Economics of Information Security Investment in the Case of Simultaneous Attacks

Transcription

1 Iowa State Unversty From the SelectedWorks of Qng Hu June, 006 Economcs of Informaton Securty Investment n the Case of Smultaneous Attacks C. Derrck Huang, Florda Atlantc Unversty Qng Hu, Florda Atlantc Unversty Rav S. Behara, Florda Atlantc Unversty Avalable at:

2 Economcs of Informaton Securty Investment n the Case of Smultaneous Attacks C. Derrck Huang Department of Informaton Technology & Operatons Management College of Busness Florda Atlantc Unversty Boca Raton, FL 3343 dhuang@fau.edu Qng Hu Department of Informaton Technology & Operatons Management College of Busness Florda Atlantc Unversty Boca Raton, FL 3343 qhu@fau.edu Rav S. Behara Department of Informaton Technology & Operatons Management College of Busness Florda Atlantc Unversty Boca Raton, FL 3343 rbehara@fau.edu Manuscrpt to be presented at The Ffth Workshop on the Economcs of Informaton Securty (WEIS 006)

3 Economcs of Informaton Securty Investment n the Case of Smultaneous Attacks ABSTRACT Wth bllons of dollars beng spent on nformaton securty related products and servces each year, the economcs of nformaton securty nvestment has become an mportant area of research, wth sgnfcant mplcatons for management practces. Drawng on recent studes that examne optmal securty nvestment levels under varous attack scenaros, we propose an economc model that consders smultaneous attacks from multple external agents wth dstnct characterstcs, and derve optmal nvestments based on the prncple of beneft maxmzaton. The relatonshps among the major varables, such as systems vulnerablty, securty breach probablty, potental loss of securty breach, and securty nvestment levels, are nvestgated va analytcal and numercal analyses subject to varous boundary condtons. In partcular, our model shows how a frm should allocate ts lmted securty budget to defend aganst two types of securty attacks (dstrbuted and targeted) smultaneously. Among the results of these analyses, we fnd that a frm wth a small securty budget s better off allocatng most or all of the nvestment to measures aganst one of the classes of attack. Further, when the potental loss from the targeted attacks and the system vulnerablty are relatvely large, the focal frm should allocate most of ts budget to such attacks. Keywords: Informaton Securty, Securty Investment, Economc Modelng, Optmal Investment Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page /33

4 . Introducton In the era of the commodtzaton of nformaton technology (IT) and the globalzaton of world economy, t s argued that the most challengng aspect of managng today s networked organzatons s not so much usng IT to create compettve advantages n the marketplace but managng the potental rsks created by IT (Carr, 003). And among the rsks, securty breach to the hghly connected corporate nformaton systems s perhaps the most promnent and vsble, as evdenced n the headlnes of mass meda n recent years. In a 003 survey of the Global 500 companes, 39% of the respondents reported that ther nformaton systems had been compromsed n some way n the pror year (Power, 003). And the general (and seemngly natural) reacton to ths growng rsk has been ncreased spendng on securty technologes. Whle worldwde IT spendng has remaned flat or even slghtly down n recent years after the burst of Internet bubble n 000, spendng on nformaton securty related products and servces by organzatons large and small has been growng at a rate of 7.6% per annum and s forecasted to reach $.6 bllon n 006 (AT&T, 004). However, t s commonly recognzed that complete nformaton securty at the corporate level s vrtually mpossble wthout hnderng the normal busness actvtes n today s economy, where connectvty to external busness partners and customers s essental. Gven the unattanable state of complete securty, n recent years, scholars and practtoners alke seek to address a dfferent queston about nformaton securty: How does a frm mnmze securty rsks wth lmted resources for mplementng securty technologes and programs? Ths queston has spawned two dstnct yet complementary streams of research: The determnaton of return on securty nvestments (ROSI) (Cavusoglu et al., 004, 005) and the search for optmal securty nvestment levels under dfferent securty threat scenaros (Gordon and Loeb, 00; Huang et al., Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 3/33

5 005a, 005b). In ths paper, we draw on the pror works n the latter stream and examne the optmal nvestment levels under a more realstc set of boundary condtons and assumptons. Specfcally, we develop securty nvestment optmzaton models that consder smultaneous attacks on the focal nformaton system by two types of external threats: the dstrbuted attack, such as computer vruses and spyware lurkng for opportuntes through random but massve campagns, and the targeted attack, va whch hackers attempt to break nto specfc systems to destroy, alter, or steal valuable data and nformaton. In so dong, we hope to advance the knowledge of economcs of nformaton securty and to provde nsght nto better nformaton securty management practces. The rest of the paper s arranged as follows. In the next secton, we revew the recent development n the area of economcs of nformaton securty and dentfy the gaps n the research lterature. In secton 3, we develop the core economc model of nformaton securty nvestment for managng the aforementoned two types of securty breaches. Ths model s then used to yeld optmal securty nvestments wthout (n secton 4) and wth (n secton 5) the constrant of securty budget. Numercal analyses are also performed to provde nsghts nto the behavors of the model and the nteractons of the varables under dfferent scenaros. Fnally, n secton 6, we dscuss the man fndngs of ths study n the context of nformaton securty practces. Lmtatons of the current approach and future research drectons for further advancng the research stream are also dscussed.. Research Background Research n the area of the economcs of nformaton securty nvestment, where the tradtonal decson analyss n determnng the optmal level of nvestments based on rsk and Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 4/33

6 return, s stll n ts early stage. Adoptng the assumpton of rsk neutralty, Gordon and Loeb (00a) analyze the optmal level of securty nvestments based on the prncple of maxmzng the net beneft of such nvestments. They fnd that the optmal nvestment n nformaton securty does not necessarly ncrease wth vulnerablty, mplyng that a frm should not always nvest to protect the most vulnerable nformaton systems. They also show that the optmal securty nvestment would be far less than the potental loss (wth a theoretcal maxmum of 36.8%) due to a securty breach. Huang et al. (005a, 005b) extend the above model by takng nto account the rsk profle of the decson maker of the frm n queston and adopt the expected utlty theory n optmzng the nformaton securty nvestment. When the decson maker s rsk averse a commonly accepted assumpton for frms wth good performance (Fegenbaum and Thomas, 988; Jegers, 99) they fnd that the optmal nformaton securty nvestment s zero below a mnmum potental loss; above that mnmum, optmal nvestment does ncrease wth potental loss. And, contrary to the rsk-neutral case, a rsk-averse decson maker may make securty nvestment close to (but never exceeds) the potental loss n the case of dstrbuted attacks. In addton, they fnd that a decson maker more averse to rsk (.e., wth less appette n acceptng rsk) does not necessarly nvests more n nformaton securty. In the case of frms wth nterconnected IT systems, Ogut, Menon, and Raghunathan (005) fnd that such nterdependency reduces the frms nformaton securty nvestments to a level lower than optmum. In contrast, when these nterconnected frms face lablty n IT securty the breached frm has to pay others for collateral damages they tend to over-nvest above the optmal level. Ths s because each frm can only optmze ts own utlty, even though some of the rsks are controlled by other nterconnected frms. Consequently, the nvestment Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 5/33

7 decson reached under such constrant s almost always sub-optmal, unless all nterconnected frms can plan and optmze ther nformaton securty nvestment jontly. So far, these economc studes have focused on optmzng the total nvestment n nformaton securty. But today s frms face dfferent types of securty challenges at the same tme. The most common are the dstrbuted attacks, such as vrus, spyware, phshng, and spam emal, that corporatons face on the daly or even hourly bass. The probablty of such dstrbuted attacks overwhelms other types of securty ncdents (CSO 005), but ther consequences are generally lmted. The targeted attacks, such as the purposeful penetraton nto the bank s systems to transfer large amount of money by hackers, consttute another class of securty challenges. Such attacks may be less frequent than dstrbuted attacks, but they tend to cause large damages to the targeted frms. For nstance, per-respondent loss from theft of propretary nformaton s three tmes that from vrus n the 005 CSI/FBI survey (Gordon et al., 005). Yet other classes, such as nsder attacks and property theft, of securty ncdents exst. Frms may need to nvest n dfferent measures to defend aganst dfferent classes of attacks, and economc analyss focusng on the optmal allocaton of nformaton securty nvestment to each of the classes can be helpful to decson makers. In the followng secton, we present a model for such a purpose. 3. Model Constructon We consder a sngle-perod, mult-event model for nformaton system securty of a frm (see Fgure for a conceptual descrpton of the model). Threat agents, whch can be external or nternal to the frm, generate attacks on the nformaton systems. Some of the attacks compromse the securty of the nformaton systems (wth the breach probablty ρ) cause Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 6/33

8 damages (of the potental loss L) to the frm. The securty rsk z the frm faces can therefore be wrtten as (Kaas et al., 00, Schechter 004) z = ρl. () The breach probablty ρ s a functon of the behavor of the attack agents, characterzed by ther attack probablty ξ, and the securty property of the nformaton systems, whch s n turn determned by the system vulnerablty and securty measures. For any gven system, the hgher the attack probablty, the hgher breach probablty; that s, ρ 0. The system ξ vulnerablty, v, s ntrnsc to the topology and connectvty of the frm s nformaton systems: the more access and connected the systems, the more ntrnscally vulnerable. In other words, v represents the probablty (0 v ) for a securty breach wthout any addtonal securty nvestment. The breach probablty s an ncreasng functon of v; that s, ρ 0. It s v mportant to note that, n ths defnton, the system s confguraton, access, and connectvty are dctated by the frm s busness requrements, not technology choces. So, for nstance, the frm n queston may choose to allow ts vendors to access certan areas of ts nformaton systems, a decson whch may facltate ts busness operatons but would ncrease the vulnerablty. To protect aganst the system vulnerablty beng exploted by threat agents, the frm nvest S n securty measures. Ths nvestment can take many forms, from technologes such as frewalls and ant-vrus software, to procedures such as auto log-off and password agng, to polces such as user tranng and securty audts. We requre that the effect of the securty nvestment s a reducton of breach probablty, or ρ 0. () S Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 7/33

9 We further assume that ths reducton s governed by the law of dmnshng return, whch mples that ρ 0. (3) S To summarze, the breach probablty can be descrbed as ρ = ρ( ξ, v, S), (4) subject to the boundary condton 0 ρ = ρ( ξ, v,0) = ξv. (5) Now we consder the case of n types of smultaneous attacks. We assume that each type of attack can be descrbed by ts own breach probablty and loss. In other words, z = ρ L, [, n] I, (6) where ρ = ρ (ξ, v, S ). Note that the vulnerablty v s the same for all attacks, because t s ntrnsc to the systems. L represents the potental economc (.e., monetary) loss the frm faces when the th type of attack happens. Ths loss can be the drect for nstance, stolen product nformaton or ndrect for nstance, customer losng trust of a company that could not safeguard credt card data result of securty breach of ths partcular type of attack. Wthout loss of generalty, we make the smplfyng assumpton that each L > 0 s a fxed amount, as estmated by the frm based on the type of attack. We further assume that L can be very large but always remans fnte; that s, our model does not cover the case of potental losses of a catastrophc level. So n the case of a frm facng n types of attacks, the total nformaton securty rsk can be expressed as Z = n = z = n = ρ (ξ, v, S )L. (7) Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 8/33

10 To protect aganst the th type of attack, the frm makes nvestment S to reduces the breach probablty ρ, hence, from (5) and (6), reducng the nformaton securty rsks that the frm faces by Δ z = ( ρ 0 ρ )L = ( ξ v ρ ) L. If the frm repeats the same process for all n types of attacks, the net beneft of all the securty nvestments of S, =..n, can be expressed as Φ( S,.., S n ) = = n = n = ( Δz ( ξ v ρ )L S ) n = S, (8) And t s subject to the boundary condton the margnal net beneft of any securty nvestment S at S = 0 s non-negatve; n other words, the ntal securty nvestment of S has to produce nonnegatve net beneft. Mathematcally, ths condton s wrtten as Φ ( S,.., S = 0,.., S n ) 0, =,.., n. (9) S The task of optmzng the securty nvestments s to maxmze ther benefts Φ. In later sectons, ths optmzaton s performed by settng the frst-order partal dfferentaton of Φ ( S,.., S n ) n (8) wth respect to each S ; that s Φ = 0. S And ths operaton ndeed yelds maxmum, not mnmum, of Φ: Φ ρ = L S S 0, (0) because ρ 0,, from (3). S We follow Gordon and Loeb (00) n makng the assumpton of a rsk-neutral frm. When the decson-maker of a frm s rsk-neutral, he s sad to be ndfferent towards nvestment decsons that carry the same expected values, even when they assume dfferent rsks (that s, dfferent probablty of realzaton). In general, the atttude towards rsk can be captured by the functonal form of the utlty functon u(w). For a dscusson of optmal nvestment n nformaton securty by a rsk-averse decson maker, see Huang et al. (005b). Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 9/33

11 Wthout loss of generalty, we consder the case of n =, or two smultaneous attacks. We can then rewrte (8) to Φ S, S ) = ( ξ v ρ )L + ( ξ v ρ )L ( S + ). () ( S For the two types of attacks, we adopt the two broad classes of securty breach probablty frst proposed by Gordon and Loeb (00): ξv ρ =, () κ S + S + ρ = ξv κ. (3) S and S represent securty nvestments made to counter Class and Class attacks, respectvely, and the parameters κ and κ measure the level of mpact of, or the return on, the securty nvestment. For any gven securty nvestment S, the hgher the κ, the more reducton of the breach probablty. We further smplfy t by assumng that ξ = ξ = ξ. The assocated potental losses of the two classes are L and L. The total securty nvestment that the frm makes n the case of two smultaneous attacks s the sum of the nvestments made to counter the ndvdual attacks: S = S + S. (4) Before we proceed, t s mportant to examne these two classes of attacks based on the property of the breach probabltes. ρ n () ncreases lnearly wth the system vulnerablty, a characterstcs generally exhbted by prmary attacks such as one targeted at a frm s databases that store customer credt card nformaton by explotng specfc system vulnerabltes. The Class securty breach probablty n (3), whch ncreases slowly at frst wth an ncrease n vulnerablty but then rapdly when the vulnerablty crosses a certan threshold (Fgure ), seems to approprately descrbe mass or dstrbuted attacks such as computer vrus attack through emal Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 0/33

12 attachments. Wth respect to the securty nvestment, Class probablty s much more convex n S than Class (Fgure 3), meanng that an ntal nvestment n securty s lkely to have a more sgnfcant mpact on the securty threats represented by ρ than those represented by ρ. Ths comparson fts well wth the response to securty nvestment by the reducton of breach probablty from dstrbuted attacks verses that from targeted attacks, because t s often more dffcult to stop a determned attacker who tres to break nto a partcular system wth known or unknown vulnerabltes. Based on these characterstcs, we post that that Class n () best descrbes a targeted attack, whle Class n (3) can be regarded as that related to a mass or dstrbuted attack (Huang et al., 005). Substtutng () and (3) nto () and rearrange the terms, we have ξvκ SL κ S Φ( S, S ) = + ξv( v )L ( S + S ). κ S + (5) Maxmzng the total net beneft Φ n (5) then yelds the optmal securty nvestments for both classes of attacks. In the followng sectons, we examne several models, each wth dfferent assumptons and constrants, to arrve at the optmal level of securty nvestments S and S. 4. Independent Investments wthout Constrants Our frst model concerns wth the stuaton where the frm evaluates nvestment for each type separately wth no budget constrant, and securty measures deploy to combat Class attacks do not have any effects on Class attacks and vce versa. In other words, the decson on and the mpact of nvestments S and S are completely ndependent of each other. We frst apply (9) to S and S n (5) ndependently to produce the followng boundary condtons: Φ S (0, S ) 0 v ξκl ; (6) Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page /33

13 Φ ( S S,0) 0 v ln v ξκ L. (7) In ths case, we solve for optmal nvestments for Class and Class by takng the partal dervatve of (5) wth respect to one whle holdng the other constant: Φ ( S S *, S ) S = 0, (8) and Φ S ( S, S * ) S = 0. (9) These two frst order condtons yeld the optmal nvestments S * and S *. Wth (4), we get S* = ξvκ L κ + κ ln ln. (0) v ξκ L v ln v A quck comparson between (6) and the ndvdual optmzaton based on Class and Class attack alone (equatons (6) and (8) n Gordon and Loeb, 00) shows that the S* n ths case s the straght sum of the optmal nvestments obtaned by optmzng the utlty functon wth respect to ndvdual attacks separately, whch s to be expected. Equaton (0) s plotted n Fgure 4. From boundary condton (6), we notce that there exsts a lower bound of v for fndng S*. However, n the case of L > L, ths v lower bound can be very small wth large L. Further, the optmal nvestment does not strctly ncrease wth vulnerablty. S* ncreases wth v ntally, starts to drop after certan v, and eventually becomes an strctly ncreasng functon of v when v s large. To summarze, the optmal total nvestment S* n nformaton securty n the case of smultaneous attack, wth no addtonal constrants, becomes nonzero above some Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page /33

14 mnmum vulnerablty v and ncreases wth v thereafter. When v becomes large, S* starts to drop, but eventually becomes a strctly ncreasng functon of v. 5. Independent Investments wth Budgetary Constrant Equaton (0) gves the optmal level when the frm makes decsons on how much to nvestment to protect ts nformaton systems from two classes of ndependent but smultaneous attacks. Ideally the nvestments would be solely determned by system parameters such as v, ξ, and L. In realty, however, a frm s ablty to nvest n nformaton securty, or anythng else for that matter, s lmted by ts budget. That s, a frm may not be able to make certan level of securty nvestment even when t was deemed optmal economcally. Faced wth a budgetary requrement, the frm then has to decde how much of the total securty budget to allocate to Class or Class attack. The total nvestment thus becomes a constrant that represents the budgetary requrement, nstead of a dependent varable (as n (0) and Fgure 4). In ths secton, we examne the optmal allocaton of nformaton securty nvestment among two classes of smultaneous attacks n the exstence of such budgetary constrant. 5.. The Model Assume that the frm has set the total securty nvestment to a fxed amount S. It follows that S + S = S, no matter what the threat or vulnerablty levels are. In other words, S and S are no longer ndependent of each other. In ths case, we rewrte ρ n (3) nto a functon of S by notng that S = S - S : ρ ( S) ξ ξ κ (S S ) + κ S+ κ S = v = v v. () Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 3/33

15 And we also have ρ S = κ ln vξv κ S+ v κ S () and ρ S = κ (ln v) ξv κ S+ v κ S. (3) Substtutng (4) and () nto (), we get ξvκ SL κ S κ S Φ( S) = + ξv( v )L κ S + S. (4) Dfferentatng Φ(S ) wth respect to S, we get Φ S S,L,L, v, ξ ρ = L S ξκvl = ( κ S + ) ρ S L + ξκ ln vl v κ S+ v κ S, (5) The boundary condton (9) requres that (5) s equal to or greater than zero when S = 0. After rearrangng terms, we get L L κ κ S (ln v ) v. (6) κ And ths leads to the followng (proof s omtted): Corollary. In the case of ndependent nvestments to counter the attacks as descrbed by the two breach probablty functons () and (3), the total budget constrant has a lower bound S 0 L = κ ln κ ln v L ln v κ L κ L κ when v < v' = e. (3) s always non-negatve, because lnv s negatve for all v [0,]. Note that, however, ths does not volate the condton for breach probablty (3), because when S ncreases, S actually decreases due to the fxed budget S, so ρ S 0 stll holds. Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 4/33

16 To fnd the optmal nvestment S * (and S * s therefore determned), we set (5) to zero. After rearrangng terms, we get the followng equaton: ( κ S κ * v S * + ) L = L κ (ln v) v κ κ S. (7) We frst note that (7) ndeed yelds the maxmum of Φ(S ), because both ρ 0 S (from (3)) and ρ 0 S (form (3)), Φ S ρ ρ = L L S S 0. (8) We also note that the boundary condton (6) holds for (7), because the left-hand sde of (7) s always smaller than or equal to one: S* v κ * (snce v [0, ]) and ( κ S + ), for all S * > 0. A close examnaton shows that a closed-form S * cannot be obtaned from (7), but some analyses of the absolute value of S * can be done wthout such a soluton. When S ncreases, the L κ rght hand sde of (7) decreases (snce (ln v) > 0), gvng rse to a larger S * n the left L κ hand sde, whch s a strctly decreasng functon of S * for all S * > 0 (snce v [0, ]). That s, when the total budget S ncreases, so does the optmal nvestment S *. Further, snce lnv < 0, κ * v S L. * ( κ S + ) L (9) And because, agan, the left hand sde s a decreasng functon S *, we conclude that, from (9), S * ncreases wth the rato L /L. That s, optmal nvestment S * s hgher when the potental loss L s hgher relatve to the potental loss L. To summarze, when a frm faces two smultaneous attacks, the absolute value of the optmal securty nvestment aganst one of the Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 5/33

17 attacks ncreases wth the total securty budget, as well as wth the ncrease of the relatve potental loss of that attack to that of the other one. 5.. Computatonal Results Of partcular nterest n (7) s how the frm would allocate securty nvestments gven a budgetary constran. Because no closed-form soluton s possble, we use numercal analyss to examne the optmal nvestment allocaton to Class attack, as represented by S */S (and allocaton to Class attack, S */S, s thus determned). In ths secton, we compute and graph S */S wth respect to four parameters of nterest, namely the total securty budget S, the system vulnerablty v, rato of nvestment effectveness κ and κ, and the rato of potental loss L and L. The frst set of numercal analyss examnes how S */S vares wth v, the ntrnsc system vulnerablty. We fx κ, κ, L, L, and S, and run a seres of v values to obtan the rato S */S. Fgure 5 shows the result of S */S vs. v for three dfferent sets of potental loss values (L = L = $M; L = $M and L = $M; L = $M and L = $M), whle fxng κ = κ = and S = $00,000 (as 5% of ether L or L ). We can see that, for each combnaton of L and L, S */S ncreases wth v between a mnmum v where S * remans zero and a maxmum v where S */S approaches 00%. Further, the relatve sze of L shfts the curve to the left. The computatonal result n Fgure 5 s readly understood when compared wth the result of the sngle-event model presented by Gordon and Loeb (00) as well as the ndependent model n Secton 4. When attacks are consdered separately, optmzed nvestment for Class starts at a hgher v than that for Class. However, the latter drops off to zero when v gets large, whle the former contnues to ncrease wth v. Therefore, when the total nvestment s fxed, the Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 6/33

18 optmal allocaton would shfts gradually from Class to Class wth ncreasng vulnerablty. And when Class attack takes on more mportance (as represented by the relatve sze of L vs. L ), ths shft from Class to Class happens at a lower v (thus coverng a broader range of v). As a summary, when a frm faces two smultaneous attacks wth a fxed total securty nvestment budget, the frm should optmally allocate all of ts nvestment to Class when the system vulnerablty s low, gradually ncreases, and eventually allocates all, ts nvestment to Class. Wth larger potental loss due to Class attack vs. that from the Class attack, the range of vulnerablty where the optmal nvestment allocated to the former s wder (.e., starts at a smaller vulnerablty). Next, we examne how S */S vares wth L /L, by fxng S, v, κ, and κ. Fgure 6 shows the result of one such set of computaton, where we fx κ = κ = , v = 0.4, and L = $M whle recordng the relatonshp S */S vs. L /L by varyng L for S = $00,000 (5% of L ) and S = $500,000 (.5% of L ). The result confrms the observaton n Secton 5. that S * ncreases wth the rato L /L for a fxed S. We further note that for the curve wth small S (S=5% of L ), S * starts to become nonzero when L s about half of L and takes all of the budget S when L reaches twce as much as L. The curve of larger S (S =.5% of L ), on the other hand, s smoother and over a larger range of L /L. In other words, the shft of allocaton from nvestng aganst one class of attack to the other occurs at a hgher relatve loss and ncreases faster when the total budget s smaller. Our next numercal analyss focuses on how the effectveness of securty nvestment, represented by κ and κ, affects the allocaton of nvestment. Ths s done by leavng all other parameters (S, L /L, and v) constant whle varyng κ /κ. Fgure 7 shows the result of ths calculaton for L = L = $M, v = 0.4, and S = $00,000 (5% of L) and S = $500,000 (.5% of Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 7/33

19 L). Intally, allocaton to Class I (as represented by S */S) ncreases quckly wth κ /κ ; that s, S * s share of the total nvestment grows as the effectveness of S n reducng ρ vs. S s effectveness n reducng ρ ncreases. However, after κ /κ reaches certan level, the share of S * starts to decrease, albet slowly. In other words, when a frm nvests a fxed amount of budget aganst two smultaneous attacks, allocaton to nvestng n protectng aganst one class of attack ncreases wth the effectveness of such nvestment vs. that of the nvestment n the other class. When the relatve effectveness reaches a certan level, however, the allocaton of nvestment starts to shft towards the less effectve class. Ths result can be nterpreted as follows. Intally, when κ /κ s very small, nvestng n measures aganst Class attack s smply too neffectve, resultng n a zero allocaton to t. S * starts to become postve after certan level of κ /κ ; wth ncreasng κ /κ, the optmal allocaton to S * ncreases to capture the ncreasng relatve effectveness of nvestment n Class. Here, smlar to the case of S */S vs. L /L for the reason of nvestment effcency, the mnmum level of κ /κ for S * to become nonzero and the rate of ncrease thereafter are hgher for small S. As κ /κ crosses certan level, S * starts to decrease wth ncreasng κ /κ, sgnalng that the gan n ncreasng effectveness has peaked. When ths happens, the optmal allocaton starts to shft more towards Class. Our last, but arguably the most nterestng, analyss s focused on the optmal allocaton among S * and S * at dfferent levels of budgetary constrant S. From Secton 5., we know that S * ncreases wth S. A quck glance at (7) leads one to suspect that when the total securty budget S goes up, the optmal allocaton to Class attack also ncreases: For a fxed L L κ κ (ln v), the rate of ncrease of S * s hgher than the rate of ncrease of S, because the value of the left hand sde of (7) s offset by the denomnator ( κ + for all S * > 0. * S ) Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 8/33

20 However, ths observaton may not hold true for all S at vared combnatons of all other parameters, n partcular v, κ, and κ, because of the presence of S n the exponent on the rght hand sde as well as the boundary condton (6). We therefore perform numercal analyss on (7) to uncover the effect of the budgetary constran S on the optmal allocaton to S *. Two sets of the computatonal results are presented n Fgures 8 and 9, where S */S, the optmal allocaton to Class attack, s plotted aganst S/L, the normalzed budget constrant, n a famly of so-vulnerablty curves. In Fgure 8, wth κ = , κ = , L = $M, and L = $3M, those curves are all concave and ncreasng, mplyng that the percentage allocated to S * ncreases, albet at a decreasng rate, wth S. Also, both the value and the slope of S */S s hgher for larger v, mplyng that the allocaton to S * ncreases wth v for any gven S. These results are consstent wth both the above observaton of (7) and earler result wth respect to v. However, Fgure 9, where we set κ = κ = and L = L = $M, shows a dstnctvely dfferent behavor of S */S vs. S/L. At small v, the so-vulnerablty curves are concave and ncreasng, smlarly to those n Fgure 6. When v become suffcently large, however, the so-vulnerablty curves become U-shape. That s, for v greater than some nflecton pont v, S */S s convex and non-ncreasng n S/L : at small S, S * s share decreases wth ncreasng total nvestment, and approaches 00% when S 0; for large S, optmal allocaton S I * ncreases wth the total nvestment, and approaches 00% when S becomes large. And throughout all levels of total nvestment, S I * s share never approaches 0. From the modelng perspectve, the dstnctve behavor can be partally explaned by L κ Corollary. For any gven κ, κ, L, and L, S has a lower bound when v < v' = e, hence the lower curves n Fgure 9. When v > v, S no longer has lower lmt, and the curves cover the L κ Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 9/33

21 whole range of S. ( v ' = e n Fgure 9.) However, when L L κ κ becomes large L κ enough such that ' = L κ v e >, the lower bound S 0 exsts for all v [0,], and all the sovulnerablty curves behave lke those n Fgure 8. In summary, our computatonal result shows that under most crcumstances (e.g., Fgure 8 and part of Fgure 9), the optmal allocaton to Class ncreases wth total securty budget. However, when the potental loss from Class attack s suffcently small compared to that from the Class attack, and when the system vulnerablty s suffcently large, optmal allocaton to protectng aganst Class attack approaches 00% when the total nvestment constrant s very small, decreases and then ncreases wth ncreasng S, and approaches 00% wth large budgetary constrant. 6. Dscussons and Conclusons So far, the analyses have been strctly based on the mathematc propertes of the models. In the secton, we attempt to lnk the modelng results to practce, hopng to gan nsght nto the management of nformaton securty nvestment. In the case of ndependent nvestments wth no budgetary constrants, our analyss shows two nterestng characterstcs. Frst, there exsts a mnmum vulnerablty below whch nvestment s zero. Ths tolerance threshold for not nvestng s much lower, as can be expected, when breaches from targeted attacks would cause large losses. The second characterstc s the drop n total nvestment beyond a specfc vulnerablty. In practce, beyond ths level of vulnerablty, t may be more benefcal for the frm to concentrate on recovery from the losses (such as mantanng system ntegrty, ensurng busness contnuance or mtgatng lablty ncurred) than on nvestment to defend aganst vulnerablty. Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 0/33

22 When the total budget s lmted, the absolute level of nvestment to protect aganst a specfc type of attack ncreases as the potental loss from type of attack ncreases or when the total budget ncreases. Ths s an expected reacton. And when we consder the relatve loss between targeted and dstrbuted attacks, we fnd that frms could start shftng nvestment allocaton from protectng aganst dstrbuted attacks to protectng aganst targeted attacks as the loss assocated wth the latter ncreases. As can be expected, such shfts begn to occur at lower vulnerabltes when the losses from targeted attacks are greater. Ths can be nterpreted as smply a case of placng more nvestment to protect aganst the greater loss. The nterestng outcome of the analyss, however, s that the fxed budget can very quckly get absorbed n protectng aganst targeted attacks wth slght ncreases n vulnerablty, exposng the frm to dstrbuted attacks wth non-zero potental losses. Further, when the total nvestment s small, the shft of allocaton from protectng aganst one threat to another s qucker. Ths result can be understood from the perspectve of the effectve use of nvestment: When the total budget s small, t may be better off for the frm to concentrate the nvestment n one class of attack when the other class poses relatve low rsks (.e., when L /L s small); but when the latter does mpose enough threat (as demonstrated by large enough L /L ) to justfy a dverson of funds from the frst one, allocaton goes up quckly, because a small porton of the already small total may not produce much effect. We also fnd that the nvestment allocaton to securng aganst targeted attacks ncreases wth an ncrease n the relatve effectveness of that nvestment. Ths s a reasonable response n any frm. However, our analyss also shows that beyond a certan level of ncreased relatve effectveness, allocaton of nvestment n that category peaks and then reduces relatve to the allocaton n the other category, mplyng that nvestment n the former s so effectve that less Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page /33

23 allocaton s needed to acheve some requred level of securty. It s also nterestng to note that for smaller total budgets, the peak allocaton for protectng aganst targeted attacks occurs at a hgher relatve effectveness and a greater share of total budget. Ths result can sgnal the presence of a crtcal mass of nvestment for protectng aganst targeted attacks, rrespectve of the nvestment effectveness. The observaton of the optmal allocaton wth respect to the sze of budget constrant has nterestng practcal mplcatons. Under most crcumstances, when a frm faces both dstrbuted and targeted attacks, the percentage allocated to protectng aganst the latter goes up wth ncreasng securty budget. Ths can be understood from the fact that dstrbuted attacks are, n general, less sophstcated and stopped more effectvely wth relatvely low amount of securty nvestments. Thus, when the budget s small, t s more effectve to allocate the bulk of t to dstrbuted attacks; and wth an ncreased securty budget, more allocaton would go to targeted attacks. However, when the potental loss from targeted attacks s suffcently large, the frm wth a large nformaton systems vulnerablty and a very small securty budget would cast all securty nvestments aganst targeted attacks. It would gradually reduce the allocaton percentage wth ncreasng budget, but eventually start ncreasng the allocaton ultmately to 00%. When vulnerablty s large, the rsk from targeted attack s hgh and very real (due to hgh potental rsk), and allocatng the bulk of the securty budget would make sense even when t s very small. And the budget becomes larger, dstrbuted attack gets ts own share of nvestment, and the allocaton curve exhbts behavor common to other stuatons. In ths study, we analyze the securty nvestment decson for a frm facng multple attacks wth the help of economc modelng. Our results, n partcular, offer nsghts nto how a decson maker should allocate securty nvestment budget at varous levels of systems Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page /33

24 vulnerablty, relatve potental loss, nvestment effectveness, and total budget. As wth all models, a number of assumptons are made to make our model manageable but may lmt ts applcablty to practce. For nstance, we follow a prevous study n assumng that the frm s rsk-neutral (Gordon and Loeb, 00), whle, n realty, many decson makers can be regarded rsk-averse. Also, our model assumes that the securty nvestments to counteract the two classes of attacks are ndependent of each other, whle, n realty, securty measures taken to prevent one class of attack may help prevent another class of attack. Future studes that relax these and other assumptons, as well as emprcal verfcatons of the modelng results, can help advance ths stream of research. References AT&T (004). Network securty: Managng the rsk and opportunty. AT&T Pont of Vew, July 004, -. Carr, N. G. (003). IT Doesn t Matter. Harvard Busness Revew, 8(5), 4-49 CSO (005). 005 E-Crme Watch Survey: Summary of Fndngs. Framngham, Mass.: CSO Magazne. Fegenbaum, A., and Thomas, H. (988). Atttudes toward rsk and the rsk-return paradox: Prospect theory explanatons. Academy of Management Journal, 3(), Gordon, L.A., and Loeb, M.P. (00). The Economcs of Informaton Securty Investment. ACM Transactons on Informaton and Systems Securty, 5(4), Gordon, L.A., Loeb, M.P., Lucyshyn, W., and Rchardson, R. (005). 005 CSI/FBI Computer Crme and Securty Survey. Computer Securty Insttute. Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 3/33

25 Huang, C.D., Hu, Q., and Behara, R. (005a). In search for optmal level of nformaton securty nvestment n rsk-averse frms. Proceedngs of the Thrd Annual Securty Symposum, Tempe, Arzona, September 8-9. Huang, C.D., Hu, Q., and Behara, R. (005b). Investment n nformaton securty by a rskaverse frm. Proceedngs of the 005 Softwars Conference, Las Vegas, Nevada, December 0-. Jegers, M. (99). Prospect theory and the rsk-return relaton: Some Belgan evdence. Academy of Management Journal, 34(), 5-5. Kaas, R., Gavaerts, M., Phaene, J., and Dennt, M. (00). Modern Actuaral Rsk Theory, Boston, Mass.: Kluwer Academc Publshers. Ogut, H., Menon, N., and Raghunathan, S. (005). Cyber Insurance and IT securty nvestment: Impact of nterdependent rsk. Proceedngs of the Workshop on the Economcs of Informaton Securty (WEIS05), Kennedy School of Government, Harvard Unversty, Cambrdge, Mass., June -3. Power, R. (003). 003 Global Securty Survey, Delotte Touche Tohmatsu. Accessed on March 7, 003, onlne at Schechter, S.E. (005). Toward econometrc models of the securty rsk from remote attacks. IEEE Securty & Prvacy, 3(), Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 4/33

26 Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 5/33

27 t Securty breach probablty ρ t κ S + Class II Class I 0 Vulnerablty v Fgure. Securty breach probablty functons vs. v Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 6/33

28 vt Securty breach probablty ρ Class I Class II 0 Securty nvestment S Fgure 3. Securty breach probablty functons vs. S Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 7/33

29 L > L Optmal Investment S* L < L L = L 0 Vulnerablty v Fgure 4. Optmal Informaton Securty Investment vs. v, Independent Investments wth No Addtonal Constrants Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 8/33

30 Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 9/33

31 Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 30/33

32 Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 3/33

33 Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 3/33

34 Huang, Hu, Behara (The Ffth Workshop on the Economcs of Informaton Securty) Page 33/33