Modelling and Economics
of IT Risk Management and Insurance
Stefanos Gritzalis
Costas Lambrinoudakis
Dept. of Information and Communication Systems Engineering
University of the Aegean - GREECE
{sgritz, clam}@aegean.gr
Thanassis Yannacopoulos
Dept. of Statistics & Actuarial-Financial Mathematics
University of the Aegean - GREECE
[email protected]
University of the Aegean, Greece
Introduction
Information systems security has become a
top priority issue for most organisations
worldwide.
They have started to invest in Security
Enhancing Technologies, but:
How much should they invest?
Can they evaluate the effectiveness of the security measures that they invest in?
Are they aware of the residual risk?
Are they aware of the consequences that they will face in the event of a security incident?
Risk Analysis and Management
(diagram: Measure - Asset, Threat, Vulnerability, Impact; Calculate Risk; Select Countermeasures)
We need better solutions
An option could be to transfer specific risks to an
insurance company, in order to:
– avoid implementing too expensive technical countermeasures, and
– cover the financial losses that the organisation may experience in
case of a security incident
Clearly, such an approach will not replace technical security measures, but it will act as a complement to them
Issues that must be addressed
From the Organization Point of View
– How much money should be invested in technical security measures?
– What is the financial loss that the organization will experience as a result of a security incident due to the residual risk?
From the Insurance Company Point of View
– How secure (well protected against potential risks) is the information system?
– What is the financial loss that the organization will experience as a result of every possible security incident?
– What should the structure of the contract be (i.e. premium, compensation)?
Modelling the System (1/3)
Use of a probabilistic structure, in the form of a
Markov model, that provides detailed
information about all possible transitions of the
system state in the course of time.
We are dealing with transitions from the fully operational system state to some other non-fully operational state that may result as the effect of a security incident.
Modelling the System (2/3)
– Assumption 1: The transitions allowed are from the fully operational state to some other non-fully operational state.
– Assumption 2: Non-operational states are considered absorbing states.

System State i | Transition Rate from state 0 to state i (S(u)=0, S(t)=i) | Security Incident | Impact Value (Loss) Li | Comments
State 0  | N/A    | N/A                     | N/A | System fully operational. No Security Incidents have occurred.
…………     | …………   | …………                    | ………… | …………
State 10 | μ04(u) | Loss of Confidentiality | L10 | Data (asset Ak) disclosed to Insiders
State 11 | μ05(u) | Loss of Confidentiality | L11 | Data (asset Ak) disclosed to Outsiders
State 12 | μ06(u) | Loss of Confidentiality | L12 | Data (asset Ak) disclosed to Service Providers
…………     | …………   | …………                    | ………… | …………
Modelling the System (3/3)
The use of the Markov model allows us to:
– Find the probability of the system being in different states
– thus find the probability of different financial losses (L)
This approach is useful in cases where:
– The transition rates are accurate
– The Loss (impact values) figures are accurate (objective)
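As an added worked example (not code from the slides), the Markov model of Assumptions 1 and 2 with constant transition rates μ0i from the fully operational state to absorbing incident states: the probability of each system state at time t and, from it, the probability of each financial loss L. The rates, states and loss figures are constructed for illustration.

```python
import math

# Constructed instance of the slides' model: the system starts in state 0
# (fully operational) and can move to absorbing states i at constant rates
# mu_0i (per year). Figures are invented, not taken from the slides.
RATES = {10: 0.10, 11: 0.05, 12: 0.05}                 # disclosure to insiders / outsiders / providers
LOSSES = {10: 50_000.0, 11: 200_000.0, 12: 80_000.0}   # impact value L_i of each incident state


def state_probabilities(rates, t):
    """P(S(t)=i | S(0)=0) for a star-shaped chain whose leaves are absorbing.

    With total exit rate lam = sum(mu_0i) the sojourn in state 0 is exponential,
    so P(S(t)=0) = exp(-lam*t); each absorbing state i collects the fraction
    mu_0i/lam of the probability mass that has left state 0 by time t.
    """
    lam = sum(rates.values())
    left = 1.0 - math.exp(-lam * t)
    probs = {0: 1.0 - left}
    for i, mu in rates.items():
        probs[i] = (mu / lam) * left
    return probs


def loss_distribution(rates, losses, t):
    """Probability of each financial loss L at time t (L = 0 while in state 0)."""
    dist = {0.0: 0.0}
    for i, pr in state_probabilities(rates, t).items():
        loss = 0.0 if i == 0 else losses[i]
        dist[loss] = dist.get(loss, 0.0) + pr
    return dist


def expected_loss(rates, losses, t):
    """E[L(t)], the quantity the security investment and premium are built on."""
    return sum(L * pr for L, pr in loss_distribution(rates, losses, t).items())


if __name__ == "__main__":
    for t in (0.5, 1.0, 2.0):
        print(f"t={t}: P(state)={state_probabilities(RATES, t)}")
        print(f"        E[L]={expected_loss(RATES, LOSSES, t):,.0f}")
```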
Using the Model: An Overview
OBJECTIVE 1: Calculating the Optimal Security Investment
– Max_I E[ U(W – L(I) – I) ]
Where I is the maximum amount available for security measures,
W is the initial wealth of the company and
L is the expected loss, which of course depends on the amount I
OBJECTIVE 2: Designing the Optimal Insurance Contract
– U(W – π) = E[ U(W – L + C – π) ]
Where W is the initial wealth of the company
π is the premium that the company has to pay to the insurer
L is the expected loss
C is the compensation that the insurer will pay in case of a security incident
OBJECTIVE 1: Calculating the Optimal
Security Investment (1/3)
How much should a company invest in
security?
Given a security budget, how should this be
allocated with respect to the different risks
so as to minimize the expected loss of the
company?
An Illustrative Example (2/3)
Assume two Threats of equal probability to occur and equally harmful
Assume that we invest zi for security measures that address Threat i, i=1,2
It can be noticed that the optimal choice is z1=z2
(figure: expected loss over the allocation plane z1, z2)
An Illustrative Example (3/3)
Assume two Threats equally harmful
Assume that the first Threat is more likely to occur
Assume that we invest zi for security measures that address Threat i, i=1,2
It can be noticed that the optimal budget allocates more expenditure towards facing the first threat
(figure: expected loss over the allocation plane z1, z2)
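Added example (not from the slides) of the budget allocation in the two illustrative cases: the expected loss comes from the same absorbing-state model, and the assumption, which the slides do not state, is that investing z_i against threat i scales its transition rate by exp(-k·z_i), i.e. with diminishing returns. The rates, harms, budget and k are constructed.

```python
import math


def expected_loss(rates, losses, horizon):
    """E[L] over [0, horizon] for the star-shaped absorbing Markov model:
    the fraction mu_i/lam of the mass leaving state 0 ends in incident state i."""
    lam = sum(rates)
    if lam == 0.0:
        return 0.0
    left = 1.0 - math.exp(-lam * horizon)
    return sum(L * (mu / lam) * left for mu, L in zip(rates, losses))


def allocate_budget(base_rates, losses, budget, horizon=1.0, k=0.3, steps=200):
    """Split `budget` into z1 + z2 so that the expected loss is minimal.

    Assumption (not in the slides): spending z_i on measures against threat i
    lowers its rate to mu_i * exp(-k * z_i). A grid search over z1 is enough
    here because the objective is convex in z1 under this assumption.
    Returns (expected loss, z1, z2).
    """
    best = None
    for n in range(steps + 1):
        z1 = budget * n / steps
        z2 = budget - z1
        rates = [base_rates[0] * math.exp(-k * z1), base_rates[1] * math.exp(-k * z2)]
        el = expected_loss(rates, losses, horizon)
        if best is None or el < best[0]:
            best = (el, z1, z2)
    return best


if __name__ == "__main__":
    # Constructed figures: a 100k harm for either threat; rates per year.
    print("equal threats           :", allocate_budget([0.2, 0.2], [1e5, 1e5], 10.0))
    print("threat 1 twice as likely:", allocate_budget([0.4, 0.2], [1e5, 1e5], 10.0))
```

With equal threats the optimum is the symmetric split z1 = z2; doubling the rate of threat 1 moves the optimum to z1 = B/2 + ln(2)/(2k), about 6.16 of the 10 units, matching the third slide's observation.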
OBJECTIVE 2: Design the Optimal
Insurance Contract (1/7)
Following the investment of an amount of
money for security measures, the company
still needs to deal with the residual risk.
An option could be to divert the risk into an
alternative market: An Insurance Company
The model presented may support us in
designing and pricing insurance contracts
A Case Study (2/7)
Suppose a firm A subcontracts specific IT tasks to
a firm B
Unfortunately A cannot be aware of B’s intentions
(e.g. B may disclose data in an unauthorized way,
for profit)
Can A and B enter into an insurance contract
through an insurer I so that all three parties are
better off with the contract than without?
A Case Study (3/7)
ν: Probability that B plays fair
d: Probability that the fraud passes undiscovered
p1: Given that B plays fair, probability of no
security incident at all
p2: Given that B plays fair, probability of a
security incident due to unforeseen circumstances
or due to negligence of A
A Case Study (4/7)
Premium for A (5/7)
Premium Maximum Value (1) when: d = 1 and ν = 0 (B acts maliciously and the fraud will not be discovered)
Premium Minimum Value when: ν = 1 and d = 0 (B is reliable and in case it commits a fraud it will be discovered)
Premium for B (6/7)
The introduction of the fine (F) lowers considerably the premium for B.
The fine plays the role of compensation to the insurer in case of deliberate fraudulent behavior and as such reduces the risk of the insurer
Optimal coverage for A and utility
difference (7/7)
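Added example (not the authors' code) of pricing under Objective 2: the company's reservation premium for a deductible contract, solved from the indifference condition E[U(W − L)] = E[U(W − L + C − π)] with the uninsured position as benchmark (my formulation), set against the insurer's floor of expected compensation plus loading. The loss distribution, CARA utility, deductible and loading are assumptions, not figures from the case study.

```python
import math

# Constructed distribution of the residual risk over the policy year (probability
# of each financial loss L), of the kind the Markov model delivers; invented figures.
LOSS_DIST = {0.0: 0.82, 50_000.0: 0.09, 80_000.0: 0.045, 200_000.0: 0.045}
W = 1_000_000.0   # initial wealth of the company


def cara_utility(w, a=1e-5):
    """Exponential utility with constant absolute risk aversion a (assumption)."""
    return -math.exp(-a * w)


def expected_utility(wealth_of_loss, dist, u=cara_utility):
    return sum(pr * u(wealth_of_loss(L)) for L, pr in dist.items())


def coverage(L, deductible=10_000.0):
    """Compensation rule C(L): the insurer pays the part of the loss above a deductible."""
    return max(L - deductible, 0.0)


def reservation_premium(dist, w=W, cov=coverage, tol=1e-4):
    """Largest premium pi the company will pay: the insured position is still at
    least as good as carrying the risk alone. Insured utility falls as pi rises,
    so the crossing point is found by bisection."""
    uninsured = expected_utility(lambda L: w - L, dist)
    lo, hi = 0.0, max(dist)   # no rational premium exceeds the largest loss
    while hi - lo > tol:
        mid = (lo + hi) / 2
        insured = expected_utility(lambda L, p=mid: w - L + cov(L) - p, dist)
        if insured >= uninsured:
            lo = mid          # still acceptable, the premium can rise
        else:
            hi = mid
    return lo


def insurer_minimum_premium(dist, cov=coverage, loading=0.10):
    """Insurer's floor: expected compensation plus a proportional loading (assumption)."""
    return (1 + loading) * sum(pr * cov(L) for L, pr in dist.items())


def contract_feasible(dist):
    """A contract both sides accept exists iff the insurer's floor is below the ceiling."""
    return insurer_minimum_premium(dist) <= reservation_premium(dist)


if __name__ == "__main__":
    print(f"company pays at most  {reservation_premium(LOSS_DIST):,.0f}")
    print(f"insurer asks at least {insurer_minimum_premium(LOSS_DIST):,.0f}")
    print("contract feasible:", contract_feasible(LOSS_DIST))
```

The gap between the two premiums is the room in which the contract's structure (premium, compensation) can be negotiated so that both the company and the insurer are better off.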
Future Directions
We are currently thinking of ways to cope with:
– Non-absorbing states
– Approximate transition rates
– Subjective figures for the Loss (An indicative
example is Privacy Violation)
– More complex models that take the full history of transitions into account when calculating the probability of the system moving to a different state
– Use of real data for Model Calibration
Thank you for your attention.
http://www.aegean.gr/Info-Sec-Lab/