1 / 47

Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College

Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College. Information Security and IT Risk Management in the Real World: Results From Field Studies. What We Study

teal
Download Presentation

Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Scott DynesCenter for Digital StrategiesTuck School of Business at Dartmouth College Information Security and IT Risk Management in the Real World: Results From Field Studies

  2. What We Study • Risks firms face as a result of using the information infrastructure to manager their extended enterprise • How firms make InfoSec investment decisions • Emergent risk from business networks • Privacy

  3. Supplier Supplier Host Su Supplier Field Study Our Field Studies: Methods Investigate a ‘host’ firm and a few suppliers of different sizes. At each firm conduct interviews to determine: - How InfoSec investment decisions are made. - How reliant the firm is on the information infrastructure for its ability to produce product. Understand the means by which the host and suppliers communicate to gauge the internal IT risk due to integration.

  4. Field Study Field Study Sector Coverage

  5. Field Study • Key Results From Field Studies Four Main Paradigms To Managing/Investing in Information Security: • The “Sore Thumb” Paradigm • The “IT Risk” Paradigm • The “Business Risk” Paradigm • The “Systemic Risk” Paradigm

  6. Field Study • Key Results From Field Studies Four Main Paradigms To Managing/Investing in Information Security: • The “Sore Thumb” Paradigm • The “IT Risk” Paradigm • The “Business Risk” Paradigm • The “Systemic Risk” Paradigm Low/No Economic Role High Economic Role

  7. Field Study • Key Results From Field Studies Firms Are Mainly Taking A Local View of Information Security • Risk in supply chain glitches, leading to business sector brittleness • Hypothesis: Firms managing risk in the extended enterprise will directly lead to greater sector resiliency

  8. Field Study • Key Results From Field Studies Local vs. Sector Views of Information Security

  9. Field Study • Key Results From Field Studies Firms Are Mainly Taking A Local View of Information Risk

  10. Field Study • Key Results From Field Studies Firms Are Mainly Taking A Local View of Information Risk

  11. Field Study • Key Results From Field Studies Firms Are Mainly Taking A Local View of Information Risk

  12. Field Study • Key Results From Field Studies Notable Incentives/Drivers For InfoSec Investment: • Customer requests - firms are very responsive • Government regulation - have to do it, but firms feel largely ineffective • Brand protection • Insurance - in unexpected ways

  13. Field Study • Conclusion • Latent Market Forces Exist • Proper Government Role: Create Markets Through Increasing Transparency • Key Challenge: Enabling Investment Against Intangible, Never-Happened-Before Risks

  14. Field Study • Production resilience to cyber disruptions Manufacturing sector: In general, production not sensitive to internet outages; supply chain sensitive to internet outages. • Once beyond first tier of suppliers, reliance on information infrastructure to manage supply chain is low • Electrical BU supply chain has ‘learned behavior’ • High-volume supply relations have extensive forecasting • Everyone would do the expected thing • Pain comes in distribution • Auto BU- centralized control strategy leads to lack of learned behavior

  15. Start of recovery 100% Productivity 0% 1 3 2 Time 10-day electrical supplier internet event 10-day auto supplier internet event 10-day oil refiner SCADA event Field Study • Production resilience to cyber disruptions

  16. Input-Output Model Leontief Model xo = Axi + c Production x Consumption c A :=Technical Coefficient Matrix calculated from U.S. Bureau of Economic Analysis data Inoperability I-O Model (IIM) qo = A* qi + c* Terrorist Attack c* Inoperability q A* := Interdependency Matrix

  17. Sector A Sector A Sector A Sector B Sector B Sector B Sector A Sector n Sector n Sector n Sector A Sector B Disruptive Event Sector n Input-Output Model Ripple Effects

  18. Manufacturer represents 5% of national capacity Integrated loss of 10-day event: $22.6 Million Manufacturer represents 5% of national capacity Integrated loss of 10-day event: $65 Million Refiner represents 10% of national capacity Integrated loss of 10-day event: $405 Million Economic Costs of Cyber-events

  19. Economic Costs of Cyber-events 10 days of U.S. GDP: ~ 330,000 MM

  20. Take-Aways • The first demonstration of an empirically-based approach to estimating national economic consequences of cyber events • The economic costs of the cyber events investigated may not be that great from a sector and national perspective. • For the sectors presented (Manufacturing, Oil Refining), supply chains are largely resilient to cyber disruptions. • Economic consequences due to cyber events depend on how, not whether firms use technology.

  21. Incentives What is an incentive? Example: UK/US ATM regulations Example: Attendee badges at RSA Security conference Example: The “Commons” Example: Stop Signs

  22. Incentives - Information Security • Home Users • What are they motivated to do? • Privacy - not necessarily important • Use of machine - is important • Result: no real incentive to protect machine until something bad happens • Bad things: • Assimilation by Bot network; Spam generator • Spyware/virii: machine becomes ever more unstable

  23. Incentives - Information Security • Business Users • What are they motivated to do? • Make Money! (rational market assumption)

  24. Economic Costs - Information Security Economic Costs of Cyber Events:

  25. InfoSec Adoption by Firms In a rational market, firms will maximize profit. After Gordon and Loeb 2002

  26. InfoSec Adoption by Firms This ‘Optimal Spending’ approach requires: • Titration of cyber losses and cyber spending • Some idea of what effect cyber spending has on cyber losses • A good idea of the threat environment in which the firm lives What are the incentives felt by directors of information security?

  27. InfoSec Adoption by Firms Drivers of Adoption of InfoSec

  28. InfoSec Adoption by Firms Drivers of Adoption of InfoSec - Inputs Baseline level of InfoSec based on: - Experience - Input from trusted colleagues - External Consultants - Trade mags/ other press Beyond baseline level, firms respond mainly to: - Customer requests/questionnaires - Government regulation

  29. InfoSec Adoption by Firms Drivers of Adoption of InfoSec - Prioritization • How were InfoSec recommendations prioritized, and received by decision-makers? • At InfoSec manager’s level, InfoSec “wants” prioritized by: • - Cost • Exposure • Internal pain

  30. InfoSec Adoption by Firms Drivers of Adoption of InfoSec - Outcomes • Making the leap from InfoSec manager to business managers, we found: • InfoSec not an important issue • InfoSec efforts largely reactive and tactical • ROI measures mainly qualitative; investments seemingly made to eliminate all InfoSec incidents (not explicitly to minimize total costs) • Most impressive firm didn’t even have the conversation.

  31. InfoSec Adoption by Firms Drivers of Adoption of InfoSec - Outcomes Managing Risk - always implicit, was never explicit Info on threats - same as inputs Info on probabilities came from: - History - Industry pubs - Gartner/Meta/etc. - Gut - “Al” - Tech Republic Info on costs of attacks came from: -Gut

  32. InfoSec Adoption by Firms Drivers of Adoption of InfoSec All firms thought of InfoSec as an expense Most thought of InfoSec as a qualifier, even though none had any InfoSec requirements of their business partners Few gave examples of InfoSec as a competitive advantage

  33. InfoSec Adoption by Firms Summary: 4 Paradigms for InfoSec Risk Management: • The ‘Sore Thumb’ Approach • The ‘IT Risk’ Approach • The ‘Business Risk’ Approach • The ‘Systemic Risk’ Approach • In most business sectors, InfoSec is not a technical challenge, but a social/organizational challenge

  34. Incentives - Information Security • Government/National Level • What are they motivated to do?

  35. Incentives - Information Security Government/National Level

  36. Incentives - Information Security Government/National Level

  37. Incentives - Information Security Government/National Level Freeman Drivers: • - Market Forces • Government Regulation • Litigation • Government Spending

  38. Incentives - Information Security Intellectual Property loss - the real worry?

  39. Incentives - Information Security Government/National Level Effects on Production of a 10-day Internet Outage at an Electrical Goods Manufacturer

  40. Incentives - Information Security Government/National Level Total Economic Effects on Production of a 10-day Internet Outage at an Electrical Goods Manufacturer - $22.6 Million

  41. Managing Cyber Risk Globally Known Globally Unknown Viruses Other OS bugs Web Site Defacement Locally Known Phishing OS bugs Best practices Applied Research ? ? ? (Phishing) Locally Unknown Education Basic Research

  42. Managing Cyber Risk Reactive IS Globally Known Globally Unknown Viruses Other OS bugs Web Site Defacement Locally Known Phishing OS bugs Implement Wait for patch ? ? ? Locally Unknown --- Unprepared when something happens

  43. Managing Cyber Risk Proactive IS Globally Known Globally Unknown Viruses Other OS bugs Web Site Defacement Locally Known Phishing OS bugs Listen, work to mitigate outcomes Implement ? ? ? Locally Unknown --- Watch, try to ID bad outcomes

  44. Managing Cyber Risk: Mind The Gap: • Manufacturer: Manager of InfoSec wants to patch critical vulnerability. Business manager would rather risk infection of machines and close the quarter. • Oil refinery: Manager of InfoSec wants better SCADA security; VP refining: “How is more SCADA security going to help me make better oil?” • Hospital: IS thinks virus event was mainly an IS event and had minor impact on clinical units; clinical unit manager : “It was a living hell” • Most every InfoSec manager: information security is not a priority with business managers.

More Related