Modeling the Risk of Data Breach Incidents at the Firm Level

2020. 06. 25.IMIS2020

Kazuki ikegami, Hiroaki KikuchiGraduate School of Advanced Mathematical Sciences Meiji University

1

Backgroundn Increasing of cyber incident

• In 2018 alone, 443 data breaches in Japan, 5.61 million records of personal information

nThe Ministry of Economy, Trade and Industry (METI) published Cybersecurity Management Guidelines as a way to help address the cyber incident.• Risk identification and implementation of countermeasures• Necessity of measures to prepare for incidents

nOrganizations need to know proper risk

2

Goal of our study

n To reveal the risk of cyber incidents specific to a given organization and to quantify the effect of

security management in reducing this risk

3

Cost of security managements

Risk of Cyber incident

Previous study

4

In this study yamada [1] Edword [2]Purpose Risk assessment for

each organizationQuantification of management effect

Investigation of incident tendency

Technique Negative binomial distribution

Logistic regression Bayes generalized liner model

Data Data Breach incident in Japan from 2005 to 2018

Data Breach incident in Japan from 2005 to 2016

Data Breach incident in the US from 2005 to 2015

Target Single organization in Japan

All organizationsin 17 industries in Japan

All organizations in the US

[1] Yamada M, Ikegami K, Kikuchi H, Inui K (2018), Assessment of the effect of decreasing data breach by the management situation (2). Computer Security Symposium (CSS2018), 376--384[2] B.~Edwards, S.~Hofmeyr, and S.~Forrest, Hype and heavy tails: A closer look at data breaches, Journal of Cybersecurity, 2(1):3--14, 2016.

Research Question1. What is the probability that an incident will occur at an

organization in one year?• 10% or 20% ?

2. How long does it take before the next incident will occur at the organization?• 1 year or 3 year ?

3. How much is the inter-arrival time of incidents reduced by security management?• ISMS is good ?

5

Inter-arrival time

6

2017-09-01 2018-02-162018-01-09

2018-01-15

!1 !2 !3 !4

Inter-arrival time(day)

time

&'Inter-arrival time(day)

time

Two DatasetsnJNSA dataset(2005-2018)

• Data Breach dataset• The JNSA collects Data Breach incident information from Internet news

sites and major press releases officially published each year since 2005.

nCSR dataset• Management dataset• Toyo Keizai Inc. conduct a survey about corporate social responsibility

(CSR) for listed firms and major unlisted firms every year

8

period total Incident total organization2005-2018 16,392 9,358

period total question total organization2017 800 1,574

Research Question

1. What is the probability that an incident will occur at an organization in one year?

2. How long does it take before the next incident will occur at the organization?

3. How much is the inter-arrival time of incidents reduced by security management?

9

Method 1-1︓Fitting

nModeling the inter-arrival time by probability distribution(Normal, Poisson, Negative binomial)

nEstimate parameters for given inter-arrival time by the maximum likelihood estimation.

10

●

●

●

●

●

●

●

●

●

●●

0.00

0.25

0.50

0.75

1.00

0 1 2 3 4 5 6 7 8 9 10try_times

Pr

size●

●

●

●

1.4001.4251.4501.475

colour● 5

day

2018-01-262018-11-282018-05-16

2018-11-26

110day 194day 2dayInter-arrival time

example CDF

Method 1-2 ︓Kolmogorov-Smirnov Test

nPurpose : Test if a reference probability distribution is correctly modeled for a given sample

nH0 : The estimated distribution is identical to a given sample

11

The Estimated distribution function

The empirical distribution function

0 100 200 300 400 500 600

0.0

0.2

0.4

0.6

0.8

1.0

d(day)

Pr

Experiment

1. Get inter-arrival time 𝑑𝑖 for each firm from JNSA dataset• At least 4 incidents required• 3,789 incidents of 391 firms were extracted.

2. Estimate parameters of distribution by the maximum likelihood estimation.

3. Confirm the accuracy of the model by KS test

12

391 Results of fitting to the organization (partial)

13

オリエントコーポレーション

day

WOWOW

day

Pr

らでぃっしゅぼーや

day

Pr

GEコンシューマー・ファイナンス

day

Pr

テレビ朝日

day

Pr

愛知県

day

北海道電力

day

Pr

住友信託銀行

day

Pr

NTTドコモ

day

Pr

京都大学医学部付属病院

day

Pr

東京ガス

day

神奈川県

day

Pr

中部電力

day

Pr

東京電力

day

Pr

JR東日本

day

Pr

住友生命保険

day

JCB

day

Pr

高島屋

day

Pr

みずほ銀行

day

Pr

愛知社会保険事務局

day

Pr

北海道銀行 阪急交通社

Pr

北陸ガス

Pr

横浜市水道局

Pr

静岡市

Pr

名古屋市

day

横浜市保土ケ谷区

day

Pr

TBS

day

Pr

中国電力

day

Pr

沖縄電力

day

Pr

りそな銀行

day

住宅金融公庫

day

Pr

ブラザー販売

day

Pr

横浜市都筑区

day

Pr

東京都水道局

day

Pr

琉球銀行

day

福島県

day

Pr

九州電力

day

Pr

東邦銀行

day

Pr

八十二銀行

day

Pr

北越銀行

day

関西アーバン銀行

day

Pr

京都中央信用金庫

day

Pr

近畿大阪銀行

day

Pr

熊本ファミリー銀行

day

Pr

横浜銀行 大分銀行

Pr

豊和銀行

Pr

佐賀銀行

Pr

三重銀行

Pr

Tokyo Gas Corporation

Result of Fitting and KS test

nComparison of results fitted to three different probability distributions (Tokyo gas Co., Ltd)

nRate of organizations rejecting the null hypothesis at the 5% level

14

Negative Binomial Poisson Normal0.02(9/391) 0.39(155/391) 0.08(31/391)

P-value=0.09 P-value=0.00 P-value=0.00

Negative Binomial Poisson Normal

0 100 200 300 400 500 600

0.0

0.2

0.4

0.6

0.8

1.0

d(day)

Pr

0 100 200 300 400 500 600

0.0

0.2

0.4

0.6

0.8

1.0

d(day)

Pr

0 100 200 300 400 500 600

0.0

0.2

0.4

0.6

0.8

1.0

d(day)

PrFitting

KS test

Answer to Research Question 1Q) What is the probability that an incident will occur at an organization in one year?

A) Pr 𝐷 ≤ 365 = 0.92• Tokyo gas Co., Ltd

• Parameter 𝜇 = 111, 𝑟 = 0.92

nIncident probability statisticsafter one year

15

0.92

0 100 200 300 400 500 600

0.0

0.2

0.4

0.6

0.8

1.0

d(day)

Pr

Average Max Minimum deviation 0.11 1 0 0.27

365

Answer to Research Question 2Q) How long does it take before the next incident will occur at the organization?

A) 133 day• Tokyo gas Co., Ltd • Use Pr 𝐷 ≤ 365 = 0.7 as a threshold

160 100 200 300 400 500 600

0.0

0.2

0.4

0.6

0.8

1.0

d(day)Pr

0.7

133

How correct is our prediction ?

17

-𝒅𝒊" :不正解

2017-09-01 2018-01-09

time

実到着間隔𝑑#

-𝒅𝒊 : 正解

誤差

misscorrect

Real inter-arrival time Error

Prediction accuracynPrediction accuracy (n=391)

nHistogram of Error

18

Recall Average ofPredicted Inter-arrival time

0.55(214/391) 426

0

50

100

0 1000 2000 3000 4000error(day)

Frequency

Error(day)

Most of them are within 1 years. The fraction is 60%.

Research Question

1. What is the probability that an incident will occur at an organization in one year?

2. How long does it take before the next incident will occur at the organization?

3. How much is the inter-arrival time of incidents reduced by security management?

19

Method 2 ︓Generalized linear model

20

n Inter-arrival time 𝜇! when organization 𝑖 implements management 𝑚• 𝜇! = 𝑒"#$!%!#$"%"#$#%##⋯#$$!%%!%

• 𝑥!︓Industry，𝑥"︓Number of employees• 𝑥#︓1 if security management 𝑚 is deployed, or otherwise.

nEffect of management 𝑥!• Let 𝜇$%+ and 𝜇$& be the mean inter-arrival time with/without security management 𝑥$

• Ration of two of inter-arrival time = &!"

&!#

= '$"%&'&"%('("%)')"⋯"%!#&'!#&"%!'!'$"%&'&"%('("%)')"⋯"%!#&'!#&

= 𝑒(!

Result of Management effects

21

Management Estimate 𝜇!"/ 𝜇!#Pr(>|t|)ISMS 0.04 1.04 0.18CIO −0.07 0.93 0.01**CFO 0.01 1.01 0.64External Report Help Line 0.01 1.01 0.70Internal Report Help Line −0.07 0.93 0.14Whistleblower Rights Protection 0.06 1.06 0.24Establishment of Internal Control Committe −0.01 0.99 0.65Privacy Policy 0.00 1.00 0.98Security Policy −0.01 0.99 0.79Internal Auditing 0.01 1.01 0.75External Auditing −0.07 0.93 0.00**Independent Internal Audit Department 0.02 1.02 0.61Establish a Risk Management/Crisis Management System 0.03 1.03 0.42Basic Risk and Crisis Management Policy −0.08 0.92 0.03*Conduct Environmental Audits −0.03 0.97 0.33Establish Environment Management 0.10 1.10 0.01**Building an Occupational Health and Safety Management System 0.00 1.00 0.98

How much is the inter-arrival time of incidents reduced by security management?

ConclusionsnThe inter-arrival time in391 organizations was applied to three

different probability distributions, and it was shown that the negative binomial is the best.

n What is the probability that an incident will occur at an organization in one year?- For example, In Tokyo gas Co., Ltd, it’s 0.92.- An average of probability is 0.11.

n How long does it take before the next incident will occur at the organization?- For example, In Tokyo gas Co., Ltd, it’s 133 days.- An average of time is 426 days.

n How much is the inter-arrival time of incidents reduced by security management?- The effect of security management to inter-arrival time is that the inter-arrival time is 1.04

times longer when the ISMS is conducted.

22