Investment Decision on Information System Security: A Scenario Approach

Transcription

1 Association for Information Systems AIS Electronic Library (AISeL) AMCIS 009 Proceedings Americas Conference on Information Systems (AMCIS) 009 Investment Decision on Information System Security: A Scenario Approach C. Derrick Huang Florida Atlantic University, dhaung@fau.edu Jahyun Goo Florida Atlantic University, jgoo@fau.edu Follow this and additional works at: Recommended Citation Huang, C. Derrick and Goo, Jahyun, ": A Scenario Approach" (009). AMCIS 009 Proceedings This material is brought to you by the Americas Conference on Information Systems (AMCIS) at AIS Electronic Library (AISeL). It has been accepted for inclusion in AMCIS 009 Proceedings by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contact elibrary@aisnet.org.

2 : A Scenario Approach C. Derrick Huang Florida Atlantic University dhuang@fau.edu Jahyun Goo Florida Atlantic University jgoo@fau.edu ABSTRACT This paper presents scenarios of information security defending against directed security threats, risk-averse firm s willingness to invest, and attacker s propensity to security measures each enhancing our understanding of a firm s information security investment under different circumstances. We find that, when a firm tries to defend against directed attacks, the relative size of potential losses is an important factor in determining the level of optimal investment, and the total investment may drop when the system vulnerability is high. And a firm should carefully weight its and the potential attacker s levels of aversion to risks in order to determine the most optimal level information security investments. The implications, limitations, and future directions of this research are also discussed. Keywords Information security, security investment, directed attack INTRODUCTION Managing information security has become an integral part of company s day-to-day operations. The number of security incidents, ranging from those by hackers with benign consequences, to attacks aimed at stealing valuable information, to cyber-terrorism, has increased significantly in recent years. To protect against such risks, organizations are investing heavily in information security-related products and services, in addition to the manpower and management attention dedicated to protecting the data and systems and recovering from virus infections and occasional breaches (Gordon et al. 006). Given the potential damages of information security events and the unattainable goal of complete security in today s business environment, it only makes sense for decision makers to wonder if their investments are made wisely and effectively. Firms are likely inclined to know how they would determine the optimal amount of investment and what to invest in. Those seemingly straightforward questions, however, are complicated by the fact that the information security is a complex system of many variables, many of which are outside the control of the firms in question. In order to address information security investment issues, one needs to study carefully the possible scenarios to which firms are exposed. This paper is intended to fill the research gap by building a generalized model for information system security investment and then applying the model to different security scenarios. This paper is organized as follows. We first review the literature on information security investment, pointing out the major findings and gaps in research. We next build a general model for managing information security investment. In the following sections, we present and apply the general models to different scenarios of information system security, including directed attacks, risk-averse decision maker, and attacker propensity. We conclude the study by discussing the implication of our research, its limitations, and future research directions. RESEARCH BACKGROUND The first issue of information security investment is to determine its optimal level for the firm in question. This issue is often addressed via the traditional decision analysis to compare the security risk and return of investments. Schechter (005) proposes an econometric model, in which risk is evaluated as security risk = (likelihood of loss event) * (cost of loss event). The return of security investment, on the other hand, comes from reduced security risks that a firm is facing. Based on this formulation, Gordon and Loeb in their seminal paper (00a) analyze the economics of security investment for a risk-neutral firm by comparing the cost of the investment and the potential loss caused by possible security breaches. They find that the optimal security investment would be far less than (with a theoretical maximum of 36.8% of) the potential loss if a security breach does happen, and that the optimal security investment does not necessarily increase with system vulnerability. In extending the Gordon and Loeb model, Huang et al. (008) adopt the expected utility theory to study the behavior of a riskaverse decision maker and find that optimal information security investment only exists when potential loss reaches a Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California August 6 th -9 th 009 1

3 minimum level; above that minimum, optimal investment increases with potential loss. In addition, contrary to the riskneutral case, a risk-averse decision maker may continue to invest in information security until the spending is close to (but never exceeds) the potential loss. After the amount of investment is determined (by optimization, budget, or other constraints), a firm needs to decide what security measures to invest in. Often, selection of the right investments is aided by traditional management tools as costbenefit analysis and financial analyses based on such measures as return on investment (ROI), net present value (NPV), and internal rate of return (IRR) (Gordon and Loeb, 00b). However, none of the methodologies have been identified as effective all the time. It is with this knowledge that we approach the analysis of information security investment based on scenarios. BASIC MODEL We model the attack based on the breach probability and expected loss, following closely the approach in Huang et al. (008) and Gordon and Loeb (00a). Our focus is to use the same modeling assumptions to examine scenarios such as attacker s propensity. Following their formulations, we assume that security adversaries generate attacks on the information systems with a threat probability t. The security property of the information systems is determined by the system vulnerability and security investment. The system vulnerability, v, is assumed to be a direct result of the topology and connectivity of the firm s information systems: The more accessible and connected the systems, the more intrinsically susceptible they are to attacks. To protect against the system vulnerability being exploited by threat agents, the firm invests S in security measures. The probability of a security breach to occur can then be considered as a function of the behavior of the attack agents, as described by the threat probability, and the security property of the information systems, which, in our model, is determined by the system vulnerability and investments in security measures. In other words, the breach probability p can be written as the following: p= p( t, v, S). (1) For simplicity, we require that both t and v to be between 0 and 1. We note that for any given system, the higher the security threat and the more susceptible to attacks, the higher breach probability; that is, both 0 and 0. Further, the effect of the security investment is to reduce the breach probability, or p 0 p t p v. () We assume that this reduction is governed by the law of diminishing return, which implies that p 0. (3) We also require the following boundary condition p ( t, v,0) = tv. That is, when the firm does not make any security investment, the breach probability is solely determined by and can be described as a product of the threat and the intrinsic system vulnerability. A common definition of risk is the combination of the likelihood and the consequence of a specified hazard being realized (Schechter, 005). The security risk R the firm faces can therefore be written as R= pl, (4) where L is potential economic loss caused by a security breach. For our model, we make the simplifying assumption that L > 0 is a fixed amount, as estimated by the firm based on the type of attack. From the boundary condition p ( t, v,0) = tv, we know that the security risk a company faces when no investment is made is tvl. To protect against the attack, the firm makes investment S to reduce the breach probability such that the information security risks is reduced by R= ( tv p) L. In other words, the net benefit of the security investments would be B( S, t, v) = ( tv p) L S. (5) Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California August 6 th -9 th 009

4 The task of optimizing the security investments is to maximize their benefits. In later sections, we apply this model to various scenarios to optimize the investment S by setting the first-order partial differentiation of B in (5) with respect to S; B that is, = 0. For it to be valid, we check to see that this operation indeed yields maximum, not minimum, of B: because of (3). SCENARIO 1: DIRECTED ATTACKS B p = L 0, (6) In this scenario, we consider the case when the attacks are directed at a particular firm s systems or properties. We follow a derivation that has its root in scale-free networks (Albert et al., 1999; Faloutsos et al., 1999; Kumar et al., 000). It has been shown that the connectedness of the Internet and the worldwide web resembles that of a scale-free, small-world network, distinguished by a limited number of highly connected nodes (called hubs ) as well as by its structural independence of the system s size N (Barabási and Albert, 1999; Watts and Strogatz, 1998). In a scale-free network, the probability that a node connects with k other nodes is roughly proportional to k -γ, where γ is between and 3 for most real networks such as the Internet (Barabási and Albert, 1999). To examine how the scale free network can shed light on the directed attacks, we follow the derivation of Chang and Young (005) and Pastor-Satorras and Vespignani (001) to consider the case that an epidemic event starts spreading in a scale-free network. The rate of epidemic spreading, λ, is determined by r, the infection rate of a previously uninfected node if it is connected to an infected one, and δ, the remediation rate of an infected node: λ r δ =. (7) Let P k (t) denote the relative density of infected nodes with k connections that is the probability that a node with k connections is infected at time t. The mean field rate equation gives (Pastor-Satorras and Vespignani, 001) Pk ( t) = Pk ( t) + λk[1 Pk ( t)] Θ( λ) t, (8) where Θ(λ) is the probability that any given connection points to an infected node, which can be given in the lowest order of λ (Chang and Young, 005): λ e n Θ λ) = λn (, (9) where n is the minimum number of nodes available for connection in such a network. Solving for P k in a steady state (i.e., P k ( t) = 0 t ), we get kλθ( λ) = 1+ kλθ( λ) P k. (10) When averaging P k over k, we get the average infection probability of any node in the network (Pastor-Satorras and Vespignani, 001): where c is a normalization constant. 1 λn P= ce, (11) To extend this result to security investment of the firm s information systems, we assume that the firm s information systems can be represented as a node in such a network. Further, we assume that the effect of security investment S can be shown in the reduction of the infection rate λ in (9). We further observe that λ and S satisfy certain boundary conditions. First, the attack would be spread freely to the node without any security investment; in other words, λ = 1 when S = 0. Second, any finite security investments, no matter how large, would never be able to fully block all attacks; in other words, λ 0 only Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California August 6 th -9 th 009 3

5 when S. Without loss of generality, we assume a linear inverse relationship between security investment and infection rate. Such relationship with the above boundary conditions can be expressed in the following manner: 1 κs + 1 λ, (1) where κ, normalized to between 0 and 1, is a scaling factor for S: The higher the κ, the greater reduction of the infection rate for any given security investment S. Our next set of observations is on the system vulnerability v. We note that since v represents the connectivity of the information systems in question, v would be strictly increasing in n, which represents the extent of connections in such a scale-free network. Further, when n = 0, v = 0. On the other hand, v 1 when n ; that is, the systems are highly vulnerable to the epidemic, or security attacks in our case, when they are completely open. We assign the following relationship between c and n that satisfies all the above conditions: 1 n v e. (13) When the systems are under directed attack, the scale-free network effectively becomes a regular randomly connected network to the attackers, because the attacker has to initiate the attack from a connected node regardless of the topology of the overall network. The vulnerability, in this case, can be regarded as the probability of an attacker successfully identifying any connecting node to initiate such an attack. The probability of a breach by such a directed attack can therefore be represented as the product of the vulnerability v, the infection rate λ, and the threat probability t. In other words, we can write the breach probability for a directed attack as: p = tv κ S +1. (14) Before we proceed, we have to establish an important boundary condition. Before a firm makes the first ever security investment, it has to assume that such investment generates positive benefit. This is true, because otherwise no firms would be making any information security investment. Such boundary condition can be expressed as B ( t, v, S = 0) 0 We first apply (15) to S to produce the following boundary conditions: B (0) 0 v 1 tκl. (15) ; (16) In this case, we solve for optimal investments by taking the partial derivative of (16) with respect to one while holding the other constant: Because we have Substituting (18) into (17), we get B ( S * ) = 0 ρ t κ v = ( κ S +1) Rearranging the terms in (19) and solving for S*, we have t κ vl 1= 0. * ( κs + 1), (17) ; (18) (19) t vκl 1 S * =. (0) κ Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California August 6 th -9 th 009 4

6 Plotting out Eq. (0), along with boundary condition (16), we can see that S* increases with v initially, starts to drop after certain v, and eventually becomes a strictly increasing function of v when v is large. To summarize, the optimal total investment S* in information security in the case of concurrent attack, with no additional constraints, becomes nonzero above some minimum vulnerability v and increases with v thereafter. When v becomes large, S* starts to drop, but eventually becomes a strictly increasing function of v. These results are consistent with those of Gordon and Loeb (00a). SCENARIO : SECURITY INVESTMENT IN THE CASE OF RISK-AVERSE FIRM Our second scenario involves a closer look at how much a firm is willing to invest against security threat. In the case of riskneutral firm, as represented by (5), such willingness is trivial: Firms always respond in a linear fashion. However, when the firm is risk-averse, the amount of investment a firm is willing to make in order to reduce the security can be an interesting subject. We follow the assumptions and derivations of Huang et al. (008) in assuming that such firms would tend to maximize a utility function u = u(b) and that the risk aversion coefficient α is constant: We arrive at the form of the appropriate u(b): u ( B) α = 0. u ( B) (1) B u( B) = αe α. We can then use this utility function as the subject for maximization, as shown in Huang et al. (008), instead of the B itself, to find the willingness to invest. In the next scenario, we will extend the behavior assumption to the attacker as well. SCENARIO 3: HACKER S PROPENSITY TO ATTACK When a firm makes investment in information security, potential attackers actions may be affected: Protective measures taken by the directed firm are likely to influence the decision of the potential attackers on whether and how to attack (Cremonini and Nizovtsev, 006). In this section, we consider the scenario where security investment made by the directed firm is felt by the security adversaries. To compare the reaction of the attacker and the firm under attack, we adopt the assumption of a risk-averse firm as in Scenario. Further, we adopt the derivation by Huang et al. (008) but consider only the directed attack, because, by definition, whoever that initiated random attacks would not be affected by the measure of any of the firms that are randomly under attack. In this case, the threat probability is no longer an exogenous parameter, but a function of the directed firm s security investment; i.e., t = t(s). To model the attackers reactions to directed firm s security investment, it is reasonable to assume that the more protective measures taken by the directed firm, the more likely is the attacker taking notice and reacting accordingly. Without loss of generality, we assume the rate of decrease in the incentive to attack (thus the threat probability) is proportional to the security investment made by the directed firm. This can be written as the following: t( S) ln = ϕs, t 0 where t 0 is the attack probability when the directed firms takes no protective measures. The factor φ in (3), which we define as the attack propensity parameter, represents the degree of reaction of an attacker to the directed firm s protective actions. A potential attacker who is more unwilling to face a failed attack and its consequences and more averse to the risk of getting caught would have a higher φ. Based on (3), we have ( 0 () (3) κs t S) = t e. (4) A generic plot of t(s) is presented in Figure 1: the decrease in t is small when S is small, but t drops off rapid when S becomes large. In practice, this means that the attacker is not deterred much when the directed firm only makes scant effort toward information security; however, when the protective measures grow extensive, the incentive for the potential attacker to attack is quickly reduced. Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California August 6 th -9 th 009 5

7 Figure 1. Threat Probability as a Function of S With (4), the directed breach probability in (14) can becomes ϕs vt0e p=. κs + 1 (5) And p ϕs vt0e = ( κs + 1) ( κ + ϕ+ κϕs ). (6) To see the effect of this new form of breach probability, we borrow the optimization condition from Huang et al. (008) for the risk-averse firm facing directed attacks: p ( e α L L 1) + α( e α 1) p+ α = 0. (7) Plugging in (5) and (6) into the optimization condition (7), and after rearranging terms, we have * * αl ϕsi * * αl ϕsi α ϕ)( e 1) vt0e ( κs I + 1) + α( κs + 1) κ ( e 1) vt0e = 0. (8) ( A quick examination of (8) shows that a closed-form solution of S* is impossible, so we resort to simulation to study its properties. Figures and 3 show the behavior of optimal investment with respect to system vulnerability v and expected loss L, respectively. We also include the base case (i.e., φ = 0) as a comparison. First thing we note is that, everything else being equal, the optimal investment S* is always higher when attack propensity φ is nonzero. This is not surprising, given that, in this scenario, the more investment a firm makes, the lower the threat probability is. And perhaps because of the investment effect on attack probability, the minimum vulnerability for nonzero optimal investment against directed attacks (Huang et al., 008) disappear (Figure 3), although the minimum expected loss, proposed by Huang et al (008), still applies. Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California August 6 th -9 th 009 6

8 Figure. Optimal Investment vs. System Vulnerability in the Presence of Attack Propensity Figure 3. Optimal Investment vs. Potential Loss in the Presence of Attack Propensity When an attacker is aware of and averse to the security investment made by the directed firm, the investment itself becomes more effective. Thus, intuitively, S* would increase with φ. However, such strictly increasing relationship does not exist when we plot S* against φ, as shown in Figure 4. Instead, S* increases first with larger φ, reaches a maximum, then starts to decline quickly, given L and v. In other words, when attacker s awareness and aversion to directed firm s action are high, optimal investment decreases with attack propensity. An important practical implication of this finding is that, when the potential attackers are likely to be deterred by a firm s security measures, it is to the firm s advantage to announce and advertise such measures as much as possible. By doing so, the firm can actually lower its investment on information security. Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California August 6 th -9 th 009 7

9 Figure 4. Optimal Investment vs. Attack Propensity It is perhaps most interesting to note that, in Figure 4, S* reaches a maximum when φ = α. That is, the optimal investment is the highest when attacker s propensity matches directed firm s risk aversion parameter. This can be best understood by examining closely the meanings of φ and α. As structured in the model, both represent the level of risk tolerance α indicates the directed firm s risk aversion, and φ does the attacker s. As such, when φ < α, S* increases with φ, because the directed firm is more averse to the security risk and more willing to invest against it. However, when the attacker is highly aware of and averse to (the risk of being caught or simply defended against by) the security measures taken up the directed firm, the directed firm may not need to invest as much. Therefore, when φ > α, S* tend to decline with increasing φ. Combining these two arguments, we can see that S* reaches a maximum when φ = α. CONCLUSION In this paper, we present scenarios of information security: directed attack threats, risk-aversion firm, and attacker s propensity to security measures. Each enhances our understanding of a firm s information security investment under different circumstances. When a firm tries to defend against directed or directed attacks, the relative size of potential losses is an important factor in determining the level of optimal investment, and the total investment may drop when the system vulnerability is high. A risk-averse firm would always invest more than the information security risk but never more than the expected loss. And lastly, a firm should study its and the potential attacker s levels of aversion to risks in order to determine the most optimal level information security investments. This research, like all studies, has its limitations. All parameters adopted in the mathematical models are assumed to be well behaved, that is, continuous and twice differentiable. Likewise, certain boundary conditions, such as extremely large expected loss, are excluded to preserve the integrity of the models. Additionally, the assumptions we adopt in the mathematical models are unavoidably a simplified representation of reality. This study points to a few future research directions. First, a natural extension of the current research would be to verify its results with real data. It would also be useful to relax some of the limitations posed by the mathematically modeling. Further, this paper establishes a path of research for future studies to follow and examine other possible scenarios of information security faced by organizations. It would also be interesting if one can combine all or several of such scenarios. Finally, future research can couple the mathematical modeling technique with other methodologies, such as qualitative case study or action research, to extend the usefulness and applicability of optimal information security investment. Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California August 6 th -9 th 009 8

10 REFERENCES 1. Albert, R., Jeong, H, and Barabási, A.-L. Diameter of the world-wide web. Nature, 401 (1999), Barabási, A.-L., and Albert, R. Emergence of scaling in random networks. Science, 86 (1999), Chang, D.B., and Young, C.S. Infection dynamics on the Internet. Computers & Security, 4 (005), Cremonini, D., and Nizovtsev, M. Understanding and influencing attackers' decisions: implications for security investment strategies. The Fifth Workshop on the Economics of Information Security (WEIS06), Cambridge, England, June 6-8, 006, online at 5. Faloutsos, M., Faloutsos, P., and Faloutsos, C. On power-law relationships of the Internet topology. ACM SIGCOMM Computer Communication Review, 9, 4 (1999), Gordon, L.A., and Loeb, M.P. (00a) The Economics of Information Security Investment, ACM Transactions on Information and Systems Security, 5(4), Gordon, L.A., and Loeb, M.P. (00b) Return on Information Security Investments: Myths vs. realities, Strategic Finance, 84(5), Gordon, L.A., Loeb, M. P., Lucyshyn, W., and Richardson, R. (005) Tenth Annual CSI/FBI Computer Crime and Security Survey. Computer Security Institute. 9. Huang, C.D., Hu, Q., and Behara, R.S. (008) Economics of Information Security Investment in the Case of Simultaneous Attacks, International Journal of Production Economics, 114 (), Jonsson, E. and Olovsson, T. (1997) A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior, IEEE Transactions on Software Engineering, 3(4), Kumar, R., Raghavan, P., Rajagopalan, S., Sivakumar, D., Tomkins, A., and Upfal, E. The web as a graph. Proceedings of the Nineteenth ACM Symposium on Principles of Database Systems, Dallas, Texas, May 15-17, 000, Liu, P., Zang, W. and Yu, M. (005) Incentive-Based Modeling and Inference of Attacker Intent, Objectives, and Strategies, ACM Transactions on Information and System Security, 8(1), Leeson P.T. and Coyne, C.J. (006) The Economics of Computer Hacking, Journal of Law, Economics and Policy, forthcoming. 14. Mercuri, R. T. (003) Analyzing Security Costs, Communications of the ACM, 46(6), Pastor-Satorras, R., and Vespignani, A. Epidemic spreading in scale-free networks. Physical Review Letters, 86, 14 (001), Schechter, S.E. Toward econometric models of the security risk from remote attacks. IEEE Security & Privacy, 3, 1 (005), Watts, D.J., and Strogatz, S.H. Collective dynamics of small-world networks. Nature, 393 (1998), Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, California August 6 th -9 th 009 9