Security Standardization in the Presence of Unverifiable Control
Chul Ho Lee, with Dr. Geng and Dr. Raghunathan
The University of Texas at Dallas
2011.6.15

Agenda
- Introduction & Research Question
- Literature Review
- Model Setup
- Model Analysis

Introduction: The emergence of security standards
- Damages from security breaches often go beyond the organizational boundary:
  o 2006: the U.S. Department of Veterans Affairs lost 26.5 million records of personal information.
  o 2007: the retailer TJX Companies lost 46.2 million credit and debit card numbers.
  o 2005: identity theft resulted in corporate and consumer losses of $56 billion.
- Firms do not have an incentive to protect stakeholder value outside their own boundaries.
- "Regulation forces companies to take security more seriously." - Bruce Schneier (2008)
  o For the payment card industry: PCI-DSS.

Introduction: But do security standards really help?
- The number of breached companies has kept increasing since 2005.
- [Chart: number of breached companies (business), 2004-2009, with PCI DSS milestones: Dec. 2004 PCI DSS released; Sep. 2006 version 1.1 released; Oct. 2008 version 1.2 released; Oct. 2010 version 2.0 released.]

Introduction: Relaxing of the PCI-DSS standard
- Is it just a coincidence? On October 1, 2008, PCI-DSS version 1.2 was adopted.
- A major change in this version is the relaxation of some requirements:
  o The required frequency of rule set review changed from quarterly to at least every six months.
- Why relax the standard? Has the number of security breaches decreased since that same year?
Introduction: Security configuration
- Security configurations differ from firm to firm.
- [Diagram: two arrangements of security controls in front of the digital assets.]

Introduction: What is breached is often not regulated
- Heartland Payment Systems: data in transit is stolen.
- Miller and Tucker (2010) state that the focus on encryption as a solution may be misplaced, because so many instances of electronic data loss are due to negligence or internal fraud rather than to deliberate hacking.
- The evidence that attackers target unregulated controls:
  o targeting data in transit (Heartland Payment Systems);
  o targeting the wireless network (TJX Companies).
- Why are some security controls not regulated by standards?
  o Some controls are difficult to measure or to use as court evidence.
  o Some controls are measurable, but only at prohibitive cost.
  o New security controls constantly emerge because of the fast-evolving nature of information security.
- In this paper we refer to such controls as unverifiable controls.

Introduction: Liability reduction
- Standard compliance helps not only in fighting security attacks, but also in fights in court.
- Heartland Payment Systems and TJX Companies:
  o Heartland and TJX were certified as PCI compliant at the time of the breach and had received this certification several times.
  o When they were breached, both companies used being PCI compliant as court evidence.
  o A QIRA (Qualified Incident Response Assessor) is appointed to assess the merchant's PCI compliance for the lawsuit (Navetta, 2009).
- The standard serves dual roles: the actual legal obligations in the event of a security breach include not only the contract itself but also the specific mandates of the payment card operating regulations.
  o A report by QIRA coming down on the

Introduction: A study of security standardization that highlights unverifiable controls and the liability reduction effect
- We consider a two-security-control scenario where one control is verifiable and the other is unverifiable.
- We consider the liability reduction effect.
- We seek to explain the counterintuitive data mentioned before.
- We consider two security configurations: parallel configuration and serial configuration.

Research Questions
- How does a standard on a verifiable control affect firm effort on an unverifiable control?
- How does a standard on a verifiable control affect overall firm security?
- How do security configuration and liability reduction affect overall firm security?
- How does unobservability affect overall firm security?
- How does attack strategy affect firm effort and the security standard?

Literature Review
- Empirical papers
  o Romanosky et al. (2009): the adoption of data breach disclosure laws has a marginal effect on the reduction in incidences of identity theft.
- Economics models
  o Bernheim and Whinston (1998): it is often optimal to specify an incomplete contract when some aspects of performance are unverifiable.
  o Hendricks and McAfee (2006): consider a signaling model to analyze attacker-defender games.
- Related research from accounting
  o Dye (1993): the average quality of audits may decline as the auditing standard becomes tougher.
  o Schwartz (1998): the socially optimal commitment to standards is achievable if the auditor's legal liability regime is strict liability and is independent of the actual investment.
- What is new?
  o This is the first paper to deal with security standards from a policy maker's perspective.
  o We consider a model in which multiple security controls exist and standards cannot be imposed on all of them.
  o We consider strategic attacks.

Model Setup
- We are interested in the scenario where, if the digital asset or service is compromised by attacks, damages go beyond the firm boundary.
- Players
  o One firm that is in charge of protecting a digital asset or service using two security controls.
  o A representative attack that may assail the security controls in order to compromise the digital asset/service.
  o One policy maker that aims to optimize social welfare.
- Security controls
  o In order to protect the digital asset, the firm needs to invest $(e_V, e_N)$ in two security controls, V (verifiable) and N (nonverifiable).
- Breach probability functions $\pi(e_V, e_N)$
  o Parallel configuration (the asset is breached if either control fails): $\pi(e_V, e_N) = 1 - e_V e_N$
  o Serial configuration (the attacker must get past both controls): $\pi(e_V, e_N) = (1 - e_V)(1 - e_N)$
  o Strategic attack on the weakest link: $\pi(e_V, e_N) = 1 - \min(e_V, e_N)$
- Social welfare: while the direct control of security investments is in the hands of the firm, the policy maker can indirectly affect firm investments through standards.
  o $U_{SW} = V_{SW} - \pi(e_V, e_N)\, D_{SW} - C_V(e_V) - C_N(e_N)$
- Firm's payoff, where $k$ captures the liability reduction that compliance with the standard on V brings:
  o $U_F = V_F - \pi(e_V, e_N)\,(1 - k e_V)\, D_F - C_V(e_V) - C_N(e_N)$
- For the scope of this paper, we focus on security standards that have strict enforcement power, so that the affected firm has to comply unconditionally.
- Timing of the model

Model Analysis: The impact of the standard
- Unverifiable control: the firm's effort on an unverifiable control can increase or decrease in the security standard.
- Overall security: a high security standard can help or hurt the firm's overall security.

Model Analysis: The impact of security configuration
- Parallel configuration
  o The firm's effort on an unverifiable control can decrease in a high security standard.
  o Overall firm security can decrease in a high security standard.
- Serial configuration
  o The firm's effort on the unverifiable control decreases in the security standard.
  o Overall firm security can decrease in a low security standard.

Model Analysis: The impact of the standard (comparative statics)
- High liability reduction
  o If the liability reduction effect is high enough, a higher security standard hurts the firm's security under parallel configuration.
  o If the liability reduction effect is high enough, a lower security standard can hurt the firm's security under serial configuration.
- Low liability reduction
  o If the liability reduction effect is low, the security standard improves the firm's security under parallel configuration.
  o If the liability reduction effect is low, the security standard improves the firm's security under serial configuration.

Model Analysis: The impact of unobservability and unverifiability
- Naive standard (unobservability): the policy maker does not recognize the existence of the unverifiable control N.
  o The naive standard over-estimates the marginal value of improving control V.
  o The naive standard maker oversets the security standard.
- First-best standard (unverifiability): the policy maker believes that he can control both security controls.
  o The first-best standard maker oversets the security standard under parallel configuration.
  o The first-best standard maker may overset or underset the security standard under serial configuration.

Model Analysis: The impact of attack strategy
- Strategic attacker's behavior
  o First identify (or infer, in equilibrium) the weakest link.
  o Then concentrate on this weakest link.
  o Relevant only to parallel configuration.
- Lower effective standard (i.e. $s \le \hat{s}_W$)
  o Strategic attacks provide a supplementary incentive for the firm to secure the unverifiable control.
  o Strategic attacks can benefit the firm's security.
- Higher effective standard (i.e. $s > \hat{s}_W$)
  o All attacks focus on the unverifiable control.
  o Under a very high standard, since strategic attacks are all directed to the unverifiable control, the standard does not improve overall security but rather decreases the effort on the unverifiable control. Therefore the standard harms security.

Conclusion
- What we have found is as follows. This paper is a first study, from a policy maker's perspective, on whether and how the existence of an unverifiable security control and strategic attacks affect firm security.
- Under parallel configuration, increasing the security standard may harm firm security.
- Under serial configuration, increasing the security standard helps firm security.
- A boundedly rational policy maker will overestimate the optimal standard.
- Strategic attacks may benefit firm security under a lower standard.
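Worked numerical illustration of the model, added here as an example; it is not the paper's own code. It takes the breach functions from the Model Setup (parallel $1 - e_V e_N$, serial $(1 - e_V)(1 - e_N)$, weakest link $1 - \min(e_V, e_N)$) and the firm payoff $U_F$, and adds assumptions the slides do not state: the standard fixes $e_V = s$ exactly (strict enforcement), the cost of the unverifiable control is quadratic, $C_N(e) = c e^2 / 2$, and the parameter values $D_F = 1$, $c = 1.25$ and $k \in \{0, 1\}$ are constructed. Under those assumptions the firm's first-order condition gives its best response $e_N^*(s)$ in closed form, and sweeping $s$ reproduces the direction of the claims on the analysis slides: in parallel configuration with a strong liability reduction effect ($k = 1$) overall security $1 - \pi$ peaks at an interior standard and falls beyond it, while with $k = 0$ it rises monotonically; in serial configuration $e_N^*$ falls as $s$ rises; and against a strategic attacker $e_N^*$ tracks $s$ up to a threshold $\hat{s}_W = D_F / (c + k D_F)$ (the solution of $s = (1 - k s) D_F / c$ under these assumptions) and then declines, so a standard above $\hat{s}_W$ lowers security. The exact thresholds in the paper depend on functional forms the slides do not give, so only the direction of the effects should be read from these numbers.

```python
"""Numerical illustration of the standard-setting model (added example, not the
paper's code).  Assumptions beyond the slides: the standard fixes e_V = s exactly,
the firm's cost of the unverifiable control is quadratic, C_N(e) = c e^2 / 2,
and the parameter values below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    damage: float = 1.0   # D_F: damage the firm bears from a breach (constructed value)
    cost: float = 1.25    # c in C_N(e) = c e^2 / 2 (constructed value)
    k: float = 1.0        # strength of the liability reduction factor (1 - k e_V)


def breach_probability(config: str, e_v: float, e_n: float) -> float:
    """Breach probability pi(e_V, e_N) for the three cases on the slides."""
    if config == "parallel":            # either control failing exposes the asset
        return 1.0 - e_v * e_n
    if config == "serial":              # the attacker has to get past both controls
        return (1.0 - e_v) * (1.0 - e_n)
    if config == "parallel_strategic":  # attacker finds and hits the weakest link
        return 1.0 - min(e_v, e_n)
    raise ValueError(f"unknown configuration {config!r}")


def best_response_n(config: str, s: float, p: Params = Params()) -> float:
    """Firm's effort on the unverifiable control N when the standard forces e_V = s.

    The firm maximises -pi(s, e_N) (1 - k s) D_F - c e_N^2 / 2 over e_N.  With
    quadratic cost the first-order condition gives
    e_N = (-d pi / d e_N) * (1 - k s) D_F / c, clipped to [0, 1].
    """
    liable = (1.0 - p.k * s) * p.damage   # damage the firm still bears after complying
    if config == "parallel":
        e_n = s * liable / p.cost         # -d pi / d e_N = s
    elif config == "serial":
        e_n = (1.0 - s) * liable / p.cost  # -d pi / d e_N = 1 - s
    elif config == "parallel_strategic":
        # Effort on N only pays while e_N < s (beyond that the attacker switches
        # to V), so the firm stops at s or at its unconstrained optimum liable / c,
        # whichever is lower.
        e_n = min(s, liable / p.cost)
    else:
        raise ValueError(f"unknown configuration {config!r}")
    return min(1.0, max(0.0, e_n))


def overall_security(config: str, s: float, p: Params = Params()) -> float:
    """1 - pi evaluated at the firm's best response to standard s."""
    return 1.0 - breach_probability(config, s, best_response_n(config, s, p))


def strategic_threshold(p: Params = Params()) -> float:
    """s_hat_W: the standard above which the strategic attacker always targets N.

    Solves s = (1 - k s) D_F / c, i.e. the point where the firm's unconstrained
    effort on N drops below the mandated e_V.
    """
    return p.damage / (p.cost + p.k * p.damage)


def security_curve(config: str, p: Params = Params(), steps: int = 20):
    """(s, overall security) pairs as the standard sweeps 0..1 in `steps` increments."""
    return [(i / steps, overall_security(config, i / steps, p)) for i in range(steps + 1)]


def best_standard(config: str, p: Params = Params(), steps: int = 100) -> float:
    """Grid search for the standard that maximises overall firm security."""
    return max(security_curve(config, p, steps), key=lambda pt: pt[1])[0]


if __name__ == "__main__":
    for k in (0.0, 1.0):
        p = Params(k=k)
        print(f"k={k}: best parallel standard {best_standard('parallel', p):.2f}, "
              f"strategic threshold s_hat_W={strategic_threshold(p):.2f}")
        for s in (0.2, 0.4, 0.6, 0.8, 1.0):
            print(f"  s={s:.1f} " + "  ".join(
                f"{c}: e_N={best_response_n(c, s, p):.3f} sec={overall_security(c, s, p):.3f}"
                for c in ("parallel", "serial", "parallel_strategic")))
```

Running the file prints the curves for both values of $k$. With $k = 1$, `best_standard("parallel")` lands near $s = 0.67$ and security falls for higher standards; with $k = 0$ it is $1.0$. Against the strategic attacker, security equals $e_N^*$, which rises with $s$ until $\hat{s}_W \approx 0.44$ and then falls as the liability-adjusted damage shrinks.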