
Authors: P. Souras et al. Submission: International Journal of Network Security






Presentation Transcript


  1. Economic Models & Approaches in Information Security for Computer Networks
     Authors: P. Souras et al.
     Submission: International Journal of Network Security
     Reporter: Chun-Ta Li

  2. Outline
     • Introduction
     • Networks & Security
     • Risk Management
     • Financial Approaches in Information Security
     • Return on Security Information
     • Conclusion
     • Comments

  3. Introduction
     • An organization consists of logical and physical assets that can be grouped into smaller elements [Wei 2001]

  4. Introduction (cont.)
     • An information security system provides
       • Protection from unauthorized access
       • Protection of information from integrity flaws
       • Detection and correction of information security breaches
     • The potential decrease in market value due to IT security breaches involves both tangible and intangible assets
       • Tangible: loss of productivity, cost of system repair, insurance
       • Intangible: loss of reputation, reduction in brand value, legal implications

  5. Introduction (cont.)
     • Key issues in this paper
       • Economic models
       • Evaluation of an information security investment
       • Calculating information security risk
         • Annual Loss Expectancy (ALE)
         • Cost To Break metric
       • Setting the rules for the calculation of the Return on Information Security

  6. Networks & Security
     • Organizations typically employ multiple security technologies
       • Firewalls
       • Intrusion Detection Systems (IDS)
     • Three basic types of cryptography
       • Bulk encryption, message authentication, data integrity
     • Three types of cryptographic systems
       • Totally secret, public algorithms, public key systems

  7. Networks & Security (cont.)
     • Possible attacks on encrypted data
       • Calculation of the password
       • Dictionary attack
       • Packet modification
       • Replay attack
       • Evil twin (man-in-the-middle)

  8. Risk Management
     • Quantification of risk [Reavis 2004][Schechter 2004]
       • RISK = VA * SV * LA
       • RISK = LLE * CLE
       • SecurityRisk = LSB * CSB
       • SecurityRisk = SBR * ACPB

  9. Risk Management (cont.)
     • Annual Loss Expectancy (ALE) [National Bureau of Standards 1979][Hoo 2000][Schechter 2004]
       • ALE = expected rate of loss * value of loss

  10. Financial Approaches in Information Security
     • Information security investment
       • Cost (implementing infrastructure)
       • Benefit (prevention of losses from security breaches)
     • Optimization economic model [Gordon and Loeb 2001]
       • G(S) = B(S) – C(S)
       • B: implementation of information security infrastructure
       • C: total cost of that implementation
       • S: different levels of information security
       • G: determine the point where the gain

  11. Financial Approaches in Information Security (cont.)
     • Total annual security expenditure [Mizzi 2005]
       • Es = F + B + M
       • LT = LI + A(t) + r(t)
       • A(t) = I * t / 365

  12. Financial Approaches in Information Security (cont.)
     • The security implementation is viable if Es < LT
       • (F + B + M) < [LI + A(t) + r(t)]
     • Cost to repair annual damages: D = DD + DI
       • (F + B + M) < (LT + A(t) + r(t) + D)

  13. Financial Approaches in Information Security (cont.)
     • Annual Cost To Break [Mizzi 2005][Schechter 2002]
       • CTB = CD + CV
       • CTB > Es
       • CTB > (F + B + M)
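The expenditure, loss and cost-to-break relations from slides 11 to 13 form one decision procedure, so here they are carried through on a single constructed scenario. This is an added example, not code from the paper or the presentation. The slides name F, B, M, LI, I, t and r(t) without defining them, so every figure below is an illustration, and r(t) is taken as a caller-supplied function of the day count t (an assumption).

```python
"""Mizzi's total annual security expenditure model as summarised on slides 11 to 13.

Added worked example; this is not code from the paper or from the presentation.
The slides name F, B, M, LI, I, t and r(t) but do not define them, so all values
below are constructed illustrations and r(t) is taken as a caller-supplied
function of the day count t (an assumption).
"""
from typing import Callable


def annual_expenditure(F: float, B: float, M: float) -> float:
    """Es = F + B + M: the three expenditure components named on slide 11."""
    return F + B + M


def accumulated_loss(I: float, t: int) -> float:
    """A(t) = I * t / 365: loss I accumulated over t days of the year."""
    return I * t / 365


def total_loss(LI: float, I: float, t: int, r: Callable[[int], float]) -> float:
    """LT = LI + A(t) + r(t)."""
    return LI + accumulated_loss(I, t) + r(t)


def repair_cost(DD: float, DI: float) -> float:
    """D = DD + DI: cost to repair annual damages (slide 12)."""
    return DD + DI


def is_viable(Es: float, LT: float, D: float = 0.0) -> bool:
    """Slide 12: the implementation is viable if Es < LT.

    When annual repair damages D are included, the loss side grows by D; this
    reads the slide's second inequality as LT + D, which is an assumption.
    """
    return Es < LT + D


def cost_to_break(CD: float, CV: float) -> float:
    """CTB = CD + CV: annual cost to break (slide 13)."""
    return CD + CV


def ctb_exceeds_expenditure(CTB: float, Es: float) -> bool:
    """Slide 13: the attacker's cost to break should exceed the defender's spend, CTB > Es."""
    return CTB > Es


def evaluate_scenario() -> dict:
    """Run the checks on one constructed scenario and return the intermediate values."""
    # Constructed figures; none of them come from the paper.
    Es = annual_expenditure(F=40_000, B=25_000, M=15_000)              # 80 000
    LT = total_loss(LI=50_000, I=36_500, t=180, r=lambda t: 100 * t)   # 50 000 + 18 000 + 18 000
    D = repair_cost(DD=10_000, DI=5_000)                               # 15 000
    CTB = cost_to_break(CD=60_000, CV=30_000)                          # 90 000
    return {
        "Es": Es,
        "LT": LT,
        "D": D,
        "CTB": CTB,
        "viable": is_viable(Es, LT),
        "viable_with_repair": is_viable(Es, LT, D),
        "ctb_exceeds_expenditure": ctb_exceeds_expenditure(CTB, Es),
    }


if __name__ == "__main__":
    for key, value in evaluate_scenario().items():
        print(f"{key}: {value}")
```

In the constructed scenario the expenditure Es of 80 000 is below the expected loss LT of 86 000 and below the attacker's cost to break of 90 000, so both tests pass; raising Es to 90 000 fails the plain viability test but passes once the 15 000 of repair damages is added to the loss side, which shows how sensitive the decision is to which loss components are counted.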

  14. Return on Security Information
     • The ALE framework has seven basic elements [Campbell et al. 1979]
       • Requirements, R = [R1, R2, …, Ri]
       • Assets, A = [A1, A2, …, Ak]
       • Security Concerns, C = [C1, …, Cs]
       • Threats, T = [T1, T2, …, Tm]
       • Safeguards, S = [S1, S2, …, Sp]
       • Vulnerabilities, V = [V1, V2, …, Vq]
       • Outcomes, O = [O1, O2, …, Or]
     • Three associated quantities
       • Asset values: Aval = [A1val, A2val, …, Akval]
       • Safeguard effectiveness: Seff = [S1eff, S2eff, …, Speff]
       • Outcome severity: Osev = [O1sev, O2sev, …, Orsev]

  15. Return on Security Information (cont.)
     • Identification of the security requirements
       • Security concerns, possible threats, etc.
     • Analysis phase
       • Threat analysis, vulnerability analysis, scenario analysis
     • Risk measurement (potential impact and probability)
       • Acceptability test, cost-benefit analysis
     • Decisions on safeguards

  16. Return on Security Information (cont.)
     • The reduction in ALE [Schechter 2004]
       • S = ALE(baseline) – ALE(with new safeguards)
     • Total annual benefit B
       • B = S + (profit from new ventures)
     • Return on security investment
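To show how the ALE definition from slide 9 feeds the safeguard benefit on slide 16, the following added example (not code from the paper or the presentation) sums ALE over a constructed threat register with and without a new safeguard, computes S and B, and then a return ratio. The per-threat "safeguard effectiveness" fraction, the threat figures and the ratio (B minus annual safeguard cost, divided by that cost) are all assumptions: the slides name the return on security investment but give no formula for it.

```python
"""ALE-based benefit of a new safeguard, following slides 9 and 16.

Added worked example; this is not code from the paper or the presentation.
ALE = expected rate of loss * value of loss (slide 9) is summed over a
constructed list of threats, then S = ALE(baseline) - ALE(with new safeguards)
and B = S + (profit from new ventures) (slide 16). The slides give no formula
for the return on security investment, so the ratio
(B - annual safeguard cost) / annual safeguard cost used here is an assumption.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float            # expected number of loss events per year
    loss_per_event: float         # value of the loss for one event
    safeguard_effectiveness: float = 0.0  # fraction of events the new safeguard stops (assumed model)


def ale(expected_rate: float, value_of_loss: float) -> float:
    """Slide 9: ALE = expected rate of loss * value of loss."""
    return expected_rate * value_of_loss


def total_ale(threats: Iterable[Threat], with_new_safeguards: bool) -> float:
    """Sum the ALE of every threat, optionally with the new safeguards' reduction applied."""
    total = 0.0
    for threat in threats:
        rate = threat.annual_rate
        if with_new_safeguards:
            rate *= 1.0 - threat.safeguard_effectiveness
        total += ale(rate, threat.loss_per_event)
    return total


def ale_reduction(threats: Iterable[Threat]) -> float:
    """Slide 16: S = ALE(baseline) - ALE(with new safeguards)."""
    threats = list(threats)
    return total_ale(threats, False) - total_ale(threats, True)


def annual_benefit(threats: Iterable[Threat], new_venture_profit: float = 0.0) -> float:
    """Slide 16: B = S + (profit from new ventures)."""
    return ale_reduction(threats) + new_venture_profit


def return_on_security_investment(benefit: float, annual_cost: float) -> float:
    """(B - cost) / cost; the slides name ROSI but give no formula, so this definition is assumed."""
    if annual_cost <= 0:
        raise ValueError("annual safeguard cost must be positive")
    return (benefit - annual_cost) / annual_cost


# Constructed threat register; rates, values and effectiveness are illustrative only.
THREATS = [
    Threat("phishing-driven account takeover", annual_rate=4.0, loss_per_event=12_000.0,
           safeguard_effectiveness=0.75),
    Threat("ransomware outbreak", annual_rate=0.2, loss_per_event=250_000.0,
           safeguard_effectiveness=0.5),
    Threat("lost unencrypted laptop", annual_rate=2.0, loss_per_event=5_000.0),
]


def evaluate_safeguard(threats=THREATS, annual_cost: float = 35_000.0,
                       new_venture_profit: float = 9_000.0) -> dict:
    """Return the ALE figures, S, B and the investment ratio for one safeguard decision."""
    baseline = total_ale(threats, False)
    with_safeguards = total_ale(threats, True)
    benefit = annual_benefit(threats, new_venture_profit)
    return {
        "ale_baseline": baseline,                # 108 000
        "ale_with_safeguards": with_safeguards,  # 47 000
        "S": baseline - with_safeguards,         # 61 000
        "B": benefit,                            # 70 000
        "rosi": return_on_security_investment(benefit, annual_cost),  # 1.0
    }


if __name__ == "__main__":
    for key, value in evaluate_safeguard().items():
        print(f"{key}: {value:,.2f}")
```

The third threat has no safeguard effectiveness, so its ALE is unchanged in both totals; that is the case a practitioner should watch for, because a safeguard that does not touch the largest residual loss will show a small S however well it performs elsewhere.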

  17. Return on Security Information (cont.)
     • Internal Rate of Return (IRR) [Gordon and Loeb 2002]

  18. Conclusion
     • Investment in information security
     • Risk quantification methods – ALE
     • Return on security investment (ROSI)

  19. Comments
     • Evaluation of paper
       • Sound but dull
     • Recommendation
       • Reject
       • All of the economic models and approaches are previous research results.
       • The authors must propose some brand-new concepts or models to evaluate information security in the organization to enhance the contribution of this article.
