Legal, Regulatory & Public Policy Constraints on Risk Analysis

Legal, Regulatory & Public Policy Constraints on Risk Analysis. John W. Bagby Prof. of IST IIP. Roles of Law/Reg/Policy in Risk Analysis & Risk Management. Law Resolves Disputes, Shifts Risk of Loss Risk Analysis Failure Shifts Liability Risks to Creator


Presentation Transcript


  1. Legal, Regulatory & Public Policy Constraints on Risk Analysis John W. Bagby Prof. of IST IIP

  2. Roles of Law/Reg/Policy in Risk Analysis & Risk Management • Law Resolves Disputes, Shifts Risk of Loss • Risk Analysis Failure Shifts Liability Risks to Creator • Actual Injuries Trigger Disputes over Risk Duties • Law Defines Risks & Duties of Care • Crimes, Torts, Contracts, Standards, Determination of Injury • Law Dis-Incentivizes Risky Deeds (DD&tDDC) • Law Defines Risk Management Duties • Law Compensates Injuries Derived from • Law Defines/Constrains Damage Computation • Law Encourages Risk Mgt • Law Defines Risk Mgt Professionalism • Law Enforces Risk Shifting Contracts • Law Requires Risk Analysis & Impacts Methods • But Law may Disincentivize Introspection w/o Self-Eval Privilege • Law Regulates Risk Management Industry • Law Enforces Risk Mgt Profession’s Arrangements

  3. Risk Analysis is Sectoral • Risk Analysis Differs by Domain • Just like U.S. Privacy Law • Major Differences: Physical vs. Intangible Security • Most domains blend tangible w/ information • Many Key Domains Track Critical Infrastructures as defined in USA Patriot’s CIPA §1016(e) • “…systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” • telecommunications; electrical power systems; gas & oil storage & transportation; banking & finance; transportation; water supply systems; emergency services (e.g., medical, police, fire, & rescue), govt. continuity & CyberSpace • Calls for National Effort to Enhance Modeling & Analytical Capacities • appropriate mechanisms to ensure the stability [of] complex & interdependent systems, [incl] continuous viability & adequate protection of critical infrastructures • What is Shared Among these Vastly Different Sectors?

  4. SRA’s Profoundly Different Sectors: Terrorism, Piracy Litigation Legislation Financial (Default, Systematic, Recordkeeping, Fraud, Derivatives) Environmental, Ecological, Toxic/Hazardous Substances, Pollution, Contaminants, Microbial NanoParticles Safety Political Design Manufacturing Intelligence Medicine Nuclear Power Construction Food Safety Drinking Water Foreign Trade Energy Availability/ Sustainability Climate, Natural Disasters & Response Infringements Public Health & Lifestyle Crime Malpractice, Fiduciary Breach Property, Casualty Data Availability/Integrity Cyber Attack Aerospace Chemicals Government/Regulation Defense

  5. Law Permits/Regulates Risk Analytics: Quantitative Statistical Actuarial Mortality & Morbidity Admissibility of Forensic Quality Expertise Decision Analysis Failure Analysis Qualitative Heuristic Visualization Interdependence Risk Assessment Education Demographics Risk Recognition Emotion

  6. FIPP Std: Integrity &/or Security • Collector/Archiver/Custodians • Reasonable steps to assure accuracy of PII • Administrative & technical security measures • Standards: • Prevent unauthorized access • Prevent unauthorized disclosure • Prevent destruction • Prevent misuse • Relationship to SOX Internal Control & Data Security

  7. Financial Info Security Risks: FTC • FTC “Safeguards Rule” Imposes Standards for Safeguarding Customer Information • Regulated financial institutions must develop, implement & maintain reasonable, administrative, technical & physical safeguards to protect the security, confidentiality & integrity of customer information • Flexible: need be appropriate to institution’s size & complexity • Risk Analysis Required • Designate Data Security Employee(s) • Perform Risk Assessment, at least, evaluate risks in: • Employee training & management • Information systems, including, inter alia • Network & software design • Information processing, storage, transmission & disposal • Detecting, preventing & responding to attacks, intrusions or system failures

  8. Financial Info Security Risks: SEC • Financial Institutions w/in SEC Juris. Must: • Adopt written policies & procedures, reasonably designed to … • Insure security & confidentiality of customer records • Protect against anticipated threats or hazards • Protect against unauthorized access or use that could result in substantial harm or inconvenience • Disposal Rule: • must properly dispose of PII using reasonable measures to protect against unauthorized access to or use of PII

  9. Controls over Internal Risks COSO’s Definition of Internal Control • “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in these categories: • effectiveness and efficiency of operations; • reliability of financial reporting; and • compliance with applicable laws and regulations. • Components of Internal Control are: - Control Environment - Risk Assessment - Control Activities - Information & Communication - Monitoring

  10. GLB Safeguards Rule • Financial institutions must design, implement and maintain safeguards • Purpose: to protect private info • Must implement written information security program • appropriate to company's size & complexity, nature & scope of activities, & sensitivity of customer data • Security program must also: • assign one or more employees to oversee program; • conduct risk assessment; • put safeguards in place to control risks identified in assessment then regularly test & monitor them • require service providers, by written contract, to protect customers' personal information; & • periodically update security program

  11. What Are OffShore Outsourcing Risks? • Cost Focus Myopia • Unwarranted due diligence suspension • Cultural Ignorance • Identifying Scalability Challenges • Remedies for Service Failure • Retrieving Hosted Assets • IP…Ip…ip • Transitioning to Substitute Service Provider • Designing Service Level Metrics, negotiating SLC • Incompatible Functions (security) • Lou Dobbs engenders grassroots political pressure to advance reactionary policies: • Protectionism, Xenophobia, Nationalism

  12. Admitting then Analyzing Outsourcing Risks • Not Outsourcing Risks Internal Failure • Interdependency Reduces (Some) Risks of Conflict • Outsourcing Sacrifices Monitoring Risking Injury from Diminished Control • Slipshod Rush to Outsource for $avings • Cross-Cultural Ignorance Obscures Outsourcing Vulnerabilities • SAS 70 Requires Outsourcing Risk Analysis/Mgt • SLC Negotiation Opportunities to Reduce Risk

  13. NIST Risk Mgt Method • Asset Valuation • Information, software, personnel, hardware, & physical assets • Intrinsic value & the near-term impacts & long-term consequences of its compromise • Consequence Assessment • Degree of harm or consequence that could occur • Threat Identification • Typical threats are error, fraud, disgruntled employees, fires, water damage, hackers, viruses

  14. NIST Risk Mgt Method • Vulnerability Analysis • Safeguard Analysis • Any action that reduces an entity’s vulnerability to a threat • Includes the examination of existing security measures & the identification of new safeguards • Risk Management Requires Risk Analysis • Analyzed in terms of missing safeguards • “The Process of Identifying, Controlling and Minimizing the Impact of Uncertain Events” (NIST, 1995 @59) Source: NIST Handbook

  15. Law & Economics of Risk Analysis • The Micro-Economics Fundamentals define the Incentives to Invest & Innovate in Risk Reduction • Lack of incentive directly risks market loss • Security features are integral to products & services • Liability for product or service failure • Defective design • Defects in manufacturing • Defective Packaging or Transit • Failure to warn • Malpractice • Insufficient incentives for optimal security

  16. Externalities • Role of Externalities • Negative Externalities: • all costs not borne by actor but at least some by others • Positive Externalities: • all benefits not enjoyed by actor but at least some by others • Free Riders Almost Always Emerge when Externalities are Present • Classic case I: Pollution Control Requirements • Polluters save on controls, society suffers (e.g., health, quality of life) • Environmentalism costs polluters but society benefits • Incentives: • under-invest, hide activities, argue/lobby that costs are speculative, illusory to non-existent • Moral Hazard: person or organization does not bear full adverse consequences of its actions • Classic Case II: Workplace Safety Regulation • Safety under-investment costs borne by workers • Classic Case III: Privacy • Security under-investment costs borne by individuals

  17. Free Riders & Public Goods • Free Riders illustrate market failure • Cause negative externalities or benefit from positive externalities • Do not internalize their costs or benefits • Essentially ride free on (enjoy) others’ investments & expenses • Public Goods • Non-rival, under-produced by competitive markets • Producers risk free riders whom they cannot effectively exclude from positive externalities • Producers under-invest w/o clear business model & return • EX: defense, law enforcement, justice system, property rights, public transport centers (wharves, airports, roads), fireworks, lighthouses, environmental quality, some information goods (e.g., software development, authorship, invention), public educ. • How can you argue that Security is a public good? • What public responses might improve security? • CyberCrime Enforcement

  18. Asymmetric Information Theory • Transactors have unequal bargaining pwr • Akerlof, George, The Market for Lemons: Quality Uncertainty & the Market Mechanism (1970) • Two transacting parties do not have the same relevant information • Classic Examples: • buyers know less than sellers about product quality • lenders know less about borrower’s propensity to default • Seller’s incentive to pass off low quality goods as higher quality, hide defects • Security performance generally unknown to customers • Security Breach Notification laws: classic legislation correcting market failure (asymmetric info)

  19. Adverse Selection • Asymmetries Induce Adverse Selection • Asymmetries lead to bad results when • Buyers purchase “bad” products or pay too much • Sellers select bad buyers or charge too little • As adverse selection experience grows: • Buyers retreat, seek intermediaries (assistance, repairs), suffer higher opportunity costs • Sellers lose money, use intermediaries, even fail • Sub-Optimal Signals • More bad sellers/buyers, fewer good products • Custodians & 3d P service providers untrustworthy

  20. Moral Hazard • Moral Hazard is a form of externality: • Person or organization fails to bear full costs of actions causing adverse selection • EX: Smokers/parachutists/drunks hide their habit or activities when buying health/life ins • EX: US vs. UK in re ATM & credit card fraud • US banks liable for card fraud, UK banks not • US banks invest more heavily to avoid losses • UK banks lazy & careless, suffer avalanche of fraud • Individuals s/could do more self-protection

  21. Least Cost Provider • Liability generally most justifiable for: • Party with greatest responsibility to analyze risk & safeguard safety, quality & security • Party w/ lowest cost of services • Party financially able to burden risk • Economics urges Public Policy to incentivize least cost provider • Who is info security’s least cost provider? • Individuals, ISP, s/w licensor, h/w supplier

  22. Risk Analysis & Management Aspects of Standardization • Standardization promises superior process design & best practice integration • Domain experts develop rather than meddlers • Standards Reduce Risks of Variety • Incompatibility, Incompetence • Conformity Assessment Analyzes Non-Compliance Risk, Provides Feedback • Incentivizes Compliance & Improvement • However, Standardization Risks Stagnancy & Communicates Widespread Vulnerability

  23. Standards ARE Important! • Standards Impact Nearly All Fields • SDA Participants, Affected Parties, Int’l Orgs, Gov’t Agencies, SROs, NGOs • eCommerce & Internet largely dependent on Stds: • EX: html, http, 802.11, x.25 packet switching … • Stds Embody Considerable Innovation • SDA have Innovation Life Cycle Independent of Products/Services Compliant w/ Std • Std Innovation Occurs in Various Venues • Inside innovating firms, inherent in many products, inside technical domain groups (trade assoc., professional societies, indus. consortia)

  24. Why are Standards Important? • Stds Increasingly an Emerging Source of Policy • Lessig’s Code cited for IT trend: • Public policy embedded in s/w, f/w, h/w & ICT stds • Do SDA Approximate Traditional Policymaking? • Do SDA decrease public’s consideration/deliberation? • Are SDA transparent? • Are stds’ downstream impacts so embodied w/in code or technical compatibility details that they are obscured from public review? • SDA Participants Use Non-Gov’t Venues • Forum Shopping may be Widespread • Classic “Race to the Bottom”

  25. Why are Standards Important? • Stds are emerging from obscurity • More widely understood to impact most economic activity • Increasingly viewed less as technically objective matters; more as arbitrary choices from among near infinite alternatives • Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms who participate most effectively

  26. Why Standards May Impact CyberSecurity Methods • Stds Create CyberSpace: html, ftp, http, 802.11 • General Advantages of Standardization • Facilitates comparison, interoperability, competition • Attracts investment in compatible technologies, products & services • General Disadvantages of Standardization • Lock in old/obsolete technology • Resists favorable evolution or adaptation • Favors particular groups & disfavors particular groups • Voluntary Consensus is really a Sub-optimal Compromise that Dictates too much Design
