the words, gestures, pictures and objects that carry specific meanings for the group of people using them to communicate, e.g. the jargon of PKI, IPsec and cryptographic algorithms in a corporate security group's culture.
Heroes of a culture are those people whose behaviors are highly prized, serving as role models for the others in the group, e.g. ACM or IEEE Fellows.
Rituals and Practices
Rituals are activities performed by all the group's members that are socially essential but not necessary to the business, e.g. group meetings to introduce new members are often ways of teaching the language and symbols to newcomers.
Practices: symbols, heroes and rituals together make up a culture's practices.
Values
Values lie at the culture's core. We can think of values as "broad tendencies to prefer certain states of affairs over others".
If developers, managers, or customers do not value security, they will neither adopt secure practices nor buy secure products.
6 dimensions of organizational culture
Organizational cultures can be characterized by where they fit along six dimensions.
Each dimension is a pair of polar opposites.
Most organizations fall somewhere in the middle.
These dimensions affect an organization's cybersecurity economics.
They reflect the underlying organizational values and hence the type of cybersecurity investment choices the organization makes.
6 dimensions of organizational culture
1. Process versus results
2. Employee versus job
3. Parochial versus professional
4. Open versus closed
5. Loose versus tight control
6. Normative versus pragmatic
6 dimensions of organizational culture