Economics of Information Security - A Review

Transcription

1 Economics of Security and Privacy (BMEVIHIAV15) Mark Felegyhazi assistant professor CrySyS Lab. BME Department of Telecommunications (Híradástechnikai Tanszék) mfelegyhazi(atat)crysys(dot)hu

2 Information security investment trends information security awareness increased companies are confident in their investment major obstacles CEO insufficient funding CISO lack of strategy, understanding and integration more security tools applied IPS/IDS, web security tools, malicious code detection incidents are detected PricewaterhouseCoopers, 2012 Global State of Information Security Survey,

3 Information security investment trends security spending increased in prevention detection web technologies biggest risks advanced persistent threat (APT) mobile devices partners are a security problem (more in Chapter 5) security spending decreased in identity management disaster recovery dedicated personnel people background check, inventory check privacy policies PricewaterhouseCoopers, 2012 Global State of Information Security Survey,

4 Risk management phases risk governance (RG) risk mgmt context define criteria - profile definition - requirements resources risk assessment (RA) risk analysis - identification - estimation risk evaluation risk monitoring and review (RM) monitoring communication awareness risk treatment (RT) prevent mitigate transfer accept 4

5 5 Budget constraints risks impact and priorities security budget calculate benefits decide which defenses to implement questions: How much to invest in security? Where to invest the best? issues knowing options and controls measure effectiveness (ROSI)

6 6 Modeling security investments What is the optimal security investment? risk-neutral firm single stage single threat Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol 5 nr 4, 2002

7 7 Modeling security investments λ, loss due to a security breach Assumption: λ is fixed λ is not critical (risk-neutrality changes) 0 < t < 1, threat probability 0 < v < 1, vulnerability of information vulnerability vs. availability abstracted L=v*t*λ, expected loss (no investment) firms control v (but not t) Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol 5 nr 4, 2002

8 8 Modeling security investments (cont d) z security investment S(z,v), sec. investment function - in reality, discrete function - marginal productivity decreases assumptions on S(z,v) A1: S(z, 0) = 0 for all z A2: S(0, v) = 0 for all v A3: For all v (0, 1), and all z, S(z,v) is a convex function of z Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol 5 nr 4, 2002

9 9 Analysis Utility function L = (v-s(z,v))tλ, expected loss (with sec. investment) U = (v-s(z,v))tλ z optimal investment, z*(v) =? two classes of security breach functions S1(z,v) = v/(αz + 1) β where α > 0, β 1 are measures of the productivity of information security (i.e., for a given (v, z), the probability of a security breach is decreasing in both α and β) S2(z,v) = v αz+1 where α > 0, is a measure of the productivity of information security Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol 5 nr 4, 2002

10 10 Results S1 Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol 5 nr 4, 2002

11 11 Results S1 invest in high-risk vulnerabilities Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol 5 nr 4, 2002

12 12 Results S2 Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol 5 nr 4, 2002

13 13 Results S2 invest in mid-range vulnerabilities Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol 5 nr 4, 2002

14 14 Results summary Main result: For S1 and S2, the optimal security investment is less than 37% of the expected loss z*(v) < (1/e) vl forget vulnerabilities key is to expected benefit depends on the productivity of security investments Critiques? comments? Gordon, L.A. and Loeb, M.P., The economics of information security investment, ACM Transactions on Information and System Security (TISSEC), vol 5 nr 4, 2002

15 G&L extensions original model 37% maximum investment is incorrect other security investment functions logistic function and more 340 Inf Syst Front (2006) 8: Fig. 1 Six classes of security breach probability functions S(z, v) when v=1/2 Fig. 2 Expected net benefit of investment in security for the six classes when v=1/2 Hausken, K., Returns to information security investment: The effect of alternative case is z=0. information 2 For comparative purposes, the first (boxes) for classes I and II first increases toward a maximum, and security breach functions on optimal investment and sensitivity to vulnerability, and second (stars) curves show the classes I and II when thereafter decreases. Information Systems Frontiers, vol. 8 nr. 5, 2006 α=1/2, β=1. These decrease convexly in Fig. 1, and approach zero asymptotically. Figure 2 shows how ENBIS class III The maximization III ðz; vþ=@z ¼ 0 for gives 15

16 positive investment that causes ENBIS>0. Inserting +=0.02, φ=1, L=16 into v ¼ 41 ð + Þ=Lφ gives v= Solving ENBIS III (z III* (v))=0 numerically with respect to v, to determine when the two lines in Eq. 4 G&L extensions more investment is needed Fig. 4 Optimal investment z*(v) for the six classes the first curv when v>0.41 increases to decreases for since it give when z=0. T Dividing z exceeds 1/e. The decrease seen from Eq pression wher sarily decreas Proposition 2 S(z, v) is of c isfying A1, A tion of the ex satisfy z III* ðþ v Hausken, K., Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability, Information Systems Frontiers, vol. 8 nr. 5,

17 Timing investments security investments according to the value (previous model) uncertainty estimating probabilities is hard defer investments until breach happens wait-and-see approach analogous to real options in business investment decisions empirical study some claim: easiest way to get top management s approval not need to be real, pentesting/audits are sufficient correlation between breach severity and approved budget Gordon, L.A. and Loeb, M.P. and Lucyshyn, W., Information Security Expenditures and Real Options: A Wait-and-See Approach, Computer Security Journal, vol. 19 nr. 2,

18 Timing investments Gordon, L.A. and Loeb, M.P. and Lucyshyn, W., Information Security Expenditures and Real Options: A Wait-and-See Approach, Computer Security Journal, vol. 19 nr. 2,

19 Iterated security investments security is a dynamic process formal model of security investment timing How much to spend? Where to invest and when? Böhme, R. and Moore, T., The iterated weakest link, IEEE Security and Privacy vol 8 nr 1,

20 Security investment with uncertainty perfect info true cost of attacks uncertainty true cost of attacks Böhme, R. and Moore, T., The iterated weakest link, IEEE Security and Privacy vol 8 nr 1,

21 Iterated Weakest Link (IWL) model true cost of attack expected cost of attack Böhme, R. and Moore, T., The iterated weakest link, IEEE Security and Privacy vol 8 nr 1,

22 Iterated Weakest Link (IWL) model proactive defense (k 1 ) Böhme, R. and Moore, T., The iterated weakest link, IEEE Security and Privacy vol 8 nr 1,

23 Iterated Weakest Link (IWL) model proactive defense (k 1 ) reactive defense Böhme, R. and Moore, T., The iterated weakest link, IEEE Security and Privacy vol 8 nr 1,

24 Iterated Weakest Link (IWL) model defense variable: - proactive defense proactive defense (k 1 ) reactive defense Böhme, R. and Moore, T., The iterated weakest link, IEEE Security and Privacy vol 8 nr 1,

25 IWL Total profit a asset r return if no attack [0,1] z loss due to attack [0,1] σ attack cost uncertainty 1 unit defense cost proactive defense (k 1 ) reactive defense t benefit a(r-z) a(r-z) a(r-z) ar ar ar cost Böhme, R. and Moore, T., The iterated weakest link, IEEE Security and Privacy vol 8 nr 1,

26 Reactive defense summary attack intensity security spending ROSI reactive defense compared to proactive Böhme, R. and Moore, T., The iterated weakest link, IEEE Security and Privacy vol 8 nr 1,

27 Pentesting model true cost of attack expected cost of attack Böhme, R. and Felegyhazi, M., Optimal information security investment with penetration testing, GameSec

28 Pentesting model proactive defense (k 1 ) Böhme, R. and Felegyhazi, M., Optimal information security investment with penetration testing, GameSec

29 Pentesting model proactive defense (k 1 ) reactive defense Böhme, R. and Felegyhazi, M., Optimal information security investment with penetration testing, GameSec

30 Pentesting model defense variables: - proactive defense - penetration testing proactive defense (k 1 ) reactive defense Böhme, R. and Felegyhazi, M., Optimal information security investment with penetration testing, GameSec

31 yes no nature Extensive form solution 1. commission pentest? 2. test successful? 3. attacked? 4. defend? T 2 T 1 T 2 T 1 1. pente Extended Decision... Tree T 2 T 1 T 2 T 1 T 2 T 1 T 2 T 1 T 2 T 1 Model penetration testing as cost of information gathering. T. 2 T 1 Security Metrics and Security Investment Models 2. succe attack 4. defen 1. p 2. s Böhme, R. and Felegyhazi, M., Optimal information... security investment with penetration testing, GameSec

32 Pentesting model a asset r return if no attack [0,1] z loss due to attack [0,1] σ attack cost uncertainty 1 unit defense cost c cost of pentesting proactive defense (k 1 ) reactive defense t benefit a(r-z) ar ar ar ar ar cost 4+c 6+c Böhme, R. and Felegyhazi, M., Optimal information security investment with penetration testing, GameSec 2010

33 Pentesting helps - costs k k k a z a z a z K K p =1 K p = 1 /2 k k k 0 t 0 c t 0 c t Fig. 3. Comparison of costs in scenario without (left) and with pentesting (p = 1, center) for infinitesimally manyböhme, rounds; R. and costs Felegyhazi, are proportional M., Optimal toinformation areas; thesecurity success probability p defines the slopeinvestment of the gradient with penetration towardstesting, reaching GameSec the secure 2010 level K (center versus right); note that K is amark random Felegyhazi, CrySyS variable Lab, unknown to the decision maker 33

34 Pentesting helps total profit Solution with Penetration Testing optimal k 1 with pentest profit optimal k 1 without pentest m 1 initial defense k 1 Security Metrics and Security Investment Mark Models Felegyhazi, CrySyS Lab, 34

35 Return on pentesting (ROPT) ROPT = loss (security + no pentesting) loss (security + pentesting) avg. security investment ROPT [%-pts. of security investment] uncertainty σ c =0.5 c =5 c =10 Fig. 5. Profile of return on penetration testing (ROPT) as uncertainty increases for varying cost of pentesting (c =0.5 is half Mark of Felegyhazi, the cost per CrySyS protection Lab, measure and round) 35

36 Pentesting summary reactive defense compared to proactive penetration testing compared to reactive w/o pentesting attack intensity security spending ROSI ROPT Böhme, R. and Felegyhazi, M., Optimal information security investment with penetration testing, GameSec

37 Reading for next time R Bohme, G Schwartz, Modeling cyber-insurance: Towards a unifying framework, WEIS 2010 optional: Gordon and Loeb, A framework for using insurance for cyber-risk management, Communications of the ACM 2003 R Bohme, G Kataria, Models and measures for correlation in cyber-insurance, WEIS 2005 Ogut, H. and Menon, N. and Raghunathan, S., Cyber insurance and IT security investment: Impact of interdependent risk, WEIS 2005 Intermediaries and regulation 37