INVESTING IN CYBERSECURITY: Lawrence A. Gordon Insights from the Gordon-Loeb Model

advertisement
INVESTING IN CYBERSECURITY:
Insights from the Gordon-Loeb Model
Lawrence A. Gordon
EY Alumni Professor of Managerial
Accounting & Information Assurance
Affiliate Professor in University of Maryland
Institute for Advanced Computer Studies
The Robert H. Smith School of Business
http://scholar.rhsmith.umd.edu/lgordon
April 2015
1
© [email protected]
Basic Facts
Cybersecurity Breaches are Growing at an Alarming Rate
100% Security Is Not Possible
Large Share of Infrastructure Assets Owned by
Private Sector Corporations
Investments in Cybersecurity Involve Resource Allocation
Decisions (i.e., Cost-Benefit Decisions or Making the
Business Case)
Cybersecurity Strategy is a National Policy Priority -Economics is Key Component of this Strategy*
2
*See Report by OECD (2012)
© [email protected]
Costs of Cybersecurity Breaches to
Corporations
Explicit Costs (e.g., Detecting and Correcting Breaches)
Implicit Costs (e.g., Reputation Effect, Potential Liability)
Impact of Breaches on Corporations
• Breaches Impact Annual Earnings of Corporations
• Large % of Breaches Do Not Have a Significant Impact
on Stock Market Returns of Firms* -- but Some Do!
• Firms Have Strengthened Remediation Strategies
(Important Part of Cybersecurity Risk Management)
• Stockholders Have Become Tolerant of Breaches
*See Appendix A for Methodology.
3
© [email protected]
Why Are Cybersecurity
Investments
So Difficult to
Justify?
They are primarily Cost Savings Projects rather than
Revenue Generating Projects (and Among the
Most Difficult Cost Savings Projects to Justify)
Their Benefits and Risks are Impossible to Measure
Precisely (Wait-and-See approach is often
Rational from an Economics perspective due to
Deferment Option)
Externalities are Important, but Hard to Justify on a
Cost-Benefit basis
4
© [email protected]
Figure 1: Benefits and Cost of an Investment
in Cyber/Information Security*
$
Cost of
Investment
vL
Expected Benefits of
Investment=(v-S[z,v])L
Benefits are Increasing
at a Decreasing Rate
v = Vulnerability/Threat
L = Potential Loss
vL = Expected Loss
z = Level of Investment
100% Security is Not
Possible
450
5
z*
Level of investment in information security
*Adapted from Gordon and Loeb, 2002a (see Appendix B).
vL
z
© [email protected]
Results of Gordon-Loeb Model*
Key Components of Optimal Amount to Invest:
• Potential Losses (Cost Savings)
• Vulnerabilities/Threats
• Productivity of Investments
Optimal Level of Cybersecurity Investments Does
Not Always Increase with Level of Vulnerability
Firms should Generally Invest ≤ 37% of Expected
Loss (i.e., Invest, but Invest Wisely)
*Economic models should be viewed as a complement to,
not as a substitute for, sound business judgment!
6
© [email protected]
How Can Organizations Use the
Gordon-Loeb Model?*
*Adapted from Gordon and Loeb, 2011 (Wall Street Journal)
Step 1. Estimate the Potential Loss (L) from a Security Breach
for each Set of Information (Info. Segmentation is Important).
Step 2. Estimate the Likelihood that an Information Set will be
Breached, by examining its Vulnerability/Threat (v) to Attack.
Step 3. Create a Grid with all the Possible Combinations of the
First Two Steps, from Low Value, Low Vulnerability/Threat to
High Value, High Vulnerability/Threat.
Step 4. Focus Spending where it Should Reap the Largest Net
Benefits Based on Productivity of Investments.
7
© [email protected]
Figure 2: Potential Loss from Information
Security Breach
Value of Information Sets (in $M)*
Medium
High
Vulnerability/Threat**
Low
Low
Medium
10%
10
1
20
2
30
3
40
4
50
5
60
6
70
7
80
8
90
9
100
10
20%
2
4
6
8
10
12
14
16
18
20
30%
3
6
9
12
15
18
21
24
27
30
40%
4
8
12
16
20
24
28
32
36
40
50%
5
10
15
20
25
30
35
40
45
50
60%
6
12
18
24
30
36
42
48
54
60
70%
7
14
21
28
35
42
49
56
63
70
80%
8
16
24
32
40
48
56
64
72
80
90%
100%
9
18
27
36
45
54
63
72
81
90
10
20
30
40
50
60
70
80
90
100
*Value of Information = Potential Loss (L)
** Vulnerability/Threat = v
8
High
Low: vL <30
Medium: 69 ≥ VL ≥ 30
High: vL ≥ 70
© [email protected]
PRODUCTIVITY OF INVESTMENTS
IN CYBERSECURITY
(Example 1)
z
S(z,Low v )
S'
S(z,Mediun v)
S(z,High v)
S'
1
0.500
0.500
0.250
0.750
0.125 0.875
2
0.333
0.167
0.111
0.139
0.037 0.088
3
0.250
0.083
0.063
0.049
0.016 0.021
4
0.200
0.050
0.040
0.023
0.008 0.008
5
0.167
0.033
0.028
0.012
0.005 0.003
6
0.143
0.024
0.020
0.007
0.003 0.002
Low Prodcutivity = v/(1+z) for Low Vulnerability/Threat
Medium Productivity = v/(1+z)² for Medium Vulnerability/Threat
High Productivity = v/(1+z)³ for High Vulnerability/Threat
9
S'
Follow the Yellow Brick Road
© [email protected]
Figure 3: Cost Savings from 1st $M
Investments
Value of Information Sets (in $M)
Low
20 30 40 50 60 High
70 80 90 100 10% 0.50 1.00 1.50 2.00 2.50 3.00 3.50 4.00 4.50 5.00 20% 1.00 2.00 3.00 4.00 5.00 6.00 7.00 8.00 9.00 10.00 30% 1.50 3.00 4.50 6.00 7.50 9.00 10.50 12.00 13.50 15.00 Medium
40% 3.00 6.00 9.00 12.00 15.00 18.00 21.00 24.00 27.00 30.00 50% 3.75 7.50 11.25 15.00 18.75 22.50 26.25 30.00 33.75 37.50 60% 4.50 9.00 13.50 18.00 22.50 27.00 31.50 36.00 40.50 45.00 70% 5.25 10.50 15.75 21.00 26.25 31.50 36.75 42.00 47.25 52.50 High
Vulnerability/Threat
Low
10 Medium
80% 7.00 14.00 21.00 28.00 35.00 42.00 49.00 56.00 63.00 70.00 90% 7.88 15.75 23.63 31.50 39.38 47.25 55.13 63.00 70.88 78.75 100% 8.75 17.50 26.25 35.00 43.75 52.50 61.25 70.00 78.75 87.50 10
© [email protected]
Figure 4: Incremental Cost Savings from
2nd $M Investments
Value of Information Sets (in $M)
Low
10 20 Medium
30 40 50 High
60 70 80 90 100 20% 0.33 0.67 1.00 1.33 1.67 2.00 2.33 2.67 3.00 3.33 30% 0.50 1.00 1.50 2.00 2.50 3.00 3.50 4.00 4.50 5.00 Medium
40% 0.56 1.11 1.67 2.22 2.78 3.33 3.89 4.44 5.00 5.56 50% 0.69 1.39 2.08 2.78 3.47 4.17 4.86 5.56 6.25 6.94 60% 0.83 1.67 2.50 3.33 4.17 5.00 5.83 6.67 7.50 8.33 70% 0.97 1.94 2.92 3.89 4.86 5.83 6.81 7.78 8.75 9.72 80% 0.70 1.41 2.11 2.81 3.52 4.22 4.93 5.63 6.33 7.04 High
Vulnerability/Threat
Low
10% 0.17 0.33 0.50 0.67 0.83 1.00 1.17 1.33 1.50 1.67 90% 0.79 1.58 2.38 3.17 3.96 4.75 5.54 6.33 7.13 7.92 100% 0.88 1.76 2.64 3.52 4.40 5.28 6.16 7.04 7.92 8.80 11
© [email protected]
Figure 5: Incremental Cost Savings from
3rd $M Investments
Value of Information Sets
Low
Medium
High
Vulnerability/Threat
Low
10 12
20 Medium
30 40 50 High
60 70 80 90 100 10% 0.08 0.17 0.25 0.33 0.42 0.50 0.58 0.67 0.75 0.83 20% 0.17 0.33 0.50 0.67 0.83 1.00 1.17 1.33 1.50 1.67 30% 0.25 0.50 0.75 1.00 1.25 1.50 1.75 2.00 2.25 2.50 40% 0.19 0.39 0.58 0.78 0.97 1.17 1.36 1.56 1.75 1.94 50% 0.24 0.49 0.73 0.97 1.22 1.46 1.70 1.94 2.19 2.43 60% 0.29 0.58 0.88 1.17 1.46 1.75 2.04 2.33 2.63 2.92 70% 0.34 0.68 1.02 1.36 1.70 2.04 2.38 2.72 3.06 3.40 80% 0.17 0.34 0.51 0.69 0.86 1.03 1.20 1.37 1.54 1.71 90% 0.19 0.39 0.58 0.77 0.96 1.16 1.35 1.54 1.73 1.93 100% 0.21 0.43 0.64 0.86 1.07 1.28 1.50 1.71 1.93 2.14 © [email protected]
Figure 6: Incremental Cost Savings from
4th $M Investments
Value of Information Sets (in $M)
Low
20 30 40 50 60 High
70 80 90 100 10% 0.05 0.10 0.15 0.20 0.25 0.30 0.35 0.40 0.45 0.50 20% 0.10 0.20 0.30 0.40 0.50 0.60 0.70 0.80 0.90 1.00 30% 0.15 0.30 0.45 0.60 0.75 0.90 1.05 1.20 1.35 1.50 Medium
40% 0.09 0.18 0.27 0.36 0.45 0.54 0.63 0.72 0.81 0.90 50% 0.11 0.23 0.34 0.45 0.56 0.68 0.79 0.90 1.01 1.13 60% 0.14 0.27 0.41 0.54 0.68 0.81 0.95 1.08 1.22 1.35 70% 0.16 0.32 0.47 0.63 0.79 0.95 1.10 1.26 1.42 1.58 High
VulnerabilityThreat
Low
10 Medium
80% 0.06 0.12 0.18 0.24 0.31 0.37 0.43 0.49 0.55 0.61 90% 0.07 0.14 0.21 0.27 0.34 0.41 0.48 0.55 0.62 0.69 100% 0.08 0.15 0.23 0.31 0.38 0.46 0.53 0.61 0.69 0.76 13
© [email protected]
Figure 7: Investment Amounts
(Example 1)
Value of Information Sets (in $M)
Low
10% <1M 20% Medium
20 30 40 50 1M <2M <2M <2M 1M <2M 30% <2M 2M <3M <3M 2M <3M High
60 70 80 90 100 2M <3M <3M <3M <3M 3M <4M <4M <4M 4M 3M <4M <4M >4M >4M >4M >4M 40% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 50% <2M <3M <3M <3M <4M <4M <4M <4M >4M >4M 60% <2M <3M <3M <4M <4M <4M <4M >4M >4M >4M 70% <2M <3M <4M <4M <4M <4M >4M >4M >4M >4M High
VulnerabilityThreat
Low
10 Medium
80% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 90% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 100% <2M <3M <3M <3M <4M <4M <4M <4M <4M <4M 14
© [email protected]
PRODUCTIVITY OF INVESTMENTS
IN CYBERSECURITY
(Example 2)
z
S(z,Low v)
S'
S(z,High V)
S'
1
0.500
0.500
0.125
0.875
2
0.333
0.167
0.037
0.088
3
0.250
0.083
0.016
0.021
4
0.200
0.050
0.008
0.008
5
0.167
0.033
0.005
0.003
6
0.143
0.024
0.003
0.002
Low Prodcutivity = v/(1+z) for v = 10%, 20%, 30%, 40% and 50%
High Productivity = v/(1+z)³ for v = 60%, 70%, 80%, 90% and 100%
15
© [email protected]
Figure 7: Investment Amounts
(Example 2)
Value of Information Sets (in $M)
Low
10 Low
20% 1M <2M 30% <2M 30 40 50 1M <2M <2M <2M 2M <3M <3M 2M <3M 40% <2M <3M High
60 70 80 90 100 2M <3M <3M <3M <3M 3M <4M <4M <4M 4M 3M <4M <4M >4M >4M >4M >4M 3M <4M 50% <2M <3M <4M 4M >4M >4M >4M >4M >4M 4M >4M >4M >4M >4M >4M >4M 60% <2M <3M <3M <3M <3M <3M <3M <4M <4M <4M High
Vulnerability/Threat
10% <1M 20 Medium
70% <2M <3M <3M <3M <3M <3M <4M <4M <4M <4M 80% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 90% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 100% <2M <3M <3M <3M <4M <4M <4M <4M <4M <4M 16
© [email protected]
PRODUCTIVITY OF INVESTMENTS
IN CYBERSECURITY
(Example 3)
z S(z, Lev1) S' S(z, Lev2) s' S(z, Lev3) s' S(z, Lev4) s' S(z, Lev5) s' 1 0.500 0.500 0.354 0.646 0.250 0.750 0.177 0.823 0.125 0.875 2 0.333 0.167 0.192 0.161 0.111 0.139 0.064 0.113 0.037 0.088 3 0.250 0.083 0.125 0.067 0.063 0.049 0.031 0.033 0.016 0.021 4 0.200 0.050 0.089 0.036 0.040 0.023 0.018 0.013 0.008 0.008 5 0.167 0.033 0.068 0.021 0.028 0.012 0.011 0.007 0.005 0.003 6 0.143 0.024 0.054 0.014 0.020 0.007 0.008 0.004 0.003 0.002 Productivity Lev1 = v/(1+z) for v = 10, 20% Productivity Lev2 = v/(1+z)^1.5 for v = 30, 40% Productivity Lev3 = v/(1+z)^2 for v = 50, 60% Productivity Lev4 = v/(1+z)^2.5 for v = 70, 80% Productivity Lev5 = v/(1+z)^3 for v = 90, 100% 17
© [email protected]
Figure 7: Investment Amounts
(Example 3)
Value of Information Sets (in $M)
Low
v1
10 10% <1M v2
30 40 50 1M <2M <2M <2M 1M <2M 2M <3M <3M High
60 v3
70 80 90 100 2M <3M <3M <3M <3M 3M <4M <4M <4M 4M 30% <2M <2M <3M <3M <4M <4M <4M <4M <4M >4M 40% <2M <3M <3M <4M <4M <4M 4M >4M >4M >4M 50% <2M <3M <3M <3M <4M <4M <4M <4M >4M >4M v4
60% <2M <3M <3M <4M <4M <4M <4M >4M >4M >4M 70% <2M <3M <3M <3M <4M <4M <4M <4M <4M <4M 80% <2M <3M <3M <4M <4M <4M <4M <4M <4M >4M v5
Vulnerabilities/Threats
20% 20 Medium
90% <2M <3M <3M <3M <3M <4M <4M <4M <4M <4M 100% <2M <3M <3M <3M <4M <4M <4M <4M <4M <4M 18
© [email protected]
Concluding Comments
I. Cybersecurity Investments Are Hard To Justify
They are Cost Savings, Not Revenue Generating, Projects
You Can’t See Savings
Most Breaches Do Not Have Significant Effect on Stock Prices
II. Invest, but Invest Wisely
Conduct Cost-Benefit Analysis (Making the Business Case)
On Average, Invest ≤ 37% of Expected Loss per Info. Set
Wait-n-See Approach is Rational from Economics Perspective
Key Factors for each Information Set: (a) Potential Loss,
(b) Vulnerability/Threat, (c) Productivity of Investment
Gather Data & Conduct Analyses on Above Factors
III. Optimal Level of Investment Does Not Always
Increase With The Level of Vulnerability/Threat
Best Payoff Often Comes from Mid-level Vulnerability/Threat
19
© [email protected]
SELECTED REFERENCES
Gordon, L.A. and M.P. Loeb. 2011,“You May Be Fighting the Wrong Security Battles: How IT executives can determine the right amount to spend—and where to spend
it,” The Wall Street Journal, September 26, 2011.
Gordon, L.A. and M.P. Loeb. 2006. MANAGING CYBERSECURITY RESOURCES: A Cost-Benefit Analysis (McGraw-Hill).
Gordon, L.A. and M.P. Loeb. 2006. “Information Security Budgeting Process: An Empirical Study,” Communications of the ACM /
Gordon, L.A., M.P. Loeb. 2006. “Economic Aspects of Information Security: An Emerging Field of Research,” Information System Frontiers.
Gordon, L.A. and M.P. Loeb. 2002a. “The Economics of Information Security Investment,” ACM Transactions on Information and System Security.
Gordon, L.A. and M.P. Loeb. 2002b. “Return on Information Security Investments: Myths vs. Reality,” Strategic Finance.
Gordon, L.A., M.P. Loeb, and W. Lucyshyn. 2014. “Cybersecurity Investments in the Private Sector: The Role of Governments,” Georgetown Journal of International
Affairs.
Gordon, L.A., M.P. Loeb, and W. Lucyshyn. 2003. “Sharing Information on Computer Systems Security: An Economic Analysis,” Journal of Accounting and Public Policy.
Gordon, L.A., M.P. Loeb, and W. Lucyshyn. 2003. “Information Security Expenditures and Real Options: A Wait-and-See Approach,” Computer Security Journal.
Gordon, L.A., M.P Loeb, W. Lucyshyn, and R. Richardson. 2004. “CSI/FBI Computer Crime and Security Survey,” Computer Security Journal.
Gordon, L.A., M.P. Loeb, W. Lucyshyn, and L. Zhou. Forthcoming. “The Impact of Information Sharing on Cybersecurity Underinvestment: A Real Options Perspective,”
Journal of Accounting and Public Policy.
Gordon, L.A., M.P. Loeb, W. Lucyshyn, and L. Zhou. 2015. “Externalities and the Magnitude of Cybersecurity Underinvestment by Private Sector Firms: A Modification
of the Gordon-Loeb Model,” Journal of Information Security.
Gordon, L.A., M.P. Loeb and T. Sohail. 2010. “Market Value of Voluntary Disclosures Concerning Information Security,” MIS Quarterly.
Gordon, L.A., M.P. Loeb, and T. Sohail. 2003. “A Framework for Using Insurance for Cyber-Risk Management,” Communications of the ACM.
Gordon, L.A., M.P. Loeb, T. Sohail. C-Y Tseng and L. Zhou. 2008. “Cybersecurity Capital Allocation and Management Control Systems,” European Accounting Review.
Gordon, L.A., M.P. Loeb, and L. Zhou. 2011. “The Impact of Information Security Breaches: Has There Been a Downward Shift in Costs?” Journal of Computer Security.
Lelarge, M. 2012. “Coordination in network security games: A monotone comparative statics approach. Selected Areas in Communications, IEEE Journal on Selected
Areas in Communications .
OECD (Organization for Economic Cooperation and Development). 2012. “Cybersecurity Policy Making at a Turning Point.”
20
© [email protected]
Appendix A: Research Methodology for
Studying Cybersecurity Breaches
One-factor Model (Basic CAPM)
Rit − RFt = ai + bi ( RM t − RFt ) + ε it
Abnormal Returns:
ARit = ( Rit − RFt ) − [aˆi + bˆi ( RM t − RFt )]
Cumulative Abnormal Returns:
CARi = ∑ ARit ,
t2
t =t1
Average CAR across Firms:
─ 
─ 
21
CAR =
1 N
∑ CARi
N i =1
Rit: firm’s return, RFt: risk-free rate, RMt: market’s return
bi; the CAPM market model’s slope parameter (i.e., the systematic risk of the return for firm i, relative to the
return of the entire market place, and often call the firm’s beta)
© [email protected]
Appendix B: Optimal Amount to Invest in
Cybersecurity (Gordon-Loeb Model)*
Expected benefits of an investment in information security, denoted as EBIS, are equal
to the reduction in the firm's expected loss attributable to the extra security.
EBIS(z) = [v- S(z,v)] L
[1]
EBIS is written above as a function of z, since the investment in information security is
the firm’s only decision variable (v and L are parameters of the information set). The
expected net benefits from an investment in information security, denoted ENBIS, equal
EBIS less the cost of the investment, or:
ENBIS(z) = [v -S(z,v)]L -z
[2]
Maximizing [2] is equivalent to minimizing:
S(z,v)L +z
[3]
Interior maximum z*>0 is characterized by the first-order condition for maximizing [2] (or
minimizing [3]) :
-Sz(z*,v)L =1
22
*Adapted from Gordon and Loeb, 2002a.
[4]
© [email protected]
Download