Economic Models & Approaches in Information Security for Computer Networks
Authors: P. Souras et al.
Submission: International Journal of Network Security
Reporter: Chun-Ta Li
Transcript
Outline
• Introduction
• Networks & Security
• Risk Management
• Financial Approaches in Information Security
• Return on Security Information
• Conclusion
• Comments
Introduction
• An organization consists of logical and physical assets that can be grouped into smaller elements [Wei 2001]
Introduction (cont.)
• An information security system
  – Protection from unauthorized access
  – Protection of information from integrity flaws
  – Detection and correction of information security breaches
• The potential decrease in Market Value due to IT security breaches is composed of both tangible and intangible assets
  – Loss of productivity, cost of system repair, insurance
  – Loss of reputation, reduction in brand value, legal implications
Introduction (cont.)
• Key issues in this paper
  – Economic models
    • Evaluation of an information security investment
    • Calculating information security risk
    • Annual Loss Expectancy (ALE)
    • Cost To Break metric
    • Set the rules for the calculation of the Return on Information Security
Networks & Security
• Organizations typically employ multiple security technologies
  – Firewalls
  – Intrusion Detection Systems (IDS)
• Three basic types of cryptography
  – Bulk encryption, Message authentication, Data integrity
• Three types of cryptographic systems
  – Totally secret, Public algorithms, Public key systems
• Possible ways of attack on the encrypted data
  – Calculation of the Password
  – Dictionary Attack
  – Packet Modification
  – Replay Attack
  – Evil Twin (man-in-the-middle)
Risk Management
• Quantification of risk [Reavis 2004][Schechter 2004]
  – RISK = VA*SV*LA
  – RISK = LLE*CLE
  – SecurityRisk = LSB*CSB
  – SecurityRisk = SBR*ACPB
Risk Management (cont.)
• Annual Loss Expectancy (ALE) [National Bureau of Standards 1979][Hoo 2000][Schrecher 2004]
  – ALE = expected rate of loss * value of loss
Financial Approaches in Information Security
  – Benefit (prevention of losses by security breaches)
• Optimization economic model [Gordon and Loeb 2001]
  – G(S) = B(S) – C(S)
    • B: implementation of information security infrastructure
    • C: total cost of that implementation
    • S: different levels of information security
    • G: determine the point where the gain
Financial Approaches in Information Security (cont.)
• Total annual security expenditure [Mizzi 2005]
  – E_S = F + B + M
  – L_T = L_I + A(t) + r(t)
  – A(t) = I*t/365
Financial Approaches in Information Security (cont.)
• The security implementation is viable if
  E_S < L_T
  (F+B+M) < [L_I + A(t) + r(t)]
• Cost to repair annual damages
Financial Approaches in Information Security (cont.)
• Annual Cost To Break [Mizzi 2005][Schrecher 2002]
  CTB = C_D + C_V
  CTB > E_S
  CTB > (F+B+M)
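The viability test (E_S < L_T) and the Cost To Break test (CTB > E_S) from the two slides above, as an added example that is not part of the original slides or paper. The slides do not define F, B, M, L_I, I or r, so they are treated here as opaque cost inputs, and all dollar figures are constructed for illustration.

```python
"""Mizzi-style annual expenditure checks, as summarised on the slides.

E_S  = F + B + M              total annual security expenditure
L_T  = L_I + A(t) + r(t)      total annual loss the safeguard is meant to prevent
A(t) = I * t / 365            loss accrued over t days of exposure in the year
CTB  = C_D + C_V              attacker's annual Cost To Break

Viable safeguard:   E_S < L_T
Adequate safeguard: CTB > E_S
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityExpenditure:
    F: float  # cost component F (not defined on the slides; assumed fixed cost)
    B: float  # cost component B (assumed deployment cost)
    M: float  # cost component M (assumed annual maintenance cost)

    def total(self) -> float:
        """E_S = F + B + M."""
        return self.F + self.B + self.M


def accrued_loss(I: float, t_days: int) -> float:
    """A(t) = I*t/365; t is the number of exposed days within one year."""
    if not 0 <= t_days <= 365:
        raise ValueError("t must be between 0 and 365 days")
    return I * t_days / 365


def total_loss(L_I: float, I: float, t_days: int, r: float) -> float:
    """L_T = L_I + A(t) + r(t), with r(t) supplied as an already evaluated value."""
    return L_I + accrued_loss(I, t_days) + r


def is_viable(spend: SecurityExpenditure, L_T: float) -> bool:
    """The implementation pays for itself only if it costs less than the loss it prevents."""
    return spend.total() < L_T


def ctb_exceeds_spend(C_D: float, C_V: float, spend: SecurityExpenditure) -> bool:
    """CTB = C_D + C_V must exceed E_S for the safeguard to be worth an attacker's effort to defeat."""
    return (C_D + C_V) > spend.total()


if __name__ == "__main__":
    spend = SecurityExpenditure(F=20_000, B=15_000, M=5_000)        # E_S = 40,000 (constructed)
    L_T = total_loss(L_I=30_000, I=36_500, t_days=100, r=5_000)     # 30,000 + 10,000 + 5,000
    print("viable:", is_viable(spend, L_T), "CTB > E_S:", ctb_exceeds_spend(25_000, 20_000, spend))
```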
Return on Security Information
• ALE framework had seven basic elements [Campbell et al. 1979]
Return on Security Information (cont.)
• The reduction in ALE [Schrecher 2004]
  S = ALE_BASELINE – ALE_WITH NEW SAFEGUARDS
• Total annual benefit B
  B = S + (profit from new ventures)
• Return on security investment
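The ALE formula from the Risk Management slide and the reduction S and benefit B from the slide above, as an added example that is not part of the original slides or paper. The threat names, rates and loss values are constructed for illustration.

```python
"""Annual Loss Expectancy and the ALE-reduction benefit, per the slides.

ALE = expected rate of loss * value of loss   (per threat, summed over the threat list)
S   = ALE_BASELINE - ALE_WITH_NEW_SAFEGUARDS
B   = S + profit from new ventures
"""
from typing import Dict, Tuple

# threat name -> (expected occurrences per year, loss per occurrence)
Scenario = Dict[str, Tuple[float, float]]


def annual_loss_expectancy(scenario: Scenario) -> float:
    """Sum of rate * value over every threat in the scenario."""
    total = 0.0
    for name, (rate, value) in scenario.items():
        if rate < 0 or value < 0:
            raise ValueError(f"negative rate or loss value for threat {name!r}")
        total += rate * value
    return total


def ale_reduction(baseline: Scenario, with_safeguards: Scenario) -> float:
    """S = ALE_BASELINE - ALE_WITH_NEW_SAFEGUARDS (negative if the safeguard makes things worse)."""
    return annual_loss_expectancy(baseline) - annual_loss_expectancy(with_safeguards)


def total_annual_benefit(baseline: Scenario, with_safeguards: Scenario,
                         new_venture_profit: float = 0.0) -> float:
    """B = S + profit from new ventures the safeguard enables."""
    return ale_reduction(baseline, with_safeguards) + new_venture_profit


# Constructed sample: the same three threats before and after adding MFA and offline backups.
BASELINE: Scenario = {
    "phishing-credential-theft": (12.0, 4_000.0),
    "web-app-defacement": (2.0, 15_000.0),
    "ransomware": (0.5, 200_000.0),
}
WITH_MFA_AND_BACKUPS: Scenario = {
    "phishing-credential-theft": (2.0, 4_000.0),   # MFA cuts successful phishing
    "web-app-defacement": (2.0, 15_000.0),         # unaffected by these safeguards
    "ransomware": (0.5, 20_000.0),                 # same rate, far cheaper recovery
}

if __name__ == "__main__":
    print("ALE baseline:", annual_loss_expectancy(BASELINE))
    print("S:", ale_reduction(BASELINE, WITH_MFA_AND_BACKUPS))
    print("B:", total_annual_benefit(BASELINE, WITH_MFA_AND_BACKUPS, new_venture_profit=5_000.0))
```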
Return on Security Information (cont.)
• Internal Rate of Return (IRR) [Gordon and Loeb 2002]
Conclusion
• Investment of information security
• Risk quantification methods – ALE
• Return on security investment (ROSI)
Comments
• Evaluation of Paper
  – Sound but dull
• Recommendation
  – Reject
• All of the economic models and approaches are previous research results.
• The authors must propose some brand-new concepts or models to evaluate information security in the organization to enhance the contribution of this article.