
Economic Models & Approaches in Information Security for Computer Networks Authors: P. Souras et al. Submission: International Journal of Network Security.


1 Economic Models & Approaches in Information Security for Computer Networks
Authors: P. Souras et al.
Submission: International Journal of Network Security
Reporter: Chun-Ta Li

2 Outline
– Introduction
– Networks & Security
– Risk Management
– Financial Approaches in Information Security
– Return on Security Information
– Conclusion
– Comments

3 Introduction
An organization consists of logical and physical assets that can be grouped into smaller elements [Wei 2001].

4 Introduction (cont.)
An information security system provides:
– Protection from unauthorized access
– Protection of information from integrity flaws
– Detection and correction of information security breaches
The potential decrease in market value due to IT security breaches involves both tangible and intangible assets:
– Tangible: loss of productivity, cost of system repair, insurance
– Intangible: loss of reputation, reduction in brand value, legal implications

5 Introduction (cont.)
Key issues in this paper:
– Economic models
   – Evaluation of an information security investment
   – Calculating information security risk
      – Annual Loss Expectancy (ALE)
      – Cost To Break metric
– Setting the rules for the calculation of the Return on Information Security

6 Networks & Security
Organizations typically employ multiple security technologies:
– Firewalls
– Intrusion Detection Systems (IDS)
Three basic services provided by cryptography:
– Bulk encryption, message authentication, data integrity
Three types of cryptographic systems:
– Totally secret systems (the algorithm itself is kept secret), public algorithms with secret keys, public key systems

7 Networks & Security (cont.)
Possible attacks against encrypted data:
– Calculation of the password (exhaustive key or password guessing)
– Dictionary attack
– Packet modification
– Replay attack
– Evil twin (man-in-the-middle)

8 Risk Management
Quantification of risk [Reavis 2004][Schechter 2004]:
– RISK = VA × SV × LA
– RISK = LLE × CLE
– SecurityRisk = LSB × CSB
– SecurityRisk = SBR × ACPB

9 Risk Management (cont.)
Annual Loss Expectancy (ALE) [National Bureau of Standards 1979][Hoo 2000][Schechter 2004]:
– ALE = expected rate of loss (occurrences per year) × value of loss (per occurrence)

10 Financial Approaches in Information Security
Information security investment:
– Cost: implementing the infrastructure
– Benefit: prevention of losses caused by security breaches
Optimization economic model [Gordon and Loeb 2001]:
– $G(S) = B(S) - C(S)$
   – S: level of information security
   – B(S): benefit of implementing the information security infrastructure at level S
   – C(S): total cost of that implementation
   – G(S): net gain; used to determine the point where the gain

11 Financial Approaches in Information Security (cont.)
Total annual security expenditure [Mizzi 2005]:
– $E_S = F + B + M$
– $L_T = L_I + A(t) + r(t)$
– $A(t) = I \cdot t / 365$

12 Financial Approaches in Information Security (cont.)
The security implementation is viable if the annual expenditure is less than the annual loss it prevents:
– $E_S < L_T$, i.e. $(F + B + M) < [L_I + A(t) + r(t)]$
Cost to repair annual damages:
– $D = D_D + D_I$
Including repair costs in the avoided loss, the condition becomes
– $(F + B + M) < [L_I + A(t) + r(t) + D]$, i.e. $E_S < L_T + D$
(The slide writes the right-hand side as $L_T + A(t) + r(t) + D$; since $L_T$ already contains $A(t)$ and $r(t)$, that would count them twice, so the form above is the one consistent with the definition of $L_T$.)

13 Financial Approaches in Information Security (cont.)
Annual Cost To Break [Mizzi 2005][Schechter 2002]:
– $CTB = C_D + C_V$
– The annual security expenditure is justified when the attacker's cost to break exceeds it: $CTB > E_S$, i.e. $CTB > (F + B + M)$

14 Return on Security Information
The ALE framework has seven basic elements [Campbell et al. 1979]:
– Requirements, R = [R1, R2, …, Ri]
– Assets, A = [A1, A2, …, Ak]
– Security concerns, C = [C1, …, Cs]
– Threats, T = [T1, T2, …, Tm]
– Safeguards, S = [S1, S2, …, Sp]
– Vulnerabilities, V = [V1, V2, …, Vq]
– Outcomes, O = [O1, O2, …, Or]
Three associated quantities:
– Asset values: Aval = [A1val, A2val, …, Akval]
– Safeguard effectiveness: Seff = [S1eff, S2eff, …, Speff]
– Outcome severity: Osev = [O1sev, O2sev, …, Orsev]

15 Return on Security Information (cont.)
Steps of the framework:
– Identification of the security requirements: security concerns, possible threats, etc.
– Analysis phase: threat analysis, vulnerability analysis, scenario analysis
– Risk measurement (potential impact and probability): acceptability test, cost-benefit analysis
– Decisions on safeguards

16 Return on Security Information (cont.)
The reduction in ALE [Schechter 2004]:
– $S = ALE_{\text{baseline}} - ALE_{\text{with new safeguards}}$
Total annual benefit B:
– $B = S + (\text{profit from new ventures})$
Return on security investment
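A worked example of the ALE reduction and annual benefit defined on this slide, added here as illustration and not taken from the slides or from Souras et al. Each threat carries an expected annual rate and a loss per event (slide 9's ALE), each safeguard carries a per-threat effectiveness (slide 14's Seff) and an annual cost, and the block computes S, B and a return on the security investment across a whole threat list rather than for a single threat. All threat figures and costs are constructed, independent safeguards are assumed to compose multiplicatively, and ROSI = (B − C)/C is an assumed definition since the slide's own formula is not on the page.

```python
"""ALE-based benefit of safeguards and return on security investment.

Added example; not code from the slides or from Souras et al.
The threats, safeguards and costs are constructed figures.
ROSI is computed as (B - C) / C, a common definition that the slide
itself leaves unstated, so treat that formula as an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float       # expected occurrences per year
    loss_per_event: float    # value lost per occurrence (currency units)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    # Safeguard effectiveness per threat (Seff on slide 14): the fraction of
    # that threat's annual rate the safeguard removes, in [0, 1].
    effectiveness: Dict[str, float] = field(default_factory=dict)


def ale(threat: Threat, rate_multiplier: float = 1.0) -> float:
    """ALE = expected rate of loss * value of loss (slide 9)."""
    return threat.annual_rate * rate_multiplier * threat.loss_per_event


def residual_rate_multiplier(threat: Threat, safeguards: Iterable[Safeguard]) -> float:
    """Fraction of the threat's rate that survives the safeguards.

    Assumption: safeguards act independently, so the surviving fractions
    multiply: (1 - eff_1) * (1 - eff_2) * ...
    """
    m = 1.0
    for sg in safeguards:
        eff = sg.effectiveness.get(threat.name, 0.0)
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"effectiveness for {sg.name}/{threat.name} must be in [0, 1]")
        m *= 1.0 - eff
    return m


def total_ale(threats: Iterable[Threat], safeguards: Iterable[Safeguard] = ()) -> float:
    """Sum of per-threat ALE, with the safeguards' rate reduction applied."""
    safeguards = list(safeguards)
    return sum(ale(t, residual_rate_multiplier(t, safeguards)) for t in threats)


def evaluate(threats: List[Threat], safeguards: List[Safeguard],
             new_venture_profit: float = 0.0) -> dict:
    """Slide 16's quantities for a proposed set of safeguards."""
    baseline = total_ale(threats)
    with_safeguards = total_ale(threats, safeguards)
    s = baseline - with_safeguards      # S = ALE_baseline - ALE_with_new_safeguards
    b = s + new_venture_profit          # B = S + profit from new ventures
    cost = sum(sg.annual_cost for sg in safeguards)
    rosi = (b - cost) / cost if cost > 0 else float("inf")   # assumed definition
    return {
        "ale_baseline": baseline,
        "ale_with_safeguards": with_safeguards,
        "ale_reduction": s,
        "annual_benefit": b,
        "annual_cost": cost,
        "rosi": rosi,
        "worthwhile": b > cost,   # the safeguards pay for themselves within the year
    }


# Constructed sample data (not from the paper).
THREATS = [
    Threat("malware outbreak", annual_rate=2.0, loss_per_event=50_000),
    Threat("web app compromise", annual_rate=0.5, loss_per_event=200_000),
    Threat("insider data theft", annual_rate=0.1, loss_per_event=400_000),
]
SAFEGUARDS = [
    Safeguard("endpoint protection", 30_000, {"malware outbreak": 0.8}),
    Safeguard("web application firewall", 40_000,
              {"web app compromise": 0.6, "malware outbreak": 0.25}),
]

if __name__ == "__main__":
    for key, value in evaluate(THREATS, SAFEGUARDS).items():
        print(f"{key:>22}: {value:,.2f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

With the constructed figures the baseline ALE is 240,000, the safeguards cut it to 95,000, so S = 145,000 against 70,000 of annual cost. The `worthwhile` flag is the same one-year test as slide 12's viability condition (expenditure below the loss it prevents); a safeguard whose cost exceeds the ALE it removes yields a negative ROSI.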

17 Return on Security Information (cont.)
Internal Rate of Return (IRR) [Gordon and Loeb 2002]

18 Conclusion
– Investment in information security
– Risk quantification methods: ALE
– Return on security investment (ROSI)

19 Comments
Evaluation of paper:
– Sound but dull
Recommendation:
– Reject
All of the economic models and approaches are previous research results. The authors must propose some brand-new concepts or models to evaluate information security in the organization to enhance the contribution of this article.

