Legal, Regulatory & Public Policy Constraints on Risk Analysis
John W. Bagby, Prof. of IST IIP
Roles of Law/Reg/Policy in Risk Analysis & Risk Management
• Law Resolves Disputes, Shifts Risk of Loss
• Risk Analysis Failure Shifts Liability Risks to Creator
• Actual Injuries Trigger Disputes over Risk Duties
• Law Defines Risks & Duties of Care
  • Crimes, Torts, Contracts, Standards, Determination of Injury
• Law Dis-Incentivizes Risky Deeds (DD&tDDC)
• Law Defines Risk Management Duties
• Law Compensates Injuries Derived from
• Law Defines/Constrains Damage Computation
• Law Encourages Risk Mgt
• Law Defines Risk Mgt Professionalism
• Law Enforces Risk Shifting Contracts
• Law Requires Risk Analysis & Impacts Methods
  • But Law may Disincentivize Introspection w/o Self-Eval Privilege
• Law Regulates Risk Management Industry
• Law Enforces Risk Mgt Profession’s Arrangements
Risk Analysis is Sectoral
• Risk Analysis Differs by Domain
  • Just like U.S. Privacy Law
• Major Differences: Physical vs. Intangible Security
  • Most domains blend tangible w/ information
• Many Key Domains Track Critical Infrastructures as defined in USA Patriot’s CIPA §1016(e)
  • “…systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
  • telecommunications; electrical power systems; gas & oil storage & transportation; banking & finance; transportation; water supply systems; emergency services (e.g., medical, police, fire, & rescue); govt. continuity & CyberSpace
• Calls for National Effort to Enhance Modeling & Analytical Capacities
  • appropriate mechanisms to ensure the stability [of] complex & interdependent systems, [incl] continuous viability & adequate protection of critical infrastructures
• What is Shared Among these Vastly Different Sectors?
SRA’s Profoundly Different Sectors (slide word cloud; sector names recovered from the image): Terrorism, Piracy; Litigation; Legislation; Financial (Default, Systematic, Recordkeeping, Fraud, Derivatives); Environmental, Ecological, Toxic/Hazardous Substances, Pollution, Contaminants, Microbial, Nanoparticles; Safety; Political; Design; Manufacturing; Intelligence; Medicine; Nuclear Power; Construction; Food Safety; Drinking Water; Foreign Trade; Energy Availability/Sustainability; Climate, Natural Disasters & Response; Infringements; Public Health & Lifestyle; Crime; Malpractice, Fiduciary Breach; Property, Casualty; Data Availability/Integrity; Cyber Attack; Aerospace; Chemicals; Government/Regulation; Defense
Law Permits/Regulates Risk Analytics (slide word cloud; method names recovered from the image): Quantitative; Statistical; Actuarial; Mortality & Morbidity; Admissibility of Forensic Quality Expertise; Decision Analysis; Failure Analysis; Qualitative; Heuristic; Visualization; Interdependence; Risk Assessment Education; Demographics; Risk Recognition; Emotion
FIPP Std: Integrity &/or Security
• Collector/Archiver/Custodians
  • Reasonable steps to assure accuracy of PII
  • Administrative & technical security measures
• Standards:
  • Prevent unauthorized access
  • Prevent unauthorized disclosure
  • Prevent destruction
  • Prevent misuse
• Relationship to SOX Internal Control & Data Security
Financial Info Security Risks: FTC
• FTC “Safeguards Rule” Imposes Standards for Safeguarding Customer Information
  • Regulated financial institutions must develop, implement & maintain reasonable administrative, technical & physical safeguards to protect the security, confidentiality & integrity of customer information
  • Flexible: need be appropriate to institution’s size & complexity
• Risk Analysis Required
  • Designate Data Security Employee(s)
  • Perform Risk Assessment; at least, evaluate risks in:
    • Employee training & management
    • Information systems, including, inter alia:
      • Network & software design
      • Information processing, storage, transmission & disposal
    • Detecting, preventing & responding to attacks, intrusions or system failures
Financial Info Security Risks: SEC
• Financial Institutions w/in SEC Juris. Must:
  • Adopt written policies & procedures, reasonably designed to …
    • Insure security & confidentiality of customer records
    • Protect against anticipated threats or hazards
    • Protect against unauthorized access or use that could result in substantial harm or inconvenience
• Disposal Rule:
  • must properly dispose of PII using reasonable measures to protect against unauthorized access to or use of PII
Controls over Internal Risks: COSO’s Definition of Internal Control
• “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in these categories:
  • effectiveness and efficiency of operations;
  • reliability of financial reporting; and
  • compliance with applicable laws and regulations.
• Components of Internal Control are:
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information & Communication
  - Monitoring
GLB Safeguards Rule
• Financial institutions must design, implement and maintain safeguards
  • Purpose: to protect private info
• Must implement written information security program
  • appropriate to company's size & complexity, nature & scope of activities, & sensitivity of customer data
• Security program must also:
  • assign one or more employees to oversee program;
  • conduct risk assessment;
  • put safeguards in place to control risks identified in assessment, then regularly test & monitor them;
  • require service providers, by written contract, to protect customers' personal information; &
  • periodically update security program
What Are OffShore Outsourcing Risks?
• Cost Focus Myopia
• Unwarranted due diligence suspension
• Cultural Ignorance
• Identifying Scalability Challenges
• Remedies for Service Failure
• Retrieving Hosted Assets
• IP…Ip…ip
• Transitioning to Substitute Service Provider
• Designing Service Level Metrics, negotiating SLC
• Incompatible Functions (security)
• Lou Dobbs engenders grassroots political pressure to advance reactionary policies:
  • Protectionism, Xenophobia, Nationalism
Admitting then Analyzing Outsourcing Risks
• Not Outsourcing Risks Internal Failure
• Interdependency Reduces (Some) Risks of Conflict
• Outsourcing Sacrifices Monitoring, Risking Injury from Diminished Control
• Slipshod Rush to Outsource for $avings
• Cross-Cultural Ignorance Obscures Outsourcing Vulnerabilities
• SAS 70 Requires Outsourcing Risk Analysis/Mgt
• SLC Negotiation Opportunities to Reduce Risk
NIST Risk Mgt Method
• Asset Valuation
  • Information, software, personnel, hardware, & physical assets
  • Intrinsic value & the near-term impacts & long-term consequences of its compromise
• Consequence Assessment
  • Degree of harm or consequence that could occur
• Threat Identification
  • Typical threats are error, fraud, disgruntled employees, fires, water damage, hackers, viruses
NIST Risk Mgt Method
• Vulnerability Analysis
  • Analyzed in terms of missing safeguards
• Safeguard Analysis
  • Any action that reduces an entity’s vulnerability to a threat
  • Includes the examination of existing security measures & the identification of new safeguards
• Risk Management Requires Risk Analysis
  • “The Process of Identifying, Controlling and Minimizing the Impact of Uncertain Events” (NIST, 1995 @59)
Source: NIST Handbook
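The NIST Handbook steps on the two slides above, carried through as a small worked model: assets are valued, threats are identified, vulnerability is expressed as the safeguards a threat lacks, and safeguard analysis asks what each missing safeguard would buy. This is an added example, not the NIST Handbook’s or the author’s code; every asset, threat, rate, exposure and safeguard value is constructed for illustration.

```python
from dataclasses import dataclass
# Constructed walk-through of the NIST Handbook steps: asset valuation, consequence
# assessment, threat identification, missing-safeguard analysis, safeguard analysis.
# All assets, threats, rates and values below are invented for illustration.

@dataclass
class Asset:
    name: str
    value: float           # intrinsic value plus cost of its compromise, in dollars
@dataclass
class Safeguard:
    name: str
    rate_reduction: float  # fraction by which it cuts a threat's annual rate
    in_place: bool = False
@dataclass
class Threat:
    name: str
    asset: str             # asset the threat acts on
    annual_rate: float     # expected occurrences per year with no safeguards
    exposure: float        # fraction of asset value lost per occurrence (0..1)
    countered_by: list     # names of safeguards that would reduce this threat

def annual_loss(threat, assets, safeguards):
    """Annualized loss expectancy after the safeguards already in place."""
    rate = threat.annual_rate
    for name in threat.countered_by:
        if safeguards[name].in_place:
            rate *= 1.0 - safeguards[name].rate_reduction
    return rate * assets[threat.asset].value * threat.exposure

def analyze(assets, threats, safeguards):
    """Rank threats by residual annual loss and list the safeguards each lacks."""
    rows = [(t.name, round(annual_loss(t, assets, safeguards), 2),
             [s for s in t.countered_by if not safeguards[s].in_place])
            for t in threats]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def safeguard_benefit(name, assets, threats, safeguards):
    """Annual loss avoided if one currently missing safeguard were added."""
    trial = dict(safeguards)  # copy so the real register is not mutated
    trial[name] = Safeguard(name, safeguards[name].rate_reduction, True)
    before = sum(annual_loss(t, assets, safeguards) for t in threats)
    after = sum(annual_loss(t, assets, trial) for t in threats)
    return round(before - after, 2)

# Constructed sample register: two assets, three safeguards (one in place), three threats.
ASSETS = {a.name: a for a in [Asset("customer-db", 500_000.0), Asset("web-server", 50_000.0)]}
SAFEGUARDS = {s.name: s for s in [Safeguard("offsite-backup", 0.9, True),
                                  Safeguard("mfa", 0.8), Safeguard("patching", 0.6)]}
THREATS = [Threat("credential theft", "customer-db", 0.5, 0.4, ["mfa"]),
           Threat("fire/water damage", "web-server", 0.05, 1.0, ["offsite-backup"]),
           Threat("unpatched service exploit", "web-server", 1.0, 0.3, ["patching", "mfa"])]
```

Calling `analyze(ASSETS, THREATS, SAFEGUARDS)` ranks the threats by residual loss with their missing safeguards, and `safeguard_benefit("mfa", ...)` shows the loss a single new safeguard would avoid across every threat it counters.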
Law & Economics of Risk Analysis
• The Micro-Economics Fundamentals define the Incentives to Invest & Innovate in Risk Reduction
• Lack of incentive directly risks market loss
  • Security features are integral to products & services
• Liability for product or service failure
  • Defective design
  • Defects in manufacturing
  • Defective Packaging or Transit
  • Failure to warn
  • Malpractice
• Insufficient incentives for optimal security
Externalities
• Role of Externalities
• Negative Externalities:
  • all costs not borne by actor but at least some by others
• Positive Externalities:
  • all benefits not enjoyed by actor but at least some by others
• Free Riders Almost Always Emerge when Externalities are Present
• Classic Case I: Pollution Control Requirements
  • Polluters save on controls, society suffers (e.g., health, quality of life)
  • Environmentalism costs polluters but society benefits
  • Incentives: under-invest, hide activities, argue/lobby that costs are speculative, illusory or non-existent
  • Moral Hazard: person or organization does not bear the full adverse consequences of its actions
• Classic Case II: Workplace Safety Regulation
  • Safety under-investment costs borne by workers
• Classic Case III: Privacy
  • Security under-investment costs borne by individuals
Free Riders & Public Goods
• Free Riders illustrate market failure
  • Cause negative externalities or benefit from positive externalities
  • Do not internalize their costs or benefits
  • Essentially ride free on (enjoy) others’ investments & expenses
• Public Goods
  • Non-rival, under-produced by competitive markets
  • Producers risk free riders whom they cannot effectively exclude from positive externalities
  • Producers under-invest w/o clear business model & return
  • EX: defense, law enforcement, justice system, property rights, public transport centers (wharves, airports, roads), fireworks, lighthouses, environmental quality, some information goods (e.g., software development, authorship, invention), public educ.
• How can you argue that Security is a public good?
• What public responses might improve security?
  • CyberCrime Enforcement
Asymmetric Information Theory
• Transactors have unequal bargaining power
  • Akerlof, George, The Market for Lemons: Quality Uncertainty & the Market Mechanism (1970)
• Two transacting parties do not have the same relevant information
• Classic Examples:
  • buyers know less than sellers about product quality
  • lenders know less about borrower’s propensity to default
• Seller’s incentive to pass off low quality goods as higher quality, hide defects
• Security performance generally unknown to customers
• Security Breach Notification laws: classic legislation correcting market failure (asymmetric info)
Adverse Selection
• Asymmetries Induce Adverse Selection
• Asymmetries lead to bad results when
  • Buyers purchase “bad” products or pay too much
  • Sellers select bad buyers or charge too little
• As adverse selection experience grows:
  • Buyers retreat, seek intermediaries (assistance, repairs), suffer higher opportunity costs
  • Sellers lose money, use intermediaries, even fail
• Sub-Optimal Signals
  • More bad sellers/buyers, fewer good products
  • Custodians & 3d P service providers untrustworthy
Moral Hazard
• Moral Hazard is a form of externality:
  • Person or organization fails to bear full costs of actions, causing adverse selection
• EX: Smokers/parachutists/drunks hide their habit or activities when buying health/life ins.
• EX: US vs. UK in re ATM & credit card fraud
  • US banks liable for card fraud, UK banks not
  • US banks invest more heavily to avoid losses
  • UK banks lazy & careless, suffer avalanche of fraud
  • Individuals should/could do more self-protection
Least Cost Provider
• Liability generally most justifiable for:
  • Party with greatest responsibility to analyze risk & safeguard safety, quality & security
  • Party w/ lowest cost of services
  • Party financially able to burden risk
• Economics urges Public Policy to incentivize least cost provider
• Who is info security’s least cost provider?
  • Individuals, ISP, s/w licensor, h/w supplier
Risk Analysis & Management Aspects of Standardization
• Standardization promises superior process design & best practice integration
  • Domain experts develop rather than meddlers
• Standards Reduce Risks of Variety
  • Incompatibility, Incompetence
• Conformity Assessment Analyzes Non-Compliance Risk, Provides Feedback
  • Incentivizes Compliance & Improvement
• However, Standardization Risks Stagnancy & Communicates Widespread Vulnerability
Standards ARE Important!
• Standards Impact Nearly All Fields
  • SDA Participants, Affected Parties, Int’l Orgs, Gov’t Agencies, SROs, NGOs
• eCommerce & Internet largely dependent on Stds:
  • EX: html, http, 802.11, x.25 packet switching …
• Stds Embody Considerable Innovation
  • SDA have Innovation Life Cycle Independent of Products/Services Compliant w/ Std
• Std Innovation Occurs in Various Venues
  • Inside innovating firms, inherent in many products, inside technical domain groups (trade assoc., professional societies, indus. consortia)
Why are Standards Important?
• Stds Increasingly an Emerging Source of Policy
  • Lessig’s Code cited for IT trend:
    • Public policy embedded in s/w, f/w, h/w & ICT stds
• Do SDA Approximate Traditional Policymaking?
  • Do SDA decrease public’s consideration/deliberation?
  • Are SDA transparent?
  • Are stds’ downstream impacts so embodied w/in code or technical compatibility details that they are obscured from public review?
• SDA Participants Use Non-Gov’t Venues
  • Forum Shopping may be Widespread
  • Classic “Race to the Bottom”
Why are Standards Important?
• Stds are emerging from obscurity
  • More widely understood to impact most economic activity
  • Increasingly viewed less as technically objective matters; more as arbitrary choices from among near infinite alternatives
  • Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms who participate most effectively
Why Standards May Impact CyberSecurity Methods
• Stds Create CyberSpace: html, ftp, http, 802.11
• General Advantages of Standardization
  • Facilitates comparison, interoperability, competition
  • Attracts investment in compatible technologies, products & services
• General Disadvantages of Standardization
  • Lock in old/obsolete technology
  • Resists favorable evolution or adaptation
  • Favors particular groups & disfavors particular groups
  • Voluntary Consensus is really a Sub-optimal Compromise that Dictates too much Design