Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Managing Security InvestmentPart I
Tyler Moore
Computer Science & Engineering Department, SMU, Dallas, TX
September 18, 2012
ReadingMarket Failures
Managing security investment
Outline
1 Reading
2 Market FailuresReview and other slidesAsymmetric information
3 Managing security investmentOverviewMeasuring security benefitsHigh-level investment metrics
2 / 32
ReadingMarket Failures
Managing security investment
Homework assignment
Turn in via Blackboard
Due Monday September 27 at 7pm
Office hours this week: this afternoon plus Friday 9-10am
4 / 32
ReadingMarket Failures
Managing security investment
Review and other slidesAsymmetric information
First Fundamental Theorem of Welfare Economics
Definition
(First Fundamental Theorem of Welfare Economics) Anycompetitive equilibrium leads to a Pareto efficient allocation ofresources.
This definition begs the question: under what circumstancesdo we get competitive equilibrium?
Assume complete markets (perfect information, no transactioncosts)Assume price-taking behavior (infinite buyers and sellers, nobarriers to entry)
Now we will discuss market failures, and explain whyinformation security suffers from many of them
6 / 32
Notes
Notes
Notes
Notes
ReadingMarket Failures
Managing security investment
Review and other slidesAsymmetric information
Last time
We discussed how monopolists behave (choosing prices orsupply to maximize their own profits)
Also talked about public goods
Non-rivalrous: individual consumption does not reduce what’savailable to othersNon-excludable: no practical way to exclude people fromconsuming
Let’s switch over to another slide deck to talk about otherissues
7 / 32
ReadingMarket Failures
Managing security investment
Review and other slidesAsymmetric information
Information Asymmetries
?
equilibrium
market price
p > 0
security s ≈ cost
E (s | p) p
s = 0 s = 1willingness to pay: p∗ = 3
2 s
unknown security: p = 32 E (s | p)
uniform distribution: p = 32 ·
p2 = 3
4 p < p !
→ The market for secure products collapses Akerlof, 1970; Anderson, 2001
8 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Motivation
It can be important to frame information security decisionsusing the language of business
⇒ Security investment decisions must balance expected costsand benefits
To model rational decisions, we start by simplifying ourassumptions of attacker behavior
X Strategic adversaryAttacker exogenously given, follows a probability of attackknown to the defenderIn this sense, we treat security like a safety problem
When is the simplified attacker model appropriate?
+ Indiscriminate attackers (e.g., phishing, scanning)- Targeted attackers (e.g., spear-phishing, adaptive attacks)
10 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Security cost and benefits
cost ofsecurity
$
benefit ofsecurity
$
direct / indirect
variable / fixed
onetime / recurring
sunk / recoverable
expectedprevented
losses
11 / 32
Notes
Notes
Notes
Notes
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Cost of security
Definition
(Cost of security, security level) The cost of security c is theamount spent to reach a security level s. No security investment(c = 0) implies s = 0, and for any c > 0, s increasesmonotonically in c .
Definition
(Effective security investment) If security investment is effective,the security level can be approximated by the cost of security, i.e.,s ≈ c .
When does the effective security investment definition apply?When not?
12 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Security benefit: reduction of losses incurred in the absence ofsecurity
In other words: take a small fixed loss now to reduce thechances of a large but uncertain future loss
We already have the tools to deal with uncertainty aboutoutcomes: expected utility!
13 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Expected utility (discrete)
E [U(a)] =∑o∈O
U(o) · P(o|a)
o
P(o|a
)
o1: no attack o2: attack
0.1
0.9
14 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Expected utility (continuous)
E [U(a)] =
∫ v
uU(x) · P(x |a)dx
o
P(o|a
)
u v15 / 32
Notes
Notes
Notes
Notes
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Loss distribution function
Definition
(Loss distribution function) Let Ls : R+ → [0, 1] be the family ofprobability distribution functions describing the monetary lossesincurred from insecurity for a given security level s.
L0 is the loss distribution function in the absence of securityinvestment
Benefit of security: Ls − L0
We use expected utility to compare outcomes for the lossfunctions
16 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Comparing loss functions (discrete)
E [U(L)] =∑o∈O
U(o) · L(o)
loss
L(l
oss)
$0 $2,000
0.2
0.8 L0
0.1
0.9Ls
17 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Annual loss expectancy
Definition
(ALE) The annual loss expectancy ALEs is the expected loss perperiod due to information security failures given security level s,
ALEs = E (Ls) =
∫ ∞0
x · Ls(x) dx .
Note that annual suggests a multi-period view. Even when thisisn’t the case, the ALE term is used
18 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Annual loss expectancy visualized
ALEs = E (Ls) =
∫ ∞0
x ·Ls(x) dx ALE0 = E (L0) =
∫ ∞0
x ·L0(x) dx
loss
L(l
oss)
Ls L0
19 / 32
Notes
Notes
Notes
Notes
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Metrics for security benefits
Definition
(EBIS) The expected benefit of information security EBISs is thedifference between the loss expectancy without security and theloss expectancy given security level s,
EBISs = ALE0 −ALEs
= E (L0)− E (Ls) =
∫ ∞0
x · (L0(x)− Ls(x)) dx .
20 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Metrics for security benefits
Definition
(ENBIS) The expected net benefit of information securityinvestment ENBISs is given by the expected benefit of informationsecurity minus the cost of the investment to reach security level s.
ENBISs = EBISs − c = ALE0 −ALEs − c ,
or, assuming effective security investment,
ENBISs = EBISs − s.
Straightforward investment rule: only invest if ENBISs > 0
21 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Bernoulli loss assumption
OK, so continuous loss distribution functions are nice, butthey can be difficult to analyze
Not to mention it can be hard to justify assumptions abouthow the loss distribution might be shaped
Simplified scenario
Two loss outcomes: {0, λ}λ > 0: fixed loss, occurs with ps = Ls(λ)With probability 1− ps = Ls(0), suffers no loss
22 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Metrics under Bernoulli loss assumption
ALEs =(ps · λ+ (1− ps) · 0
)︸ ︷︷ ︸E(Ls)
EBISs =(p0 · λ+ (1− p0) · 0
)︸ ︷︷ ︸E(L0)
−(ps · λ+ (1− ps) · 0
)︸ ︷︷ ︸E(Ls)
ENBISs =(p0 · λ+ (1− p0) · 0
)︸ ︷︷ ︸E(L0)
−(ps · λ+ (1− ps) · 0
)︸ ︷︷ ︸E(Ls)
−s
23 / 32
Notes
Notes
Notes
Notes
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Recall the GoDaddy DDoS example
Source: http://www.zdnet.com/anonymous-hacker-claims-godaddy-attack-outage-hits-millions-7000003925/
24 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Recall the GoDaddy DDoS example
Source: http://www.cnn.com/2012/09/11/tech/mobile/godaddy-response-outage/index.html
25 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Recall the GoDaddy DDoS example
no outage o1 outage o2
Action U(o1) P(o1|action) U(o2) P(o2|action) E [U(action)]
s λ ps E (Ls)− s
buy anti-DDoS -$100K .99999 - $100K - $100M .00001 - $101Kdon’t buy 0 .98999 - $100M .01001 - $1,001K
λ p0 E (L0)
26 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Metrics under Bernoulli loss assumption
ALEs =(ps · λ+ (1− ps) · 0
)︸ ︷︷ ︸E(Ls)
EBISs =(p0 · λ+ (1− p0) · 0
)︸ ︷︷ ︸E(L0)
−(ps · λ+ (1− ps) · 0
)︸ ︷︷ ︸E(Ls)
ENBISs =(p0 · λ+ (1− p0) · 0
)︸ ︷︷ ︸E(L0)
−(ps · λ+ (1− ps) · 0
)︸ ︷︷ ︸E(Ls)
−s
27 / 32
Notes
Notes
Notes
Notes
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Metrics under Bernoulli loss assumption & λ = 1
Things get simplified even more if we scale the loss to 1 (λ = 1)
ALEs = ps ,
EBISs = p0 − ps , and
ENBISs = p0 − ps − s
28 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Incorporating risk attitudes
ENBISs = ALE0 −ALEs − c = E (L0)− E (Ls)− c
=
∫ ∞0
x · L0(x) dx −∫ ∞
0x · Ls(x) dx − c ,
=
∫ ∞0
x · L0(x) dx −∫ ∞
0(x + c) · Ls(x) dx
But what if the agent has a risk-averse or risk-seeking utilityfunction?
29 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Incorporating risk attitudes
Definition
(ENUBIS (expected net utility benefit of information security))
ENUBISs = −∫ ∞
0U(−x) · L0(x) dx︸ ︷︷ ︸
expected utility withoutsecurity investment
+
∫ ∞0
U(−x − c) · Ls(x) dx︸ ︷︷ ︸expected utility withsecurity investment
.
30 / 32
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Return on security investment (ROSI)
cost ofsecurity
$
benefit ofsecurity
$
direct / indirect
variable / fixed
onetime / recurring
sunk / recoverable
expectedprevented
losses
ROSI1) = benefit of security−cost of securitycost of security
1)Return On Security Investment
31 / 32
Notes
Notes
Notes
Notes
ReadingMarket Failures
Managing security investment
OverviewMeasuring security benefitsHigh-level investment metrics
Return on security investment (ROSI)
Definition
(ROSI) The return on information security investment ROSIs isthe ratio of the expected net benefit over the cost of security,
ROSIs =ENBISs
c=
ALE0 −ALEs − c
c
32 / 32
Notes
Notes
Notes
Notes