Presentation is loading. Please wait.

Presentation is loading. Please wait.

Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College Information Security and IT Risk Management in the Real World:

Similar presentations


Presentation on theme: "Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College Information Security and IT Risk Management in the Real World:"— Presentation transcript:

1

2 Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College Information Security and IT Risk Management in the Real World: Results From Field Studies

3 What We Study Risks firms face as a result of using the information infrastructure to manager their extended enterprise - How firms make InfoSec investment decisions - Emergent risk from business networks - Privacy

4 Our Field Studies: Methods Investigate a ‘host’ firm and a few suppliers of different sizes. At each firm conduct interviews to determine: - How InfoSec investment decisions are made. - How reliant the firm is on the information infrastructure for its ability to produce product. Understand the means by which the host and suppliers communicate to gauge the internal IT risk due to integration. Host Supplier SuSu Field Study

5 Field Study Sector Coverage Field Study

6 Key Results From Field Studies Field Study Four Main Paradigms To Managing/Investing in Information Security: The “Sore Thumb” Paradigm The “IT Risk” Paradigm The “Business Risk” Paradigm The “Systemic Risk” Paradigm

7 Key Results From Field Studies Field Study Four Main Paradigms To Managing/Investing in Information Security: The “Sore Thumb” Paradigm The “IT Risk” Paradigm The “Business Risk” Paradigm The “Systemic Risk” Paradigm Low/No Economic Role High Economic Role

8 Key Results From Field Studies Field Study Firms Are Mainly Taking A Local View of Information Security Risk in supply chain glitches, leading to business sector brittleness Hypothesis: Firms managing risk in the extended enterprise will directly lead to greater sector resiliency

9 Key Results From Field Studies Field Study Local vs. Sector Views of Information Security

10 Key Results From Field Studies Field Study Firms Are Mainly Taking A Local View of Information Risk

11 Key Results From Field Studies Field Study Firms Are Mainly Taking A Local View of Information Risk

12 Key Results From Field Studies Field Study Firms Are Mainly Taking A Local View of Information Risk

13 Key Results From Field Studies Field Study Notable Incentives/Drivers For InfoSec Investment: Customer requests - firms are very responsive Government regulation - have to do it, but firms feel largely ineffective Brand protection Insurance - in unexpected ways

14 Conclusion Field Study Latent Market Forces Exist Proper Government Role: Create Markets Through Increasing Transparency Key Challenge: Enabling Investment Against Intangible, Never- Happened-Before Risks

15

16 Production resilience to cyber disruptions Manufacturing sector: In general, production not sensitive to internet outages; supply chain sensitive to internet outages. Field Study Once beyond first tier of suppliers, reliance on information infrastructure to manage supply chain is low Electrical BU supply chain has ‘learned behavior’ - High-volume supply relations have extensive forecasting - Everyone would do the expected thing - Pain comes in distribution Auto BU- centralized control strategy leads to lack of learned behavior

17 Production resilience to cyber disruptions Time Productivity 100% 0% Start of recovery 10-day auto supplier internet event 10-day oil refiner SCADA event 10-day electrical supplier internet event Field Study

18 q o = A * q i + c * Terrorist Attack c* Inoperability q A :=Technical Coefficient Matrix calculated from U.S. Bureau of Economic Analysis data Production x Consumption c Leontief Model Inoperability I-O Model (IIM) x o = Ax i + c A* := Interdependency Matrix Input-Output Model

19 Ripple Effects Disruptive Event Sector A Sector B Sector n Sector A Sector B Sector n Sector A Sector B Sector n Sector A Sector B Sector n Input-Output Model

20 Refiner represents 10% of national capacity Integrated loss of 10-day event: $405 Million Manufacturer represents 5% of national capacity Integrated loss of 10-day event: $22.6 Million Manufacturer represents 5% of national capacity Integrated loss of 10-day event: $65 Million Economic Costs of Cyber-events

21 10 days of U.S. GDP: ~ 330,000 MM

22 Take-Aways The first demonstration of an empirically-based approach to estimating national economic consequences of cyber events The economic costs of the cyber events investigated may not be that great from a sector and national perspective. For the sectors presented (Manufacturing, Oil Refining), supply chains are largely resilient to cyber disruptions. Economic consequences due to cyber events depend on how, not whether firms use technology.

23

24 Incentives What is an incentive? Example: UK/US ATM regulations Example: Attendee badges at RSA Security conference Example: The “Commons” Example: Stop Signs

25 Incentives - Information Security Home Users - What are they motivated to do? - Privacy - not necessarily important - Use of machine - is important - Result: no real incentive to protect machine until something bad happens - Bad things: - Assimilation by Bot network; Spam generator - Spyware/virii: machine becomes ever more unstable

26 Incentives - Information Security Business Users - What are they motivated to do? Make Money! (rational market assumption)

27 Economic Costs - Information Security Economic Costs of Cyber Events:

28 InfoSec Adoption by Firms In a rational market, firms will maximize profit. After Gordon and Loeb 2002

29 This ‘Optimal Spending’ approach requires: -Titration of cyber losses and cyber spending - Some idea of what effect cyber spending has on cyber losses - A good idea of the threat environment in which the firm lives What are the incentives felt by directors of information security? InfoSec Adoption by Firms

30 Drivers of Adoption of InfoSec InfoSec Adoption by Firms

31 Drivers of Adoption of InfoSec - Inputs Baseline level of InfoSec based on: - Experience - Input from trusted colleagues - External Consultants - Trade mags/ other press Beyond baseline level, firms respond mainly to: - Customer requests/questionnaires - Government regulation InfoSec Adoption by Firms

32 Drivers of Adoption of InfoSec - Prioritization How were InfoSec recommendations prioritized, and received by decision-makers? At InfoSec manager’s level, InfoSec “wants” prioritized by: - Cost - Exposure - Internal pain InfoSec Adoption by Firms

33 Drivers of Adoption of InfoSec - Outcomes Making the leap from InfoSec manager to business managers, we found: - InfoSec not an important issue - InfoSec efforts largely reactive and tactical - ROI measures mainly qualitative; investments seemingly made to eliminate all InfoSec incidents (not explicitly to minimize total costs) - Most impressive firm didn’t even have the conversation. InfoSec Adoption by Firms

34 Drivers of Adoption of InfoSec - Outcomes Managing Risk - always implicit, was never explicit Info on threats - same as inputs Info on probabilities came from: - History - Industry pubs - Gartner/Meta/etc. - Gut - “Al” - Tech Republic Info on costs of attacks came from: -Gut InfoSec Adoption by Firms

35 Drivers of Adoption of InfoSec All firms thought of InfoSec as an expense Most thought of InfoSec as a qualifier, even though none had any InfoSec requirements of their business partners Few gave examples of InfoSec as a competitive advantage InfoSec Adoption by Firms

36 Summary: 4 Paradigms for InfoSec Risk Management: -The ‘Sore Thumb’ Approach -The ‘IT Risk’ Approach -The ‘Business Risk’ Approach - The ‘Systemic Risk’ Approach In most business sectors, InfoSec is not a technical challenge, but a social/organizational challenge InfoSec Adoption by Firms

37 Incentives - Information Security Government/National Level - What are they motivated to do?

38 Incentives - Information Security Government/National Level

39 Incentives - Information Security Government/National Level

40 Incentives - Information Security Government/National Level Freeman Drivers: - Market Forces - Government Regulation - Litigation - Government Spending

41 Incentives - Information Security Intellectual Property loss - the real worry?

42 Incentives - Information Security Government/National Level Effects on Production of a 10-day Internet Outage at an Electrical Goods Manufacturer

43 Incentives - Information Security Government/National Level Total Economic Effects on Production of a 10-day Internet Outage at an Electrical Goods Manufacturer - $22.6 Million

44 Managing Cyber Risk Globally KnownGlobally Unknown Locally Known Locally Unknown Viruses Web Site Defacement Phishing Other OS bugs OS bugs ? ? ? (Phishing) Best practicesApplied Research Education Basic Research

45 Managing Cyber Risk Reactive IS Globally KnownGlobally Unknown Locally Known Locally Unknown Viruses Web Site Defacement Phishing Other OS bugs OS bugs ? ? ? ImplementWait for patch --- Unprepared when something happens

46 Managing Cyber Risk Proactive IS Globally KnownGlobally Unknown Locally Known Locally Unknown Viruses Web Site Defacement Phishing Other OS bugs OS bugs ? ? ? Implement Listen, work to mitigate outcomes --- Watch, try to ID bad outcomes

47 Managing Cyber Risk: Mind The Gap: Manufacturer: Manager of InfoSec wants to patch critical vulnerability. Business manager would rather risk infection of machines and close the quarter. Oil refinery: Manager of InfoSec wants better SCADA security; VP refining: “How is more SCADA security going to help me make better oil?” Hospital: IS thinks virus event was mainly an IS event and had minor impact on clinical units; clinical unit manager : “It was a living hell” Most every InfoSec manager: information security is not a priority with business managers.

48


Download ppt "Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College Information Security and IT Risk Management in the Real World:"

Similar presentations


Ads by Google