Resilience in Information Stewardship Christos Ioannidis, David Pym, - - PowerPoint PPT Presentation



SLIDE 1

Resilience in Information Stewardship

Christos Ioannidis, David Pym, Julian Williams, and Iffat Gheyas

WEIS 2014, Pennsylvania State University, 23 June 2014

(IPWG) () STEWARDSHIP 2 : Resilience 23 June 2014 1 / 33

SLIDE 2

1. Definitions

In the information ecosystem, threats to the confidentiality, integrity, and availability of individual components of the ecosystem can be transmitted to others, impacting negatively on their security status. In such an environment, the role of the information steward is to maintain the sustainability and resilience of the ecosystem's nominal operating capacity.

SLIDE 3

1. Definitions: Sustainability

By the sustainability of a system, subject to finite degradation caused by a persistent stream of attacks, we mean its tendency to remain within specified levels of nominal operating capacity.

SLIDE 4

1. Definitions: Sustainability

SLIDE 5

1. Definitions: Resilience

By resilience, we mean the ability of the system to return to its operating capacity, within the specified bounds, following a shock.

SLIDE 6

1. Definitions: Resilience

SLIDE 7

TOWARDS A MODEL

We postulate that, implicitly, the "value" of information assets is signalled by their classification. What's the mix? "ICS/SCADA" or "Corporate Information Assets". Our main question centres on whether a firm would seek to adjust its declared mix of ICS/SCADA and Corporate Information Assets.

Table: Decisions on x_h, x_l, z. Parameters: ψ_h, ψ_l, α_h, α_l.

              investments   allocation   risk-reduction rate   attacker elasticity
ICS/SCADA     x_h           1 − z        ψ_h                   α_h
Corporate     x_l           z            ψ_l                   α_l

SLIDE 8

TOWARDS A MODEL: A case?

In the US, 1,900 bulk power system operators are regulated by the North American Electric Reliability Corporation (NERC). The corporate network has many of the same features as the ICS/SCADA system, and there are elements of substitutability between the two. Consider an operator who could phase out using expensive fibre optic cables to communicate between ICS/SCADA systems and substations and replace them with IP or 3G type communications. A successful penetration of a corporate network that is integrated with an ICS/SCADA system now provides attackers with a potentially more effective means of attacking the ICS/SCADA system.

SLIDE 9

TOWARDS A MODEL: A case?

What's the response to this technological development, in terms of the system's ability to withstand a shock?

SLIDE 10

TOWARDS A MODEL: Developing an Economic Model

We consider a set of $N_T$ ex-ante identical targets choosing to allocate defensive expenditure $x$. We consider two types of outlays, $h$ and $l$, that correspond to the areas of high and low security where information assets are held. The quantities $x_h \geq 0$ and $x_l \geq 0$ denote the one-off investments made at time $t_0$ in securing assets located in the corresponding areas, and $z$ is a switching variable such that a fraction $0 \leq z \leq 1$ of assets is allocated between $h$ and $l$. The number of attackers per target is given by $\eta$.

SLIDE 11

TOWARDS A MODEL: Developing an Economic Model

1. Modelling the Attackers I

Instantaneous probability of a successful attack:
$$\tilde\sigma_i = e^{-\psi_i x_i}\,\eta_i^{\alpha_i}, \qquad i \in \{l, h\}.$$

$\alpha$: parameter that captures the marginal effectiveness of an additional attacker per target.
$\psi$: parameter that captures the relative rate of risk reduction for additional security investments by targets in each asset.

SLIDE 12

TOWARDS A MODEL: Developing an Economic Model

1. Modelling the Attackers II

Let the reward $R > 0$ for a successful attack be proportional to the assets allocated in each area, $h$ and $l$, and for notational simplicity let $\zeta_{i=l} = z$ and $\zeta_{i=h} = 1 - z$. Set $\gamma = c/R$ to be the cost ratio of attack, where $c$ is the unit cost of a single attack. When the attacker's time preference is described by $\delta$, the profit function for a single attacker is
$$\tilde\Pi_{A,i} = \int_{t_0}^{T} e^{-\delta t}\,\zeta_i\,\eta_i^{-1}\,\tilde\sigma_i(x_i, \eta_i)\,dt - \gamma, \qquad i \in \{l, h\}.$$

SLIDE 13

TOWARDS A MODEL: Developing an Economic Model

2. Modelling the Targets I

For the targets of such attacks, let $L > 0$ be an instantaneous value of assets at risk from attack and $\beta \in \mathbb{R}$ be a subjective discount rate determining the time preferences of all targets. The risk-neutral expected loss over the time horizon $t_0 < t < T$ is given by
$$\tilde V_L = \int_{t_0}^{T} e^{-\beta t}\bigl(z\,\tilde\sigma_l(x_l, \eta_l)\,L + (1 - z)\,\tilde\sigma_h(x_h, \eta_h)\,L\bigr)\,dt + x_l + x_h.$$

SLIDE 14

TOWARDS A MODEL: Developing an Economic Model

The optimal allocation bundle? $(z, x_l, x_h)$

SLIDE 15

TOWARDS A MODEL: Developing an Economic Model

Setting up the Solution

Assuming that targets and attackers have positive discount rates, the appropriate time horizon, $T$, for empirical analysis may be determined endogenously. Let $\lambda$ be an arbitrarily large, but not infinite, number. For a given discount rate, $\tilde\theta = \min(\delta, \beta)$, by construction
$$\lim_{T \to \infty} \int_{t_0}^{T} \tilde\theta\, e^{-\tilde\theta t}\,dt = 1.$$
Therefore, the approximation of the time horizon $\tilde T$ covering the $1 - 1/\lambda$ proportion of the future losses is derived from $\tilde T = \log(\lambda)/\tilde\theta$. Assume that $\beta > \delta$ and $\tilde T = \log(\lambda)/\delta$, such that the interval $t_0$ to $\tilde T$ covers 90% of the expected present value; that is, $\lambda = 10$.
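As an added worked example (not part of the slides or the authors' code), the model primitives from slides 10 to 15 in Python: the success probability, the horizon $\tilde T = \log(\lambda)/\tilde\theta$ and the share of discounted weight it covers, the single-attacker profit, and the targets' expected loss. The closed-form attacker intensity at which profit is exactly zero (free entry) is an assumption of this example, as are all parameter values.

```python
import math

# Constructed parameter values (not the paper's calibration); area index i in {"l", "h"}.
PSI = {"l": 0.5, "h": 1.0}    # risk-reduction rate of investment per area
ALPHA = {"l": 0.5, "h": 0.5}  # marginal effectiveness of an extra attacker (alpha < 1 assumed)

def sigma(x, eta, psi, alpha):
    """Instantaneous success probability: sigma_i = exp(-psi_i x_i) * eta_i ** alpha_i."""
    return math.exp(-psi * x) * eta ** alpha

def discount_weight(rate, t0, T):
    """Closed form of the integral of exp(-rate * t) over [t0, T]."""
    return (math.exp(-rate * t0) - math.exp(-rate * T)) / rate

def horizon(lam, delta, beta):
    """T_tilde = log(lambda) / theta_tilde, with theta_tilde = min(delta, beta)."""
    return math.log(lam) / min(delta, beta)

def covered_share(lam, delta, beta, t0=0.0):
    """Share of theta-discounted weight inside [t0, T_tilde]; by construction 1 - 1/lambda."""
    theta = min(delta, beta)
    return theta * discount_weight(theta, t0, horizon(lam, delta, beta))

def attacker_profit(x, eta, zeta, psi, alpha, delta, gamma, t0, T):
    """Pi_{A,i}: integral of exp(-delta t) * zeta_i * eta_i**-1 * sigma_i over [t0, T], minus gamma."""
    return zeta * sigma(x, eta, psi, alpha) / eta * discount_weight(delta, t0, T) - gamma

def free_entry_eta(x, zeta, psi, alpha, delta, gamma, t0, T):
    """Attackers per target at which attacker_profit is zero (free-entry assumption of this example)."""
    base = zeta * math.exp(-psi * x) * discount_weight(delta, t0, T) / gamma
    return base ** (1.0 / (1.0 - alpha))

def target_loss(z, x, eta, L, beta, t0, T, psi=PSI, alpha=ALPHA):
    """Risk-neutral expected loss V_L: beta-discounted losses on both areas plus outlays x_l + x_h."""
    share = {"l": z, "h": 1.0 - z}
    expected = sum(share[i] * sigma(x[i], eta[i], psi[i], alpha[i]) * L for i in ("l", "h"))
    return discount_weight(beta, t0, T) * expected + x["l"] + x["h"]

def loss_under_free_entry(x, z, L=100.0, beta=0.2, delta=0.1, gamma=5.0, lam=10.0):
    """Loss a target bears for a chosen bundle (x_l, x_h, z) once attackers have entered each
    area up to zero profit; returns (loss, eta). Reward shares zeta_l = z, zeta_h = 1 - z."""
    t0, T = 0.0, horizon(lam, delta, beta)
    zeta = {"l": z, "h": 1.0 - z}
    eta = {i: free_entry_eta(x[i], zeta[i], PSI[i], ALPHA[i], delta, gamma, t0, T) for i in ("l", "h")}
    return target_loss(z, x, eta, L, beta, t0, T), eta
```

Calling `loss_under_free_entry({"l": 1.0, "h": 1.0}, z=0.5)` returns the discounted loss and the per-area attacker intensities; raising either outlay lowers both the intensity attackers sustain in that area and the total loss.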

SLIDE 16

TOWARDS A MODEL: Developing an Economic Model

Solving the Model I: Non-Cooperative Nash Equilibrium

$$x_i = \frac{\alpha_i}{\psi_i}\log\left(\frac{L\,\psi_i\,\psi_j^2\,(e^{\delta T} - 1)}{2\,\gamma\,\delta\,\beta\,(\psi_j + \psi_i)^2}\right) - \frac{\alpha_i\,\delta T}{\psi_i}, \qquad i \in \{l, h\},\ j \in \{l, h\},\ j \neq i, \qquad z = \frac{\psi_l}{\psi_h + \psi_l}. \tag{1}$$

SLIDE 17

TOWARDS A MODEL: Developing an Economic Model

Solving the Model I: Non-Cooperative Nash Equilibrium (continued)

With the investments $x_i$ and allocation $z$ of (1), the attacking intensities are
$$\eta_i = \left(\frac{\psi_j\,(e^{\delta T} - 1)\,e^{-x_i \psi_i - \delta T}}{\gamma\,\delta\,(\psi_i + \psi_j)}\right)^{\frac{1}{1 - \alpha_l}}, \qquad i \in \{l, h\},\ j \in \{l, h\},\ j \neq i.$$

SLIDE 18

TOWARDS A MODEL: Developing an Economic Model

3. Introducing the Steward

The first stewardship action we evaluate replicates our previous work by postulating a Stackelberg policy framework in which the policy-maker stewarding the system sets rules relative to a target level of sustainability. When the steward is fully informed, our model reverts to the mechanism design problem in which the steward is able to set a mandatory investment bundle on the individual targets, $(\bar x_l, \bar x_h)$, as well as imposing a specific asset allocation $\bar z$.

SLIDE 19

TOWARDS A MODEL: Developing an Economic Model

Solving the Model II: Introducing the Steward: The fully informed steward

$$\bar x_i = \frac{1}{\psi_i}\log\left(\left(\frac{\psi_j}{\psi_i + \psi_j}\right)^{\frac{1}{1 - \alpha_j}}\right) + \frac{\alpha_i}{\psi_i}\log\left(\frac{1}{\gamma\delta}\,(e^{\delta T} - 1)\right) + \left(\frac{\bar\beta T(\alpha_i - 1)}{\psi_i} - \frac{\delta T \alpha_i}{\psi_i}\right) + \frac{(\alpha_i - 1)}{\psi_i}\log\left(\frac{\bar\beta\,(\alpha_j - 1)}{L\,\psi_i\,(e^{\bar\beta T} - 1)}\right), \qquad i \in \{l, h\},\ j \in \{l, h\},\ j \neq i,$$

$$\bar\eta_i = \left(\frac{\psi_i\,(e^{\delta T} - 1)\,e^{-\bar x_i \psi_i - \delta T}}{\gamma\,\delta\,(\psi_j + \psi_i)}\right)^{\frac{1}{1 - \alpha_i}}, \qquad i \in \{l, h\},\ j \in \{l, h\},\ j \neq i.$$

SLIDE 20

TOWARDS A MODEL: Developing an Economic Model

Introducing the Steward: Does it work? Compare the attacking intensities, as $\bar x_l, \bar x_h > x_l, x_h$ (Proposition 3):

$$\bar\eta_i = \left(\frac{\psi_i\,(e^{\delta T} - 1)\,e^{-\bar x_i \psi_i - \delta T}}{\gamma\,\delta\,(\psi_j + \psi_i)}\right)^{\frac{1}{1 - \alpha_i}} \;<\; \eta_i = \left(\frac{\psi_j\,(e^{\delta T} - 1)\,e^{-x_i \psi_i - \delta T}}{\gamma\,\delta\,(\psi_i + \psi_j)}\right)^{\frac{1}{1 - \alpha_l}}.$$

SLIDE 21

TOWARDS A MODEL: Developing an Economic Model

Does the institutional arrangement matter?

SLIDE 22

TOWARDS A MODEL: Developing an Economic Model

3.1 Full Information with Limited Action: Majority and Minority Cases

3.1.a The majority-action case

Consider the case in which the steward can observe $x_{i \in \{l, h\}}$ and $z$ but can only impose constraints on $x_h$ and $z$. Whilst the steward can attain its desired risk-expenditure trade-off, it can do so only at a lower level of efficiency (in terms of total initial cost $x_l + x_h$).

SLIDE 23

TOWARDS A MODEL: Developing an Economic Model

3.1.b The Partially Informed Steward with Limited Action: Minority Case

The steward can observe and internalize the externality in $\eta_h$, but cannot observe or enforce $z$ or $x_l$. The targets then choose the investment and allocation bundle $(x_l, z)$. The steward is simply given $\hat L$ by the targets, and $z$ is unrelated to the overall asset allocation of the targets from the point of view of the steward. The steward is not a Stackelberg policy maker, but in a Nash equilibrium with the targets and attackers.

SLIDE 24

We show that there can be "natural limits" in the reaction of targets setting $x_l$ and attackers choosing $\eta_l$. The ecosystem's performance may deteriorate, compared to the Nash Equilibrium case, when the steward's capacity is limited.

The Institutional Setup Matters!!!

SLIDE 25

TOWARDS A MODEL: Developing an Economic Model

3.1.b The Partially Informed Steward with Limited Action: Minority Case

SLIDE 26

TOWARDS A MODEL: Measuring Resilience

The combined outcome of the choices made by the agents, attackers and the steward about $x_{i \in \{l, h\}}$, $z$, and $\eta_{i \in \{l, h\}}$ is captured in the proposed Total Non-Discounted Loss Function:
$$\tilde V_A(\tilde v, \tilde u) = \int_{t_0}^{\tilde T} \bigl(\tilde z\,\tilde\sigma_l(\tilde x_l, \tilde\eta_l)\,L + (1 - \tilde z)\,\tilde\sigma_h(\tilde x_h, \tilde\eta_h)\,L\bigr)\,dt, \qquad \tilde v = (\tilde z, \tilde x_{i \in \{l, h\}}, \tilde\eta_{i \in \{l, h\}}),\ \tilde u = (\alpha_{i,\, i \in \{l, h\}}, \psi_{i,\, i \in \{l, h\}}). \tag{2}$$
The value of $\tilde T$ represents the step-size of the periods considered in the model.

SLIDE 27

TOWARDS A MODEL: Measuring Resilience

For a single period, resilience will be measured by a response function to shocks to the parameters $\tilde u$. Our choice of response function to technology shocks allows for shocks across the set of parameters $\tilde u$ either simultaneously or individually. It is given by the numerical evaluation of the following ordinary differential equation:
$$\tilde I(\tilde u) = \int_{t_0}^{\tilde T} \left(\frac{\partial \tilde z}{\partial \tilde u}\,\tilde\sigma_l\!\left(\frac{\partial \tilde x_l}{\partial \tilde u}, \frac{\partial \tilde\eta_l}{\partial \tilde u}\right) L + \frac{\partial (1 - \tilde z)}{\partial \tilde u}\,\tilde\sigma_h\!\left(\frac{\partial \tilde x_h}{\partial \tilde u}, \frac{\partial \tilde\eta_h}{\partial \tilde u}\right) L\right) dt, \qquad \tilde u = \{\alpha_{i \in \{l, h\}}, \psi_{i \in \{l, h\}}\}.$$

SLIDE 28

TOWARDS A MODEL: Measuring Resilience

We are interested in establishing the existence of possible thresholds, , which describe levels of system operating capacity, as measured by loss, for differing degrees of the steward's effectiveness. We attempt to establish whether the system restores, through co-ordinated investment, to the target zone or not.

SLIDE 29

TOWARDS A MODEL: Measuring Resilience

To examine the impact of shocks and measure resilience, we compare the response functions $\tilde I(u)$ and $I(\bar u)$ to evaluate the impact of the fully informed steward. To compare the resilience of the system when the steward's information set is restricted, we compare $\tilde I(u)$ and $I(\bar u)$ to $I(\bar u^{\ddagger})$, for varying sizes of shocks in $\tilde u$.

SLIDE 30

TOWARDS A MODEL: Measuring Resilience

SLIDE 31

TOWARDS A MODEL: Measuring Resilience

SLIDE 32

TOWARDS A MODEL: Remarks

The "creation/emergence" of an institution assigned the role of Information Stewardship can be truly beneficial for the resilience of the ecosystem.

The orderly co-ordination of the defensive postures assumed by the agents is fully incorporated in the responses of rational attackers.

To achieve such co-ordination the structure of institutional arrangements is crucial, as the successful STEWARD requires:

  • information disclosure on expenditure/investment in "information security"
  • information disclosure about incidents of attack
  • auditing and classification of assets
  • authority to enforce expenditure in investment security

Failure to empower the steward correctly may actually be detrimental to the unregulated system's resilience.
