
Legal, Regulatory & Public Policy Constraints on Risk Analysis John W. Bagby Prof. of IST IIP.

Date post: 21-Dec-2015
Transcript
Page 1: Legal, Regulatory & Public Policy Constraints on Risk Analysis John W. Bagby Prof. of IST IIP.

Legal, Regulatory & Public Policy Constraints on Risk Analysis

John W. Bagby
Prof. of IST
IIP

Page 2

Roles of Law/Reg/Policy in Risk Analysis & Risk Management

Law Resolves Disputes, Shifts Risk of Loss
- Risk Analysis Failure Shifts Liability Risks to Creator
- Actual Injuries Trigger Disputes over Risk Duties

Law Defines Risks & Duties of Care
- Crimes, Torts, Contracts, Standards, Determination of Injury
- Law Dis-Incentivizes Risky Deeds (DD&tDDC)

Law Defines Risk Management Duties
- Law Compensates Injuries Derived from
- Law Defines/Constrains Damage Computation

Law Encourages Risk Mgt
- Law Defines Risk Mgt Professionalism
- Law Enforces Risk Shifting Contracts
- Law Requires Risk Analysis & Impacts Methods
- But Law may Disincentivize Introspection w/o Self-Eval Privilege
- Law Regulates Risk Management Industry
- Law Enforces Risk Mgt Profession’s Arrangements

Page 3

Risk Analysis is Sectoral

Risk Analysis Differs by Domain
- Just like U.S. Privacy Law
- Major Differences: Physical vs. Intangible Security
- Most domains blend tangible w/ information

Many Key Domains Track Critical Infrastructures as defined in USA Patriot’s CIPA §1016(e): “…systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
- telecommunications; electrical power systems; gas & oil storage & transportation; banking & finance; transportation; water supply systems; emergency services (e.g., medical, police, fire, & rescue), govt. continuity & CyberSpace
- Calls for National Effort to Enhance Modeling & Analytical Capacities: appropriate mechanisms to ensure the stability [of] complex & interdependent systems, [incl] continuous viability & adequate protection of critical infrastructures

What is Shared Among these Vastly Different Sectors?

Page 4

SRA’s Profoundly Different Sectors
- Terrorism, Piracy
- Litigation
- Legislation
- Financial (Default, Systematic, Recordkeeping, Fraud, Derivatives)
- Environmental, Ecological, Toxic/Hazardous Substances, Pollution, Contaminants, Microbial
- NanoParticles
- Safety
- Political
- Design
- Manufacturing
- Intelligence
- Medicine
- Nuclear Power
- Construction
- Food Safety
- Drinking Water
- Foreign Trade
- Energy Availability/Sustainability
- Climate, Natural Disasters & Response
- Infringements
- Public Health & Lifestyle
- Crime
- Malpractice, Fiduciary Breach
- Property, Casualty
- Data Availability/Integrity
- Cyber Attack
- Aerospace
- Chemicals
- Government/Regulation
- Defense

Page 5

Law Permits/Regulates Risk Analytics
- Quantitative
- Statistical
- Actuarial
- Mortality & Morbidity
- Admissibility of Forensic Quality Expertise
- Decision Analysis
- Failure Analysis
- Qualitative
- Heuristic
- Visualization
- Interdependence
- Risk Assessment
- Education
- Demographics
- Risk Recognition
- Emotion

Page 6

FIPP Std: Integrity &/or Security

Collector/Archiver/Custodians
- Reasonable steps to assure accuracy of PII
- Administrative & technical security measures

Standards:
- Prevent unauthorized access
- Prevent unauthorized disclosure
- Prevent destruction
- Prevent misuse

Relationship to SOX Internal Control & Data Security

Page 7

Financial Info Security Risks: FTC

FTC “Safeguards Rule” Imposes Standards for Safeguarding Customer Information
- Regulated financial institutions must develop, implement & maintain reasonable administrative, technical & physical safeguards to protect the security, confidentiality & integrity of customer information
- Flexible: need be appropriate to institution’s size & complexity

Risk Analysis Required
- Designate Data Security Employee(s)
- Perform Risk Assessment; at least, evaluate risks in:
  - Employee training & management
  - Information systems, including, inter alia: network & software design; information processing, storage, transmission & disposal
  - Detecting, preventing & responding to attacks, intrusions or system failures

Page 8

Financial Info Security Risks: SEC

Financial Institutions w/in SEC Juris. Must:
- Adopt written policies & procedures, reasonably designed to …
  - Insure security & confidentiality of customer records
  - Protect against anticipated threats or hazards
  - Protect against unauthorized access or use that could result in substantial harm or inconvenience
- Disposal Rule: must properly dispose of PII using reasonable measures to protect against unauthorized access to or use of PII

Page 9

Controls over Internal Risks

COSO’s Definition of Internal Control
“a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in these categories:
- effectiveness and efficiency of operations;
- reliability of financial reporting; and
- compliance with applicable laws and regulations.

Components of Internal Control are:
- Control Environment
- Risk Assessment
- Control Activities
- Information & Communication
- Monitoring

Page 10

GLB Safeguards Rule

Financial institutions must design, implement and maintain safeguards
- Purpose: to protect private info
- Must implement written information security program appropriate to company's size & complexity, nature & scope of activities, & sensitivity of customer data

Security program must also:
- assign one or more employees to oversee program;
- conduct risk assessment;
- put safeguards in place to control risks identified in assessment, then regularly test & monitor them;
- require service providers, by written contract, to protect customers' personal information; &
- periodically update security program

Page 11

What Are OffShore Outsourcing Risks?
- Cost Focus Myopia
- Unwarranted due diligence suspension
- Cultural Ignorance
- Identifying Scalability Challenges
- Remedies for Service Failure
- Retrieving Hosted Assets
- IP…Ip…ip
- Transitioning to Substitute Service Provider
- Designing Service Level Metrics, negotiating SLC
- Incompatible Functions (security)
- Lou Dobbs engenders grassroots political pressure to advance reactionary policies: Protectionism, Xenophobia, Nationalism

Page 12

Admitting then Analyzing Outsourcing Risks
- Not Outsourcing Risks Internal Failure
- Interdependency Reduces (Some) Risks of Conflict
- Outsourcing Sacrifices Monitoring, Risking Injury from Diminished Control
- Slipshod Rush to Outsource for $avings
- Cross-Cultural Ignorance Obscures Outsourcing Vulnerabilities
- SAS 70 Requires Outsourcing Risk Analysis/Mgt
- SLC Negotiation Opportunities to Reduce Risk

Page 13

NIST Risk Mgt Method

Asset Valuation
- Information, software, personnel, hardware, & physical assets
- Intrinsic value & the near-term impacts & long-term consequences of its compromise

Consequence Assessment
- Degree of harm or consequence that could occur

Threat Identification
- Typical threats are error, fraud, disgruntled employees, fires, water damage, hackers, viruses

Page 14

NIST Risk Mgt Method

Vulnerability Analysis
- Analyzed in terms of missing safeguards

Safeguard Analysis
- Any action that reduces an entity’s vulnerability to a threat
- Includes the examination of existing security measures & the identification of new safeguards

Risk Management Requires Risk Analysis
- “The Process of Identifying, Controlling and Minimizing the Impact of Uncertain Events” (NIST, 1995 @59)

Source: NIST Handbook
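The two NIST slides above name the steps (asset valuation, consequence assessment, threat identification, vulnerability analysis in terms of missing safeguards, safeguard analysis) without showing how they combine into a ranked result. The following is an added worked example, not code from the slides or from NIST: it carries a small risk register through those steps and ranks asset/threat pairs by residual risk. The 1-to-5 scoring scale, the multiplicative risk formula, the safeguard catalogue, the safeguard names and the sample register are all constructed assumptions for illustration.

```python
"""Added worked example of the NIST Handbook risk-analysis steps named on the
slides.  The 1..5 scoring scale, the safeguard catalogue and the sample
register are constructed for illustration; none of it is taken from NIST."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # asset valuation, 1 (trivial) .. 5 (vital), incl. long-term consequences of compromise


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # 1..5, constructed estimate of how often the threat is realized
    consequence: int  # consequence assessment, 1..5 degree of harm if the threat succeeds


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair, with the vulnerabilities that let the threat reach
    the asset and the safeguards already in place (hypothetical names)."""
    asset: Asset
    threat: Threat
    vulnerabilities: frozenset
    safeguards: frozenset


# Safeguard catalogue (constructed): which safeguards close which vulnerability.
SAFEGUARDS_FOR = {
    "unpatched-web-server": {"patch-management"},
    "shared-admin-password": {"per-user-accounts", "mfa"},
    "no-offsite-backup": {"offsite-backup"},
    "no-fire-suppression": {"fire-suppression"},
}


def inherent_risk(e: Exposure) -> int:
    """Risk before safeguards: asset value x threat likelihood x consequence (1..125)."""
    return e.asset.value * e.threat.likelihood * e.threat.consequence


def missing_safeguards(e: Exposure) -> dict:
    """Vulnerability analysis in terms of missing safeguards: a vulnerability stays
    open unless at least one catalogued safeguard for it is already in place.
    Returns {open_vulnerability: [candidate safeguards]}."""
    open_vulns = {}
    for v in sorted(e.vulnerabilities):
        needed = SAFEGUARDS_FOR.get(v, set())
        if not (needed & e.safeguards):
            open_vulns[v] = sorted(needed)
    return open_vulns


def residual_risk(e: Exposure) -> float:
    """Safeguard analysis: scale inherent risk by the share of vulnerabilities
    still open.  With no vulnerabilities the threat has no path, so residual is 0."""
    if not e.vulnerabilities:
        return 0.0
    open_share = len(missing_safeguards(e)) / len(e.vulnerabilities)
    return inherent_risk(e) * open_share


def analyze(register):
    """Rank the register by residual risk, highest first, with recommended safeguards."""
    rows = []
    for e in register:
        rows.append({
            "asset": e.asset.name,
            "threat": e.threat.name,
            "inherent": inherent_risk(e),
            "residual": residual_risk(e),
            "missing": missing_safeguards(e),
        })
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register; the threats follow the slide's list
# (hackers, fires, disgruntled employees, viruses).
CUSTOMER_DB = Asset("customer-db", 5)
PAYROLL = Asset("payroll-system", 3)
WEBSITE = Asset("public-website", 2)
SAMPLE_REGISTER = [
    Exposure(CUSTOMER_DB, Threat("hacker", 4, 5),
             frozenset({"unpatched-web-server", "shared-admin-password"}),
             frozenset({"per-user-accounts"})),
    Exposure(CUSTOMER_DB, Threat("fire", 2, 4),
             frozenset({"no-fire-suppression", "no-offsite-backup"}),
             frozenset({"offsite-backup"})),
    Exposure(PAYROLL, Threat("disgruntled-employee", 3, 3),
             frozenset({"shared-admin-password"}),
             frozenset()),
    Exposure(WEBSITE, Threat("virus", 5, 2),
             frozenset({"unpatched-web-server"}),
             frozenset({"patch-management"})),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_REGISTER):
        print(f"{row['asset']:15} {row['threat']:22} inherent={row['inherent']:3} "
              f"residual={row['residual']:5.1f} missing={row['missing']}")
```

Running the block ranks the customer database against hackers first (inherent 100, residual 50 because the shared-password vulnerability is covered but the unpatched server is not), then the payroll system against a disgruntled employee (27, no safeguards at all), then the database against fire (20), and last the website against viruses, whose only vulnerability is closed by patch management. The point the slides make, that vulnerabilities are analyzed as missing safeguards, is what the `missing` column carries: each open vulnerability is paired with the catalogued safeguard that would close it.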

Page 15

Law & Economics of Risk Analysis

The Micro-Economics Fundamentals define the Incentives to Invest & Innovate in Risk Reduction
- Lack of incentive directly risks market loss
- Security features are integral to products & services
- Liability for product or service failure
  - Defective design
  - Defects in manufacturing
  - Defective Packaging or Transit
  - Failure to warn
  - Malpractice
- Insufficient incentives for optimal security

Page 16

Externalities

Role of Externalities
- Negative Externalities: all costs not borne by actor but at least some by others
- Positive Externalities: all benefits not enjoyed by actor but at least some by others
- Free Riders Almost Always Emerge when Externalities are Present

Classic Case I: Pollution Control Requirements
- Polluters save on controls, society suffers (e.g., health, quality of life)
- Environmentalism costs polluters but society benefits
- Incentives: under-invest, hide activities, argue/lobby costs are speculative illusion to non-existent
- Moral Hazard: person or organization does not bear full adverse consequences of its actions

Classic Case II: Workplace Safety Regulation
- Safety under-investment costs borne by workers

Classic Case III: Privacy
- Security under-investment costs borne by individuals

Page 17

Free Riders & Public Goods

Free Riders illustrate market failure
- Cause negative externalities or benefit from positive externalities
- Do not internalize their costs or benefits
- Essentially ride free (enjoy) others’ investments & expenses

Public Goods
- Non-rival, under-produced by competitive markets
- Producers risk free riders who they cannot effectively exclude from positive externalities
- Producers under-invest w/o clear business model & return
- EX: defense, law enforcement, justice system, property rights, public transport centers (wharves, airports, roads), fireworks, lighthouses, environmental quality, some information goods (e.g., software development, authorship, invention), public educ.

How can you argue that Security is a public good?
What public responses might improve security? CyberCrime Enforcement

Page 18

Asymmetric Information Theory

Transactors have unequal bargaining pwr
- Akerlof, George, The Market for Lemons: Quality Uncertainty & the Market Mechanism (1970)
- Two transacting parties do not have the same relevant information

Classic Examples:
- buyers know less than sellers about product quality
- lenders know less about borrower’s propensity to default
- Seller’s incentive to pass off low quality goods as higher quality, hide defects
- Security performance generally unknown to customers
- Security Breach Notification laws: classic legislation correcting market failure (asymmetric info)

Page 19

Adverse Selection

Asymmetries Induce Adverse Selection
- Asymmetries lead to bad results when
  - Buyers purchase “bad” products or pay too much
  - Sellers select bad buyers or charge too little
- As adverse selection experience grows:
  - Buyers retreat, seek intermediaries (assistance, repairs), suffer higher opportunity costs
  - Sellers lose money, use intermediaries, even fail

Sub-Optimal Signals
- More bad sellers/buyers, fewer good products
- Custodians & third-party service providers untrustworthy

Page 20

Moral Hazard

Moral Hazard is a form of externality:
- Person or organization fails to bear full costs of actions, causing adverse selection
- EX: Smokers/parachutists/drunks hide their habit or activities when buying health/life ins
- EX: US vs. UK in re ATM & credit card fraud
  - US banks liable for card fraud, UK banks not
  - US banks invest more heavily to avoid losses
  - UK banks lazy & careless, suffer avalanche of fraud
  - Individuals should/could do more self-protection

Page 21

Least Cost Provider

Liability generally most justifiable for:
- Party with greatest responsibility to analyze risk & safeguard safety, quality & security
- Party w/ lowest cost of services
- Party financially able to burden risk

Economics urges Public Policy to incentivize least cost provider

Who is info security’s least cost provider? Individuals, ISP, s/w licensor, h/w supplier

Page 22

Risk Analysis & Management Aspects of Standardization
- Standardization promises superior process design & best practice integration
- Domain experts develop rather than meddlers
- Standards Reduce Risks of Variety: Incompatibility, Incompetence
- Conformity Assessment Analyzes Non-Compliance Risk, Provides Feedback, Incentivizes Compliance & Improvement
- However, Standardization Risks Stagnancy & Communicates Widespread Vulnerability

Page 23

Standards ARE Important!

Standards Impact Nearly All Fields
- SDA Participants, Affected Parties, Int’l Orgs, Gov’t Agencies, SROs, NGOs
- eCommerce & Internet largely dependent on Stds: EX: html, http, 802.11, x.25 packet switching …

Stds Embody Considerable Innovation
- SDA have Innovation Life Cycle Independent of Products/Services Compliant w/ Std
- Std Innovation Occurs in Various Venues: inside innovating firms, inherent in many products, inside technical domain groups (trade assoc., professional societies, indus. consortia)

Page 24

Why are Standards Important?

Stds Increasingly an Emerging Source of Policy
- Lessig’s Code cited for IT trend: Public policy embedded in s/w, f/w, h/w & ICT stds
- Do SDA Approximate Traditional Policymaking?
  - Do SDA decrease public’s consideration/deliberation?
  - Are SDA transparent?
  - Are stds’ downstream impacts so embodied w/in code or technical compatibility details that they are obscured from public review?

SDA Participants Use Non-Gov’t Venues
- Forum Shopping may be Widespread
- Classic “Race to the Bottom”

Page 25

Why are Standards Important?

Stds are emerging from obscurity
- More widely understood to impact most economic activity
- Increasingly viewed less as technically objective matters; more as arbitrary choices from among near infinite alternatives
- Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms who participate most effectively

Page 26

Why Standards May Impact CyberSecurity Methods

Stds Create CyberSpace: html, ftp, http, 802.11

General Advantages of Standardization
- Facilitates comparison, interoperability, competition
- Attracts investment in compatible technologies, products & services

General Disadvantages of Standardization
- Lock in old/obsolete technology
- Resists favorable evolution or adaptation
- Favors particular groups & disfavors particular groups
- Voluntary Consensus is really a Sub-optimal Compromise that Dictates too much Design

