Information Security and IT Risk Management in
the Real World:
Results From Field Studies
Scott Dynes
Center for Digital Strategies
Tuck School of Business at Dartmouth College
What We Study
Risks firms face as a result of using the information
infrastructure to manage their extended enterprise
- How firms make InfoSec investment decisions
- Emergent risk from business networks
- Privacy
Field Study
Our Field Studies: Methods
Investigate a ‘host’ firm and a few suppliers of different
sizes.
At each firm conduct interviews to determine:
- How InfoSec investment decisions are made.
- How reliant the firm is on the information infrastructure
for its ability to produce product.
Understand the means by which the host and suppliers
communicate to gauge the internal IT risk due to
integration.
[Diagram: a host firm linked to several suppliers]
Field Study Sector Coverage
Key Results From Field Studies
Four Main Paradigms To Managing/Investing in
Information Security (from Low/No Economic Role to High Economic Role):
• The “Sore Thumb” Paradigm - Low/No Economic Role
• The “IT Risk” Paradigm
• The “Business Risk” Paradigm
• The “Systemic Risk” Paradigm - High Economic Role
Key Results From Field Studies
Firms Are Mainly Taking A Local View of
Information Security
• Risk in supply chain glitches, leading to business sector brittleness
• Hypothesis: Firms managing risk in the extended enterprise will
directly lead to greater sector resiliency
Key Results From Field Studies
Local vs. Sector Views of Information Security
Key Results From Field Studies
Firms Are Mainly Taking A Local View of Information Risk
Key Results From Field Studies
Notable Incentives/Drivers For InfoSec Investment:
• Customer requests - firms are very responsive
• Government regulation - have to do it, but firms feel largely ineffective
• Brand protection
• Insurance - in unexpected ways
Conclusion
• Latent Market Forces Exist
• Proper Government Role: Create Markets Through Increasing
Transparency
• Key Challenge: Enabling Investment Against Intangible, Never-Happened-Before Risks
Production resilience to cyber disruptions
Manufacturing sector: In general, production not
sensitive to internet outages; supply chain sensitive to
internet outages.
• Once beyond first tier of suppliers, reliance on information
infrastructure to manage supply chain is low
• Electrical BU supply chain has ‘learned behavior’
- High-volume supply relations have extensive forecasting
- Everyone would do the expected thing
- Pain comes in distribution
• Auto BU - centralized control strategy leads to lack of learned
behavior
Production resilience to cyber disruptions
[Figure: schematic of productivity (0-100%) over time, marking the drop at the event and the start of recovery]
[Figure: productivity (0-120% scale) by day, -1 to 12, for a 10-day oil refiner SCADA event]
[Figure: productivity (0-120% scale) by day, -1 to 14, for a 10-day electrical supplier internet event and a 10-day auto supplier internet event]
Input-Output Model
Leontief Model: production $x$ and consumption $c$ are related by $x_o = A x_i + c$, where $A$ := Technical Coefficient Matrix, calculated from U.S. Bureau of Economic Analysis data.
Inoperability I-O Model (IIM): inoperability $q$ follows $q^*_o = A^* q^*_i + c^*$, where $A^*$ := Interdependency Matrix and $c^*$ is the perturbation (e.g., a terrorist attack).
Ripple Effects
[Diagram: a disruptive event in Sector A propagates through the input-output model to Sector A, Sector B, ..., Sector n]
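The IIM relation above can be solved for its ripple effects directly. The Python below is an added example, not from the slides and not the author's model code: at equilibrium (dropping the input/output subscripts) it sums the Neumann series q = c* + A* c* + (A*)^2 c* + ... to obtain the inoperability vector, splits it into the direct part (c*) and the indirect ripple (q - c*), which is the direct/indirect split used in the loss charts that follow, and integrates dollar losses over a multi-day event with a recovery tail. The 3-sector interdependency matrix, sector outputs and perturbation values are constructed illustrative numbers, not BEA data.

```python
"""
Inoperability Input-Output Model (IIM) ripple-effect calculation.

Added example (not from the slides). Solves q = A* q + c* for the
inoperability vector q by summing the Neumann series
    q = c* + A* c* + (A*)^2 c* + ...
so the direct perturbation c* and the indirect (ripple) part q - c*
can be reported separately. Matrices and outputs are constructed.
"""


def mat_vec(a, v):
    """Multiply matrix a (list of rows) by vector v."""
    return [sum(row[j] * v[j] for j in range(len(v))) for row in a]


def iim_inoperability(a_star, c_star, tol=1e-12, max_iter=10_000):
    """Return the equilibrium inoperability vector q with q = A* q + c*.

    Uses the Neumann series, which converges when the spectral radius of
    A* is below 1 (true for a realistic interdependency matrix). Raises
    if the series has not converged within max_iter terms.
    """
    q = list(c_star)
    term = list(c_star)
    for _ in range(max_iter):
        term = mat_vec(a_star, term)              # next ripple: (A*)^k c*
        q = [qi + ti for qi, ti in zip(q, term)]
        if max(abs(t) for t in term) < tol:
            return q
    raise RuntimeError("Neumann series did not converge; check A*")


def ripple_breakdown(a_star, c_star):
    """Split inoperability into direct (c*) and indirect (q - c*) parts."""
    q = iim_inoperability(a_star, c_star)
    indirect = [qi - ci for qi, ci in zip(q, c_star)]
    return q, list(c_star), indirect


def integrated_loss(a_star, c_star_by_day, daily_output):
    """Sum direct and indirect dollar losses over a multi-day event.

    c_star_by_day: one perturbation vector per day, so a recovery curve
    (e.g., a 10-day outage followed by a gradual return) can be expressed.
    daily_output: each sector's normal daily output in dollars.
    Returns (direct_total, indirect_total).
    """
    direct_total = indirect_total = 0.0
    for c_star in c_star_by_day:
        _, direct, indirect = ripple_breakdown(a_star, c_star)
        direct_total += sum(d * x for d, x in zip(direct, daily_output))
        indirect_total += sum(i * x for i, x in zip(indirect, daily_output))
    return direct_total, indirect_total


# Constructed 3-sector example: electrical goods, auto parts, oil refining.
# A_STAR[i][j] = fraction of sector j's inoperability passed on to sector i.
A_STAR = [
    [0.00, 0.10, 0.05],
    [0.20, 0.00, 0.10],
    [0.05, 0.05, 0.00],
]
DAILY_OUTPUT = [100e6, 200e6, 400e6]   # constructed $/day per sector

if __name__ == "__main__":
    # A firm holding 5% of sector 0's capacity goes fully down: c* = 0.05
    q, direct, indirect = ripple_breakdown(A_STAR, [0.05, 0.0, 0.0])
    for i, name in enumerate(["electrical", "auto", "oil"]):
        print(f"{name}: q={q[i]:.4f} direct={direct[i]:.4f} "
              f"indirect={indirect[i]:.4f}")
    # 10 days fully down, then 4 days of linear recovery
    days = [[0.05, 0.0, 0.0]] * 10
    days += [[0.05 * (1 - k / 5), 0.0, 0.0] for k in range(1, 5)]
    print("direct, indirect $ over the event:",
          integrated_loss(A_STAR, days, DAILY_OUTPUT))
```

The Neumann series is used rather than a matrix inverse because each term is literally one more round of ripple through the supply network, which is the picture the slide draws; the convergence guard matters because an interdependency matrix with spectral radius at or above 1 describes an economy whose inoperability never settles.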
Economic Costs of Cyber-events
[Figure: Total Loss (in $mm, 0-6 scale) by day, 1-14, split into direct and indirect, for a 10-Day Cyberevent for Electrical Sector; manufacturer represents 5% of national capacity; integrated loss of 10-day event: $22.6 Million]
[Figure: Total Loss ($mm, 0-25 scale) by day, 1-11, split into direct loss and indirect loss, for a 10-Day Cyberevent for Auto Sector; manufacturer represents 5% of national capacity; integrated loss of 10-day event: $65 Million]
[Figure: Total Loss (in $mm, 0-50 scale) by day, 1-12, split into direct loss and indirect loss, for a 10-Day Cyberevent for Oil & Gas Sector; refiner represents 10% of national capacity; integrated loss of 10-day event: $405 Million]
Economic Costs of Cyber-events
10 days of U.S. GDP: ~ 330,000 MM
[Figure: bar chart in U.S. Dollars (MM), 0-16,000 scale, comparing for the Oil Refiner and the Auto Supplier the integrated loss from the 10-day event against the integrated loss of the entire sector for 10 days]
Take-Aways
• The first demonstration of an empirically-based approach to
estimating national economic consequences of cyber events
• The economic costs of the cyber events investigated may not be
that great from a sector and national perspective.
• For the sectors presented (Manufacturing, Oil Refining), supply
chains are largely resilient to cyber disruptions.
• Economic consequences due to cyber events depend on how, not
whether firms use technology.
Incentives
What is an incentive?
Example: UK/US ATM regulations
Example: Attendee badges at RSA Security conference
Example: The “Commons”
Example: Stop Signs
Incentives - Information Security
Home Users
- What are they motivated to do?
- Privacy - not necessarily important
- Use of machine - is important
- Result: no real incentive to protect machine until something bad happens
- Bad things:
- Assimilation by Bot network; Spam generator
- Spyware/viruses: machine becomes ever more unstable
Incentives - Information Security
Business Users
- What are they motivated to do?
Make Money! (rational market assumption)
Economic Costs - Information Security
Economic Costs of Cyber Events:
InfoSec Adoption by Firms
In a rational market, firms will maximize profit.
After Gordon and Loeb 2002
InfoSec Adoption by Firms
This ‘Optimal Spending’ approach requires:
- Titration of cyber losses and cyber spending
- Some idea of what effect cyber spending has on cyber losses
- A good idea of the threat environment in which the firm lives
What are the incentives felt by directors of information security?
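To make the ‘optimal spending’ idea concrete, here is an added Python example; it is not from the slides and not Gordon and Loeb's own code. It assumes the class I breach-probability function from Gordon and Loeb (2002), S(z, v) = v / (alpha*z + 1)^beta, where v is the probability of breach with no spending, z the security spend and L the loss if breached; it maximizes the expected net benefit (v - S(z, v))*L - z by a grid search and checks the result against their bound that optimal spend never exceeds (1/e) of the expected loss. The shape of S is the "effect cyber spending has on cyber losses", v and L stand in for the threat environment and exposure, and the titration function sweeps spend against residual loss. All parameter values are constructed.

```python
"""
Gordon-Loeb style 'optimal spending' calculation (added example, not from
the slides). Assumes the Gordon and Loeb (2002) class I function
    S(z, v) = v / (alpha*z + 1)**beta
for the residual breach probability after spending z, and maximizes
    ENBIS(z) = (v - S(z, v)) * L - z.
All numbers used below are constructed for illustration.
"""
import math


def breach_probability(z, v, alpha=1.0, beta=1.0):
    """Residual breach probability after security spend z (class I GL)."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z, v, loss, alpha=1.0, beta=1.0):
    """Expected net benefit of information security spending z."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def titration(v, loss, spends, alpha=1.0, beta=1.0):
    """Expected residual loss at each candidate spend level.

    This is the spend-vs-loss sweep ('titration') the approach calls for.
    Returns a list of (spend, expected_residual_loss) pairs.
    """
    return [(z, breach_probability(z, v, alpha, beta) * loss) for z in spends]


def optimal_spend(v, loss, alpha=1.0, beta=1.0, step=0.01):
    """Grid-search z in [0, v*L] for the maximum of ENBIS.

    Spending more than the expected loss v*L can never pay, so the search
    range is bounded by it. Returns (z_star, enbis_at_z_star).
    """
    best_z, best_val = 0.0, enbis(0.0, v, loss, alpha, beta)
    n_steps = int(v * loss / step)
    for k in range(1, n_steps + 1):
        z = k * step
        val = enbis(z, v, loss, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
    return best_z, best_val


def gl_upper_bound(v, loss):
    """Gordon-Loeb result: optimal spend never exceeds (1/e) * v * L."""
    return v * loss / math.e


if __name__ == "__main__":
    v, loss = 0.5, 1000.0          # constructed: 50% breach chance, $1000 loss
    for z, residual in titration(v, loss, [0, 5, 10, 20, 40, 80]):
        print(f"spend {z:>5}: expected residual loss {residual:8.2f}")
    z_star, benefit = optimal_spend(v, loss)
    print(f"optimal spend {z_star:.2f} (net benefit {benefit:.2f}), "
          f"1/e bound {gl_upper_bound(v, loss):.2f}")
```

For the class I function with beta = 1 the optimum has the closed form z* = (sqrt(alpha*v*L) - 1)/alpha, so the grid search can be checked against it; the grid is kept because a firm's real spend-to-loss curve is rarely a neat formula and is usually known only as a handful of measured points.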
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Inputs
Baseline level of InfoSec based on:
- Experience
- Input from trusted colleagues
- External Consultants
- Trade mags/ other press
Beyond baseline level, firms respond mainly to:
- Customer requests/questionnaires
- Government regulation
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Prioritization
How were InfoSec recommendations prioritized, and
received by decision-makers?
At InfoSec manager’s level, InfoSec “wants” prioritized by:
- Cost
- Exposure
- Internal pain
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Outcomes
Making the leap from InfoSec manager to business
managers, we found:
- InfoSec not an important issue
- InfoSec efforts largely reactive and tactical
- ROI measures mainly qualitative; investments seemingly
made to eliminate all InfoSec incidents (not explicitly to
minimize total costs)
- Most impressive firm didn’t even have the conversation.
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Outcomes
Managing Risk - always implicit, was never explicit
Info on threats - same as inputs
Info on probabilities came from:
- History
- Industry pubs
- Gartner/Meta/etc.
- Gut
- “Al”
- Tech Republic
Info on costs of attacks came from:
- Gut
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec
All firms thought of InfoSec as an expense
Most thought of InfoSec as a qualifier, even though none
had any InfoSec requirements of their business partners
Few gave examples of InfoSec as a competitive advantage
InfoSec Adoption by Firms
Summary: 4 Paradigms for InfoSec Risk Management:
- The ‘Sore Thumb’ Approach
- The ‘IT Risk’ Approach
- The ‘Business Risk’ Approach
- The ‘Systemic Risk’ Approach
In most business sectors, InfoSec is not a technical
challenge, but a social/organizational challenge
Incentives - Information Security
Government/National Level
- What are they motivated to do?
Incentives - Information Security
Government/National Level
Freeman Drivers:
- Market Forces
- Government Regulation
- Litigation
- Government Spending
Incentives - Information Security
Intellectual Property loss - the real worry?
[Figure: schematic of productivity (0-100%) over time, with the start of recovery marked]
Incentives - Information Security
Government/National Level
[Figure: Effects on Production of a 10-day Internet Outage at an Electrical Goods Manufacturer; productivity (0-120% scale) by day, -1 to 14]
Incentives - Information Security
Government/National Level
[Figure: Total Loss (in $mm, 0-6 scale) by day, 1-14, split into direct and indirect, for a 10-Day Cyberevent for Electrical Sector]
Total Economic Effects on Production of a
10-day Internet Outage at an Electrical
Goods Manufacturer - $22.6 Million
Managing Cyber Risk
Threats arranged by whether they are known locally and known globally, with the response each quadrant calls for:

                    Globally Known                       Globally Unknown
Locally Known       Viruses, Web Site Defacement,        ??? (Phishing)
                    OS bugs -> Best practices            -> Applied Research
Locally Unknown     Other OS bugs, Phishing              ???
                    -> Education                         -> Basic Research

Managing Cyber Risk
Reactive IS:

                    Globally Known                       Globally Unknown
Locally Known       Viruses, Web Site Defacement,        ???
                    OS bugs -> Implement                 -> ---
Locally Unknown     Other OS bugs, Phishing              ???
                    -> Wait for patch                    -> Unprepared when something happens

Managing Cyber Risk
Proactive IS:

                    Globally Known                       Globally Unknown
Locally Known       Viruses, Web Site Defacement,        ???
                    OS bugs -> Implement                 -> ---
Locally Unknown     Other OS bugs, Phishing              ???
                    -> Listen, work to mitigate outcomes -> Watch, try to ID bad outcomes
Managing Cyber Risk: Mind The Gap:
• Manufacturer: Manager of InfoSec wants to patch critical
vulnerability. Business manager would rather risk infection of
machines and close the quarter.
• Oil refinery: Manager of InfoSec wants better SCADA security;
VP refining: “How is more SCADA security going to help me
make better oil?”
• Hospital: IS thinks virus event was mainly an IS event and had
minor impact on clinical units; clinical unit manager: “It was a
living hell”
• Most every InfoSec manager: information security is not a
priority with business managers.