SE571 Security in Computing
Dr. Ogara

Chap 9: Economics of Cybersecurity

Economics of Cybersecurity

Cybersecurity economics is a field that brings together elements of cybersecurity and economics to help decision-makers understand how people and organizations invest constrained resources in protecting their computer systems, networks, and data

Cybersecurity Investment

Some questions worth asking:

• How much should an organization invest in cybersecurity to protect assets of a given value?

• What is the likely impact of a security breach?

• What are the costs and benefits of sharing information?

Factors that Influence Investments in Cybersecurity

Is Security Good for Business?

• How do you make a compelling argument about the benefits of security to a business?

• The problem is getting data to support your case.

• You must build a business case.

• Business Case – a proposal that justifies the use of resources.

A business case should include:

• a description of the problem or need to be addressed by the expenditure

• a list of possible solutions

• constraints on solving the problem

• a list of underlying assumptions

• analysis of each alternative, including risks, costs, and benefits

• a summary of why the proposed investment is good for the organization

Evaluating existing/proposed investment in technology

Evaluating an existing or proposed investment in technology should be reported in several ways at once to form a “balanced scorecard” as follows:

• customer view - address issues such as customer satisfaction

• operational view - look at an organization’s core competencies

• financial view - consider measures such as ROI

• improvement view - assess how the investment will affect market leadership and added value

Determining Economic Value of Security Investments

What is the right approach, and how many companies use each approach to assess the value of cybersecurity?

• Net present value (18%)

• Return on investment (ROI) (38%)

• Internal rate of return (19%)

(Source: CSI/FBI Computer Security Survey 2005 Report)

There are practical problems with these approaches.

Net Present Value

• NPV is the present value (PV) of the benefits minus the value of the initial investment

• It compares the value of a dollar today to its future value while taking into account inflation

• The present value (PV) of an investment is the value today of a predicted future cash flow

Net Present Value

• It evaluates the effects of the proposed investment over the life of the project

• It provides a fair comparison for projects that turn profitable at different times in the future

• It uses a discount rate or opportunity cost, corresponding to the rate of return expected from an equivalent investment in capital markets

Net Present Value

• The discount rate reflects how much money an organization could make if it invested its money in the bank or a financial vehicle instead of in software technology.

Net Present Value Formula

• Bt and Ct are the benefits and costs anticipated from the investment in each time period t

• C0 is the initial investment

• k is the discount rate (expected rate of return on investment)

• n is the number of time periods over which the investment’s costs and benefits are considered

• If NPV > 0, accept the investment; if NPV < 0, reject the investment; if NPV = 0, the investment adds no value

Example – NPV Calculations for Two Alternatives

Observation:

• Choice 1 is better because of its higher NPV

• The NPV approach is sensitive to the timing of the cash flows – the later the return, the more the overall value is penalized

Internal Rate of Return (IRR)

• The internal rate of return (IRR) is derived from the net present value

• It is equal to the discount rate that makes the NPV equal to zero

Example:

• An IRR of 4% when the discount rate is 12% is bad – invest elsewhere

• An IRR of 18% when the discount rate is 12% (less than the IRR) is good

Return on Investment (ROI)

• ROI is closely related to IRR and NPV

• ROI looks back at how a company or organization has performed, whereas NPV and IRR project the likely future performance of new investments

• ROI = last period’s accounting profits (calculated from revenues and costs) / the cost of the investments required to generate those profits
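As an added worked example (not from the lecture slides), the Python below implements the standard discounted-cash-flow definition of NPV behind the variables the lecture names (Bt, Ct, C0, k, n), finds the IRR as the discount rate at which NPV is zero by bisection, applies the accept/reject rules from the NPV and IRR slides, and computes a backward-looking ROI. The two alternatives and every cash-flow figure are constructed to illustrate the timing sensitivity noted on the two-alternative slide; they are not the lecture's own numbers.

```python
"""NPV, IRR and ROI for a security investment (constructed example)."""
from typing import Dict, Sequence


def npv(c0: float, benefits: Sequence[float], costs: Sequence[float], k: float) -> float:
    """Net present value: -C0 + sum over t = 1..n of (Bt - Ct) / (1 + k)^t.

    c0        initial investment C0, paid at t = 0 and therefore not discounted
    benefits  Bt for t = 1..n
    costs     Ct for t = 1..n (ongoing operation / maintenance)
    k         discount rate, e.g. 0.12 for 12%
    """
    if len(benefits) != len(costs):
        raise ValueError("benefits and costs must cover the same n periods")
    total = -c0
    for t, (b, c) in enumerate(zip(benefits, costs), start=1):
        total += (b - c) / (1.0 + k) ** t
    return total


def npv_decision(npv_value: float) -> str:
    """Lecture rule: NPV > 0 accept, NPV < 0 reject, NPV = 0 no added value."""
    if npv_value > 0:
        return "accept"
    if npv_value < 0:
        return "reject"
    return "no added value"


def irr(c0: float, benefits: Sequence[float], costs: Sequence[float],
        lo: float = -0.99, hi: float = 10.0, tol: float = 1e-9) -> float:
    """Discount rate at which NPV == 0, located by bisection on [lo, hi].

    Requires NPV to change sign across the interval, which holds for the usual
    up-front-cost-then-net-inflows profile of a security project.
    """
    f_lo = npv(c0, benefits, costs, lo)
    f_hi = npv(c0, benefits, costs, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV keeps its sign on the interval; IRR is undefined here")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(c0, benefits, costs, mid)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:   # root lies between lo and mid
            hi, f_hi = mid, f_mid
        else:                  # root lies between mid and hi
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def irr_decision(irr_value: float, discount_rate: float) -> str:
    """Lecture rule: invest only if the IRR beats the discount rate."""
    return "accept" if irr_value > discount_rate else "reject"


def roi(last_period_profit: float, investment_cost: float) -> float:
    """Backward-looking ROI = last period's accounting profit / cost of the investment."""
    return last_period_profit / investment_cost


# Constructed data: same total undiscounted net benefit, different timing.
K = 0.12                     # discount rate (opportunity cost of capital)
C0 = 90_000.0                # initial investment
COSTS = [10_000.0, 10_000.0, 10_000.0]           # Ct, operation per year
EARLY_BENEFITS = [60_000.0, 50_000.0, 40_000.0]  # Choice 1: returns arrive early
LATE_BENEFITS = [40_000.0, 50_000.0, 60_000.0]   # Choice 2: same totals, arrive late


def compare_alternatives() -> Dict[str, float]:
    """NPV of each choice at the same discount rate; the later profile scores lower."""
    return {
        "choice_1": npv(C0, EARLY_BENEFITS, COSTS, K),
        "choice_2": npv(C0, LATE_BENEFITS, COSTS, K),
    }


if __name__ == "__main__":
    for name, value in compare_alternatives().items():
        print(f"{name}: NPV = {value:,.2f} -> {npv_decision(value)}")
    r = irr(C0, EARLY_BENEFITS, COSTS)
    print(f"choice_1 IRR = {r:.2%} -> {irr_decision(r, K)} at k = {K:.0%}")
    print(f"ROI on last period: {roi(20_000.0, 80_000.0):.0%}")
```

Both choices clear the NPV > 0 bar, but choice 1 is worth more because its returns are discounted for fewer periods; the IRR of choice 1 (about 17.5%) exceeds the 12% discount rate, which is the same verdict reached a different way.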

Example – A Business Case for Web Application Security

The business case explains the ROI for an organization.

Revenue
• Increased revenue due to increased trust in the web site

Costs
• Installation
• Operation
• Maintenance

Cost savings
• e.g. fewer security breaches

Cost avoidance
• e.g. fewer help desk calls

Improved efficiency
• e.g. ability to handle more customers

Effectiveness
• e.g. ability to provide more services

Example – Building a Business Case for Web Application Security

Compliance
• Failure to implement regulatory practices may lead to fines, imprisonment and bad publicity
• Failure to comply with agreed standards may lead to lost business or lost competitive advantage

Risks
• The risks of failing to implement the proposed security measures include loss of market share, loss of productivity and legal exposure

Economic Impact of Cybersecurity

Understanding the nature of the cybersecurity threat requires knowing at least the following elements:

• number and types of assets needing protection

• number and types of vulnerabilities that exist in a system

• number and types of likely threats to a system

Data to Justify Security Action

National and global data
• Address both national and international concerns

Enterprise data
• How do enterprises apply security technologies against attacks and security breaches?
• How do enterprises balance security costs with other economic demands?

Technology data
• Describes the threats against core infrastructure technologies

Characteristics of Data Used for Economic Decision Making

Accuracy
• Close to actual values

Consistency
• Data gathered under the same conditions
• Reporting organizations apply the same rules

Timeliness
• Current – reflects existing conditions

Reliability
• Credible sources

Examples of Data to Support Cybersecurity Decision-Making

CSI/FBI Computer Crime and Security Survey
• Administered by the Computer Security Institute and the FBI (Ca)

Australian Computer Crime and Security Survey
• Examines Australia’s private and public industry cybersecurity threats, records the number of cyber incidents, and attempts to raise awareness of security issues and effective methods of attack prevention

Deloitte Touche Tohmatsu Global Security Survey
• Focuses on the security practices of major global financial institutions

Examples of Data to Support Cybersecurity Decision-Making

Ernst and Young Global Information Security Survey
• Surveys companies worldwide

Internet Crime Complaint Center (IC3)
• Collaborative effort of the FBI and the National White Collar Crime Center
• Provides information to national, state, and local law enforcement agencies that are battling Internet crime

The Imation Data Protection Survey
• Managed by Imation Corporation
• Investigates how small and mid-size U.S. companies conduct data backup, protection, and recovery

How Representative Are These Surveys?

• Currently most reported data are derived from convenience surveys rather than carefully sampled populations

• There is no consistency in terminology or counting rules from one survey to another

• This makes it difficult to generalize the meaning of reported data and trends

How Are These Surveys Different?

Classification of attack types
• Each survey measures different things, e.g. one survey may report a decrease in attacks of all types while another may report an increase

Types of respondents
• Self-selected and not representative of a larger population

How Are These Surveys Different?

Comparability of categories
• No standards for defining, tracking and reporting security incidents and attacks
• Data are characteristically different, and answers are based on opinions, interpretations and perceptions
• Example: “electronic attacks” (Australian Survey); “unauthorized use of computer systems” (CSI/FBI); “accidental/malicious security incidents” (DTI Information Security Breaches Survey)

How Are These Surveys Different?

Sources of attack
• Rate of insider attack remained constant in 2005 (Australian Survey)
• Rate is rising (Deloitte Survey)

Financial impact
• Differences in the nature of losses

Is There Some Consensus in These Surveys?

Yes, for example:

• Viruses, Trojan horses and worms pose a serious threat

• Most businesses are concerned about insider attacks and abuse of access

• Formal security policies and incident response plans are important

• Lack of education and training is a major obstacle

How Representative Are These Surveys?

Conclusion
• The convenience surveys are therefore a good start, but for serious, useful analysis we need statistically valid surveys administered to the same population over a period of time

How Can We Address This Problem?

Department of Justice and Homeland Security
• Administered the National Computer Security Survey in 2006
• The survey was sent to thousands of businesses across 37 industry sectors
• The intent is to provide “national and industry-level estimates of the prevalence of computer security incidents”
• Enables businesses to benchmark themselves with more credible data

Department of Justice and Homeland Security

The survey asked about the following:

• The nature and extent of computer security incidents

• Monetary costs and other consequences of these incidents

• Incident details such as types of offenders and reporting to authorities

• Computer security measures used by companies

Modeling Cybersecurity

Transferring models
• Apply standard approaches from one discipline to solve problems in another discipline

Examples:
• Gordon and Loeb Model
• Campbell et al. Model
• Gal-Or and Ghose Model

Transferring Models – Gordon and Loeb Model

• Uses accounting principles

• Considers 3 parameters: the loss conditioned on a breach occurring, the probability of a threat occurring, and the vulnerability
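Added example, not from the lecture: a small Python implementation of the Gordon and Loeb model built on the three parameters named above (threat probability t, vulnerability v, conditional loss L). It goes beyond the slide by using the class I security breach probability function S(z) = v / (αz + 1)^β from Gordon and Loeb’s 2002 paper to model how an investment z reduces the chance of a breach; α and β, and every numeric value below, are constructed assumptions for illustration. The block computes expected loss, the expected net benefit of investing z, the z that maximizes it (closed form and a grid check), and verifies the model’s well-known result that, for this function class, the optimal investment never exceeds 1/e of the expected loss.

```python
"""Gordon and Loeb (2002) investment model with a class I breach function."""
import math
from typing import Tuple


def expected_loss(t: float, v: float, L: float) -> float:
    """Expected loss with no extra investment: threat prob. * vulnerability * loss."""
    return t * v * L


def breach_probability(z: float, v: float, alpha: float, beta: float) -> float:
    """Class I function S(z) = v / (alpha*z + 1)**beta: S(0) = v, decreasing in z."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z: float, t: float, v: float, L: float, alpha: float, beta: float) -> float:
    """Expected net benefit of information security: reduction in expected loss minus z."""
    return (v - breach_probability(z, v, alpha, beta)) * t * L - z


def optimal_investment(t: float, v: float, L: float, alpha: float, beta: float) -> float:
    """z* that maximizes ENBIS, from d(ENBIS)/dz = 0:
    v*alpha*beta*t*L / (alpha*z + 1)**(beta + 1) = 1
    => z* = ((v*alpha*beta*t*L)**(1/(beta+1)) - 1) / alpha.
    If the marginal benefit at z = 0 is already below 1 the best choice is to invest nothing.
    """
    z = ((v * alpha * beta * t * L) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def best_on_grid(t: float, v: float, L: float, alpha: float, beta: float,
                 step: float = 1000.0) -> Tuple[float, float]:
    """Brute-force check: scan z from 0 up to the expected loss and keep the best ENBIS."""
    best_z, best_val = 0.0, enbis(0.0, t, v, L, alpha, beta)
    z = step
    while z <= expected_loss(t, v, L):
        val = enbis(z, t, v, L, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z, best_val


def within_one_over_e(t: float, v: float, L: float, alpha: float, beta: float) -> bool:
    """Gordon and Loeb bound for this class: z* <= expected loss / e."""
    return optimal_investment(t, v, L, alpha, beta) <= expected_loss(t, v, L) / math.e


# Constructed scenario (illustrative, not real data)
T, V, LOSS = 0.5, 0.6, 2_000_000.0   # threat probability, vulnerability, loss if breached
ALPHA, BETA = 1e-5, 1.0              # assumed productivity parameters of security spending

if __name__ == "__main__":
    z_star = optimal_investment(T, V, LOSS, ALPHA, BETA)
    print(f"expected loss without investment: {expected_loss(T, V, LOSS):,.0f}")
    print(f"optimal investment z*: {z_star:,.0f}")
    print(f"breach probability falls from {V:.2f} to "
          f"{breach_probability(z_star, V, ALPHA, BETA):.3f}")
    print(f"ENBIS at z*: {enbis(z_star, T, V, LOSS, ALPHA, BETA):,.0f}")
    print(f"z* within expected loss / e: {within_one_over_e(T, V, LOSS, ALPHA, BETA)}")
```

The practical point for a business case: the model argues against sizing a security budget to the full expected loss, because each extra dollar of spending buys a smaller reduction in breach probability than the one before it.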

Transferring Models – Campbell et al. Model

• The models incorporate the “snowball effect accruing from the resultant loss of market share and stock market value”

• The nature of the breach affects the result

• Unauthorized access to confidential data produces a highly significant negative market reaction

• A breach involving no confidential information produces no significant reaction

Transferring Models – Gal-Or and Ghose Model

• Applies game theory

• The model explains the costs and benefits of sharing information about security breaches

• In general, there are strong incentives to share breach information, and the incentives become stronger as firm size, industry size, and the amount of competition grow

Models for Decision Making

Some researchers look at other disciplines to see how the human aspects of decision making can be woven into economic models:

• Anthropology
• Sociology
• Psychology

Models for Decision Making

• Framing the issue
• Group behavior
• Organizational culture

Framing the Issue

• The way a problem is framed can make a big difference in the choices people make

Example:

• Cybersecurity investment choices are portrayed as risk avoidance or loss avoidance

vs.

• Cybersecurity investment choices are described as opportunities to establish a competitive edge as a totally trustworthy company

Group Behavior

• Driven by group identity, which leads to team reasoning

• Decision-makers do not act alone (they are NOT driven by rational choice alone)

Group Behavior

• They act as members of teams, organizations, or business sectors

• Individuals who are part of a team make decisions that meet collective objectives rather than individual ones

Credibility and Trust

• The number and nature of encounters among people also affect a decision

• People are willing to pay more for goods and services they trust

• Interpersonal relationships create and enhance trust

Credibility and Trust

• Trust has an effect on both the beliefs and the norms of others

• In cybersecurity, trust is an interpersonal or social relationship that merits special attention

Organizational Culture

• Driven by group identity, which leads to team reasoning

• Decision-makers do not act alone (they are NOT driven by rational choice alone)

Organizational Culture

• They act as members of teams, organizations, or business sectors

• Individuals who are part of a team make decisions that meet collective objectives rather than individual ones

Characteristics of organizational culture

Dimensions of Organizational Culture (Hofstede and Hofstede 2005)

Symbols and Heroes

• Symbols are the words, gestures, pictures and objects that carry specific meanings for a group of people who use them to communicate, e.g. PKI, IPsec, and cryptographic-algorithm jargon as part of a corporate security group’s culture

• Heroes of a culture are those people whose behaviors are highly prized, serving as role models for the others in the group, e.g. ACM or IEEE Fellows

Rituals and Practices

• Rituals are activities performed by all the group’s members that are socially essential but not necessary to the business, e.g. group meetings to introduce new members are often ways of teaching the language and symbols to newcomers

• Practices consist of the above three characteristics (symbols, heroes and rituals)

Values

• Values lie at the culture’s core. We can think of values as “broad tendencies to prefer certain states of affairs over others”

• If developers, managers, or customers do not value security, they will neither adopt secure practices nor buy secure products

6 Dimensions of Organizational Culture

• Organizational cultures can be characterized by where they fit along six dimensions

• The dimensions are polar opposites

• Most organizations fall somewhere in the middle

• These dimensions affect an organization’s cybersecurity economics

• These dimensions reflect the underlying organizational values and hence the type of cybersecurity investment choices

6 Dimensions of Organizational Culture

1. Process versus results
2. Employee versus job
3. Parochial versus professional
4. Open versus closed
5. Loose versus tight control
6. Normative versus pragmatic

6 dimensions of organizational culture