Economic Models & Approaches in Information Security for Computer Networks

Authors: P. Souras et al.

Submission: International Journal of Network Security

Reporter: Chun-Ta Li



Page 1: Economic Models & Approaches in Information Security for Computer Networks

Authors: P. Souras et al.

Submission: International Journal of Network Security

Reporter: Chun-Ta Li

Page 2: Outline

• Introduction

• Networks & Security

• Risk Management

• Financial Approaches in Information Security

• Return on Security Information

• Conclusion

• Comments

Page 3: Introduction

• An organization consists of logical and physical assets that can be grouped into smaller elements [Wei 2001]

Page 4: Introduction (cont.)

• An information security system
  – Protection from unauthorized access
  – Protection of information from integrity flaws
  – Detection and correction of information security breaches

• The potential decrease in Market Value due to IT security breaches is composed of both tangible and intangible assets
  – Loss of productivity, cost of system repair, insurance
  – Loss of reputation, reduction in brand value, legal implications

Page 5: Introduction (cont.)

• Key issues in this paper
  – Economic models
    • Evaluation of an information security investment
    • Calculating information security risk
    • Annual Loss Expectancy (ALE)
    • Cost To Break metric
    • Set the rules for the calculation of the Return on Information Security

Page 6: Networks & Security

• Organizations typically employ multiple security technologies
  – Firewalls
  – Intrusion Detection Systems (IDS)

• Three basic types of cryptography
  – Bulk encryption, Message authentication, Data integrity

• Three types of cryptographic systems
  – Totally secret, Public algorithms, Public key systems

Page 7: Networks & Security (cont.)

• Possible ways of attack on the encrypted data
  – Calculation of the Password
  – Dictionary Attack
  – Packet Modification
  – Replay Attack
  – Evil Twin (man-in-the-middle)

Page 8: Risk Management

• Quantification of risk [Reavis 2004][Schechter 2004]
  – RISK = VA*SV*LA
  – RISK = LLE*CLE
  – SecurityRisk = LSB*CSB
  – SecurityRisk = SBR*ACPB

Page 9: Risk Management (cont.)

• Annual Loss Expectancy (ALE) [National Bureau of Standards 1979][Hoo 2000][Schrecher 2004]
  – ALE = expected rate of loss * value of loss

Page 10: Financial Approaches in Information Security

• Information security investment
  – Cost (implementing infrastructure)
  – Benefit (prevention of losses by security breaches)

• Optimization economic model [Gordon and Loeb 2001]
  – G(S) = B(S) – C(S)
    • B: implementation of information security infrastructure
    • C: total cost of that implementation
    • S: different levels of information security
    • G: determine the point where the gain

Page 11: Financial Approaches in Information Security (cont.)

• Total annual security expenditure [Mizzi 2005]
  – E_s = F + B + M
  – L_T = L_I + A(t) + r(t)
  – A(t) = I*t/365

Page 12: Financial Approaches in Information Security (cont.)

• The security implementation is viable if
  E_s < L_T
  (F+B+M) < [L_I + A(t) + r(t)]

• Cost to repair annual damages
  D = D_D + D_I
  (F+B+M) < (L_T + A(t) + r(t) + D)

Page 13: Financial Approaches in Information Security (cont.)

• Annual Cost To Break [Mizzi 2005][Schrecher 2002]
  CTB = C_D + C_V
  CTB > E_s
  CTB > (F+B+M)
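An added worked example (not code from the Souras et al. paper or from these slides) that codes the Gordon-Loeb gain function of slide 10, the viability test of slides 11 and 12 and the Cost To Break check of slide 13 against constructed sample figures. The slides name the terms F, B, M, L_I, I, r(t), D_D, D_I, C_D and C_V without defining them, so they are treated here as opaque inputs; the second viability inequality is implemented exactly as written on slide 12.

```python
from dataclasses import dataclass

def gordon_loeb_gain(benefit: dict, cost: dict) -> tuple:
    """G(S) = B(S) - C(S) for each security level S; return (best S, G(S))."""
    gains = {s: benefit[s] - cost[s] for s in benefit}
    best = max(gains, key=gains.get)
    return best, gains[best]

@dataclass
class MizziInputs:
    # Slide 11 names these terms without defining them; treated as opaque inputs.
    F: float          # components of total annual security expenditure E_s
    B: float
    M: float
    L_I: float        # loss term in L_T = L_I + A(t) + r(t)
    I: float          # annual figure prorated over t days by A(t) = I*t/365
    t: int            # days
    r_t: float        # r(t), supplied as a number for the period
    D_D: float = 0.0  # repair-cost components, D = D_D + D_I
    D_I: float = 0.0

def annual_expenditure(x: MizziInputs) -> float:
    return x.F + x.B + x.M                 # E_s = F + B + M

def A(x: MizziInputs) -> float:
    return x.I * x.t / 365                 # A(t) = I*t/365

def total_loss(x: MizziInputs) -> float:
    return x.L_I + A(x) + x.r_t            # L_T = L_I + A(t) + r(t)

def viable(x: MizziInputs) -> bool:
    """Slide 12: the implementation is viable if E_s < L_T."""
    return annual_expenditure(x) < total_loss(x)

def viable_with_repair(x: MizziInputs) -> bool:
    """Slide 12, second form taken literally: (F+B+M) < (L_T + A(t) + r(t) + D)."""
    D = x.D_D + x.D_I
    return annual_expenditure(x) < total_loss(x) + A(x) + x.r_t + D

def ctb_ok(x: MizziInputs, C_D: float, C_V: float) -> bool:
    """Slide 13: Cost To Break CTB = C_D + C_V must exceed the spend E_s."""
    return (C_D + C_V) > annual_expenditure(x)

# Constructed sample figures: E_s = 45 000 against L_T = 42 300, so the plain
# viability test fails while the repair-inclusive form passes.
SAMPLE = MizziInputs(F=20000, B=15000, M=10000, L_I=30000, I=36500, t=73,
                     r_t=5000, D_D=5000, D_I=3000)
```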

Page 14: Return on Security Information

• ALE framework had seven basic elements [Campbell et al. 1979]
  – Requirements, R = [R1, R2, …, Ri]
  – Assets, A = [A1, A2, …, Ak]
  – Security Concerns, C = [C1, …, Cs]
  – Threats, T = [T1, T2, …, Tm]
  – Safeguards, S = [S1, S2, …, Sp]
  – Vulnerabilities, V = [V1, V2, …, Vq]
  – Outcome, O = [O1, O2, …, Or]

• Three associated quantities
  – Asset Values: Aval = [A1val, A2val, …, Akval]
  – Safeguard Effectiveness: Seff = [S1eff, S2eff, …, Speff]
  – Outcome Severity: Osev = [O1sev, O2sev, …, Orsev]

Page 15: Return on Security Information (cont.)

• Identification of the security requirements
  – Security concerns, possible threats, etc.

• Analysis phase
  – Threat analysis, Vulnerability analysis, Scenario analysis

• Risk measurement (potential impact and probability)
  – Acceptability test, cost-benefit analysis

• Decisions on safeguards

Page 16: Return on Security Information (cont.)

• The reduction in ALE [Schrecher 2004]
  S = ALE_BASELINE – ALE_WITH NEW SAFEGUARDS

• Total annual benefit B
  B = S + (profit from new ventures)

• Return on security investment
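An added worked example (not code from the paper or slides) that computes the ALE of slide 9 over the element sets and quantities of slide 14, then the ALE reduction S and total annual benefit B of slide 16. The slides only name Aval, Seff and Osev; how they combine is assumed here: the value of loss is asset value times outcome severity, and each covering safeguard removes its Seff fraction of a threat's expected rate independently. All figures are constructed.

```python
# Constructed sample data (not from the paper or slides).
ASSET_VALUE = {"A1": 200_000.0, "A2": 50_000.0}     # Aval
OUTCOME_SEVERITY = {"O1": 0.4, "O2": 0.1}          # Osev: fraction of asset value lost
SAFEGUARD_EFF = {"S1": 0.8, "S2": 0.5}             # Seff: fraction of a threat's rate removed
THREATS = {                                        # T, with the asset and outcome each hits
    "T1": {"asset": "A1", "outcome": "O1", "rate": 0.5},  # expected events per year
    "T2": {"asset": "A2", "outcome": "O2", "rate": 2.0},
}
COVERS = {"S1": {"T1"}, "S2": {"T1", "T2"}}         # threats each safeguard addresses

def loss_value(threat: dict) -> float:
    """Value of loss for one threat: asset value scaled by outcome severity (assumed)."""
    return ASSET_VALUE[threat["asset"]] * OUTCOME_SEVERITY[threat["outcome"]]

def residual_rate(name: str, threat: dict, safeguards) -> float:
    """Expected rate of loss after safeguards; reductions treated as independent (assumed)."""
    rate = threat["rate"]
    for s in safeguards:
        if name in COVERS[s]:
            rate *= 1.0 - SAFEGUARD_EFF[s]
    return rate

def ale(safeguards=()) -> float:
    """ALE = sum over threats of expected rate of loss * value of loss (slide 9)."""
    return sum(residual_rate(n, t, safeguards) * loss_value(t) for n, t in THREATS.items())

def ale_reduction(new_safeguards) -> float:
    """S = ALE_BASELINE - ALE_WITH NEW SAFEGUARDS (slide 16)."""
    return ale() - ale(new_safeguards)

def total_annual_benefit(new_safeguards, new_venture_profit: float = 0.0) -> float:
    """B = S + (profit from new ventures) (slide 16)."""
    return ale_reduction(new_safeguards) + new_venture_profit

if __name__ == "__main__":
    chosen = ["S1", "S2"]
    print("baseline ALE:", ale())
    print("ALE with", chosen, ":", ale(chosen))
    print("S:", ale_reduction(chosen), "B:", total_annual_benefit(chosen, 2000.0))
```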

Page 17: Return on Security Information (cont.)

• Internal Rate of Return (IRR) [Gordon and Loeb 2002]

Page 18: Conclusion

• Investment in information security

• Risk quantification methods – ALE

• Return on security investment (ROSI)

Page 19: Comments

• Evaluation of Paper
  – Sound but dull

• Recommendation
  – Reject

• All of the economic models and approaches are previous research results.

• The authors must propose some brand-new concepts or models to evaluate the information security in the organization to enhance the contribution of this article.