
Economic Models & Approaches in
Information Security for Computer Networks
Authors: P. Souras et al.
Submission: International Journal of Network Security
Reporter: Chun-Ta Li
Outline
• Introduction
• Networks & Security
• Risk Management
• Financial Approaches in Information Security
• Return on Security Information
• Conclusion
• Comments
Introduction
• An organization consists of logical and physical assets that can be grouped into smaller elements [Wei 2001]
Introduction (cont.)
• An information security system
– Protection from unauthorized access
– Protection of information from integrity flaws
– Detection and correction of information security breaches
• The potential decrease in Market Value due to IT security breaches is composed of both tangible and intangible assets
– Loss of productivity, cost of system repair, insurance
– Loss of reputation, reduction in brand value, legal implications
Introduction (cont.)
• Key issues in this paper
– Economic models
• Evaluation of an information security investment
• Calculating information security risk
• Annual Loss Expectancy (ALE)
• Cost To Break metric
• Set the rules for the calculation of the Return on Information Security
Networks & Security
• Organizations typically employ multiple security
technologies
– Firewalls
– Intrusion Detection Systems (IDS)
• Three basic types of cryptography
– Bulk encryption, Message authentication, Data integrity
• Three types of cryptographic systems
– Totally secret, Public algorithms, Public key systems
Networks & Security (cont.)
• Possible ways of attack on the encrypted data
– Calculation of the Password
– Dictionary Attack
– Packet Modification
– Replay Attack
– Evil Twin (man-in-the-middle)
Risk Management
• Quantification of risk [Reavis 2004][Schechter 2004]
– RISK = VA*SV*LA
– RISK = LLE*CLE
– SecurityRisk = LSB*CSB
– SecurityRisk = SBR*ACPB
Risk Management (cont.)
• Annual Loss Expectancy (ALE)
[National Bureau of Standards 1979][Hoo 2000][Schechter 2004]
– ALE = expected rate of loss * value of loss
Financial Approaches in Information Security
• Information security investment
– Cost (implementing infrastructure)
– Benefit (prevention of losses by security breaches)
• Optimization economic model [Gordon and Loeb 2001]
– G(S) = B(S) – C(S)
• B: implementation of information security infrastructure
• C: total cost of that implementation
• S: different levels of information security
• G: determine the point where the gain
Financial Approaches in Information Security (cont.)
• Total annual security expenditure [Mizzi 2005]
– Es = F + B + M
– LT = LI + A(t) + r(t)
– A(t) = I*t/365
Financial Approaches in Information Security (cont.)
• The security implementation is viable if
– Es < LT
– (F + B + M) < [LI + A(t) + r(t)]
• Cost to repair annual damages
– D = DD + DI
– (F + B + M) < (LT + A(t) + r(t) + D)
Financial Approaches in Information Security (cont.)
• Annual Cost To Break [Mizzi 2005][Schechter 2002]
– CTB = CD + CV
– CTB > Es
– CTB > (F + B + M)
Return on Security Information
• The ALE framework has seven basic elements [Campbell et al. 1979]
– Requirements, R = [R1, R2, …, Ri]
– Assets, A = [A1, A2, …, Ak]
– Security Concerns, C = [C1, …, Cs]
– Threats, T = [T1, T2, …, Tm]
– Safeguards, S = [S1, S2, …, Sp]
– Vulnerabilities, V = [V1, V2, …, Vq]
– Outcome, O = [O1, O2, …, Or]
• Three associated quantities
– Asset Values: Aval = [A1val, A2val, …, Akval]
– Safeguard Effectiveness: Seff = [S1eff, S2eff, …, Speff]
– Outcome Severity: Osev = [O1sev, O2sev, …, Orsev]
Return on Security Information (cont.)
• Identification of the security requirements
– Security concerns, possible threats, etc.
• Analysis phase
– Threat analysis, Vulnerability analysis, Scenario analysis
• Risk measurement (potential impact and probability)
– Acceptability test, cost-benefit analysis
• Decisions on safeguards
Return on Security Information (cont.)
• The reduction in ALE [Schechter 2004]
– S = ALE(baseline) – ALE(with new safeguards)
• Total annual benefit B
– B = S + (profit from new ventures)
• Return on security investment
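Added example, not taken from the paper or these slides: the ALE reduction, annual benefit and return on investment from this slide, together with Mizzi's viability test and the Cost To Break condition from the Financial Approaches slides, worked through on constructed figures. The slide states no ROSI formula, so the usual (benefit – cost) / cost ratio is assumed; the Mizzi variables F, B, M, LI, I, t and r(t) are used exactly as the slides name them, without assigning them meanings the slides do not give.

```python
# Added example (not from the paper or the slides): the deck's ALE/ROSI and
# Mizzi formulas evaluated on constructed numbers. Variable names follow the
# slides; F, B, M, LI, I and r(t) are not defined there, so they are only
# carried through the formulas, not interpreted.

def ale(expected_rate_of_loss: float, value_of_loss: float) -> float:
    """Annual Loss Expectancy: expected rate of loss * value of loss."""
    return expected_rate_of_loss * value_of_loss

def ale_reduction(ale_baseline: float, ale_with_safeguards: float) -> float:
    """S = ALE(baseline) - ALE(with new safeguards)."""
    return ale_baseline - ale_with_safeguards

def annual_benefit(s: float, profit_from_new_ventures: float = 0.0) -> float:
    """B = S + (profit from new ventures)."""
    return s + profit_from_new_ventures

def rosi(benefit: float, cost: float) -> float:
    """Return on security investment. The slide gives no formula; the usual
    (benefit - cost) / cost ratio is assumed here."""
    return (benefit - cost) / cost

def mizzi_viable(f: float, b: float, m: float, li: float, i: float, t: int, r_t: float) -> bool:
    """Es = F + B + M; A(t) = I*t/365; LT = LI + A(t) + r(t); viable iff Es < LT."""
    es = f + b + m
    a_t = i * t / 365          # A(t) exactly as written on the slide
    lt = li + a_t + r_t
    return es < lt

def cost_to_break_ok(cd: float, cv: float, es: float) -> bool:
    """CTB = CD + CV must exceed the annual security expenditure Es."""
    return cd + cv > es

def worked_example() -> dict:
    """Constructed scenario: two $50k incidents a year; an IDS cuts the rate to 0.5/yr."""
    baseline = ale(2.0, 50_000)            # 100,000
    with_ids = ale(0.5, 50_000)            # 25,000
    s = ale_reduction(baseline, with_ids)  # 75,000
    b = annual_benefit(s)                  # 75,000 (no new-venture profit assumed)
    ids_cost = 30_000                      # constructed annual cost of the safeguard
    return {
        "ale_baseline": baseline,
        "ale_with_ids": with_ids,
        "rosi": rosi(b, ids_cost),                                                 # 1.5
        "viable": mizzi_viable(10_000, 15_000, 5_000, 20_000, 36_500, 100, 5_000),  # Es 30k < LT 35k
        "ctb_ok": cost_to_break_ok(40_000, 20_000, 30_000),                        # 60k > 30k
    }
```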
Return on Security Information (cont.)
• Internal Rate of Return (IRR) [Gordon and Loeb 2002]
Conclusion
• Investment of information security
• Risk quantification methods – ALE
• Return on security investment (ROSI)
Comments
• Evaluation of Paper
– Sound but dull
• Recommendation
– Reject
• All of the economic models and approaches are previous research results.
• The authors must propose some brand-new concepts or models to evaluate information security in the organization to enhance the contribution of this article.