ECONOMICS, SECURITY MANAGEMENT AND THE FUTURE INTERNET
Simon Shiu, HP Labs, 15th April 2010
Copyright 2010 Hewlett-Packard Development Company, L.P.
SYNOPSIS OF THIS TALK
The application of economic methods to enterprise security management
Early work on the application of economic methods to cloud information stewardship
Some personal thoughts on the relevance of economic methods to security management in the future internet
TODAY'S SECURITY MANAGEMENT LIFECYCLE
[Slide diagrams; only the labels survive extraction]
Vulnerability response flowchart, nodes: Vulnerability Disclosed, Vulnerability Assessment, Test Solution, Patch Deployment, Patch Available, Accelerated Patching, Emergency Patching, Deploy Mitigation, Implement Workaround; decision points: Malware Reports?, Patch Available?, Workaround Available?, Accelerate?, Exploit Available, Exposed?, Early Mitigation?
Chart: proportion of vulnerabilities (y-axis) against timeline from disclosure (x-axis), showing the risk-reduced window across all vulnerabilities.
Layers: Economics / Threats / Investments; Policy, process, people, technology & operations; Security Analytics; Assurance & Situational Awareness.
Trusted infrastructure diagram: Personal Environment (Win/Lx/OSX, Home Banking, E-Govt Intf.), Corporate Production Environment (Corporate Productivity OS, Corp. Soft Phone, Remote IT Mgmt), Trusted Hypervisor.
PROBLEMS WITH SECURITY INVESTMENTS
Security investments affect multiple outcomes: budget, confidentiality, integrity, availability, ...
In most situations these outcomes can only be predicted with high degrees of uncertainty
Often the outcomes are inter-related (trade-offs) and the link to investments is poorly understood
Classical business justification / due diligence (return on security investment, cost-benefit analysis) encourages these points to be glossed over
ECONOMIC FRAMING: AN ANALOGY
The Central Bank problem: how to set the interest rate to achieve satisfactory levels of inflation (f) and unemployment (e). Satisfactory is defined by a utility (or loss) function, such as:
U(e, f) = F(e - e*) + G(f - f*) + ...
The Security Management problem: how to invest in security to achieve satisfactory levels of confidentiality (C) and availability (A). And then there is the limited budget.
PREFERENCE ELICITATION (CONSTRUCTION?)
Structured discussion (framed by initially provided components)
Components of utility: Confidentiality, Availability, Cost
Agreed proxies for our utility components: Impact of Breaches, # of Breaches, # detected Breaches, Assurance, SLA violations, Effect on Capital Expense, Operational Expense, F(capex, opex)
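The loss-function framing from the Central Bank analogy, applied to the proxies agreed on this slide, as an added Python illustration that is not part of the talk; the proxy targets, the weights, the cost term and the two patching options are constructed assumptions, and the expected utility is estimated by sampling because the outcomes are uncertain.

```python
import random
from dataclasses import dataclass

# Targets for the agreed proxies (hypothetical values constructed here).
TARGET_BREACHES = 2.0        # acceptable breaches per year
TARGET_SLA_VIOLATIONS = 5.0  # acceptable SLA violations per year
BUDGET = 100.0               # capex + opex ceiling (arbitrary units)

@dataclass
class Option:
    """An investment option, known only by the distribution of its outcomes."""
    name: str
    breaches_mean: float
    breaches_sd: float
    sla_mean: float
    sla_sd: float
    capex: float
    opex: float

def utility(breaches, sla_violations, capex, opex,
            w_conf=1.0, w_avail=0.5, w_cost=0.02, over_budget_penalty=10.0):
    """Loss-function utility, U = F(e - e*) + G(f - f*) + ..., negated so higher
    is better: squared shortfall against each target plus a cost term."""
    conf_loss = w_conf * max(0.0, breaches - TARGET_BREACHES) ** 2
    avail_loss = w_avail * max(0.0, sla_violations - TARGET_SLA_VIOLATIONS) ** 2
    cost = capex + opex
    cost_loss = w_cost * cost + (over_budget_penalty if cost > BUDGET else 0.0)
    return -(conf_loss + avail_loss + cost_loss)

def expected_utility(option, trials=5000, seed=2010):
    """Monte Carlo estimate over sampled (normal, truncated at zero) outcomes."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        breaches = max(0.0, rng.gauss(option.breaches_mean, option.breaches_sd))
        sla = max(0.0, rng.gauss(option.sla_mean, option.sla_sd))
        total += utility(breaches, sla, option.capex, option.opex)
    return total / trials

def rank_options(options):
    """Order options from highest to lowest expected utility."""
    return sorted(options, key=expected_utility, reverse=True)

if __name__ == "__main__":
    # Constructed options: accelerated patching means fewer breaches but more
    # opex and, through more frequent change, more SLA violations.
    routine = Option("routine patching", 4.0, 1.5, 4.0, 1.0, 20.0, 30.0)
    accelerated = Option("accelerated patching", 2.0, 1.0, 7.0, 2.0, 20.0, 60.0)
    for opt in rank_options([routine, accelerated]):
        print(f"{opt.name:22s} expected utility = {expected_utility(opt):.2f}")
```

Changing the weights or targets is the preference-elicitation step: the ranking of the two options can flip, which is the trade-off the previous slide says classical justifications gloss over.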
OUR METHODOLOGY
[Slide diagram; labels only] Problem; Architecture; Preferences; System Model; components of utility; Utility; things to measure; problem refinement; consequences of preferences
THE CLOUD ECO-SYSTEM
Pure Consumers: Consumer, Small Business, Enterprise, Government Department
Consumer/Providers: Simple ISP, Bundled ISP, Integrated ISP
Pure Providers: CPU Infrastructure, Secure Archive Storage, 24*7 Available Storage
STEWARDSHIP IN THE CLOUD ECO-SYSTEM
Consumers (Consumer, Small Business, Enterprise, Government Department): requirements, expectations
Consumer/Providers (Simple ISP, Bundled ISP, Integrated ISP): Confidentiality, Integrity, Availability; incentives
Providers (CPU Infrastructure, Secure Archive Storage, 24*7 Available Storage): obligations, preferences
CLOUD STEWARDSHIP ECONOMICS
Key ideas that are guiding our empirical work:
Information asymmetry: as the service provider, I know more about the costs and risks of handling your data than you or any regulator.
Externalities; public/club goods: being secure costs me more than I gain, even though others in the community gain too.
Heterogeneity of services & users: how do we value bundled security characteristics and develop associated product and pricing strategies?
As well as applying preference, utility and system modelling to this context.
FOUNDATIONS OF TRUST IN THE FUTURE INTERNET: MY CURRENT VIEWS
Left unchecked, the (IT) services market will prioritise low cost and flexibility, with bad security externality effects.
To counter this we need organisations to become much more explicit about their (current and future) information security lifecycle and needs.
Sharing security information is already hard; it will be harder in the services eco-system.
[Diagram label: Enterprise Security Lifecycle]
We should think more about how adjusting incentives can improve this situation.
Q&A