Presentation is loading. Please wait.

Presentation is loading. Please wait.

Center for Risk Management of Engineering Systems University of Virginia Linking the Economics of Cyber Security and Corporate Reputation Barry Horowitz.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Center for Risk Management of Engineering Systems University of Virginia Linking the Economics of Cyber Security and Corporate Reputation Barry Horowitz."— Presentation transcript:

1 Center for Risk Management of Engineering Systems University of Virginia Linking the Economics of Cyber Security and Corporate Reputation Barry Horowitz University of Virginia January 19 th, 2007 Reverse Engineering of Rationale for Decisions

2 Center for Risk Management of Engineering Systems University of Virginia 2 Outline Reverse Engineering Concept Breach Disclosure Laws Impetus for Research Methodology Results Conclusions

3 Center for Risk Management of Engineering Systems University of Virginia 3 Reverse Engineering Actual Decisions Multi-Objective Analytical Model for Decision Support Implied Values of the Decision Makers Uses of Reverse Engineering Results Provide decision-makers an opportunity to reconsider Evaluate the values of others (competitors, adversaries, constituents)

4 Center for Risk Management of Engineering Systems University of Virginia 4 Economics of Cyber Security New Technologies = New Risks Evolution of various cyber attacks –Short-term Disruptions: Denial of Service Attacks Viruses Worms –Long-term Disruptions: Loss of Reputation Loss of Intellectual Property Legal Liability Substantial Internet Infrastructure Outages

5 Center for Risk Management of Engineering Systems University of Virginia 5 Breach Disclosure Laws Growth of e-commerce sector and companies’ growing dependence on the internet and digitized data has garnered attention to cyber security A newspaper article publicizing a cyber security breach can: –Damage reputation –Damage consumer confidence –Damage supply chain relations –Lower revenues Companies invest to minimize the probability of being highlighted in a news article by: –Increasing cyber investment –Keeping cyber breaches & corresponding impacts secret Prior to 2003 - no laws enacted requiring security breach reporting

6 Center for Risk Management of Engineering Systems University of Virginia 6 Breach Disclosure Laws Recent events have led to a movement on the state and national level towards mandating companies to report on cyber breaches –California Security Breach Notification Law (July, 2003) – first state to enact legislation that requires any company operating within the state to report any compromise of private information to the affected parties –ChoicePoint Security Breach (February, 2005) – company announced that it had unwittingly sold the personal information of at least 145,000 Americans to identity thieves in 2004

7 Center for Risk Management of Engineering Systems University of Virginia 7 Federal Legislation No direct mention of breach notification requirements, but gives authority to create them Gramm-Leach-Bliley Act –Requires financial institutions to protect the security and confidentiality of their customers’ nonpublic personal information Health Insurance Portability and Accountability Act (HIPAA) –Require health plans and health care providers to take appropriate safeguards to ensure the integrity and confidentiality of health information Sarbanes-Oxley Act (SOX) –Authorizes the SEC to prescribe regulations requiring companies to report on the assessment of the security of information technology

8 Center for Risk Management of Engineering Systems University of Virginia 8 State Legislation 34 states currently have legislation enacted –California enacted legislation in 2003, other states follow by 2005 2003: 1 2004: 0 2005: 11 2006: 17 2007: 5 (1/07) Laws require responsible parties to report the breach to affected party and in some cases: –identify the likelihood of harm –offer assistance in limiting potential harm Out of the 34 states that have enacted legislation –27 state laws apply to businesses within the state –14 state laws apply to state agencies –1 state law applies to insurers

9 Center for Risk Management of Engineering Systems University of Virginia 9 Breach Disclosure Laws Impetus for Research Methodology Results Conclusions

10 Center for Risk Management of Engineering Systems University of Virginia 10 Bi-Products of Legislation Bi-product of change in breach reporting - visibility to the press Given that the press has interest in reporting cyber breaches, this gives visibility to the public Thus, a company’s reputation now can be impacted in a manner that it hasn’t been in the past

11 Center for Risk Management of Engineering Systems University of Virginia 11 Research Questions Question Raised - How will companies invest in cyber security given its impact on their reputation and corresponding impacts on their revenues and profits? We would like to understand: –How reporting laws could effect companies’ actions with regard to cyber security investments –The differences between various industries regarding how they relate cyber security investments and protecting their reputation: Example: A bank would be more concerned with protecting its reputation and bolstering customer confidence through heightened cyber security than a manufacturing company.

12 Center for Risk Management of Engineering Systems University of Virginia 12 Breach Disclosure Laws Impetus for Research Methodology Results Conclusions

13 Center for Risk Management of Engineering Systems University of Virginia 13 Methodology - Model

14 Center for Risk Management of Engineering Systems University of Virginia 14 Methodology - Assumptions β = current observed annual probability of a security breach being publicized, no differentiation among companies in the same sector The added cyber security investment is made in the hope that the probability of a publicized cyber attack will be reduced to zero (α=0) The value of K 2 is the same from one company to another –Treat this in a manner similar to insurance Rates are risk-based Rates are the same from buyer to buyer when the risks are the same Investment decisions are made on expected value analyses that compare costs with potential consequences of successful attacks

15 Center for Risk Management of Engineering Systems University of Virginia 15 Methodology - Variables β: # Companies (>5000 Employees) with Publicized Cyber Breach # Companies (>5000 Employees) in Industry –# companies with publicized cyber breach determined from online databases of published newspaper articles –# companies in industry determined from Census Bureau data C: (% Revenue Spent on IT) * (% IT Spent on Cyber Security) –Percentages determined from Forrester Group reports PM: –Financial data taken from Yahoo Finance and Morningstar.com

16 Center for Risk Management of Engineering Systems University of Virginia 16 Methodology - Variables K 1 : –Representation of how a company is concerned about its reputation with respect to its cyber security spending –K 1 ratio quantitatively shows how much one industry believes cyber security has an impact on its reputation compared to another K 2 : –Assume equal from company to company - K 2 ratio = 1 V: –Likely correlation with K 1 ratio –If companies have different revenues at risk and one has a sense of it, it can be plugged into the equation

17 Center for Risk Management of Engineering Systems University of Virginia 17 Methodology Three industries compared: –Finance Bank, Insurance, and Credit Sectors –Retail –Manufacturing Three sets of results: –Reputation-based financial loss due to a news article: Independent of the details of the breach When breach impacts customers for the company’s products When breach impacts company employees & supply chain partners β ’s calculated for period between October 1, 2005 and September 30, 2006

18 Center for Risk Management of Engineering Systems University of Virginia 18 Breach Disclosure Laws Impetus for Research Methodology Results Conclusions

19 Center for Risk Management of Engineering Systems University of Virginia 19 Results – β’s

20 Center for Risk Management of Engineering Systems University of Virginia 20 Results – K 1 Ratios

21 Center for Risk Management of Engineering Systems University of Virginia 21 Results – V Ratio Ind Var

22 Center for Risk Management of Engineering Systems University of Virginia 22 Results - Interpretations Unbiased Reader –β Finance:.0648 Retail:.0111 Manufacturing:.0110 –K 1 ratios Finance allocates 6.72 and 3.37 times more than retail and manufacturing Manufacturing industry allocates twice as much as retail

23 Center for Risk Management of Engineering Systems University of Virginia 23 Results - Interpretations Customers –No data for manufacturing – combined manufacturing and retail for analysis –β Finance:.0605 Retail:.0093 Retail & Manufacturing:.0043 –K 1 ratios Finance allocates 7.52 times more than retail Finance allocates 11.01 times more than retail and manufacturing combined –Financial institutions most concerned with reputation with customers –Retailers more with customer reputation than manufacturers Retailers work more directly with customers, depend more on customer trust

24 Center for Risk Management of Engineering Systems University of Virginia 24 Results - Interpretations Supply Chain –β Finance:.0086 Retail:.0019 Manufacturing:.0110 –K 1 ratios Manufacturing allocates 11.95 and 2 times more than retail and finance, respectively Finance allocates 5.37 times more than retail –Manufacturers are willing to invest more to protect reputation with their partner companies and employees Depend greatly on supply chain partners Customers of manufacturers are often other companies

25 Center for Risk Management of Engineering Systems University of Virginia 25 Breach Disclosure Laws Impetus for Research Methodology Results Conclusions

26 Center for Risk Management of Engineering Systems University of Virginia 26 Conclusion - Results This is one analysis, but others could be conducted… –Example: different results likely from an analysis of reputation effects of policies concerning intellectual property protection Results support the claims that: –A financial institution has greater concern about protecting against reputation-based financial loss due to publicized security breaches than a retailer or manufacturer –Closer to end customers → care more about negative publicity than suppliers to those companies Policy makers should take into account the likelihood that different sectors will have different responses to certain policies

27 Center for Risk Management of Engineering Systems University of Virginia 27 Future Work –Bringing in time as a Variable Reputation-based financial effects seen as a function of time: –the actual attacks –the reporting of those attacks by law –the reporting of those attacks by the media Policy makers must be wary of companies covering up security breaches Evaluating the alternatives of avoiding reporting and adding security Assume companies cannot control the media Can only reduce effects by: –Decreasing probability of an attack –Decreasing probability of an attack becoming visible to the public Reducing visibility < reducing the probability of an attack? Evaluating the behavior of the press as reported cases increase over time

28 Center for Risk Management of Engineering Systems University of Virginia 28 Addressing Lack of Data We try to understand decision-making even though we lack fundamental data: –Specific cyber security investments –Cyber attacks –Cyber attack financial effects Using reverse engineering, we make inferences from limited available financial data, news articles, and prior research and data collection efforts We hope our study encourages future research efforts related to reverse engineering of decisions, and that more innovative ideas emerge that can work around data limitations

Download ppt "Center for Risk Management of Engineering Systems University of Virginia Linking the Economics of Cyber Security and Corporate Reputation Barry Horowitz."

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
Cyber Security and Data Protection Presented by Mrs Drudeisha Madhub (Data Protection Commissioner ) Tel:+230 201 36 04 Helpdesk:+230.

Cyber Security and Data Protection Presented by Mrs Drudeisha Madhub (Data Protection Commissioner ) Tel: Helpdesk:+230.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
THE ROLE OF THE ACTUARY IN THE ECONOMY

THE ROLE OF THE ACTUARY IN THE ECONOMY
CSI 2005 Computer Crime Survey Put together by J. Scott, 2006 Using Graphics and Text from the Published CSI/FBI 2005 Crime Survey.

CSI 2005 Computer Crime Survey Put together by J. Scott, 2006 Using Graphics and Text from the Published CSI/FBI 2005 Crime Survey.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
8 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder Audit Planning and Analytical Procedures Chapter 8.

8 - 1 ©2006 Prentice Hall Business Publishing, Auditing 11/e, Arens/Beasley/Elder Audit Planning and Analytical Procedures Chapter 8.
The costs and benefits related to cyber security breaches Chapter 3 – Gordon & Loeb.

The costs and benefits related to cyber security breaches Chapter 3 – Gordon & Loeb.
Brief Synopsis of Computer Security Standards. Tenets of Information Systems Security Confidentiality Integrity Availability Over the years, standards.

Brief Synopsis of Computer Security Standards. Tenets of Information Systems Security Confidentiality Integrity Availability Over the years, standards.
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Security Controls – What Works

Security Controls – What Works
Audit Planning and Analytical Procedures Chapter 8.

Audit Planning and Analytical Procedures Chapter 8.
E-Commerce: Legal and Practical Issues Legal Issues: Security – December 2, 2005 Stephen M. Foxman Philadelphia.

E-Commerce: Legal and Practical Issues Legal Issues: Security – December 2, 2005 Stephen M. Foxman Philadelphia.
Security of Computerized Medical Information: Threats from Authorized Users James G. Anderson, Ph.D. Purdue University.

Security of Computerized Medical Information: Threats from Authorized Users James G. Anderson, Ph.D. Purdue University.
Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.

Are Large Scale Data Breaches Inevitable? Douglas E. Salane Center for Cybercrime Studies John Jay College of Criminal Justice Cyber Infrastructure Protection.
The ChoicePoint Attack – Case Study. Team F Susan Crowley Nafisah Hunter Beata Kolodziej Ingrid Macias Toni Steiner Maria Velasco.

The ChoicePoint Attack – Case Study. Team F Susan Crowley Nafisah Hunter Beata Kolodziej Ingrid Macias Toni Steiner Maria Velasco.
The Accountant’s Role in the Organization

The Accountant’s Role in the Organization
IT Security Challenges In Higher Education Steve Schuster Cornell University.

IT Security Challenges In Higher Education Steve Schuster Cornell University.
Auditing II Unit 1 : Audit Procedures Unit 2: Audit of Limited Companies Unit 3: Audit of Government Companies.

Auditing II Unit 1 : Audit Procedures Unit 2: Audit of Limited Companies Unit 3: Audit of Government Companies.

Similar presentations

Ads by Google