Managing Information Risk and the Economics of Security: Difference between revisions
Line 67: | Line 67: | ||
</blockquote> | </blockquote> | ||
<blockquote | <blockquote> | ||
One reason for this pedagogical failure is that the highly specialized security domain is difficult to penetrate for the average manager with a background in business administration or economics. Consequently, the entities and metrics used by the security community to evaluate security risks and their consequences usually tell very little to people involved in security investment decisions. | One reason for this pedagogical failure is that the highly specialized security domain is difficult to penetrate for the average manager with a background in business administration or economics. Consequently, the entities and metrics used by the security community to evaluate security risks and their consequences usually tell very little to people involved in security investment decisions. | ||
</blockquote> | </blockquote> | ||
Line 98: | Line 98: | ||
** The Impact of Incentives on Notice and Take-down | ** The Impact of Incentives on Notice and Take-down | ||
<blockquote> | <blockquote> | ||
We consider a number of notice and take-down regimes for Internet content. These differ in the incentives for removal, the legal framework for compelling action, and the speed at which material is removed. By measuring how quickly various types of content are removed, we determine that the requester’s incentives outweigh all other factors, from the penalties available, to the methods used to obstruct take-down. | |||
</blockquote> | </blockquote> | ||
** Studying Malicious Websites and the Underground Economy on the Chinese Web | ** Studying Malicious Websites and the Underground Economy on the Chinese Web |
Revision as of 10:06, 29 June 2010
Full Title of Reference
Managing Information Risk and the Economics of Security
Full Citation
M. Eric Johnson, Managing Information Risk and the Economics of Security (2008). Purchase
Categorization
- Overview: Books
- Threats and Actors: Financial Institutions and Networks; States
- Issues: Cybercrime; Economics of Cybersecurity; Incentives; Information Sharing/Disclosure; Insurance; Metrics; Risk Management and Investment
- Approaches: Deterrence; Regulation/Liability
Key Words
Antivirus, Botnet, Cyber Crime, Cyber Security as an Externality, Disclosure Policy, Information Asymmetries, Internet Service Providers, Malware, Notice and Take-down, Patching, Phishing, Risk Modeling, SPAM, State Affiliation, Tragedy of Commons, Transparency
Synopsis
TThe lifeblood of the global economy, information has become a source of growing risk as more firms maintain information online. With risks now fueled by sophisticated, organized, malicious groups, information security requires not only technology, but a clear understanding of potential risks, decision-making behaviors, and metrics for evaluating business and policy options.
Managing Information Risk and the Economics of Security, an edited volume contributed by well-established researchers in the field worldwide, presents the latest research on economics driving both the risks and the solutions. Covering the implications of policy within firms and across countries, this volume provides managers and policy makers with new thinking on how to manage risk. The chapters are broken down into five major sections:
- Cyber Policy and Regulation
- Nonbanks and Risk in Retail Payments: EU and U.S.
This chapter documents the importance of nonbanks in retail payments in the United States and in 15 European countries and analyses the implications of the importance and multiple roles played by nonbanks on retail payment risks. Nonbanks play multiple roles along the entire payment processing chain. They are prominent in the United States and their presence is high and growing in Europe as well, although there are differences among the various countries and payments classes. The presence of nonbanks has shifted the locus of risks in retail payments towards greater relevance of operational and fraud risk. The chapter reviews the main safeguards in place, and concludes that there may be a need to reconsider some of them in view of the growing role of nonbanks and of the global reach of risks in the electronic era.
- Security Economics and European Policy
In September 2007, we were awarded a contract by the European Network and Information Security Agency (ENISA) to investigate failures in the market for secure electronic communications within the European Union, and come up with policy recommendations. In the process, we spoke to a large number of stakeholders, and held a consultative meeting in December 2007 in Brussels to present draft proposals, which established most had wide stakeholder support. The formal outcome of our work was a detailed report, “Security Economics and the Internal Market”, published by ENISA in March 2008. This chapter presents a much abridged version: in it, we present the recommendations we made, along with a summary of our reasoning.
- Risk Management and Security Investment
- BORIS –Business Oriented management of Information Security
The present chapter aims to successfully deal with the needs of information security functions by providing a management tool which links business and information security objectives. In the past terms, information security has fortunately become a top management topic due to the recognition of the continuously increasing dependencies of the overall business success in secure information and information processing technologies and means. While the focus of information security management primarily lay on the implementation of solutions to assure the achievement of the enterprises’ security objectives and their management, the business oriented management objectives were typically not regarded as major concern. Today, information security management executives are severely confronted with a different situation. An increasing pressure forces them to manage the security measures not only using their security, but also business glasses. To handle this challenge, a framework is presented in this chapter. It supports any information security functions with a strong economic focus, whereby it specifically links business and information security objectives. The core of the presented methodology has proven to be reliable, user friendly, consistent and precise under real conditions over several years.
- Productivity Space of Information Security in an Extension of the Gordon-Loeb’s Investment Model
Information security engineers provide some countermeasures so that attacks will fail. This is vulnerability reduction. In addition, they provide other countermeasures so that attacks will not occur. This is threat reduction. In order to study how the optimal investment for information security is influenced by these reductions, this chapter introduces a productivity space of information security. In the same manner as in the Gordon-Loeb model, where vulnerability reduction is only considered, I suppose a productivity of information security characterizes economic effects of information security investment. In particular, I consider a productivity regarding threat reduction as well as a productivity regarding vulnerability reduction, and investigate a two-dimensional space formed by the two productivities. The investigation shows that the productivity space is divided into three areas: the no-investment area where both the productivities are low, the mid-vulnerability intensive area where the vulnerability reduction productivity is high but the threat reduction productivity is low, and the high-vulnerability intensive area where the threat reduction productivity is high.
- Communicating the Economic Value of Security Investments; Value at Security Risk
The information and data security communities and their individual practitioners have long experienced the pedagogical difficulties in communicating to management or funding bodies the importance and relevance of sufficient investments in information and data security.
One reason for this pedagogical failure is that the highly specialized security domain is difficult to penetrate for the average manager with a background in business administration or economics. Consequently, the entities and metrics used by the security community to evaluate security risks and their consequences usually tell very little to people involved in security investment decisions.
<blockquote Historically, Return on Investment (RoI) has been used for this purpose. However, RoI is not an ideal entity to use, since it generates misunderstanding and misinterpretation. Companies and enterprises already have tools, methods and metrics to express risk levels and their economic consequences: we refer to Value-at-Risk and Value-at-Risk-type metrics.
<blockquote This contribution transforms or transfers entities and metrics used by the information and data security communities into Value-at-Risk-type entities and metrics. This will allow management to understand, compare and evaluate security risks and their economic consequences with risks generated by other sources, strategies or investment decisions and givemanagement a firmer and more rational basis for security investment decisions.
- Technology and Policy Adoption
- Modelling the Human and Technological Costs and Benefits of USB Memory Stick Security
Organizations deploy systems technologies in order to support their operations and achieve their business objectives. In so doing, they encounter tensions between the confidentiality, integrity, and availability of information, and must make investments in information security measures to address these concerns. We discuss how a macroeconomics-inspired model, analogous to models of interest rate policy used by central banks, can be used to understand trade-offs between investments against threats to confidentiality and availability. We investigate how such a model might be formulated by constructing a process model, based on empirically obtained data, of the use of USB memory sticks by employees of a financial services company.
- The Value of Escalation and Incentives in Managing Information Access
Managing information access within large enterprises is increasingly challenging. With thousands of employees accessing thousands of applications and data sources, managers strive to ensure the employees can access the information they need to create value while protecting information from misuse. We examine an information governance approach based on controls and incentives, where employees’ self-interested behavior can result in firm-optimal use of information. Using insights gained from a game-theoretic model, we illustrate how an incentives-based policy with escalation can control both over and under-entitlement while maintaining the flexibility.
- Combating Cybercrime
- Reinterpreting the Disclosure Debate for Web Infections
Internet end users increasingly face threats of compromise by visiting seemingly innocuous websites that are themselves compromised by malicious actors. These compromised machines are then incorporated into bot networks that perpetuate further attacks on the Internet. Google attempts to protect users of its search products from these hidden threats by publicly disclosing these infections in interstitial warning pages behind the results. This chapter seeks to explore the effects of this policy on the economic ecosystem of webmasters, web hosts, and attackers by analyzing the experiences and data of the StopBadware project. The StopBadware project manages the appeals process whereby websites whose infections have been disclosed by Google get fixed and unquarantined. Our results show that, in the absence of disclosure and quarantine, certain classes of webmasters and hosting providers are not incentivized to secure their platforms and websites and that the malware industry is sophisticated and adapts to this reality. A delayed disclosure policy may be appropriate for traditional software products. However, in the web infection space, silence during this period leads to further infection since the attack is already in progress. We relate specific examples where disclosure has had beneficial effects, and further support this conclusion by comparing infection rates in the U.S. where Google has high penetration to China where its market penetration rate is much lower.
- The Impact of Incentives on Notice and Take-down
We consider a number of notice and take-down regimes for Internet content. These differ in the incentives for removal, the legal framework for compelling action, and the speed at which material is removed. By measuring how quickly various types of content are removed, we determine that the requester’s incentives outweigh all other factors, from the penalties available, to the methods used to obstruct take-down.
- Studying Malicious Websites and the Underground Economy on the Chinese Web
- Botnet Economics: Uncertainty Matters
- Cyber Insurance as an Incentive for Internet Security
- Privacy and Trust
- Conformity or Diversity: Social Implications of Transparency in Personal Data Processing
- Is Distributed Trust More Trustworthy?
Managing Information Risk and the Economics of Security is designed for managers, policy makers, and researchers focusing on economics of information security, as well as for advanced-level students in computer science, business management and economics.
Additional Notes and Highlights