Managing Information Risk and the Economics of Security

Managing Information Risk and the Economics of Security978-0-387-09762-6/1.pdf · Managing Information Risk and the Economics of Security provides leading edge thinking on the security


Managing Information Risk and the Economics of Security


Managing Information Risk and the Economics of Security

Edited by

M. Eric Johnson
Center for Digital Strategies
Tuck School of Business at Dartmouth
Hanover, NH, USA


© Springer Science+Business Media, LLC 2009 All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Library of Congress Control Number: 2008936480

ISBN: 978-0-387-09761-9 e-ISBN: 978-0-387-09762-6

Printed on acid-free paper

springer.com

Editor
Dr. M. Eric Johnson
Tuck School of Business Administration
Dartmouth College
Hanover, NH 03755, USA
[email protected]


List of Contributors

Managing Information Risk and the Economics of Security
  M. Eric Johnson, Tuck School of Business at Dartmouth

Nonbanks and Risk in Retail Payments
  Terri Bradford, Federal Reserve Bank-Kansas City
  Fumiko Hayashi, Federal Reserve Bank-Kansas City
  Christian Hung, Federal Reserve Bank-Kansas City
  Stuart Weiner, Federal Reserve Bank-Kansas City
  Zhu Wang, Federal Reserve Bank-Kansas City
  Richard Sullivan, Federal Reserve Bank-Kansas City
  Simonetta Rosati, European Central Bank

Security Economics and European Policy
  Ross Anderson, University of Cambridge
  Rainer Boehme, Dresden University of Technology
  Richard Clayton, University of Cambridge
  Tyler Moore, University of Cambridge

BORIS – Business-Oriented Management of Information Security
  Sebastian Sowa, Ruhr-University of Bochum
  Lampros Tsinas, Munich Re
  Roland Gabriel, Ruhr-University of Bochum

Productivity Space of Information Security in an Extension of the Gordon-Loeb’s Investment Model
  Kanta Matsuura, University of Tokyo

Communicating the Economic Value of Security Investments; Value at Security Risk
  Rolf Hulthén, TeliaSonera AB

Modelling the Human and Technological Costs and Benefits of USB Memory Stick Security
  Adam Beautement, UCL
  Robert Coles, Merrill Lynch
  Jonathan Griffin, HP Labs
  Christos Ioannidis, University of Bath
  Brian Monahan, HP Labs
  David Pym, HP Labs and University of Bath
  Angela Sasse, UCL
  Mike Wonham, HP Labs

The Value of Escalation and Incentives in Managing Information Access
  Xia Zhao, Tuck School of Business at Dartmouth College
  M. Eric Johnson, Tuck School of Business at Dartmouth College

Reinterpreting the Disclosure Debate for Web Infections
  Oliver Day, Harvard University
  Rachel Greenstadt, Harvard University
  Brandon Palmen, Harvard University

The Impact of Incentives on Notice and Take-down
  Tyler Moore, University of Cambridge
  Richard Clayton, University of Cambridge

Studying Malicious Websites and the Underground Economy on the Chinese Web
  Jianwei Zhuge, Peking University
  Thorsten Holz, University of Mannheim
  Chengyu Song, Peking University
  Jinpeng Guo, Peking University
  Xinhui Han, Peking University
  Wei Zou, Peking University

Botnet Economics: Uncertainty Matters
  Zhen Li, Albion College
  Qi Liao, University of Notre Dame
  Aaron Striegel, University of Notre Dame

Cyber Insurance as an Incentive for IT Security
  Jean Bolot, Sprint
  Marc Lelarge, INRIA-ENS

Conformity or Diversity: Social Implications of Transparency in Personal Data Processing
  Rainer Böhme, Technische Universitat Dresden

Is Distributed Trust More Trustworthy?
  Kurt Nielsen, University of Copenhagen


Preface

Security has been a human concern since the dawn of time. With the rise of the digital society, information security has rapidly grown to an area of serious study and ongoing research. While much research has focused on the technical aspects of computer security, far less attention has been given to the management issues of information risk and the economic concerns facing firms and nations. Managing Information Risk and the Economics of Security provides leading edge thinking on the security issues facing managers, policy makers, and individuals. Many of the chapters of this volume were presented and debated at the 2008 Workshop on the Economics of Information Security (WEIS), hosted by the Tuck School of Business at Dartmouth College. Sponsored by Tuck’s Center for Digital Strategies and the Institute for Information Infrastructure Protection (I3P), the conference brought together over one hundred information security experts, researchers, academics, reporters, corporate executives, government officials, cyber crime investigators and prosecutors. The group represented the global nature of information security with participants from China, Italy, Germany, Canada, Australia, Denmark, Japan, Sweden, Switzerland, the United Kingdom and the US.

This volume would not be possible without the dedicated work of Xia Zhao (of Dartmouth College and now the University of North Carolina, Greensboro), who acted as the technical editor. I am also grateful for the service of the WEIS program committee: Alessandro Acquisti (Carnegie Mellon University), Ross Anderson (Cambridge University), Jean Camp (Indiana University), Huseyin Cavusoglu (University of Texas, Dallas), Ramnath Chellappa (Emory University), Neil Gandal (Tel Aviv University), Anindya Ghose (New York University), Eric Goetz (Dartmouth College), Larry Gordon (University of Maryland), Karthik Kannan (Purdue University), Marty Loeb (University of Maryland), Tyler Moore (Cambridge University), Andrew Odlyzko (University of Minnesota), Brent Rowe (RTI), Stuart Schechter (Microsoft), Bruce Schneier (BT Counterpane), Sean Smith (Dartmouth College), Rahul Telang (Carnegie Mellon University), Catherine Tucker (MIT), and Hal Varian (University of California, Berkeley).

Many thanks also go to the individuals and the organizations that helped us organize WEIS: Hans Brechbühl, Jennifer Childs, Scott Dynes, Eric Goetz, David Kotz, Xia Zhao (all of Dartmouth), and Stuart Schechter (Microsoft), as well as the support of Tuck School of Business and Thayer School of Engineering at Dartmouth College; the Institute for Information Infrastructure Protection (I3P); the Institute for Security Technology Studies; and Microsoft. WEIS and the efforts to compile this book were partially supported by the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) and through the Institute for Security Technology Studies (ISTS). The I3P is managed by Dartmouth College. The views and conclusions contained in this book are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security, the I3P, ISTS, or Dartmouth College.

September 2008
M. Eric Johnson


Table of Contents

List of Contributors ... v
Preface ... vii

Managing Information Risk and the Economics of Security ... 1
  1 Introduction ... 1
  2 Communicating Security – The Role of Media ... 2
  3 Investigating and Prosecuting Cybercrime ... 6
  4 CISO Perspective – Evaluating and Communicating Information Risk ... 8
    4.1 Ranking the Information Threats ... 8
    4.2 Communicating the Information Risks ... 11
    4.3 Measuring Progress ... 13
  5 Overview of Book ... 14
  References ... 15

Nonbanks and Risk in Retail Payments: EU and U.S. ... 17
  1 Introduction ... 17
  2 Nonbanks in Retail Payment Systems ... 18
    2.1 Methodology ... 18
    2.2 Definitions ... 19
    2.3 Payment Types and Payment Activities ... 20
    2.4 Nonbank Prevalence ... 21
  3 Risks in Retail Payments Processing ... 33
    3.1 Risks in Retail Payments ... 33
    3.2 Risks along the Processing Chain ... 36
  4 Impact of Nonbanks on Risk ... 42
    4.1 Changing Risk Profile ... 42
    4.2 Risk Management ... 45
  5 Conclusions and Closing Remarks ... 49
  Acknowledgments ... 51
  References ... 51

Security Economics and European Policy ... 55
  1 Introduction ... 55
    1.1 Economic Barriers to Network and Information Security ... 57
  2 Information Asymmetries ... 59
    2.1 Security-Breach Notification ... 59
    2.2 Further Data Sources ... 60
  3 Externalities ... 63
    3.1 Who Should Internalise the Costs of Malware? ... 63
    3.2 Policy Options for Coping with Externalities ... 64
  4 Liability Assignment ... 66


    4.1 Software and Systems Liability Assignment ... 67
    4.2 Patching ... 68
    4.3 Consumer Policy ... 70
  5 Dealing with the Lack of Diversity ... 73
    5.1 Promoting Logical Diversity ... 73
    5.2 Promoting Physical Diversity in CNI ... 74
  6 Fragmentation of Legislation and Law Enforcement ... 75
  7 Security Research and Legislation ... 76
  8 Conclusions ... 77
  Acknowledgments ... 78
  References ... 78

BORIS – Business ORiented management of Information Security ... 81
  1 Introduction ... 81
    1.1 Background ... 81
    1.2 Terms ... 82
    1.3 Goals ... 83
  2 BORIS design ... 84
    2.1 Overview ... 84
    2.2 Business Strategic Methods ... 84
    2.3 Process Tactical Methods ... 87
    2.4 Financial Tactical Methods ... 89
    2.5 Operational Evaluation and Optimization Methods ... 90
    2.6 Integrated Program Management ... 93
  3 Evaluation ... 94
  4 Conclusion and Outlook ... 95
  References ... 96

Productivity Space of Information Security in an Extension of the Gordon-Loeb’s Investment Model ... 99
  1 Introduction ... 99
  2 The Two Reductions ... 100
    2.1 Vulnerability Reduction ... 100
    2.2 Threat Reduction ... 101
  3 Productivity Space of Information Security ... 102
    3.1 Threat Reduction Productivity ... 102
    3.2 Optimal Investment ... 103
    3.3 Productivity Space ... 104
  4 Implications and Limitations ... 110
    4.1 Different Investment Strategies ... 110
    4.2 Influence of Productivity-Assessment Failures ... 110
    4.3 Upper Limit of the Optimal Investment ... 110
    4.4 Influence of Countermeasure Innovation ... 111
    4.5 Trade-off between Vulnerability Reduction and Threat Reduction ... 115
  5 Concluding Remarks ... 116


  Acknowledgments ... 116
  References ... 117
  Appendix ... 118

Communicating the Economic Value of Security Investments: Value at Security Risk ... 121
  1 Introduction and Problem Situation ... 121
  2 Background and Preliminaries ... 123
  3 Problem Formulations: Value-at-Risk ... 124
  4 Value-at-Security Risk Model: Assumptions ... 124
  5 Our Parametric Model ... 125
    5.1 Some Observations on f_L(x;t) and g_L(x) ... 127
    5.2 A Special Case: Constant λ and v ... 128
  6 Value-at-Security Risk Entities ... 129
  7 Analysis of Authentic Data: Model Evaluation ... 131
    7.1 Number of Incidents per Time Unit ... 131
    7.2 Breach Loss Model ... 134
  8 Comments and Conclusions: Present and Future Work ... 138
  References ... 139

Modelling the Human and Technological Costs and Benefits of USB Memory Stick Security ... 141
  1 Introduction ... 141
  2 The Central Bank Problem and Information Security ... 143
  3 An Empirical Study ... 145
  4 The Conceptual Model ... 147
  5 An Executable Model ... 155
  6 The Experimental Space ... 157
    6.1 Exploratory Fit of Additional Calibration Parameters ... 158
    6.2 Some Confirmation of Expected Behaviour ... 158
    6.3 Results ... 159
    6.4 A Utility Function ... 160
  7 Conclusions and Directions ... 161
  Acknowledgments ... 162
  References ... 162

The Value of Escalation and Incentives in Managing Information Access ... 165
  1 Introduction ... 165
  2 Background and Solution Framework ... 167
    2.1 Access Control Policies ... 167
    2.2 Security and Flexibility of Access Control Policies ... 168
    2.3 Access Governance System with Escalation ... 169
  3 Literature Review ... 170
  4 Economic Modeling of an Information Governance System ... 170


  5 Overview of Insights and Results ... 172
    5.1 Employee ... 173
    5.2 Firm ... 174
  6 Conclusion ... 175
  References ... 176

Reinterpreting the Disclosure Debate for Web Infections ... 179
  1 Introduction ... 179
  2 Attack Trends ... 181
    2.1 Drive-By Downloads ... 183
    2.2 Weaponized Exploit Packs ... 185
  3 Market Failure: Consumer Webmasters and Mid-Tier Web Hosts ... 186
  4 Vulnerability Disclosure ... 188
  5 Methods for Identifying Most-Infected Web Hosts ... 190
  6 Web Host Infection Results ... 191
    6.1 The Panda in the Room ... 192
  7 Recommendations ... 194
  8 Conclusion ... 196
  Acknowledgments ... 196
  References ... 196

The Impact of Incentives on Notice and Take-down ... 199
  1 Introduction ... 199
  2 Defamation ... 200
  3 Copyright Violations ... 202
  4 Child Sexual Abuse Images ... 203
  5 Phishing ... 205
    5.1 Free Web-hosting ... 207
    5.2 Compromised Machines ... 207
    5.3 Rock-phish and Fast-flux Attacks ... 209
    5.4 Common Features of Phishing Website Removal ... 210
  6 Fraudulent Websites ... 211
    6.1 Fake Escrow Agents ... 211
    6.2 Mule-recruitment Websites ... 212
    6.3 Online Pharmacies Hosted on Fast-flux Networks ... 215
  7 Spam, Malware and Viruses ... 216
  8 Comparing Take-down Effectiveness ... 217
    8.1 Lifetimes of Child Sexual Abuse Image Websites ... 219
  9 Conclusion ... 221
  Acknowledgments ... 222
  References ... 222

Studying Malicious Websites and the Underground Economy on the Chinese Web ... 225
  1 Introduction ... 225
  2 Related Work ... 227


  3 Underground Economy Model ... 228
    3.1 Modeling the Individual Actors ... 228
    3.2 Market Interaction ... 230
    3.3 Case Study: PandaWorm ... 232
  4 Mechanisms Behind Malicious Websites on the Chinese Web ... 232
    4.1 Overall Technical Flow ... 232
    4.2 Web-based and Conventional Trojans ... 233
    4.3 Vulnerabilities Used for Web-based Trojans in China ... 235
    4.4 Strategies for Redirecting Visitors to Web-based Trojans ... 236
  5 Measurements and Results ... 238
    5.1 Measurements on the Underground Black Market ... 238
    5.2 Measurements on the Public Virtual Assets Marketplace ... 239
    5.3 Malicious Websites on the Chinese Web ... 240
  6 Conclusions ... 243
  Acknowledgments ... 244
  References ... 244

Botnet Economics: Uncertainty Matters ... 245
  1 Introduction ... 245
  2 Background and Related Work ... 247
  3 The Benchmark Model ... 249
    3.1 Profit-driven Cybercriminals ... 249
    3.2 Assumptions ... 250
    3.3 Model Without Virtual Machines ... 251
  4 Optimization Model With Virtual Machines ... 253
    4.1 Fixed Probability for a Rental Bot Being Virtual ... 253
    4.2 Uncertainty for a Rental Bot Being Virtual ... 256
  5 Further Discussion and Case Study ... 259
    5.1 Countervirtual Strategies ... 259
    5.2 Examples and Illustration ... 260
    5.3 Technical Challenges ... 264
  6 Conclusion and Future Work ... 266
  References ... 267

Cyber Insurance as an Incentive for Internet Security ... 269
  1 Introduction ... 269
  2 Related Work ... 272
  3 Insurance and Self-protection: Basic Concepts ... 275
    3.1 Classical Models for Insurance ... 275
    3.2 A Model for Self-protection ... 276
    3.3 Interplay between Insurance and Self-protection ... 277
  4 Interdependent Security and Insurance: the 2-agent Case ... 278
    4.1 Interdependent Risks for 2 Agents ... 279
    4.2 IDS and Mandatory Insurance ... 280
    4.3 IDS and Full Coverage Insurance ... 281


  5 Interdependent Security and Insurance on a Network ... 282
    5.1 The Complete Graph Network ... 283
    5.2 The Star-shaped Network ... 285
  6 Discussion ... 286
  7 Conclusion ... 287
  References ... 288

Conformity or Diversity: Social Implications of Transparency in Personal Data Processing ... 291
  1 Introduction ... 291
    1.1 From PETs to TETs ... 292
    1.2 TETs and Individual Behaviour ... 293
  2 Model ... 293
    2.1 Assumptions ... 294
    2.2 Problem Statement ... 295
    2.3 Rationales for the Assumptions ... 295
    2.4 Analytical Approach ... 297
  3 Results ... 302
  4 Discussion ... 304
  5 Related Work ... 306
  6 Summary and Outlook ... 307
  Acknowledgments ... 308
  References ... 308
  Appendix ... 311

Is Distributed Trust More Trustworthy? ... 313
  1 Introduction ... 313
  2 Threshold Trust ... 316
  3 The Game-Theoretic Modeling ... 318
    3.1 The Basic Model ... 319
    3.2 The Extended Model ... 321
    3.3 The Choice of N and T ... 324
    3.4 The Payoff Matrix ... 326
  4 Discussion and Policy Recommendation ... 327
    4.1 NT-TTP Has a Different Cost Structure ... 327
    4.2 Breakdown of The NT-TTP ... 327
    4.3 Counteract Stable Coalitions ... 328
    4.4 NT-TTP and Leniency Programs ... 329
  5 Conclusion ... 330
  Acknowledgments ... 331
  References ... 331

Index ... 333