Notes Managing Security Investment Part I Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX September 18, 2012 Reading Market Failures Managing security investment Notes Outline 1 Reading Market Failures 2 Review and other slides Asymmetric information Managing security investment 3 Overview Measuring security benefits High-level investment metrics 2 / 32 Reading Market Failures Managing security investment Notes Homework assignment Turn in via Blackboard Due Monday September 27 at 7pm Office hours this week: this afternoon plus Friday 9-10am 4 / 32 Reading Review and other slides Market Failures Asymmetric information Managing security investment Notes First Fundamental Theorem of Welfare Economics Definition (First Fundamental Theorem of Welfare Economics) Any competitive equilibrium leads to a Pareto efficient allocation of resources. This definition begs the question: under what circumstances do we get competitive equilibrium? Assume complete markets (perfect information, no transaction costs) Assume price-taking behavior (infinite buyers and sellers, no barriers to entry) Now we will discuss market failures , and explain why information security suffers from many of them 6 / 32
Reading Review and other slides Market Failures Asymmetric information Managing security investment Notes Last time We discussed how monopolists behave (choosing prices or supply to maximize their own profits) Also talked about public goods Non-rivalrous : individual consumption does not reduce what’s available to others Non-excludable : no practical way to exclude people from consuming Let’s switch over to another slide deck to talk about other issues 7 / 32 Reading Review and other slides Market Failures Asymmetric information Managing security investment Notes Information Asymmetries equilibrium market price p > 0 E ( s | p ) ? p security s ≈ cost s = 0 s = 1 p ∗ = 3 willingness to pay: 2 s p = 3 unknown security: 2 E ( s | p ) p = 3 2 · p 2 = 3 uniform distribution: 4 p < p ! → The market for secure products collapses Akerlof, 1970; Anderson, 2001 8 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Motivation It can be important to frame information security decisions using the language of business ⇒ Security investment decisions must balance expected costs and benefits To model rational decisions, we start by simplifying our assumptions of attacker behavior X Strategic adversary Attacker exogenously given, follows a probability of attack known to the defender In this sense, we treat security like a safety problem When is the simplified attacker model appropriate? + Indiscriminate attackers (e.g., phishing, scanning) - Targeted attackers (e.g., spear-phishing, adaptive attacks) 10 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Security cost and benefits cost of benefit of security security $ $ expected direct / indirect prevented losses variable / fixed onetime / recurring sunk / recoverable 11 / 32
Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Cost of security Definition (Cost of security, security level) The cost of security c is the amount spent to reach a security level s . No security investment ( c = 0) implies s = 0, and for any c > 0, s increases monotonically in c . Definition (Effective security investment) If security investment is effective , the security level can be approximated by the cost of security, i.e., s ≈ c . When does the effective security investment definition apply? When not? 12 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Security benefit : reduction of losses incurred in the absence of security In other words: take a small fixed loss now to reduce the chances of a large but uncertain future loss We already have the tools to deal with uncertainty about outcomes: expected utility! 13 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Expected utility (discrete) � E [ U ( a )] = U ( o ) · P ( o | a ) o ∈O P ( o | a ) 0.9 0.1 o o 1 : no attack o 2 : attack 14 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Expected utility (continuous) � v E [ U ( a )] = U ( x ) · P ( x | a ) dx u P ( o | a ) o u v 15 / 32
Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Loss distribution function Definition (Loss distribution function) Let L s : R + → [0 , 1] be the family of probability distribution functions describing the monetary losses incurred from insecurity for a given security level s . L 0 is the loss distribution function in the absence of security investment Benefit of security: L s − L 0 We use expected utility to compare outcomes for the loss functions 16 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Comparing loss functions (discrete) � E [ U ( L )] = U ( o ) · L ( o ) o ∈O L ( loss ) L s 0.9 0.8 L 0 0.2 0.1 loss $0 $2,000 17 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Annual loss expectancy Definition (ALE) The annual loss expectancy ALE s is the expected loss per period due to information security failures given security level s , � ∞ ALE s = E ( L s ) = x · L s ( x ) dx . 0 Note that annual suggests a multi-period view. Even when this isn’t the case, the ALE term is used 18 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Annual loss expectancy visualized � ∞ � ∞ ALE s = E ( L s ) = x · L s ( x ) dx ALE 0 = E ( L 0 ) = x · L 0 ( x ) dx 0 0 L ( loss ) L s L 0 loss 19 / 32
Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Metrics for security benefits Definition (EBIS) The expected benefit of information security EBIS s is the difference between the loss expectancy without security and the loss expectancy given security level s , EBIS s = ALE 0 − ALE s � ∞ = E ( L 0 ) − E ( L s ) = x · ( L 0 ( x ) − L s ( x )) dx . 0 20 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Metrics for security benefits Definition (ENBIS) The expected net benefit of information security investment ENBIS s is given by the expected benefit of information security minus the cost of the investment to reach security level s . ENBIS s = EBIS s − c = ALE 0 − ALE s − c , or, assuming effective security investment, ENBIS s = EBIS s − s . Straightforward investment rule: only invest if ENBIS s > 0 21 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Bernoulli loss assumption OK, so continuous loss distribution functions are nice, but they can be difficult to analyze Not to mention it can be hard to justify assumptions about how the loss distribution might be shaped Simplified scenario Two loss outcomes: { 0 , λ } λ > 0: fixed loss, occurs with p s = L s ( λ ) With probability 1 − p s = L s (0), suffers no loss 22 / 32 Reading Overview Market Failures Measuring security benefits Managing security investment High-level investment metrics Notes Metrics under Bernoulli loss assumption � � ALE s = p s · λ + (1 − p s ) · 0 � �� � E ( L s ) � � � � EBIS s = p 0 · λ + (1 − p 0 ) · 0 − p s · λ + (1 − p s ) · 0 � �� � � �� � E ( L 0 ) E ( L s ) � � � � ENBIS s = p 0 · λ + (1 − p 0 ) · 0 − p s · λ + (1 − p s ) · 0 − s � �� � � �� � E ( L 0 ) E ( L s ) 23 / 32
Recommend
More recommend
