Managing Security Investment


Transcript of Managing Security Investment

Page 1: Managing Security Investment

Managing Security Investment, Part I

Tyler Moore

Computer Science & Engineering Department, SMU, Dallas, TX

September 18, 2012

Sections: Reading; Market Failures; Managing security investment

Outline

1 Reading

2 Market Failures
  Review and other slides
  Asymmetric information

3 Managing security investment
  Overview
  Measuring security benefits
  High-level investment metrics


Homework assignment

Turn in via Blackboard

Due Monday September 27 at 7pm

Office hours this week: this afternoon plus Friday 9-10am


First Fundamental Theorem of Welfare Economics

Definition

(First Fundamental Theorem of Welfare Economics) Any competitive equilibrium leads to a Pareto efficient allocation of resources.

This definition begs the question: under what circumstances do we get competitive equilibrium?

Assume complete markets (perfect information, no transaction costs)

Assume price-taking behavior (infinite buyers and sellers, no barriers to entry)

Now we will discuss market failures, and explain why information security suffers from many of them


Page 2: Managing Security Investment


Last time

We discussed how monopolists behave (choosing prices or supply to maximize their own profits)

Also talked about public goods

Non-rivalrous: individual consumption does not reduce what's available to others

Non-excludable: no practical way to exclude people from consuming

Let's switch over to another slide deck to talk about other issues


Information Asymmetries

[Figure: the market for secure products. Horizontal axis: security $s$ from $s = 0$ to $s = 1$; vertical axis: market price $p > 0$. Security $s \approx$ cost; buyers can only infer the expected security $E(s \mid p)$ from the price. The equilibrium point is marked.]

willingness to pay: $p^* = \tfrac{3}{2}\, s$

unknown security: $p = \tfrac{3}{2}\, E(s \mid p)$

uniform distribution: $p = \tfrac{3}{2} \cdot \tfrac{p}{2} = \tfrac{3}{4}\, p < p$ !

→ The market for secure products collapses (Akerlof, 1970; Anderson, 2001)
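The collapse sketched on this slide, iterated round by round, as an added example in Python (not from the slides). It assumes the slide's set-up: each seller's security level s is uniform on [0, 1] and equals its cost, buyers value security at 3/2 per unit, and, unable to see s, they pay 3/2 times the expected security of what is actually offered at the going price. The round-by-round price iteration and the sampled-seller simulation are our construction.

```python
"""
Akerlof-style price dynamics for the market in secure products.

Set-up taken from the slide:
  - a product's security level s is hidden from buyers; s ~ Uniform[0, 1]
  - security costs what it is worth to build, s ≈ cost, so a seller only
    offers a product when the market price p covers its cost (s <= p)
  - buyers value security at 3/2 per unit, so a product of *known* security s
    would fetch p* = 3/2 * s
  - not knowing s, buyers pay p = 3/2 * E[s | offered at price p]

Added example; the round-by-round iteration and the sampled-seller simulation
are our construction, not the slide's.
"""
import random

BUYER_VALUE_PER_UNIT = 1.5   # the 3/2 on the slide


def expected_security_offered(p):
    """E[s | s <= p] for s ~ Uniform[0, 1]: only sellers whose cost s is
    covered by the price p stay in the market, so the average offered
    security is p/2 (the slide's 'uniform distribution' line)."""
    p = min(max(p, 0.0), 1.0)
    return p / 2.0


def next_price(p):
    """One round of buyer updating at price p: pay 3/2 of the expected
    security actually on offer, i.e. 3/2 * p/2 = 3/4 p."""
    return BUYER_VALUE_PER_UNIT * expected_security_offered(p)


def price_path(p0=1.0, rounds=20):
    """Prices over successive rounds, starting from p0; each round the good
    sellers priced out in the previous round lower the expectation further."""
    prices = [p0]
    for _ in range(rounds):
        prices.append(next_price(prices[-1]))
    return prices


def simulate_market(n_sellers=10_000, p0=1.0, rounds=40, seed=1):
    """Monte Carlo version with concrete sellers: draw each seller's hidden
    security level, iterate the price, and record (price, products offered)
    per round. Stops when nothing is left on offer."""
    rng = random.Random(seed)
    levels = [rng.random() for _ in range(n_sellers)]   # constructed data
    p = p0
    history = []
    for _ in range(rounds):
        offered = [s for s in levels if s <= p]
        if not offered:
            history.append((p, 0))
            break
        history.append((p, len(offered)))
        p = BUYER_VALUE_PER_UNIT * (sum(offered) / len(offered))
    return history


def market_collapsed(history, tol=1e-3):
    """True if the last recorded round had (almost) no price or no sellers."""
    last_price, last_count = history[-1]
    return last_count == 0 or last_price < tol


if __name__ == "__main__":
    for i, p in enumerate(price_path()):
        print(f"round {i:2d}: price {p:.4f}")
    hist = simulate_market()
    print(f"sampled market: {len(hist)} rounds, final {hist[-1]}, "
          f"collapsed={market_collapsed(hist)}")
```

Each round the price falls to three quarters of the previous one, so the best sellers leave first and the average quality on offer keeps dropping; the sampled version shows the number of products on offer shrinking with the price until none remain.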


Motivation

It can be important to frame information security decisions using the language of business

⇒ Security investment decisions must balance expected costs and benefits

To model rational decisions, we start by simplifying our assumptions of attacker behavior

✗ Strategic adversary: instead, the attacker is exogenously given and follows a probability of attack known to the defender

In this sense, we treat security like a safety problem

When is the simplified attacker model appropriate?

+ Indiscriminate attackers (e.g., phishing, scanning)

− Targeted attackers (e.g., spear-phishing, adaptive attacks)


Security cost and benefits

[Figure: two boxes. Cost of security ($), broken down as direct / indirect, variable / fixed, one-time / recurring, sunk / recoverable. Benefit of security ($): expected prevented losses.]


Page 3: Managing Security Investment


Cost of security

Definition

(Cost of security, security level) The cost of security $c$ is the amount spent to reach a security level $s$. No security investment ($c = 0$) implies $s = 0$, and for any $c > 0$, $s$ increases monotonically in $c$.

Definition

(Effective security investment) If security investment is effective, the security level can be approximated by the cost of security, i.e., $s \approx c$.

When does the effective security investment definition apply? When not?


Security benefit: reduction of losses incurred in the absence of security

In other words: take a small fixed loss now to reduce the chances of a large but uncertain future loss

We already have the tools to deal with uncertainty about outcomes: expected utility!


Expected utility (discrete)

$$E[U(a)] = \sum_{o \in O} U(o) \cdot P(o \mid a)$$

[Figure: bar chart of $P(o \mid a)$ over the outcomes $o_1$: no attack and $o_2$: attack; axis ticks at 0.1 and 0.9.]


Expected utility (continuous)

$$E[U(a)] = \int_{u}^{v} U(x) \cdot P(x \mid a)\, dx$$

[Figure: density $P(o \mid a)$ plotted over outcomes $o$ on the interval $[u, v]$.]


Page 4: Managing Security Investment


Loss distribution function

Definition

(Loss distribution function) Let $L_s : \mathbb{R}^+ \to [0, 1]$ be the family of probability distribution functions describing the monetary losses incurred from insecurity for a given security level $s$.

$L_0$ is the loss distribution function in the absence of security investment

Benefit of security: $L_s - L_0$

We use expected utility to compare outcomes for the loss functions


Comparing loss functions (discrete)

$$E[U(L)] = \sum_{o \in O} U(o) \cdot L(o)$$

[Figure: bar chart of $L(\text{loss})$ at the two outcomes \$0 and \$2,000. Without security, $L_0$ puts probability 0.8 on \$0 and 0.2 on \$2,000; with security, $L_s$ puts 0.9 on \$0 and 0.1 on \$2,000.]


Annual loss expectancy

Definition

(ALE) The annual loss expectancy $ALE_s$ is the expected loss per period due to information security failures given security level $s$,

$$ALE_s = E(L_s) = \int_0^\infty x \cdot L_s(x)\, dx .$$

Note that "annual" suggests a multi-period view. Even when this isn't the case, the ALE term is used


Annual loss expectancy visualized

$$ALE_s = E(L_s) = \int_0^\infty x \cdot L_s(x)\, dx \qquad ALE_0 = E(L_0) = \int_0^\infty x \cdot L_0(x)\, dx$$

[Figure: the two loss densities $L_s$ and $L_0$ plotted against loss, with $L(\text{loss})$ on the vertical axis.]


Page 5: Managing Security Investment


Metrics for security benefits

Definition

(EBIS) The expected benefit of information security $EBIS_s$ is the difference between the loss expectancy without security and the loss expectancy given security level $s$,

$$EBIS_s = ALE_0 - ALE_s = E(L_0) - E(L_s) = \int_0^\infty x \cdot \bigl(L_0(x) - L_s(x)\bigr)\, dx .$$


Metrics for security benefits

Definition

(ENBIS) The expected net benefit of information security investment $ENBIS_s$ is given by the expected benefit of information security minus the cost of the investment to reach security level $s$.

$$ENBIS_s = EBIS_s - c = ALE_0 - ALE_s - c ,$$

or, assuming effective security investment,

$$ENBIS_s = EBIS_s - s .$$

Straightforward investment rule: only invest if $ENBIS_s > 0$


Bernoulli loss assumption

OK, so continuous loss distribution functions are nice, but they can be difficult to analyze

Not to mention it can be hard to justify assumptions about how the loss distribution might be shaped

Simplified scenario

Two loss outcomes: $\{0, \lambda\}$

$\lambda > 0$: fixed loss, occurs with probability $p_s = L_s(\lambda)$

With probability $1 - p_s = L_s(0)$, the defender suffers no loss


Metrics under Bernoulli loss assumption

$$ALE_s = \underbrace{\bigl(p_s \cdot \lambda + (1 - p_s) \cdot 0\bigr)}_{E(L_s)}$$

$$EBIS_s = \underbrace{\bigl(p_0 \cdot \lambda + (1 - p_0) \cdot 0\bigr)}_{E(L_0)} - \underbrace{\bigl(p_s \cdot \lambda + (1 - p_s) \cdot 0\bigr)}_{E(L_s)}$$

$$ENBIS_s = \underbrace{\bigl(p_0 \cdot \lambda + (1 - p_0) \cdot 0\bigr)}_{E(L_0)} - \underbrace{\bigl(p_s \cdot \lambda + (1 - p_s) \cdot 0\bigr)}_{E(L_s)} - s$$


Page 6: Managing Security Investment


Recall the GoDaddy DDoS example

Source: http://www.zdnet.com/anonymous-hacker-claims-godaddy-attack-outage-hits-millions-7000003925/


Recall the GoDaddy DDoS example

Source: http://www.cnn.com/2012/09/11/tech/mobile/godaddy-response-outage/index.html


Recall the GoDaddy DDoS example

Outcomes: o1 = no outage, o2 = outage

Action          U(o1)     P(o1|action)   U(o2)             P(o2|action)   E[U(action)]
buy anti-DDoS   -$100K    .99999         -$100K - $100M    .00001         -$101K
don't buy       0         .98999         -$100M            .01001         -$1,001K

The slide annotates the "buy" row with $s$ (the \$100K cost), $\lambda$ (the \$100M loss), $p_s$ (.00001) and $E(L_s) - s$ for the last column; and the "don't buy" row with $\lambda$, $p_0$ (.01001) and $E(L_0)$.
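The decision table above, recomputed with the Bernoulli-loss formulas from the preceding slides, as an added example in Python that is not part of the deck. It takes the slide's figures (s = $100K, λ = $100M, p_s = .00001, p_0 = .01001) and treats the investment as effective (c = s); the break-even helpers and the ROSI helper (the ratio the deck defines on its last slide) are our additions.

```python
"""
Security-investment metrics under the Bernoulli loss assumption, worked on
the GoDaddy anti-DDoS decision table from the slides.

Added example (not from the slides). The numbers are the slide's:
  s   = $100K    cost of the anti-DDoS service (effective investment, so c = s)
  lam = $100M    loss if an outage happens
  p0  = 0.01001  probability of an outage without the service
  ps  = 0.00001  probability of an outage with the service
The break-even and sensitivity helpers are our additions.
"""

S_COST = 100_000.0          # s
LAMBDA = 100_000_000.0      # λ
P0 = 0.01001                # p_0
PS = 0.00001                # p_s


def ale(p, lam):
    """ALE under a Bernoulli loss: p·λ + (1 − p)·0."""
    return p * lam + (1.0 - p) * 0.0


def ebis(p0, ps, lam):
    """EBIS_s = ALE_0 − ALE_s."""
    return ale(p0, lam) - ale(ps, lam)


def enbis(p0, ps, lam, s):
    """ENBIS_s = EBIS_s − s (effective security investment, c = s)."""
    return ebis(p0, ps, lam) - s


def rosi(p0, ps, lam, s):
    """ROSI_s = ENBIS_s / c, the ratio defined on the deck's last slide."""
    return enbis(p0, ps, lam, s) / s


def expected_utility_row(loss_prob, lam, s):
    """E[U(action)] for one row of the decision table with U = −(money lost):
    with probability 1 − p we lose only s, with probability p we lose s + λ."""
    return (1.0 - loss_prob) * (-s) + loss_prob * (-(s + lam))


def break_even_cost(p0, ps, lam):
    """Largest price worth paying: ENBIS_s = 0 exactly when s = EBIS_s."""
    return ebis(p0, ps, lam)


def break_even_p0(ps, lam, s):
    """Smallest baseline attack probability at which buying still pays:
    solve (p0 − ps)·λ − s = 0 for p0."""
    return ps + s / lam


def should_invest(p0, ps, lam, s):
    """The slide's rule: invest only if ENBIS_s > 0."""
    return enbis(p0, ps, lam, s) > 0


if __name__ == "__main__":
    print("buy:       E[U] =", expected_utility_row(PS, LAMBDA, S_COST))
    print("don't buy: E[U] =", expected_utility_row(P0, LAMBDA, 0.0))
    print("EBIS  =", ebis(P0, PS, LAMBDA))
    print("ENBIS =", enbis(P0, PS, LAMBDA, S_COST))
    print("ROSI  =", rosi(P0, PS, LAMBDA, S_COST))
    print("invest?", should_invest(P0, PS, LAMBDA, S_COST))
    print("break-even cost =", break_even_cost(P0, PS, LAMBDA))
    print("break-even p0   =", break_even_p0(PS, LAMBDA, S_COST))
```

The two expected-utility rows reproduce the table's −$101K and −$1,001K; the break-even helpers show how far the inputs can move before the decision flips, which is the sensitivity check a practitioner wants before trusting a point estimate of p_0.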


Page 7: Managing Security Investment


Metrics under Bernoulli loss assumption & λ = 1

Things get simplified even more if we scale the loss to 1 ($\lambda = 1$):

$$ALE_s = p_s, \qquad EBIS_s = p_0 - p_s, \qquad \text{and} \qquad ENBIS_s = p_0 - p_s - s$$


Incorporating risk attitudes

$$\begin{aligned}
ENBIS_s &= ALE_0 - ALE_s - c = E(L_0) - E(L_s) - c \\
&= \int_0^\infty x \cdot L_0(x)\, dx - \int_0^\infty x \cdot L_s(x)\, dx - c , \\
&= \int_0^\infty x \cdot L_0(x)\, dx - \int_0^\infty (x + c) \cdot L_s(x)\, dx
\end{aligned}$$

(The last step folds $c$ into the second integral using $\int_0^\infty L_s(x)\, dx = 1$.)

But what if the agent has a risk-averse or risk-seeking utility function?


Incorporating risk attitudes

Definition

(ENUBIS (expected net utility benefit of information security))

$$ENUBIS_s = -\underbrace{\int_0^\infty U(-x) \cdot L_0(x)\, dx}_{\text{expected utility without security investment}} + \underbrace{\int_0^\infty U(-x - c) \cdot L_s(x)\, dx}_{\text{expected utility with security investment}} .$$
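The definition above applied to discrete loss distributions, as an added example in Python that is not from the slides. It reuses the $0 / $2,000 outcomes of the "comparing loss functions" slide (probabilities 0.8 / 0.2 without security, 0.9 / 0.1 with it); the cost c = $250, the exponential utility functions and the bisection for the largest acceptable cost are our assumptions. It shows the point of the slide: with ENBIS = −$50 a risk-neutral defender declines the investment, a risk-averse one (constant absolute risk aversion, a = 0.002) accepts it, and a risk-seeking one declines more strongly.

```python
"""
ENUBIS for discrete loss distributions: the same investment judged by a
risk-neutral, a risk-averse and a risk-seeking defender.

Added example, not from the slides. Loss outcomes follow the deck's
'comparing loss functions' slide ($0 or $2,000; P($2,000) = 0.2 without
security, 0.1 with it). The cost c = $250, the utility functions and the
bisection helper are our assumptions.
"""
import math

# Discrete loss distributions {loss amount: probability}
L0 = {0.0: 0.8, 2000.0: 0.2}   # no security investment
LS = {0.0: 0.9, 2000.0: 0.1}   # with security investment
COST = 250.0                    # c, assumed


def expected_loss(dist):
    """ALE of a discrete loss distribution: sum of x * L(x)."""
    return sum(x * p for x, p in dist.items())


def enbis(l0, ls, c):
    """Risk-neutral net benefit ALE_0 - ALE_s - c."""
    return expected_loss(l0) - expected_loss(ls) - c


def expected_utility(dist, utility, spent=0.0):
    """Sum of U(-x - spent) * L(x): utility of the money position after the
    loss x and, if invested, the security cost."""
    return sum(utility(-x - spent) * p for x, p in dist.items())


def enubis(l0, ls, c, utility):
    """The slide's ENUBIS_s: -E_{L0}[U(-x)] + E_{Ls}[U(-x - c)]."""
    return -expected_utility(l0, utility) + expected_utility(ls, utility, spent=c)


def risk_neutral(w):
    """U(w) = w; ENUBIS then equals ENBIS."""
    return w


def risk_averse(a):
    """Constant absolute risk aversion, U(w) = -exp(-a w) with a > 0 (concave)."""
    return lambda w: -math.exp(-a * w)


def risk_seeking(b):
    """U(w) = exp(b w) with b > 0 (convex, increasing)."""
    return lambda w: math.exp(b * w)


def decide(l0, ls, c, utility):
    """Invest only if the expected net utility benefit is positive."""
    return "invest" if enubis(l0, ls, c, utility) > 0 else "don't invest"


def max_acceptable_cost(l0, ls, utility, hi=10_000.0, tol=1e-6):
    """Largest c with ENUBIS >= 0, by bisection (ENUBIS falls as c rises
    because U is increasing). For a risk-neutral agent this is EBIS; the
    excess a risk-averse agent will pay above that is its risk premium."""
    if enubis(l0, ls, hi, utility) >= 0:
        return hi
    lo = 0.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if enubis(l0, ls, mid, utility) >= 0:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for name, u in [("risk-neutral", risk_neutral),
                    ("risk-averse a=0.002", risk_averse(0.002)),
                    ("risk-seeking b=0.002", risk_seeking(0.002))]:
        print(f"{name:22s} ENUBIS={enubis(L0, LS, COST, u):9.3f} "
              f"-> {decide(L0, LS, COST, u)}; "
              f"would pay up to ${max_acceptable_cost(L0, LS, u):.2f}")
    print("ENBIS =", enbis(L0, LS, COST))
```

With a linear utility the bisection returns exactly EBIS = $200, so ENUBIS reduces to ENBIS; the risk-averse agent's maximum acceptable cost lands above $300, and the difference is the premium it pays to avoid the $2,000 tail. This is the mechanism by which security spending that looks negative on an ALE basis can still be rational for an organisation that cannot absorb the large loss.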


Return on security investment (ROSI)

[Figure: the cost-and-benefit boxes again. Cost of security ($): direct / indirect, variable / fixed, one-time / recurring, sunk / recoverable. Benefit of security ($): expected prevented losses.]

$$ROSI^{1)} = \frac{\text{benefit of security} - \text{cost of security}}{\text{cost of security}}$$

1) Return On Security Investment


Page 8: Managing Security Investment


Return on security investment (ROSI)

Definition

(ROSI) The return on information security investment $ROSI_s$ is the ratio of the expected net benefit over the cost of security,

$$ROSI_s = \frac{ENBIS_s}{c} = \frac{ALE_0 - ALE_s - c}{c}$$
