How Much Should You Invest In Software Security? f ? Kelce S. - - PowerPoint PPT Presentation

how much should you invest in software security f
SMART_READER_LITE
LIVE PREVIEW

How Much Should You Invest In Software Security? f ? Kelce S. - - PowerPoint PPT Presentation

Apr 05, 2024 209 likes •443 views

How Much Should You Invest In Software Security? f ? Kelce S. Wilson, PhD, MBA, JD Technical Director, Standards and Licensing Research In Motion May 24, 2011 1 Introduction Introduction 2 Introduction New economic theory for optimizing

slide-1
SLIDE 1

How Much Should You Invest In f ? Software Security?

Kelce S. Wilson, PhD, MBA, JD Technical Director, Standards and Licensing Research In Motion

1

May 24, 2011

slide-2
SLIDE 2

Introduction Introduction

2

slide-3
SLIDE 3

Introduction

  • New economic theory for optimizing budgets
  • Efficient use of resources
  • Manage risks intelligently

You can fall asleep now because BUDGETING = BORING! You can fall asleep now, because BUDGETING = BORING!

  • New theory can justify spending nothing, nada, $0
  • But only when it makes sense and is truly defensible

WAIT! WAIT! What was that? How can I get away without having to spend a single penny on hacking prevention?

3

Maybe it’s time to wake up and find out.

slide-4
SLIDE 4

Introduction

  • PVT tool sets an anti‐hacking budget for you
  • Uses values assigned to options available in the market
  • No more:
  • Just using leftover scraps, after meeting other reqs
  • Using arbitrary gut‐feelings that can change daily
  • Throwing darts at numbers on the wall
  • Analyze multiple funding factors
  • Changes in attack and defense effectiveness
  • Changes in attack and defense effectiveness
  • Over‐funding (unlikely) vs Under‐funding (probably you)

4

slide-5
SLIDE 5

Introduction

  • Extends to larger “insurance” budgeting question:

Given that you have a resource valued at $X, how much should you spend ($Y) to reduce risk, by an amount Z%, to the loss of that resource’s value?

  • Examples:
  • Examples:
  • Purchasing insurance for a car that might be stolen
  • Warranty valuation for potentially expensive repairs

y p y p p

  • Patent budgeting for inventions that might be copied
  • Earlier publication of the underlying concept in a legal,

t t l t d j l l N ll M h 2010 patent‐related journal: les Nouvelles, March 2010

  • Protection budgeting for computing resources that

might be hacked

5

  • Hey! This is you!
slide-6
SLIDE 6

Generating a Protection Valuation Tool (PVT)

6

slide-7
SLIDE 7

PVT Introduction

  • Protection Valuation Tool (PVT)
  • Graphic based tool

Effectiveness

25 50 75 100 Risk Reduction Target, %

  • Graphic‐based tool
  • Look for intersection of lines
  • Similar to Supply & Demand graph

High Value Moderate Value Low Value Effectiveness

, $ $

Nat’l Security

  • 2 independent curves
  • Value curve

Eff ti

tection Value tection Cost,

  • Effectiveness curve
  • Generate each one independently,

without any regard to the other curve

Prot Prot

  • Budgets are defined by intersections
  • That is, IF an intersection point

even exists at all

25 50 75 100 Actual Risk Reduction, %

7

slide-8
SLIDE 8

PVT vs Supply/Demand Graph

Effectiveness

25 50 75 100 Risk Reduction Target, %

High Value Moderate Value Low Value Effectiveness

$ $

Nat’l Security

tection Value, tection Cost, $ Prot Prot 25 50 75 100 Actual Risk Reduction, %

Source: http://randomactsofeconomics blogspot com/

8

Source: http://randomactsofeconomics.blogspot.com/ 2008/08/supply-and-demand-basics.html

slide-9
SLIDE 9

PVT vs Supply/Demand Graph

Supply and Demand Graph Protection Valuation Tool (“PVT”)

Curves Supply has a positive slope, and is monotonically non‐decreasing. Value has a positive slope, and is monotonically non‐decreasing. Demand has a negative slope, and is monotonically non‐increasing. Effectiveness has a positive slope, and is monotonically non‐decreasing. Intersection P i t One point is certain to exist. O l i t i t i t i l One trivial point will exist at zero. N i t t i t i t Points Only one point exists in a typical market. No non‐zero points are certain to exist. Multiple non‐zero points may exist. Primary Use To explain a market price. The intersection point is the To set an optimum budget. Each non‐zero intersection point is a The intersection point is the market price. Each non zero intersection point is a local optimum budgeting point. Secondary Uses To predict price dependence on variations in supply and demand.

  • 1. To identify the impact of funding

variations on risk reduction.

  • 2. To identify adjustments for changes

in protection cost and effectiveness.

  • 3. To explain a sensible lack of funding.

9

slide-10
SLIDE 10

PVT Introduction

  • Underlying Theory:
  • If an intersection point between a first set of 2 curves can be
  • If an intersection point between a first set of 2 curves can be

used to explain a price, then perhaps an intersection point between a second set of 2 curves can be used to set a price

  • But only if the curves in each set are similarly related
  • Leverage Supply & Demand graph theory, but adapt it

“ h ” h d f “ h h ld b ” l

  • Use “what it is” theory to define a “what it should be” tool
  • Challenge:
  • Challenge:
  • No clear Equivalents for Supply and Demand curves

10

slide-11
SLIDE 11

PVT Process

4 Steps:

1 Construct at least one Value Curve

  • 1. Construct at least one Value Curve
  • 2. Construct at least one Effectiveness Curve
  • 3. Overlay the Curves
  • 3. Overlay the Curves
  • 4. Use the PVT for multiple tasks:
  • Set a protection budget
  • Analyze a possible “no market” condition
  • Analyze over‐funding scenarios

Analyze under funding scenarios

  • Analyze under‐funding scenarios
  • Predict impacts of changing protection effectiveness
  • Predict impacts of changing attack technology

11

slide-12
SLIDE 12

Constructing a Value Curve

  • A Value Curve traces the set of points

representing the actual value

High Value

achieved by reducing the risk of loss by various target percentages. The value assigned to a reduction

ue, $

g Moderate Value Low Value

  • The value assigned to a reduction

target is not the cost that the owner expects to pay to achieve that target,

rotection Val

Value

but instead what the owner would be willing to pay.

  • This amount is the owner’s perceived

Pr

Value Increase Value Decrease

  • This amount is the owner s perceived

value, based on expected increases in profits, damage avoidance and other b fi

25 50 75 100 Risk Reduction Target, %

12

benefits.

slide-13
SLIDE 13

Comments on the Value Curve

  • Starts at $0 for 0% risk reduction. There is no value, if there

is no benefit for effort expended is no benefit for effort expended.

  • Limited maximum value for the theoretical, but impossible,

case of 100% risk reduction

  • Likely tapers off to nearly flat, as risk reduction approaches

100%

  • Monotonically non‐decreasing, although they maybe not

monotonically increasing h l d l h

  • Higher value and greater criticality raises the protection

value for a given risk reduction target

13

slide-14
SLIDE 14

Constructing an Effectiveness Curve

  • An Effectiveness Curve traces actual

costs that are necessary to obtain

Ineffective

threat reductions at various levels

  • Must be at the same scope as a

corresponding Value Curve

Highly Effective

t, $

corresponding Value Curve

  • Risk reduction for Effectiveness Curve

is the actual risk reduction, whereas

  • tection Cost

Attack M h d

for a Value curve, the risk reduction is a target amount Act al risk red ction al es can be

Pro

Methods Improve Protection Methods Improve

  • Actual risk reduction values can be

determined empirically, using historical data for similar activities

25 50 75 100 Actual Risk Reduction, %

14

  • Example: Red Team results
slide-15
SLIDE 15

Constructing an Effectiveness Curve

Create this one first:

Ineffective I ff i

100

Highly Effective

t, $

Ineffective Highly Effective

75 00 ction, %

  • tection Cost

Attack M h d

50 l Risk Reduc Pro

Methods Improve Protection Methods Improve

25 Actua 25 50 75 100 Actual Risk Reduction, % Protection Cost, $

Then rotate it

15

slide-16
SLIDE 16

Comments on Effectiveness Curve

  • Starts at $0 for 0% reduction. There is no benefit, if there is

no effort expended no effort expended.

  • Never reaches 100% risk reduction
  • Cost rapidly escalates as reduction approaches 100%

Cost rapidly escalates as reduction approaches 100%

  • Monotonically non‐decreasing, although they maybe not

monotonically increasing

  • Changes in technology affect shape and maximum cost

endpoint

  • Attack Improvements
  • Defensive Improvements

16

slide-17
SLIDE 17

Overlaying the Curves

  • 2 different curves, 2 sets of axes
  • Parallel axes have same units, but

25 50 75 100

Optimum Budget Operating Points:

Risk Reduction Target, %

different meanings

  • At intersection points:

Cost Value

alue, $

  • st, $

Operating Points: Cost = Value Target = Actual Region of

Cost = Value Target = Actual

  • Intersection points define a unique

Protection Va Protection Co

Triviality

Intersection points define a unique relationship between a Value Curve and an Effectiveness Curve:

h h d l bl

P P

  • What the owner wanted is available

at only those intersection points

  • Just operate at an amount for which

25 50 75 100 Actual Risk Reduction, %

17

you get what you really wanted

slide-18
SLIDE 18

Watch out for Region of Triviality

  • Several intersection points near the

($0, 0%) point are likely to exist

25 50 75 100

Optimum Budget

Risk Reduction Target, %

  • Ignore all intersection points below

some threshold of significance b bl b h h

e, $ $

Optimum Budget Operating Points: Cost = Value Target = Actual

  • Probably best to use highest

intersection point at a meaningful level of protection effectiveness

  • tection Value
  • tection Cost,

Region of Triviality

p

Pro Pro 25 50 75 100 Actual Risk Reduction, %

18

slide-19
SLIDE 19

Using a PVT Using a PVT

19

slide-20
SLIDE 20

Explain Lack of Market

  • Market only exists if an Effectiveness

Curve touches a Value Curve

25 50 75 100 Risk Reduction Target, %

Effectiveness

  • Otherwise, no available solutions

provide sufficient value for the

  • wner to seriously consider

, $ $

Value Effectiveness

  • wner to seriously consider
  • Protection services providers can

create a market by increasing an

  • tection Value
  • tection Cost,

y g

  • wner’s perception of protection

value or by reducing costs for solutions

Pro

No Protection Market

Pro

solutions

25 50 75 100 Actual Risk Reduction, %

20

slide-21
SLIDE 21

Over‐funding and Under‐funding

Take a guess which one probably describes you:

2 100 Risk Reduction Target, % 2 100 Risk Reduction Target, % 25 50 75 100

Value Effectiveness

25 50 75 100

Value Effectiveness

n Value, $

Over-funding

n Cost, $

Waste

n Value, $ n Cost, $ Protection Protection

Unnecessary Expense

Protection

Under-funding

Protection

Risk Discount Excess Protection

25 50 75 100

Excessive Risk

25 50 75 100

21

25 50 75 100 Actual Risk Reduction, % 25 50 75 100 Actual Risk Reduction, %

slide-22
SLIDE 22

Summary

  • Protection Valuation Tool (PVT)
  • Graphic based tool for budgeting

Effectiveness

25 50 75 100 Risk Reduction Target, %

  • Graphic‐based tool for budgeting
  • Multiple uses
  • Set an optimum budget

High Value Moderate Value Low Value

e, $ , $

Nat’l Security

  • Explain lack of market
  • Analyze over‐funding
  • Analyze under‐funding
  • tection Value
  • tection Cost,
  • Analyze under‐funding
  • Analyze improvements in attacks
  • Analyze improvements in defense

Pro Pro

  • Applicable to other fields

25 50 75 100 Actual Risk Reduction, %

22