Justifying Spam and Virus Security Investments: A Case Study. Hemantha Herath 1 and Tejaswini Herath 2

Transcription

1 Justfyng Spam and E-mal Vrus Securty Investments: A Case Study Hemantha Herath 1 and Tejaswn Herath 2 Abstract: Our paper nvestgates the problem of justfyng securty nvestments concernng spam and emal vrus usng real lfe data from a mdsze North Amercan unversty. We formulate the spam and emal vrus securty problem as a captal budgetng problem usng operatng characterstc (ROC) curves n a decson theoretc framework. Pror research has nvestgated the optmal confguraton n a detecton system focusng on hackng. In a corporate settng when makng the case for nformaton securty not only the technology specfc detecton costs but other costs (captal expendtures, operatng costs and opportunty costs) have to be consdered. We contrbute to the current lterature by nvestgatng the spam emal and vrus problem and demonstratng how theoretcal research can really be appled n practce through a real lfe case study. 1. Introducton Investments n nformaton securty have been recognzed as an mportant ssue by both practtoners and academcs alke. However, what should be the Return on Securty Investments (ROSI) and the approprate level of nvestments has been a controversal topc (Cavusoglu et. al. 2004). The return on securty nvestment or the loss wthout securty nvestments s hard to quantfy due to dffculty n defnng and measurng the full array of benefts. The mpact of nformaton securty breach may well be fnancal, n the form of costs (ncreased nsurance costs, equpment rental/purchase for recovery, overtme costs, etc.), loss of productvty, revenue (drect loss of 1 Correspondng author, Assocate Professor of Manageral Accountng, epartment of Accountng, Faculty of Busness, Taro Hall 240, 500 Glenrdge Avenue, St. Catharnes, Ontaro, Canada L2S 3A1.; Tel: (905) Ext. 3519; Fax: (905) ; E-mal: [email protected] 2 octoral student, epartment of MIS, State Unversty of New York at Buffalo, NY, USA 1

2 downtme, lost future revenues), and fnancal performance (credt ratng, stock prce). However, more serous are the dffcult to quantfy or the hdden costs such as damaged reputaton that may have a negatve mpact on customer, suppler, fnancal market, banks and busness allance relatonshps (Camp and Wolfram 2004). espte of the controversy surroundng ROSI, t s wdely recognzed that organzatons have become so dependant on computer based and telecommuncaton ntensve nformaton systems that dsrupton of ether may cause outcomes rangng from nconvenence to catastrophe. As e-commerce contnues to grow, so wll cyber crme and the need for IT securty. Informaton securty whch once was consdered as just overhead costs s now wdely recognzed as an mportant nvestment of busness operatons (Cagnem, 2001). Corporate spendng on nformaton securty contnues to grow sgnfcantly. Ths has resulted n a growng stream of research n nformaton securty. Gordon and Loeb ( 2002) however, pont out that much of nformaton securty research has focused on techncal aspects of nformaton securty (such as encrypton, bandwdth, ntruson detecton software and securty archtecture) or behavoral aspects of reducng nformaton securty breaches whle there has been very lttle research devoted to the economc aspects of nformaton securty. Along wth the tradtonal approaches mentoned n numerous textbooks, several researchers have nvestgated economcs of nformaton securty. The semnal research n ths area can be dentfed wth the work of Gordon and Loeb (2002, 2003) and Cavusoglu and Raghunathan (2004), Cavusoglu et.al (2005). As dscussed n Cavusoglu (2004), researchers have consdered dfferent approaches to determne the effectve level of IT securty nvestments. For example, Hoo (2000) provdes a tradtonal decson analytc framework to evaluate dfferent IT securty polces based on cost-beneft tradeoffs. He consders not only the costs of securty 2

3 controls and expected loss from securty breaches but also addtonal profts expected from new opportuntes. Longstaff et.al (2000) show that nvestment n systematc rsk assessment reduces the lkelhood of ntrusons yeldng benefts much hgher than the nvestment cost. Gordon and Loeb (2002) propose a model to dentfy the optmal level of securty nvestment (an nteror optmal soluton) based on the dentfcaton of potental securty volatons n terms of ther damage and lkelhood. They argue that allocaton of funds to nformaton securty should be smlar or at least based on cost and beneft terms smlar to allocatng funds to any other actvtes usng captal budgetng technques such as net present value (NPV) or more advanced real opton technques and/or game theory. Cavusoglu and Raghunathan (2004), Cavusoglu et.al. 2004, 2005) explore the optmal confguraton of detecton software by usng decson and game theory approaches. Ther framework s more rgorous snce t allows features specfc to IT technologes to be consdered. Whle these studes provde valuable nsght nto dfferent securty vulnerabltes ncludng hackng there s no one sze ft all type model soluton. For example, the game theory approach tres to analyze the optmal securty nvestment problem as a game between a hacker and the organzaton. It s unque to stuatons of ntrusons where a hacker has a motve aganst a partcular organzaton. However, n a scenaro such as the securty problem of spam and e-mal vrus, whch ths paper focuses on, the malcous user may not have a motve aganst a partcular organzaton. Then t may be more approprate to treat the securty problem as a game aganst nature. In a spam and vrus emal securty scenaro the game theoretc approach may not be the best approach but decson theoretc methods seem more approprate. Our paper nvestgates the problem of justfyng IT securty nvestments concernng spam and emal vrus securty usng real lfe data from a mdsze North Amercan unversty. We 3

4 formulate the spam and emal vrus securty the problem as a captal budgetng problem usng operatng characterstc (ROC) curves n a decson theoretc framework as n Ulvla and Gaffney (2004) and Cavusoglu and Raghunathan (2004). Cavusoglu and Raghunathan (2004), focus on fndng the optmal confguraton (.e. optmal qualty parameters) n a detecton system. In a corporate settng when makng the case for nformaton securty not only the technology specfc detecton costs but other costs (captal expendtures, operatng costs and opportunty costs) have to be consdered. We contrbute to the current lterature n two ways, frst, by nvestgatng spam and emal vrus securty problem. Second, demonstratng how theoretcal research can really be appled n practce through a real lfe case study. The paper s as follows. Secton 2 starts wth the case example by provdng a bref descrpton of an unversty emal servce archtecture currently n place and confguraton alternatves. Secton 3 summarzes pror work that dentfes specfc features of nformaton technology securty. In secton 4 we ncorporate these confguraton specfc characterstcs n a captal budgetng model that can be used to make the case for nvestments n IT securty nvestments. Secton 5 provdes an applcaton example wth real data and secton 6 concludes. 2. Exstng Unversty Emal Servce Archtecture The north amercan unversty (hereafter referred to as NAU) consdered n ths study s a mdsze unversty wth over 18,000 full and part tme students wth approxmately 1200 staff and faculty. We consder the e-mal servces at ths unversty as our applcaton case study. Many recent surveys report that vruses pose a sgnfcant threat to nformaton technology systems. The 2004 ecrme watch survey reports that vrus and other malcous codes were the most frequent type of electronc crmes (77%) experenced by organzatons. SPAM 4

5 and phshng e-mals also ranked hgh n the lst of electronc crmes commtted. A recent CSI/FBI survey (2004) notes that, although attacks on computer systems have declned steadly n last few years, vrus attacks remans hghest compared other types of attacks causng maxmum dollar losses. Whle there are varous sources for vrus propagaton, the 2004 ICSA survey shows that vrus propagaton by e-mal pose the greatest threat. As llustrated n Table 1 n recent years emal vectors contnues to be the prmary means of vrus spread. Table 1: Vrus Propagaton Vrus Source E-mal Attachment 9% 26% 32% 56% 87% 83% 86% 88% Internet ownloads 10% 16% 9% 11% 1% 13% 11% 16% Web Browsng 0% 5% 2% 3% 0% 7% 4% 4% on t Know 15% 7% 5% 9% 2% 1% 1% 3% Other Vector 0% 5% 1% 1% 1% 2% 3% 11% Software strbuton 0% 3% 3% 0% 1% 2% 0% 0% skette 71% 84% 64% 27% 7% 1% 0% 0% Source: ICSA Labs 9 th Annual Computer Vrus Prevalence Survey, 2004 In addton to the drect damage the vrus e-mals pose, spam e-mals also adversely affect organzatons. Spam e-mals affect the productvty of the employees, e-mal server storage space and have bandwdth mplcatons. Organzatons contnue to deal wth these problems usng several mechansms. For example, organzatons may use dfferent e-mal server archtectures dependng resource avalablty and securty levels. Fgure 1 depcts the archtecture used for e-mal servces at NAU. 5

6 SMTP server E-mal flterng software Freeware Grey Lst Clam Ant Vrus Unversty e-mal On-campus and Off-campus users Internet through ISP Frewall Spam Home Spam Assassn Mmedefang Outsde e-mal Gmal, Yahoo Fgure 1: E-mal servces archtecture All ncomng e-mals wth NAU e-mal address passes through a frewall. Along wth other actvtes, the frewall checks the e-mal (as well as web) traffc for any potental vrus nfectons. The allowed-to-pass (ATP) through e-mal traffc s then dverted to SMTP server. The emals are stored on the SMTP server tll they are retreved by the e-mal recpent. Several flters are confgured to dentfy malcous or spam e-mal. Snce all organzatonal e-mals are fltered, the locaton of a recpent whether on-ste (at unversty premses) or off-ste does not make dfference. However, e-mals receved on thrd party e-mal servces such as Yahoo, GMal, Hotmal and others, do not get scanned and therefore ncrease NAU s systems vulnerablty. In Table 2 we tabulate e-mal transactons data for a two day perod from NAU system for ts exstng confguraton whch we call Opton II. As seen there are 238 detected vrus nfectons n a span of two days. These along wth other non-productve e-mals such as SPAM and phshng, pose a sgnfcant productvty as well as IT securty ssue to NAU. 6

7 Table 2: NAU E-mal Statstcs (October 24-26, 2005) Outgong Incomng Total e-mal transactons Incomng Vrus 298 Spam 9924 Reject Longform User Grey Trplet (Whte, Black, New) and Msc Passed Accepted Mal n Archtecture for e-mal Securty In Fgure 2 we show the e-mal flterng process at NAU. All external traffc ncludng e- mal and web traffc passes through the frewall. The unauthorzed traffc fltered by the frewall s dropped and remander s passed to approprate servers. E-mal traffc whch s routed to SMTP server can orgnate from both known and unknown sources. E-mals from unknown sources are subject to extra scrutny. E-mals consdered malcous are dropped and others grey lsted for further nvestgaton. One type of nvestgaton to verfy authentcty ncludes requestng the sendng machne to resend the e-mal message wthn a specfed tme (say 20 mnutes). If the resent emal s agan receved by the NAU server wthn the stpulated tme then the sender s assumed to be authentc. That message s removed from grey lst and delvered to the ntended recpent. However, f the sender s not authentc and the messages are not resent as majorty tmes n case of spam, then the messages are dropped. Other flters have dfferent processes for verfyng authentcty. Based on the confguraton that allows the extent of montorng, a sgnal score s calculated and compared aganst a threshold to classfy an emal as 7

8 harmful or harmless. rop 1 E-mal Pass Frewall 2 Un-known sources Pass 3 Consdered malcous rop Known sources 4 Pass Grey Lst 5 6 Harmful 7 Harmless 8 Harmful 9 Harmless 10 - Montor the sgnal score - Take acton based on score and threshold Fgure 2: NAU Emal Flterng Process 2.3 Securty Confguraton Alternatves There are many flters avalable as freeware, whch are qute effectve. However, these flters need to be confgured and that requres sklled labor. ependng on the level of the securty desred the labor hours allocated to confguratons may vary. Off-the-shelf products are also avalable whch need relatvely less number of, nearly neglgble, hours to mplement. However, the cost of the product as well as the level of securty t provdes may dffer from an n-house developed confguraton. At the tme of nvestng n IT securty at NAU, several optons were avalable to the 8

9 decson makers as shown n Fgure 3. These nclude opton I (low level of securty confguraton), opton II (medum level of securty confguraton), opton III (hgh level of securty confguraton) and opton IV (off-the shelf box). The decson makers also had to argue the case for whch confguraton would be the best gven NAU s budget, as many other unverstes NAU operates on a tght annual budget. Fgure 3 shows captal expendture costs n the mplementaton phase. Next sectons detals how IT nvestment planers could make the case for justfyng IT securty spendng. Grey Lst Clam Ant Vrus Spam Home Cost = Hardware (20,000)+ Labor (500 hrs) Hardware + Freeware Grey Lst Clam Ant Vrus Spam Home Spam Assassn Mmedefang Cost = Hardware (20,000)+ Labor (1000 hrs) E-mal flterng solutons Grey Lst Clam Ant Vrus Spam Home Spam Assassn Mmedefang AddFl1 AddFl2 AddFl3 AddFl4 Cost = Hardware (20,000)+ Labor (1300 hrs) Out of Box Soluton Cost = Soluton (45,000)+ Labor (mnmum) Fgure 3: Confguraton Alternatves 3. Pror Related Research 9

10 We follow the recevng operatng characterstc (ROC) approach by Ulvla and Gaffney (2004) Cavusoglu and Raghunathan (2004) for comparng the effectveness (or qualty profle) of dfferent confguraton of the emal gateways. The approach s based on classcal statstcal theory where the ROC curve provdes the relatonshp between the two classfcaton errors n a detecton system. The two error classfcatons are false postve whch occurs when the system classfes an authorzed transacton as malcous and false negatve where a malcous transacton s classfed as authorzed. We use smlar notaton used by above authors to be consstent 3. Let s be a numercal score used by detecton software based on transacton data and t the threshold score. The system classfes a transacton as a malcous/fraudulent f s > t. The numercal scores for authorzed (normal) transactons sn and unauthorzed (fraudulent) transacton s F s assumed to follow exponental dstrbutons wth parameters λ N and λ. efne F λ r λf = as the rato of mean score N of normal transactons to that of fraudulent transactons. Then the relatonshp between the qualty parameters of the detecton system, probablty of detecton P and probablty of false postve P F s gven by the ROC curve as P = r P F transacton as H 0 and an unauthorzed transacton as H1 then,. Notce that f one denotes an authorzed P = Pr( H 1 H1s P F = Pr( H 1 H 0 s true). There s also the error of a false negatve gven by 1 P = Pr( H 0 H1s true) but, ths s taken care of by P tself. true) and The decson tree for confgurng a detecton system s shown n Fgure 4. The detecton uses the scored transactons to provde sgnal to flag the state of the transacton as an unauthorzed transacton a sgnal (.e. wth probablty x ) or not classfed as unauthorzed a no sgnal 3 To avod confuson, for the numercal score, we use s here nstead of x as x s also used for the probablty of a sgnal. 10

11 (.e. wth probablty 1 x ). Let ψ denote the proporton of malcous emals, then the probablty of a sgnal and no-sgnal are gven by: P(no - sgnal) P(sgnal) = F = F x = P ψ + P (1 ψ ).(1) 1 x = (1 P ) ψ + (1 P )(1 ψ ).(2) Usng the Baye s rule then one can obtan the followng posteror probabltes P(malcous sgnal) = η1 = Pψ P ψ + P (1 ψ ) F.(3) P(malcous no - sgnal) = η2 = (1 P (1 P ) ψ ) ψ + (1 P F )(1 ψ ).(4) Costs Authorzed c 1 1 η 1 B Sgnal Grey lsted or dropped s>t x Malcous η 1 c Emal transactons A No Sgnal Authorzed s<t 1 x C Authorzed 1 η 2 0 η 2 Malcous d Fgure 4: Probablty tree for a gven Confguraton We assume that f the detector sgnals a fraud then t s nvestgated and f t does not sgnal t s not nvestgated. Ths s a smplfyng assumpton but can be relaxed as n Cavusoglu 11

12 and Raghunathan (2004) where a decson wll be taken n both sgnal and no-sgnal state whether or not to nvestgate. The costs pertanng to the termnal states are shown n Fgure 4. We defne ( c ) as the cost of an nvestgaton for correctly sgnaled malcous e-mals, ( c 1 ) as opportunty cost of lost productvty plus the cost to nvestgate f an authorzed transacton s ncorrectly sgnaled as malcous, and ( d ) as the damage from an undetected fraud. Usng equatons 1, 2, 3 and 4 and takng the expected values at each node n the probablty tree and foldng back we compute the expected cost of the detecton system confguraton as a functon of the qualty parameters P and P F of the system gven by E ( C ) cp ψ + d(1 P ) ψ + c1p (1 ψ ).(5) = F Ths result s dentcal to the frm s expected cost under Regon 2 n Cavusoglu and Raghunathan (2004), pg 137. Our smplfcaton, whether or not to nvestgate dd not mpact the cost snce Regons (1) and (3) are of no nterest to system evaluators as proved n Cavusoglu and Raghunathan (2004). In Cavusoglu and Raghunathan (2004), under the decson theory approach, the optmal confguraton (.e. optmal qualty parameters) s found by mnmzng Equaton 5. Whle ths approach provdes the corner soluton of the confguraton t does not consder how the nformaton systems budget would affect the system confguraton or the captal budgetng problem. In the next secton, we ncorporate confguraton specfc characterstcs n a captal budgetng model that can be used to make the case for nvestments n IT securty nvestments. 4. Investment Model Every securty system has costs and requres tradeoffs. Most securty costs money, sometmes substantal amounts; but other tradeoffs may be more mportant, rangng from matter 12

13 of nconvenence and comfort to ssues nvolvng basc freedoms lke prvacy. These cost/beneft tradeoffs have to be consdered when undertakng securty nvestments. Typcally the benefts of nformaton securty nvestments wll ntally ncrease but may eventually reduce snce the probablty of breach wll reduce as level of nformaton securty nvestments ncrease. The cost of nformaton on the other hand may ntally ncrease slowly but may ncrease at a hgher rate due to access restrcton placed by more controls at hgher levels of secured IT envronments. 4.1 efnton of Terms and Varables : Index for project 4 s : Level of nformaton securty (expressed as an ndex) assocated wth project I : Base level of nformaton securty nvestment cost 0 I : Informaton securty nvestment cost assocated wth project Bˆ : Beneft (cost savngs) assocated wth preventng a securty breach by nvestng n s level of nformaton securty Ĉ : Total nformaton securty related cost (excludng nvestment costs) a 0 : Annual avodable fxed operatng costs pertanng to project a 1 : Varable cost per unt level of nformaton securty pertanng to project a 2 : Quadratc cost term reflectng ncreasng margnal cost per unt level of nformaton securty pertanng to project C : Cost of a securty breach f no nformaton securty nvestment s made B Pr( o s ) : Securty breach probablty functon (probablty that a breach wll occur gven a level of nformaton securty nvestment s ) k : dscount rate r : rsk-free rate τ : corporate tax rate f s ) : net annual after tax cash flows pertanng to project ( 4.2 Level of Securty Investment: The nvestment cost assocated wth a securty nvestment wll nclude the hardware cost and one-tme IT labor cost for confguraton and system set up. We argue that the systems desgners have the flexblty to confgure the detecton systems dependng on how much they 4 We use the term project and nvestment opportunty nterchangeably to descrbe an nvestment n nformaton securty 13

14 wsh to spend on system hardware and the labor costs. For example, one nvestment alternatve may be to confgure system at a low securty level by not allocatng much IT labor. Another alternatve may be to allocate a hgher level of IT labor to acheve a hgh level of securty. There are two prmary cost components assocated wth nformaton securty the system confguraton specfc costs and the operatng costs. The costs and benefts of securty nvestments are assumed to vary wth the level of securty nvestment denoted by s. In order to express the securty nvestment costs as an ndex we use a base level of securty nvestment (I 0 ). The level of nformaton securty s then gven by: I s = (6) I Beneft functon: The beneft functon assocated wth the nformaton securty nvestment s the expected beneft of preventng a breach. It s a functon of the level of nformaton securty and the probablty of a breach occurrng condtonal on the level of securty. The probablty of a breach occurrng s modeled by a decay functon as Pr( o s ) = e breach s gven by s. Then the probablty of avodng a 1 e s, whch s equal to the probablty of detectng a breach for a gven level of nvestment P. In Fgure 5 below we show the probablty breach functon. For any level of nvestment s one can compute the probablty of detectng P and usng the ROC curves for a gven r λ = F we can compute the probablty of false postve F N λ P. The assumpton that qualty parameters are a functon of the money spent (resources allocated) on IT securty s a reasonable assumpton snce that s exactly what happens n practce. Gven the probablty of a breach, the beneft from preventng a breach can be calculated usng the probablty of avodng the breach, the complement probablty ( 1 e s ) tmes the cost 14

15 of an nformaton breach f no securty nvestment s made. Therefore the beneft assocated wth preventng a breach s Bˆ s = C (1 Pr( o s )) = C (1 e ) (7) B B Probablty of a Securty Breach s Fgure 5. Securty Breach Functon Notce that the functon s ndependent of the tme subscrpt ndcatng that the beneft assocated wth a certan level of nvestment wll be the same throughout the project lfe. Ths s smplfyng assumpton and can be easly relaxed. The cost of a breach (C B ) s dffcult to measure exactly due to unavalablty of frm specfc data. In order to overcome ths dffculty we model C B as a contnuous random varable havng a trangular (PERT type) dstrbuton for Monte Carlo smulaton. 4.4 Cost functon: The total cost functon ncludes the confguraton specfc costs as gven n Equaton (5) for some level of nvestment s and the operaton costs wth annualzed cost parameters. We consder the followng as operatng costs (annual fxed operatng costs that can be avoded f the 15

16 nformaton securty s not put n place). These are hrng costs of IT securty personnel to mantan the system ndependent on the level of IT securty capacty acqured. Second the annual varable porton of costs, whch wll depend on the level of nformaton securty nvestments such as tranng costs etc. Thrd, the opportunty cost assocated wth loss of ste access as more and more controls are emphaszed. We assume these costs to have a quadratc term so that the total cost of nformaton securty wll ntally ncrease at a decreasng rate and thereafter ncrease at an ncreasng rate due to access restrcton place by hgher levels of nformaton securty. The total cost functon wth confguraton specfc cost and operatng costs are gven below: ˆ 1 C { (1 ) (1 )} { 2 = cp ψ + d P ψ + c1pf ψ + a0 + a1 s + a2s } (8) 2 The annual after tax cash flow related to project s gven by Where τ s the tax rate and f Bˆ and s ) = (1 τ )( Bˆ Cˆ ) (9) ( Ĉ are as n Equatons 7 and 8 respectvely. Assume that each project has an economc lfe of 3 years, and the cost of captal s k. Then the net present value NPV of project s gven by NPV( ) = (1 τ )( Bˆ Cˆ )( P / A, k%,3) I where, ( P / A, k%,3) s the present value of annuty factor. Then as n Fgure 6 we can pck the confguraton that provdes the hghest NPV, gven IT budget constrants. 16

17 Authorzed Payoffs c η 1 Hgh Securty Level Confguraton (L1) Sgnal Grey lsted Emal transactons No Sgnal Authorzed x 1 1 x 1 1 η 1 Fraudulent Authorzed 1 1 η 2 1 η 2 c 0 Fraudulent d Authorzed Payoffs c η 1 Medum Securty Level Confguraton (L2) Emal transactons Sgnal Grey lsted x 2 1 x 2 2 η 1 Fraudulent Authorzed c 0 Max[NPV(L1), NPV(L2), NPV(L3), NPV(O)] No Sgnal Authorzed 2 1 η 2 2 η 2 Low Securty Level Confguraton (L3) Fraudulent Authorzed d Payoffs c η 1 Emal transactons Sgnal Grey lsted x 3 1 x 3 3 η 1 Fraudulent Authorzed c 0 No Sgnal Authorzed 3 1 η 2 3 η 2 Fraudulent d Out of Box Soluton Fgure 6. ecson Tree for Investment Optons 5. Model Applcaton We llustrate the applcaton of the model usng the actual data for NAU s emal transactons for the 1 st September 2005 to 15 th February 2006 perod gven n Table 3. The parameter values related to NAU s nvestment alternatves, opton I (low level of securty confguraton), opton II (medum level of securty confguraton), opton III (hgh level of securty confguraton) and opton IV (off-the shelf box) are gven n Table 4. We make the followng assumptons: NAU s IT budget s lmted to $50,000, each nvestment alternatve 17

18 (opton I, II, and III) have project lfe of three years, and to fnd the level of securty (s ), we assume a base level of nvestment (I 0 = $100,000). The probablty of a detecton s computed s as P = ( 1 e ). Table 3. NAU s Emal statstcs for 1 st September 2005 to 15 th February 2006 Outgong Incomng Total e-mal transactons Incomng Vrus 5180 Spam Reject Longform User Grey Trplet (Whte, Black, New) and Msc Passed Accepted Mal n The rato of mean score of normal transactons to that of fraudulent transactons λ r λf = s determned by defnng normal transactons as # of passed + # of accepted + # of mal n and fraudulent transactons as # of vruses + # of spam + # of reject. We assume a constant r for llustraton smplcty but ths can be relaxed. Next from the ROC curves we compute the probablty of false postve P F. The proporton of malcous emals ψ s found by dvdng the # of fraudulent transactons (computed as # of vruses + # of spam + # of reject ) by the total # of ncomng mal. Snce the beneft and cost parameters are dffcult to precsely estmate we recommend usng Monte Carlo smulaton. For each of the three alternatves we assume the followng N 18

19 beneft and cost nput parameters 5. The cost of securty breach (C B ) s modeled by a trangular dstrbuton wth mnmum securty breach cost of $150,000, a modal value of $170,000 and a maxmum securty breach cost of $215,000.e. T[150,170,215] n thousands. For the confguraton specfc cost parameters we assume the followng: annual nvestgaton cost of correctly sgnaled malcous emal to be unformly dstrbuted over the nterval c~[$10,000, $15,000].e. opportunty cost plus cost to nvestgate an ncorrectly sgnaled emal as c 1 ~U[$12,000, $17,000], damage from an undetected emal, vrus d ~U[$20,000, $80,000],. The followng operatng costs parameters are assumed; an annual fxed cost to be unformly dstrbuted over the nterval [$7,000, $12,500].e. a 0 ~U[7, 12.5] n thousands, the varable cost per unt level of nvestment unformly dstrbuted over [$1,000, $2,500].e. a 1 ~U[1,2.5] n thousands and the margnal cost per unt level of nformaton unform over the nterval [$500, $800],.e. a 2 ~U[ ] n thousands. The data for the three projects s summarzed n Table 4. A company's cost of captal of 10% per annum s assumed, reflectng a rsk-premum of 3% above the rsk-free rate of 7%. The margnal tax s assumed to be 40%. Table 4: Cost and Parameter Values All costs are n thousands of $ escrpton Opton I Opton II Opton III Opton VI Project lfe 3 years 3 years 3 years Investment cost (I ) $35 $50 $59 $45 Level of nvestment (s ) P P F r ψ Cost of a securty breach T[50,70,115] T[50,70,115] T[50,70,115] (C B ) Annual fxed (a 0 ) U[7, 12.5] U[7, 12.5] U[7, 12.5] Varable cost (a 1 ) U[1,2.5] U[1,2.5] U[1,2.5] Margnal cost (a 2 ) U[ ] U[ ] U[ ] 5 We have assumed the same costs and beneft parameters for all the three projects for smplcty but dfferent values can be consdered for each project. 19

20 c U[10, 15] U[10, 15] U[10, 15] c U[12, 17] U[12, 17] U[12, 17] 1 d U[20, 80] U[20, 80] U[20, 80] 6. Conclusons In Table 5, we present the smulaton output for each of the three IT securty nvestment alternatves along wth the out-of-the-box alternatve. Snce NAU s IT securty budget s lmted to $50,000, opton III s not vable although t has the largest NPV. From the remanng two n house confguraton alternatves, opton I wll be rejected as the NPV s negatve. Then the best n house confgures alternatve s opton II wth a postve NPV and a hgh proftablty ndex. Snce NAU can also buy an out-of-the-box system for $45,000, there are two possble IT securty nvestment alternatves: (1) select a medum securty level confguraton (opton II) or (2) the out of box alternatve (opton VI). NAU decded on opton II snce the probablty of detecton s hgher than under opton (IV). Other factors favorng opton II nclude greater flexblty to manage snce IT staff are famlar wth the confguraton as t was developed n house, value of learnng, and n house tranng. Table 5. Summary of Results Opon I Opton II Opton III Opton VI Mean(NPV) (12,646) 21,511 21,874 stdev(npv) 6,489 8,129 9,313 Investment Proftablty ndex prob of detecton In ths artcle we nvestgated the spam emal and vrus problem of an organzaton and demonstrated how theoretcal research can be appled n practce through a real lfe case study. Future research should also look at how game theoretc models can be ncorporated nto ths 20

21 framework n a mult-perod settng f hackng s found to be sgnfcant. Although, we have consdered the vablty of several confguraton alternatves, we have not nvestgated the manageral flexblty or embedded real optons to choose on the optmal tmng of nvestment. Acknowledgement valuable nput. We would lke to thank computng consultants Josh Sekel and Shawn Marrott for ther REFERENCES E-Crme Watch Survey Summary of Fndngs. Retreved ecember 3, 2004, from Computer Emergency Response Team Coordnaton Center Web Ste: Cagnem, M. P Top Technology Issues. Informaton Systems Controls Journal, 4(6). Camp, L. J., C. Wolfram Prcng Securty. J. Camp and R. Lews (eds). Economcs of Informaton Securty, Kluwer, Cavusoglu, H., B. Mshra, S. Raghunathan The Value of Intruson etecton Systems n Informaton Technology Securty Archtecture. Informaton Systems Research, 16(1), Cavusoglu, H Economcs of IT Securty: A Lterature Revew. J. Camp and R. Lews (eds), Economcs of Informaton Securty, Kluwer, Cavusoglu, H., B. Mshra, S. Raghunathan A Model for Evaluatng IT Securty Investments. Communcatons of ACM, 47(7), Cavusoglu, H., S. Raghunathan Confguraton of etecton Software: A comparson of ecson and Game Theory Approaches. ecson Analyss. 1(3), CSI/FBI Computer Crme and Securty Survey. Retreved September 12, 2004, from Gordon, L. A., M. P. Loeb, W. Lucyshyn Informaton Securty Expendtures and Real Optons: A Wat and See Approach. Computer Securty Journal, 19(2),

22 Gordon, L. A., M. P. Loeb The Economcs of Informaton Securty Investment, ACM Transactons on Informaton and Systems Securty, November, Hoo, K.J. Soo How much s Enough? A Rsk Management Approach to Computer Securty. Consortum for Research on Informaton Securty Polcy (CRISP) Workng Paper, Stanford Unversty, June. ICSA Labs Computer Vrus Prevalence Survey. Longstaff, T.A., C. Chttster, R. Petha, Y.Y. Hames Are we forgettng the Rsks of Informaton Technology? IEEE Computer, ecember, Ulvla, J.W., J.E. Gaffney A ecson Analyss Method for Evaluatng Computer Intruson etecton Systems. ecson Analyss. 1(1)