Economic Models & Approaches in Information Security for Computer Networks
Authors: P. Souras et al.
Submission: International Journal of Network Security
Reporter: Chun-Ta Li
Outline
• Introduction
• Networks & Security
• Risk Management
• Financial Approaches in Information Security
• Return on Security Information
• Conclusion
• Comments
Introduction
• An organization consists of logical and physical assets that can be grouped into smaller elements [Wei 2001]
Introduction (cont.)
• An information security system provides
  • Protection from unauthorized access
  • Protection of information from integrity flaws
  • Detection and correction of information security breaches
• The potential decrease in market value due to IT security breaches is composed of both tangible and intangible losses
  • Tangible: loss of productivity, cost of system repair, insurance
  • Intangible: loss of reputation, reduction in brand value, legal implications
Introduction (cont.)
• Key issues in this paper
  • Economic models
  • Evaluation of an information security investment
  • Calculating information security risk
    • Annual Loss Expectancy (ALE)
    • Cost To Break metric
  • Setting the rules for calculating the Return on Information Security
Networks & Security
• Organizations typically employ multiple security technologies
  • Firewalls
  • Intrusion Detection Systems (IDS)
• Three basic types of cryptography
  • Bulk encryption, message authentication, data integrity
• Three types of cryptographic systems
  • Totally secret, public algorithms, public key systems
Networks & Security (cont.)
• Possible attacks on encrypted data
  • Calculation of the password
  • Dictionary attack
  • Packet modification
  • Replay attack
  • Evil twin (man-in-the-middle)
Risk Management
• Quantification of risk [Reavis 2004][Schechter 2004]
  • RISK = VA * SV * LA
  • RISK = LLE * CLE
  • SecurityRisk = LSB * CSB
  • SecurityRisk = SBR * ACPB
Risk Management (cont.)
• Annual Loss Expectancy (ALE) [National Bureau of Standards 1979][Hoo 2000][Schechter 2004]
  • ALE = expected rate of loss * value of loss
Financial Approaches in Information Security
• Information security investment
  • Cost (implementing the infrastructure)
  • Benefit (prevention of losses from security breaches)
• Optimization economic model [Gordon and Loeb 2001]
  • G(S) = B(S) – C(S)
  • B: benefit of implementing the information security infrastructure
  • C: total cost of that implementation
  • S: different levels of information security
  • G: determine the point where the gain
Financial Approaches in Information Security (cont.)
• Total annual security expenditure [Mizzi 2005]
  • Es = F + B + M
  • LT = LI + A(t) + r(t)
  • A(t) = I * t / 365
Financial Approaches in Information Security (cont.)
• The security implementation is viable if Es < LT
  • (F + B + M) < [LI + A(t) + r(t)]
• Cost to repair annual damages: D = DD + DI
  • (F + B + M) < (LT + A(t) + r(t) + D)
Financial Approaches in Information Security (cont.)
• Annual Cost To Break [Mizzi 2005][Schechter 2002]
  • CTB = CD + CV
  • CTB > Es
  • CTB > (F + B + M)
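The expenditure, viability and Cost To Break conditions from the three slides above, as an added worked example (not code from the deck or from the cited papers). Symbol names follow the slides (Es = F + B + M, LT = LI + A(t) + r(t), A(t) = I * t / 365, D = DD + DI, CTB = CD + CV); the slides do not expand the symbols, so the field descriptions, the reading of t as a number of days, and every sample figure are assumptions:

```python
# Added example: Mizzi-style expenditure vs. expected-loss checks as listed
# on the slides. Symbol meanings and all sample figures are assumptions;
# the deck gives only the formulas.
from dataclasses import dataclass


def amortised_term(i: float, t_days: int) -> float:
    """A(t) = I * t / 365, with t read as a number of days (assumed)."""
    return i * t_days / 365


@dataclass(frozen=True)
class SecurityExpenditure:
    f: float  # F
    b: float  # B
    m: float  # M

    def total(self) -> float:
        """Es = F + B + M."""
        return self.f + self.b + self.m


@dataclass(frozen=True)
class ExpectedLoss:
    li: float    # LI
    i: float     # I, the quantity spread over t days by A(t)
    t_days: int  # t
    r_t: float   # r(t)

    def total(self) -> float:
        """LT = LI + A(t) + r(t)."""
        return self.li + amortised_term(self.i, self.t_days) + self.r_t


def is_viable(es: SecurityExpenditure, lt: ExpectedLoss) -> bool:
    """Slide condition: the implementation is viable if Es < LT."""
    return es.total() < lt.total()


def is_viable_with_repair(es: SecurityExpenditure, lt: ExpectedLoss,
                          dd: float, di: float) -> bool:
    """Slide condition once repair costs D = DD + DI are included,
    taken literally as written: (F + B + M) < (LT + A(t) + r(t) + D)."""
    d = dd + di
    return es.total() < lt.total() + amortised_term(lt.i, lt.t_days) + lt.r_t + d


def cost_to_break(cd: float, cv: float) -> float:
    """CTB = CD + CV."""
    return cd + cv


def spend_below_cost_to_break(ctb: float, es: SecurityExpenditure) -> bool:
    """Slide condition CTB > Es, i.e. CTB > (F + B + M)."""
    return ctb > es.total()


if __name__ == "__main__":
    # Constructed sample figures; currency units are arbitrary.
    es = SecurityExpenditure(f=40_000, b=15_000, m=25_000)          # Es = 80,000
    lt = ExpectedLoss(li=50_000, i=36_500, t_days=365, r_t=10_000)  # LT = 96,500
    print("Es =", es.total(), "LT =", lt.total(), "viable:", is_viable(es, lt))
    print("viable incl. repair:", is_viable_with_repair(es, lt, dd=5_000, di=3_000))
    ctb = cost_to_break(cd=60_000, cv=30_000)
    print("CTB =", ctb, "CTB > Es:", spend_below_cost_to_break(ctb, es))
```

With the constructed figures the spend (80,000) sits below both the expected loss (96,500) and the attacker's cost to break (90,000), so every slide condition holds; raising F to 100,000 makes the same checks fail, which is the case the viability test exists to flag.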
Return on Security Information
• The ALE framework has seven basic elements [Campbell et al. 1979]
  • Requirements, R = [R1, R2, …, Ri]
  • Assets, A = [A1, A2, …, Ak]
  • Security concerns, C = [C1, …, Cs]
  • Threats, T = [T1, T2, …, Tm]
  • Safeguards, S = [S1, S2, …, Sp]
  • Vulnerabilities, V = [V1, V2, …, Vq]
  • Outcomes, O = [O1, O2, …, Or]
• Three associated quantities
  • Asset values: Aval = [A1val, A2val, …, Akval]
  • Safeguard effectiveness: Seff = [S1eff, S2eff, …, Speff]
  • Outcome severity: Osev = [O1sev, O2sev, …, Orsev]
Return on Security Information (cont.)
• Identification of the security requirements
  • Security concerns, possible threats, etc.
• Analysis phase
  • Threat analysis, vulnerability analysis, scenario analysis
• Risk measurement (potential impact and probability)
• Acceptability test, cost-benefit analysis
• Decisions on safeguards
Return on Security Information (cont.)
• The reduction in ALE [Schechter 2004]
  • S = ALE(baseline) – ALE(with new safeguards)
• Total annual benefit B
  • B = S + (profit from new ventures)
• Return on security investment
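The ALE reduction and annual benefit from the slide above, carried through to the Gordon and Loeb net gain G(S) = B(S) – C(S) from the earlier slide, as an added worked example (not code from the deck or from the cited papers). The slides list safeguard effectiveness (Seff) as a quantity but do not say how it enters ALE; the assumption here is that a safeguard scales a threat's annual rate by (1 – Seff). The threats, effectiveness values, costs and profit figure are constructed sample data:

```python
# Added example: ALE-based benefit of a safeguard, following the slides'
# formulas
#   ALE  = expected rate of loss * value of loss
#   S    = ALE(baseline) - ALE(with new safeguards)
#   B    = S + profit from new ventures
#   G(S) = B(S) - C(S)
# Assumed: a safeguard multiplies a threat's annual rate by (1 - Seff).
# All sample data below is constructed.
from dataclasses import dataclass
from typing import Mapping, Sequence


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float  # expected occurrences per year
    loss_value: float   # value of the loss per occurrence


@dataclass(frozen=True)
class Safeguard:
    name: str
    effectiveness: Mapping[str, float]  # threat name -> Seff in [0, 1]
    annual_cost: float                  # this safeguard's share of C(S)

    def residual_factor(self, threat_name: str) -> float:
        """Fraction of the threat's rate left after this safeguard."""
        seff = self.effectiveness.get(threat_name, 0.0)
        if not 0.0 <= seff <= 1.0:
            raise ValueError(f"Seff for {threat_name!r} must be in [0, 1], got {seff}")
        return 1.0 - seff


def ale(threat: Threat, safeguards: Sequence[Safeguard] = ()) -> float:
    """ALE for one threat: (rate after safeguards) * value of loss."""
    rate = threat.annual_rate
    for sg in safeguards:
        rate *= sg.residual_factor(threat.name)
    return rate * threat.loss_value


def total_ale(threats: Sequence[Threat], safeguards: Sequence[Safeguard] = ()) -> float:
    return sum(ale(t, safeguards) for t in threats)


def ale_reduction(threats: Sequence[Threat], safeguards: Sequence[Safeguard]) -> float:
    """S = ALE(baseline) - ALE(with new safeguards)."""
    return total_ale(threats) - total_ale(threats, safeguards)


def annual_benefit(threats: Sequence[Threat], safeguards: Sequence[Safeguard],
                   new_venture_profit: float = 0.0) -> float:
    """B = S + (profit from new ventures)."""
    return ale_reduction(threats, safeguards) + new_venture_profit


def net_gain(threats: Sequence[Threat], safeguards: Sequence[Safeguard],
             new_venture_profit: float = 0.0) -> float:
    """G = B - C, with C the safeguards' total annual cost."""
    cost = sum(sg.annual_cost for sg in safeguards)
    return annual_benefit(threats, safeguards, new_venture_profit) - cost


# Constructed sample data (hypothetical threats and one hypothetical safeguard).
THREATS = (
    Threat("phishing", annual_rate=4.0, loss_value=20_000),
    Threat("ransomware", annual_rate=0.5, loss_value=300_000),
    Threat("insider misuse", annual_rate=1.0, loss_value=50_000),
)
SAFEGUARDS = (
    Safeguard("MFA + awareness training",
              effectiveness={"phishing": 0.75, "ransomware": 0.4},
              annual_cost=60_000),
)

if __name__ == "__main__":
    print("ALE baseline:", total_ale(THREATS))
    print("ALE with safeguards:", total_ale(THREATS, SAFEGUARDS))
    print("S:", ale_reduction(THREATS, SAFEGUARDS))
    print("G:", net_gain(THREATS, SAFEGUARDS, new_venture_profit=10_000))
```

Running it on the constructed data gives a baseline ALE of 280,000, 160,000 after the safeguard, an ALE reduction S of 120,000, and with 10,000 of new-venture profit a benefit B of 130,000 against a 60,000 cost, i.e. a positive net gain; a safeguard whose cost exceeded S plus the profit would produce a negative G, which is the signal the model uses to reject the investment.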
Return on Security Information (cont.)
• Internal Rate of Return (IRR) [Gordon and Loeb 2002]
Conclusion
• Investment in information security
• Risk quantification methods – ALE
• Return on security investment (ROSI)
Comments
• Evaluation of the paper
  • Sound but dull
• Recommendation
  • Reject
  • All of the economic models and approaches are previous research results.
  • The authors must propose some brand-new concepts or models for evaluating information security in the organization to enhance the contribution of this article.