Managing Security Investment Part I Tyler Moore Computer Science - - PDF document




Managing Security Investment, Part I

Tyler Moore
Computer Science & Engineering Department, SMU, Dallas, TX
September 18, 2012

Reading Market Failures Managing security investment

Outline

1. Reading
2. Market Failures
   • Review and other slides
   • Asymmetric information
3. Managing security investment
   • Overview
   • Measuring security benefits
   • High-level investment metrics


Homework assignment

  • Turn in via Blackboard
  • Due Monday September 27 at 7pm
  • Office hours this week: this afternoon plus Friday 9-10am


First Fundamental Theorem of Welfare Economics

Definition (First Fundamental Theorem of Welfare Economics). Any competitive equilibrium leads to a Pareto efficient allocation of resources.

This definition begs the question: under what circumstances do we get competitive equilibrium?
  • Assume complete markets (perfect information, no transaction costs)
  • Assume price-taking behavior (infinite buyers and sellers, no barriers to entry)

Now we will discuss market failures, and explain why information security suffers from many of them.


Last time

  • We discussed how monopolists behave (choosing prices or supply to maximize their own profits)
  • Also talked about public goods
      – Non-rivalrous: individual consumption does not reduce what's available to others
      – Non-excludable: no practical way to exclude people from consuming

Let's switch over to another slide deck to talk about other issues.


Information Asymmetries

(Figure: equilibrium market price $p > 0$ plotted against security $s \approx$ cost, with $s$ ranging from $s = 0$ to $s = 1$; the buyer cannot observe $s$ and infers $E(s \mid p)$ from the price $p$.)

Willingness to pay for a product of known security: $p^* = \frac{3}{2} s$

Security unknown to the buyer: $p = \frac{3}{2} E(s \mid p)$

Uniform distribution of $s$: $p = \frac{3}{2} \cdot \frac{p}{2} = \frac{3}{4} p < p$ !

→ The market for secure products collapses (Akerlof, 1970; Anderson, 2001)
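The collapse argument above, iterated as an added Python example (not code from the lecture): each seller's security equals its cost, a seller only trades when the going price covers that cost, and buyers pay 3/2 of the average security they expect at that price. The seller lists are constructed samples; with a fine grid of sellers (approximating the uniform case on the slide) the price shrinks by roughly 3/4 per round until only the lowest-quality tier is left.

```python
from typing import List

# Buyer's willingness to pay per unit of security: p* = (3/2) s  (from the slide)
VALUE_PER_UNIT = 1.5


def expected_security(price: float, sellers: List[float]) -> float:
    """E(s | p): average security of the products actually offered at price p.

    Security equals the seller's cost, so only sellers with s <= p are willing
    to trade; buyers cannot tell them apart and value the average.
    """
    offered = [s for s in sellers if s <= price]
    return sum(offered) / len(offered) if offered else 0.0


def buyer_offer(price: float, sellers: List[float]) -> float:
    """Price a rational buyer offers once they account for what p reveals."""
    return VALUE_PER_UNIT * expected_security(price, sellers)


def price_path(sellers: List[float], start: float, rounds: int = 60) -> List[float]:
    """Iterate buyer offers until the price stops changing (a fixed point)."""
    path = [start]
    for _ in range(rounds):
        nxt = buyer_offer(path[-1], sellers)
        path.append(nxt)
        if nxt == path[-2]:
            break
    return path


def full_information_price(security: float) -> float:
    """Benchmark with observable s: a product of security s sells at 3/2 * s."""
    return VALUE_PER_UNIT * security


if __name__ == "__main__":
    # Constructed sample: ten sellers whose security (in percent) runs 10..100.
    tiers = [10.0 * k for k in range(1, 11)]
    for i, p in enumerate(price_path(tiers, start=100.0)):
        offered = [s for s in tiers if s <= p]
        print(f"round {i}: price {p:.1f}, sellers trading: {offered}")
```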


Motivation

It can be important to frame information security decisions using the language of business
⇒ Security investment decisions must balance expected costs and benefits

To model rational decisions, we start by simplifying our assumptions of attacker behavior:
  ✗ Strategic adversary
  • Attacker exogenously given, follows a probability of attack known to the defender
  • In this sense, we treat security like a safety problem

When is the simplified attacker model appropriate?
  + Indiscriminate attackers (e.g., phishing, scanning)
  − Targeted attackers (e.g., spear-phishing, adaptive attacks)


Security cost and benefits

Cost of security ($):
  • direct / indirect
  • variable / fixed
  • one-time / recurring
  • sunk / recoverable

Benefit of security ($):
  • expected prevented losses


Cost of security

Definition (Cost of security, security level). The cost of security $c$ is the amount spent to reach a security level $s$. No security investment ($c = 0$) implies $s = 0$, and for any $c > 0$, $s$ increases monotonically in $c$.

Definition (Effective security investment). If security investment is effective, the security level can be approximated by the cost of security, i.e., $s \approx c$.

When does the effective security investment definition apply? When not?


Security benefit: reduction of losses incurred in the absence of security

In other words: take a small fixed loss now to reduce the chances of a large but uncertain future loss.

We already have the tools to deal with uncertainty about outcomes: expected utility!


Expected utility (discrete)

$E[U(a)] = \sum_{o \in O} U(o) \cdot P(o \mid a)$

(Figure: bar chart of $P(o \mid a)$ over the outcomes $o_1$: no attack and $o_2$: attack; the bar heights shown are 0.1 and 0.9.)


Expected utility (continuous)

$E[U(a)] = \int_u^v U(x) \cdot P(x \mid a)\, dx$

(Figure: density $P(o \mid a)$ plotted over the interval $[u, v]$.)


Loss distribution function

Definition (Loss distribution function). Let $L_s : \mathbb{R}^+ \to [0, 1]$ be the family of probability distribution functions describing the monetary losses incurred from insecurity for a given security level $s$.

  • $L_0$ is the loss distribution function in the absence of security investment
  • Benefit of security: $L_s - L_0$
  • We use expected utility to compare outcomes for the loss functions


Comparing loss functions (discrete)

$E[U(L)] = \sum_{o \in O} U(o) \cdot L(o)$

(Figure: $L(\text{loss})$ over the two outcomes loss = \$0 and loss = \$2,000, with bars for $L_0$ (values 0.2, 0.8) and $L_s$ (values 0.1, 0.9).)


Annual loss expectancy

Definition (ALE). The annual loss expectancy $\mathrm{ALE}_s$ is the expected loss per period due to information security failures given security level $s$,

$\mathrm{ALE}_s = E(L_s) = \int_0^\infty x \cdot L_s(x)\, dx$.

Note that "annual" suggests a multi-period view. Even when this isn't the case, the ALE term is used.


Annual loss expectancy visualized

$\mathrm{ALE}_s = E(L_s) = \int_0^\infty x \cdot L_s(x)\, dx$

$\mathrm{ALE}_0 = E(L_0) = \int_0^\infty x \cdot L_0(x)\, dx$

(Figure: the densities $L_s$ and $L_0$ plotted as $L(\text{loss})$ against loss.)


Metrics for security benefits

Definition (EBIS). The expected benefit of information security $\mathrm{EBIS}_s$ is the difference between the loss expectancy without security and the loss expectancy given security level $s$,

$\mathrm{EBIS}_s = \mathrm{ALE}_0 - \mathrm{ALE}_s = E(L_0) - E(L_s) = \int_0^\infty x \cdot (L_0(x) - L_s(x))\, dx$.


Metrics for security benefits

Definition (ENBIS). The expected net benefit of information security investment $\mathrm{ENBIS}_s$ is given by the expected benefit of information security minus the cost of the investment to reach security level $s$,

$\mathrm{ENBIS}_s = \mathrm{EBIS}_s - c = \mathrm{ALE}_0 - \mathrm{ALE}_s - c$,

or, assuming effective security investment,

$\mathrm{ENBIS}_s = \mathrm{EBIS}_s - s$.

Straightforward investment rule: only invest if $\mathrm{ENBIS}_s > 0$


Bernoulli loss assumption

OK, so continuous loss distribution functions are nice, but they can be difficult to analyze. Not to mention it can be hard to justify assumptions about how the loss distribution might be shaped.

Simplified scenario:
  • Two loss outcomes: $\{0, \lambda\}$
  • $\lambda > 0$: fixed loss, occurs with probability $p_s = L_s(\lambda)$
  • With probability $1 - p_s = L_s(0)$, suffers no loss


Metrics under Bernoulli loss assumption

$\mathrm{ALE}_s = \underbrace{p_s \cdot \lambda + (1 - p_s) \cdot 0}_{E(L_s)}$

$\mathrm{EBIS}_s = \underbrace{p_0 \cdot \lambda + (1 - p_0) \cdot 0}_{E(L_0)} - \underbrace{p_s \cdot \lambda + (1 - p_s) \cdot 0}_{E(L_s)}$

$\mathrm{ENBIS}_s = \underbrace{p_0 \cdot \lambda + (1 - p_0) \cdot 0}_{E(L_0)} - \underbrace{p_s \cdot \lambda + (1 - p_s) \cdot 0}_{E(L_s)} - s$


Recall the GoDaddy DDoS example

(Screenshot.) Source: http://www.zdnet.com/anonymous-hacker-claims-godaddy-attack-outage-hits-millions-7000003925/

Recall the GoDaddy DDoS example

(Screenshot.) Source: http://www.cnn.com/2012/09/11/tech/mobile/godaddy-response-outage/index.html

Recall the GoDaddy DDoS example

Outcomes: $o_1$ = no outage, $o_2$ = outage. Utilities are dollars lost; the row beneath each action maps the table onto the Bernoulli metrics.

Action          U(o1)      P(o1|action)   U(o2)              P(o2|action)   E[U(action)]
buy anti-DDoS   −$100K     .99999         −$100K − $100M     .00001         −$101K
                (s)                       (λ)                (p_s)          (E(L_s) − s)
don't buy       $0         .98999         −$100M             .01001         −$1,001K
                                          (λ)                (p_0)          (E(L_0))
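The decision table above, recomputed with the Bernoulli metrics from the preceding slides and the ROSI ratio defined at the end of the deck. This is an added Python example, not code from the lecture: the dollar figures and probabilities are those on the GoDaddy slide, the class and function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class BernoulliScenario:
    """Two-outcome loss model from the slides: lose λ with probability p, else 0."""
    lam: float  # fixed loss λ if the outage occurs
    p0: float   # P(outage) without the investment, p_0 = L_0(λ)
    ps: float   # P(outage) at security level s,     p_s = L_s(λ)
    s: float    # cost c of reaching security level s (effective investment: c = s)

def ale(p: float, lam: float) -> float:
    """Annual loss expectancy E(L) = p · λ + (1 − p) · 0."""
    return p * lam + (1.0 - p) * 0.0

def ebis(sc: BernoulliScenario) -> float:
    """Expected benefit of information security: ALE_0 − ALE_s."""
    return ale(sc.p0, sc.lam) - ale(sc.ps, sc.lam)

def enbis(sc: BernoulliScenario) -> float:
    """Expected net benefit: EBIS_s − s (effective investment, c = s)."""
    return ebis(sc) - sc.s

def rosi(sc: BernoulliScenario) -> float:
    """Return on security investment: ENBIS_s / c, as defined on the last slide."""
    return enbis(sc) / sc.s

def should_invest(sc: BernoulliScenario) -> bool:
    """The straightforward investment rule: invest only if ENBIS_s > 0."""
    return enbis(sc) > 0.0

def expected_utility(sc: BernoulliScenario) -> Dict[str, float]:
    """Risk-neutral decision table: U(outcome) is the dollars lost in that outcome."""
    buy = (1.0 - sc.ps) * (-sc.s) + sc.ps * (-sc.s - sc.lam)  # = −(E(L_s) + s)
    dont = (1.0 - sc.p0) * 0.0 + sc.p0 * (-sc.lam)            # = −E(L_0)
    return {"buy anti-DDoS": buy, "don't buy": dont}

# Constructed from the GoDaddy slide: $100K anti-DDoS service, $100M outage loss,
# outage probability 1.001% without the service and 0.001% with it.
GODADDY = BernoulliScenario(lam=100_000_000, p0=0.01001, ps=0.00001, s=100_000)

if __name__ == "__main__":
    for action, eu in expected_utility(GODADDY).items():
        print(f"{action:14s} E[U] = {eu:>14,.0f}")
    print(f"ALE_0={ale(GODADDY.p0, GODADDY.lam):,.0f}  ALE_s={ale(GODADDY.ps, GODADDY.lam):,.0f}")
    print(f"EBIS={ebis(GODADDY):,.0f}  ENBIS={enbis(GODADDY):,.0f}  ROSI={rosi(GODADDY):.1f}")
```

Raising the price of the service to $1.5M (above the $1M expected benefit) flips the rule to "don't invest".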


Metrics under Bernoulli loss assumption & λ = 1

Things get simplified even more if we scale the loss to 1 ($\lambda = 1$):

$\mathrm{ALE}_s = p_s$, $\quad \mathrm{EBIS}_s = p_0 - p_s$, $\quad$ and $\quad \mathrm{ENBIS}_s = p_0 - p_s - s$


Incorporating risk attitudes

$\mathrm{ENBIS}_s = \mathrm{ALE}_0 - \mathrm{ALE}_s - c = E(L_0) - E(L_s) - c$

$= \int_0^\infty x \cdot L_0(x)\, dx - \int_0^\infty x \cdot L_s(x)\, dx - c$

$= \int_0^\infty x \cdot L_0(x)\, dx - \int_0^\infty (x + c) \cdot L_s(x)\, dx$

But what if the agent has a risk-averse or risk-seeking utility function?


Incorporating risk attitudes

Definition (ENUBIS, expected net utility benefit of information security).

$\mathrm{ENUBIS}_s = -\underbrace{\int_0^\infty U(-x) \cdot L_0(x)\, dx}_{\text{expected utility without security investment}} + \underbrace{\int_0^\infty U(-x - c) \cdot L_s(x)\, dx}_{\text{expected utility with security investment}}$.
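To see what the risk-attitude question changes, here is an added Python example (not from the lecture) that evaluates ENUBIS under the Bernoulli loss assumption with λ scaled to 1, using the outage probabilities from the GoDaddy example. The CARA utility family $U(w) = (1 - e^{-aw})/a$ and the cost values are assumptions of this example; with $U(w) = w$ the result reduces to ENBIS.

```python
import math
from typing import Callable

Utility = Callable[[float], float]


def cara_utility(a: float) -> Utility:
    """Constant absolute risk aversion (assumed utility family, not from the slides):
    U(w) = (1 - exp(-a w)) / a.  a > 0 is risk-averse, a < 0 risk-seeking, U(0) = 0."""
    def u(w: float) -> float:
        return (1.0 - math.exp(-a * w)) / a
    return u


def linear_utility(w: float) -> float:
    """Risk-neutral utility U(w) = w, under which ENUBIS coincides with ENBIS."""
    return w


def enbis_bernoulli(lam: float, p0: float, ps: float, c: float) -> float:
    """ENBIS_s = E(L_0) - E(L_s) - c with two-outcome losses {0, λ}."""
    return p0 * lam - ps * lam - c


def enubis_bernoulli(U: Utility, lam: float, p0: float, ps: float, c: float) -> float:
    """ENUBIS_s = -∫ U(-x) L_0(x) dx + ∫ U(-x-c) L_s(x) dx.

    Under the Bernoulli loss assumption each integral collapses to a sum over
    the outcomes x = 0 (probability 1 - p) and x = λ (probability p).
    """
    eu_without = (1.0 - p0) * U(0.0) + p0 * U(-lam)
    eu_with = (1.0 - ps) * U(-c) + ps * U(-lam - c)
    return -eu_without + eu_with


# Constructed inputs: λ scaled to 1 as on the "λ = 1" slide, outage probabilities
# from the GoDaddy example, and a security cost c expressed as a fraction of λ.
P0, PS = 0.01001, 0.00001


def cara_agent_invests(a: float, c: float) -> bool:
    """Investment rule ENUBIS_s > 0 for a CARA agent with parameter a."""
    return enubis_bernoulli(cara_utility(a), 1.0, P0, PS, c) > 0.0


if __name__ == "__main__":
    for c in (0.001, 0.012):
        print(f"c={c}: ENBIS={enbis_bernoulli(1.0, P0, PS, c):+.5f}",
              f"ENUBIS(a=2)={enubis_bernoulli(cara_utility(2.0), 1.0, P0, PS, c):+.5f}",
              f"ENUBIS(a=-2)={enubis_bernoulli(cara_utility(-2.0), 1.0, P0, PS, c):+.5f}")
```

At c = 0.012 the risk-neutral rule says not to invest (ENBIS < 0), while the risk-averse agent with a = 2 still does.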


Return on security investment (ROSI)

(Figure: cost of security $ set against benefit of security $.)

$\mathrm{ROSI}^{1)} = \dfrac{\text{benefit of security} - \text{cost of security}}{\text{cost of security}}$

1) Return On Security Investment


Return on security investment (ROSI)

Definition (ROSI). The return on information security investment $\mathrm{ROSI}_s$ is the ratio of the expected net benefit over the cost of security,

$\mathrm{ROSI}_s = \dfrac{\mathrm{ENBIS}_s}{c} = \dfrac{\mathrm{ALE}_0 - \mathrm{ALE}_s - c}{c}$.
