
Security Standardization in the Presence of Unverifiable Control

The University of Texas at Dallas. Chul Ho Lee, with Dr. Geng and Dr. Raghunathan. Security Standardization in the Presence of Unverifiable Control. 2011.6.15. Agenda: Introduction & Research Question; Literature Review; Model Setup; Model Analysis.





Presentation Transcript


  1. The University of Texas at Dallas. Chul Ho Lee, with Dr. Geng and Dr. Raghunathan. Security Standardization in the Presence of Unverifiable Control. 2011.6.15

  2. Agenda: Introduction & Research Question; Literature Review; Model Setup; Model Analysis

  3. Introduction – The emergence of security standards
     • Damages from security breaches often go beyond the organizational boundary
       • 2006: the U.S. Department of Veterans Affairs lost personal information on 26.5 million people
       • 2007: retailer TJX Companies lost 46.2 million credit and debit cards
       • 2005: identity theft resulted in corporate and consumer losses of $56 billion
     • Firms do not have an incentive to protect stakeholder value outside their boundaries
     • “Regulation forces companies to take security more seriously.” - Bruce Schneier (2008)
       • For the payment card industry: PCI-DSS
         • Among the Level 1 retailers Gartner surveyed, an average of 2.7 million was spent to become PCI compliant
       • For all federal government agencies: NIST security standards

  4. Introduction – But do security standards really help?
     The number of breached companies has kept increasing since 2005.
     [Chart: The Number of Breached Companies (Business), 2004 to 2009, annotated with PCI DSS releases: Dec. 2004 PCI DSS released; Sep. 2006 Version 1.1 released; Oct. 2008 Version 1.2 released; Oct. 2010 Version 2.0 released]

  5. Introduction – Relaxing of the PCI-DSS standard
     Is it just a coincidence?
     • On October 1, 2008, PCI-DSS version 1.2 was adopted
     • A major change in this version is the relaxation of some standards
       • “changed frequency of rule set review from quarterly to at least every six months.”
     • Why relax the standards?
       • Has the number of security breaches decreased since the same year?

  6. Introduction – Security Configuration
     [Diagram: two security configurations protecting the digital assets; the security configurations are different]

  7. Introduction – What is breached is often not regulated
     • Heartland Payment Systems: data in transit was stolen
     • Miller and Tucker (2010) state “the focus on encryption as a solution may be misplaced, because so many instances of electronic data loss are due to negligence or internal fraud rather than direct instances of hacking.”
     • Evidence that attackers deliberately target unregulated security controls:
       • targeting data in transit (Heartland Payment Systems)
       • targeting the wireless network (TJX Companies)
     Why are some security controls not regulated by standards?
     • Some controls are difficult to measure or to use as court evidence
     • Some controls are measurable but cost-prohibitive
     • New security controls constantly emerge because of the fast-evolving nature of information security
     In this paper we refer to such security controls as unverifiable controls.

  8. Introduction – Standard compliance helps not only in fighting security attacks, but also in fights in court (Liability Reduction)
     • Heartland Payment Systems and TJX Companies
       • Heartland and TJX were certified as PCI compliant at the time of their breaches and had received this certification several times
       • When they were breached, both companies used their PCI compliance as court evidence
     • QIRA (Qualified Incident Response Assessors) determine the merchant’s PCI compliance for the lawsuit (Navetta, 2009)
       • The actual legal obligations in the event of a security breach include not only the contract itself but also the specific mandates of the payment card operating regulations
       • A QIRA report coming down on the side of non-compliance can be extremely damaging to the company
     The standard serves dual roles.

  9. Introduction – A study of security standardization that highlights unverifiable controls and the liability reduction effect
     • We consider a scenario with two security controls, where one is verifiable and the other is unverifiable
     • We consider the liability reduction effect
     • We seek to explain the counter-intuitive data mentioned before
     • We consider two security configurations: parallel configuration and serial configuration

  10. Introduction – Research Questions
     • How does a standard on a verifiable control affect firm effort on an unverifiable control?
     • How does a standard on a verifiable control affect overall firm security?
     • How do security configuration and liability reduction affect overall firm security?
     • How does unobservability affect overall firm security?
     • How does attack strategy affect firm effort and the security standard?

  11. Agenda: Introduction & Research Question; Literature Review; Model Description; Model Analysis

  12. Literature Review
     Empirical papers
     • Romanosky et al. (2009): the adoption of data breach disclosure laws has a marginal effect on the reduction in incidences of identity theft.
     Economics models
     • Bernheim and Whinston (1998): it is often optimal to specify an incomplete contract when some aspects of performance are unverifiable.
     • Hendricks and McAfee (2006): consider a signaling model to analyze attacker-defender games.
     Related research from accounting
     • Dye (1993): the average quality of audits may decline as the auditing standard becomes tougher.
     • Schwartz (1998): the socially optimal commitment according to standards is achievable if the auditor’s legal liability regime is strict liability and is independent of the actual investment.
     • Ewert and Wagenhofer (2005): tighter accounting standards reduce earnings management and provide more relevant information to the capital market.
     What is new?
     • This is the first paper to deal with security standards from a policy maker’s perspective.
     • We consider a model in which multiple security controls exist and standards cannot be imposed on all of them.
     • We consider strategic attackers who may use information from standards and change their attack strategy.

  13. Agenda: Introduction & Research Question; Literature Review; Model Description; Model Analysis

  14. Model Setup
     We are interested in the scenario where, if the digital asset or service is compromised by attacks, damages go beyond the firm boundary.
     • Players
       • One firm that is in charge of protecting a digital asset or service using two security controls
       • A representative attack that may assail the security controls in order to compromise the digital asset/service
       • One policy maker that aims to optimize social welfare
     • Security controls
       • In order to protect the digital asset, the firm needs to invest in two security controls, V (Verifiable) and N (Nonverifiable).
     • Breach probability functions
       • parallel configuration
       • serial configuration
       • strategic attacker

  15. Model Setup
     While the direct control of security investments is in the hands of the firm, the policy maker can indirectly affect firm investments through standards.
     • Social welfare
     • Firm’s payoff
     • For the scope of this paper, we focus on security standards that have strict enforcement power, so that the affected firm has to unconditionally conform.

  16. Model Setup – Timing of the Model
     [Timeline figure; the first step shown is that the policy maker announces the standard]

  17. Agenda: Introduction & Research Question; Literature Review; Model Description; Model Analysis

  18. Model Analysis – The impact of the standard
     Unverifiable control
     • The firm’s effort on an unverifiable control can increase or decrease in the security standard.
     Overall security
     • A high security standard can help or hurt the firm’s overall security.

  19. Model Analysis – The impact of security configuration
     Parallel configuration
     • The firm’s effort on an unverifiable control can decrease under a high security standard.
     • Overall firm security can decrease under a high security standard.
     Serial configuration
     • The firm’s effort on the unverifiable control decreases in the security standard.
     • Overall firm security can decrease under a low security standard.

  20. Model Analysis – The impact of the standard (Comparative Statics)
     High liability reduction
     • If the liability reduction effect is high enough, a higher security standard hurts the firm’s security under the parallel configuration.
     • If the liability reduction effect is high enough, a lower security standard can hurt the firm’s security under the serial configuration.
     Low liability reduction
     • If the liability reduction effect is low, the security standard improves the firm’s security under the parallel configuration.
     • If the liability reduction effect is low, the security standard improves the firm’s security under the serial configuration.

  21. Model Analysis – The impact of Unobservability and Unverifiability
     Naïve standard - Unobservability
     • The policy maker does not recognize the existence of the unverifiable control N.
     • The naïve standard over-estimates the marginal value of improving control V.
     • The naïve standard maker oversets the security standard.
     First-best standard - Unverifiability
     • The policy maker believes that he can control both security controls.
     • The first-best standard maker oversets the security standard under the parallel configuration.
     • The first-best standard maker may overset or underset the security standard under the serial configuration.

  22. Model Analysis – The impact of attack strategy
     Strategic attack
     • Strategic attacker’s behavior
       • First identify (or infer in equilibrium) the weakest link
       • Then concentrate on this weakest link
     • Relevant only to the parallel configuration

  23. Model Analysis – The impact of attack strategy
     Lower effective standard (i.e. )
     • Strategic attacks provide a supplementary incentive for the firm to secure the unverifiable control
     • Strategic attacks can benefit firm security
     Higher effective standard (i.e. )
     • All attacks focus on the unverifiable control
     • Under a very high standard, since strategic attacks are all directed at the unverifiable control, the standard does not improve overall security but rather decreases the effort on the unverifiable control. Therefore the standard harms security.
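A constructed toy model of the mechanism in slides 14, 22 and 23, added here as an illustration; it is not the paper's model. Its exp(-effort) breach probabilities, linear effort cost, damage D, liability share liab, the weakest-link rule for a strategic attacker under the parallel configuration, and the grid search for the firm's choice of N are all assumptions.

```python
import math

# Constructed toy model (an added illustration, not the paper's own model):
# exp(-effort) breach probabilities, linear effort cost, and a liability
# reduction that shields a compliant firm from a share of the damage.
D = 100.0              # damage when the digital asset is compromised
COST = 1.0             # cost per unit of effort on either control
N_MAX, GRID = 5.0, 200 # search range and resolution for the firm's choice of N


def breach_prob(effort):
    """Probability that one control fails; exp(-effort) is an assumed form."""
    return math.exp(-effort)


def overall_breach(v, n, config, strategic=False):
    """Breach probability of the asset given efforts v (verifiable) and n (unverifiable)."""
    pv, pn = breach_prob(v), breach_prob(n)
    if config == "serial":            # attacker must defeat both controls
        return pv * pn
    if strategic:                     # parallel, strategic attacker: all attacks hit the weakest link
        return max(pv, pn)
    return 1 - (1 - pv) * (1 - pn)    # parallel, non-strategic: either control failing suffices


def firm_best_n(s, config, liab, strategic=False):
    """Firm sets V = s (strictly enforced standard) and picks N to maximize its payoff.

    liab is the liability reduction effect: the share of damage a compliant
    firm avoids in court, so it bears only (1 - liab) * D per breach."""
    best_n, best_pay = 0.0, -math.inf
    for i in range(GRID + 1):
        n = i * N_MAX / GRID
        pay = -COST * (s + n) - (1 - liab) * D * overall_breach(s, n, config, strategic)
        if pay > best_pay:
            best_n, best_pay = n, pay
    return best_n


def security_under_standard(s, config, liab, strategic=False):
    """Return (firm's effort on N, overall breach probability) under standard s."""
    n = firm_best_n(s, config, liab, strategic)
    return n, overall_breach(s, n, config, strategic)


if __name__ == "__main__":
    # Parallel configuration with a strategic attacker: N tracks the standard
    # until the firm's own optimum, then drops below it and security stalls.
    for s in (1.0, 2.0, 3.0, 4.5, 6.0):
        n, b = security_under_standard(s, "parallel", liab=0.5, strategic=True)
        print(f"standard V>={s:.1f}: firm effort on N={n:.3f}, breach prob={b:.4f}")
```

Sweeping s shows the slide 23 pattern: below the firm's own optimum the firm matches the standard on N and security improves with s, while above it N stays put, the unverifiable control becomes the weakest link, and raising s no longer changes the breach probability.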

  24. Conclusion – What we have found is as follows…
     • This paper is a first study, from a policy maker’s perspective, of whether and how the existence of an unverifiable security control and strategic attacks affect firm security.
     • Under the parallel configuration, increasing the security standard may harm firm security
     • Under the serial configuration, increasing the security standard helps firm security
     • A boundedly rational policy maker will overestimate the optimal standard
     • Strategic attacks may benefit firm security under a lower standard
     • A higher effective standard makes the firm very risky
