Date post: 19-Jan-2016
Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College Information Security and IT Risk Management in the Real World: Results From Field Studies
Page 1: Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College Information Security and IT Risk Management in the Real World:

Scott Dynes

Center for Digital Strategies, Tuck School of Business at Dartmouth College

Information Security and IT Risk Management in the Real World:

Results From Field Studies

Page 2

What We Study

Risks firms face as a result of using the information infrastructure to manage their extended enterprise

- How firms make InfoSec investment decisions

- Emergent risk from business networks

- Privacy

Page 3

Our Field Studies: Methods

Investigate a ‘host’ firm and a few suppliers of different sizes.

At each firm, conduct interviews to determine:

- How InfoSec investment decisions are made.

- How reliant the firm is on the information infrastructure for its ability to produce product.

Understand the means by which the host and suppliers communicate to gauge the internal IT risk due to integration.

[Diagram: the host firm linked to the several suppliers studied alongside it]

Field Study

Page 4

Field Study Sector Coverage

Page 6

Key Results From Field Studies

Four Main Paradigms To Managing/Investing in Information Security (arranged along a spectrum from Low/No Economic Role to High Economic Role):

• The “Sore Thumb” Paradigm

• The “IT Risk” Paradigm

• The “Business Risk” Paradigm

• The “Systemic Risk” Paradigm

Page 7

Key Results From Field Studies

Firms Are Mainly Taking A Local View of Information Security

• Risk in supply chain glitches, leading to business sector brittleness

• Hypothesis: Firms managing risk in the extended enterprise will directly lead to greater sector resiliency

Page 8

Key Results From Field Studies

Local vs. Sector Views of Information Security

Page 9

Key Results From Field Studies

Firms Are Mainly Taking A Local View of Information Risk

Page 12

Key Results From Field Studies

Notable Incentives/Drivers For InfoSec Investment:

• Customer requests - firms are very responsive

• Government regulation - firms have to comply, but feel it is largely ineffective

• Brand protection

• Insurance - in unexpected ways

Page 13

Conclusion

• Latent Market Forces Exist

• Proper Government Role: Create Markets Through Increasing Transparency

• Key Challenge: Enabling Investment Against Intangible, Never-Happened-Before Risks

Page 15

Production resilience to cyber disruptions

Manufacturing sector: In general, production is not sensitive to internet outages; the supply chain is sensitive to internet outages.

• Once beyond first tier of suppliers, reliance on information infrastructure to manage supply chain is low

• Electrical BU supply chain has ‘learned behavior’

- High-volume supply relations have extensive forecasting

- Everyone would do the expected thing

- Pain comes in distribution

• Auto BU - centralized control strategy leads to lack of learned behavior

Page 16

Production resilience to cyber disruptions

[Chart: schematic of productivity (0%-100%) over time, with the start of recovery marked and phases labelled 1, 2, 3]

[Charts: productivity (0%-120%) by day, from day -1 through the event and recovery, for three 10-day events: an auto supplier internet event, an oil refiner SCADA event, and an electrical supplier internet event]

Page 17

Input-Output Model

Leontief Model:

$x_o = A\,x_i + c$

x := Production

c := Consumption

A := Technical Coefficient Matrix, calculated from U.S. Bureau of Economic Analysis data

Inoperability I-O Model (IIM):

$q_o = A^{*} q_i + c^{*}$

q := Inoperability

c* := Terrorist Attack (the external perturbation)

A* := Interdependency Matrix

Page 18

Input-Output Model

Ripple Effects

[Diagram: a disruptive event hits Sector A; its inoperability propagates to Sectors A, B, ..., n, and each of those in turn propagates to Sectors A, B, ..., n, tier after tier]
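As an added worked example (not from the deck or from the Center for Digital Strategies), the following Python solves the IIM equation of the Input-Output Model slide, q = A* q + c*, and walks the tier-by-tier propagation of the Ripple Effects slide. The sector names, the interdependency matrix A*, the daily output figures, the "refinery event" scenario and the direct/indirect split of the loss are all constructed assumptions for illustration; none of them are BEA data or the deck's own figures.

```python
"""Inoperability Input-Output Model (IIM) worked example.

The deck states the model as  q_o = A* q_i + c*  (the inoperability form of
Leontief's  x_o = A x_i + c).  At steady state q_o = q_i = q, so
q = A* q + c*  and therefore  q = (I - A*)^-1 c*.

Everything here is constructed for illustration: the sector names, the
interdependency matrix A* and the daily outputs are hypothetical and are NOT
taken from BEA data or from the deck's charts.
"""
from typing import Dict, List

Matrix = List[List[float]]
Vector = List[float]

# Constructed: three hypothetical sectors.
SECTORS = ["refining", "chemicals", "transport"]

# Constructed interdependency matrix A*.  A_STAR[i][j] is the share of
# sector j's inoperability that sector i inherits (hypothetical values).
A_STAR: Matrix = [
    [0.00, 0.10, 0.20],  # refining leans on chemicals a little, on transport more
    [0.30, 0.00, 0.10],  # chemicals lean heavily on refinery output
    [0.20, 0.15, 0.00],  # transport leans on fuel and chemicals
]

# Constructed daily output per sector in $MM (hypothetical, not the deck's numbers).
DAILY_OUTPUT: Vector = [100.0, 40.0, 60.0]


def mat_vec(a: Matrix, v: Vector) -> Vector:
    """Matrix-vector product; kept dependency-free so the example runs anywhere."""
    return [sum(a[i][j] * v[j] for j in range(len(v))) for i in range(len(a))]


def inf_norm(a: Matrix) -> float:
    """Maximum absolute row sum of A*.  If it is below 1, the fixed-point
    iteration below is guaranteed to converge (sufficient, not necessary)."""
    return max(sum(abs(x) for x in row) for row in a)


def iim_ripple(a_star: Matrix, c_star: Vector, rounds: int) -> List[Vector]:
    """Tier-by-tier propagation q_{k+1} = A* q_k + c*, starting from q_0 = c*.

    Round k adds the k-th tier of the Ripple Effects slide (event -> Sector A
    -> Sectors B..n -> ...).  Returns the inoperability vector after each round."""
    history = [list(c_star)]
    for _ in range(rounds):
        history.append([aq + c for aq, c in zip(mat_vec(a_star, history[-1]), c_star)])
    return history


def iim_solve(a_star: Matrix, c_star: Vector,
              tol: float = 1e-12, max_iter: int = 10_000) -> Vector:
    """Steady-state inoperability q = (I - A*)^-1 c*, obtained by iterating
    q <- A* q + c* until successive rounds differ by less than tol."""
    if inf_norm(a_star) >= 1.0:
        # Simplification for this example: refuse matrices whose convergence the
        # row-sum test cannot guarantee, rather than risk a runaway loop.
        raise ValueError("row sums of A* must be < 1 for this solver")
    q = list(c_star)
    for _ in range(max_iter):
        q_next = [aq + c for aq, c in zip(mat_vec(a_star, q), c_star)]
        if max(abs(x - y) for x, y in zip(q_next, q)) < tol:
            return q_next
        q = q_next
    raise RuntimeError("IIM iteration did not converge")


def economic_loss(q: Vector, c_star: Vector, daily_output: Vector, days: int) -> Dict[str, float]:
    """Integrated loss of a `days`-long event, split the way the deck's charts are
    labelled: direct loss = the perturbation c* itself, indirect loss = the ripple
    A* q = q - c*.  (This split is the example's own reading of the labels.)
    Per sector, loss = inoperability x daily output x days."""
    direct = sum(c * x * days for c, x in zip(c_star, daily_output))
    indirect = sum((qi - c) * x * days for qi, c, x in zip(q, c_star, daily_output))
    return {"direct": direct, "indirect": indirect, "total": direct + indirect}


def refinery_event(inoperability: float = 0.5, days: int = 10) -> Dict[str, float]:
    """Constructed scenario: a cyber event takes `inoperability` of refining
    capacity offline for `days` days; no other sector is hit directly."""
    c_star = [inoperability, 0.0, 0.0]
    q = iim_solve(A_STAR, c_star)
    return economic_loss(q, c_star, DAILY_OUTPUT, days)


if __name__ == "__main__":
    c_star = [0.5, 0.0, 0.0]
    for k, q in enumerate(iim_ripple(A_STAR, c_star, rounds=3)):
        print(f"tier {k}: " + ", ".join(f"{s}={v:.3f}" for s, v in zip(SECTORS, q)))
    q = iim_solve(A_STAR, c_star)
    print("steady state: " + ", ".join(f"{s}={v:.3f}" for s, v in zip(SECTORS, q)))
    print("10-day loss ($MM):", {k: round(v, 1) for k, v in refinery_event().items()})
```

With the constructed matrix, a 50% outage at the refinery settles at roughly 54% refining inoperability once the ripple feeds back, with chemicals at about 18% and transport at about 14%; the indirect loss is then a sizeable fraction of the direct one, which is the point the deck's Direct/Indirect charts make. The row-sum check is the practical caveat: an interdependency matrix whose rows sum to 1 or more describes a system in which a shock amplifies rather than decays, so the fixed point is not meaningful.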

Page 19

Economic Costs of Cyber-events

[Chart: 10-Day Cyberevent for Oil & Gas Sector; total loss in $MM (0-50) by day (1-12), split into direct and indirect loss]

Refiner represents 10% of national capacity. Integrated loss of 10-day event: $405 Million

[Chart: 10-Day Cyberevent for Electrical Sector; total loss in $MM (0-6) by day (1-14), split into direct and indirect loss]

Manufacturer represents 5% of national capacity. Integrated loss of 10-day event: $22.6 Million

[Chart: 10-Day Cyberevent for Auto Sector; total loss in $MM (0-25) by day (1-11), split into direct and indirect loss]

Manufacturer represents 5% of national capacity. Integrated loss of 10-day event: $65 Million

Page 20

Economic Costs of Cyber-events

[Bar chart: for the Auto Supplier and the Oil Refiner, the integrated loss from a 10-day event compared with the integrated loss of the entire sector for 10 days, in U.S. dollars (MM), axis 0-16,000]

10 days of U.S. GDP: ~330,000 MM

Page 21

Take-Aways

• The first demonstration of an empirically-based approach to estimating national economic consequences of cyber events

• The economic costs of the cyber events investigated may not be that great from a sector and national perspective.

• For the sectors presented (Manufacturing, Oil Refining), supply chains are largely resilient to cyber disruptions.

• Economic consequences due to cyber events depend on how, not whether, firms use technology.

Page 23

Incentives

What is an incentive?

Example: UK/US ATM regulations

Example: Attendee badges at RSA Security conference

Example: The “Commons”

Example: Stop Signs

Page 24

Incentives - Information Security

Home Users

- What are they motivated to do?

- Privacy - not necessarily important

- Use of machine - is important

- Result: no real incentive to protect machine until something bad happens

- Bad things:

- Assimilation by Bot network; Spam generator

- Spyware/viruses: machine becomes ever more unstable

Page 25

Incentives - Information Security

Business Users

- What are they motivated to do?

Make Money! (rational market assumption)

Page 26

Economic Costs - Information Security

Economic Costs of Cyber Events:

Page 27

InfoSec Adoption by Firms

In a rational market, firms will maximize profit.

After Gordon and Loeb 2002

Page 28

This ‘Optimal Spending’ approach requires:

- Titration of cyber losses and cyber spending

- Some idea of what effect cyber spending has on cyber losses

- A good idea of the threat environment in which the firm lives

What are the incentives felt by directors of information security?

Page 29

Drivers of Adoption of InfoSec

Page 30

Drivers of Adoption of InfoSec - Inputs

Baseline level of InfoSec based on:

- Experience

- Input from trusted colleagues

- External consultants

- Trade magazines / other press

Beyond the baseline level, firms respond mainly to:

- Customer requests/questionnaires

- Government regulation

Page 31

Drivers of Adoption of InfoSec - Prioritization

How were InfoSec recommendations prioritized, and received by decision-makers?

At the InfoSec manager’s level, InfoSec “wants” were prioritized by:

- Cost

- Exposure

- Internal pain

Page 32

Drivers of Adoption of InfoSec - Outcomes

Making the leap from InfoSec manager to business managers, we found:

- InfoSec not an important issue

- InfoSec efforts largely reactive and tactical

- ROI measures mainly qualitative; investments seemingly made to eliminate all InfoSec incidents (not explicitly to minimize total costs)

- Most impressive firm didn’t even have the conversation.

Page 33

Drivers of Adoption of InfoSec - Outcomes

Managing Risk - always implicit, was never explicit

Info on threats - same as inputs

Info on probabilities came from:

- History

- Industry pubs

- Gartner/Meta/etc.

- Gut

- “Al”

- Tech Republic

Info on costs of attacks came from:

- Gut

Page 34

Drivers of Adoption of InfoSec

All firms thought of InfoSec as an expense

Most thought of InfoSec as a qualifier, even though none had any InfoSec requirements of their business partners

Few gave examples of InfoSec as a competitive advantage

Page 35

Summary: 4 Paradigms for InfoSec Risk Management:

- The ‘Sore Thumb’ Approach

- The ‘IT Risk’ Approach

- The ‘Business Risk’ Approach

- The ‘Systemic Risk’ Approach

In most business sectors, InfoSec is not a technical challenge, but a social/organizational challenge

Page 36

Incentives - Information Security

Government/National Level

- What are they motivated to do?

Page 37: Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College Information Security and IT Risk Management in the Real World:

Incentives - Information Security

Government/National Level

Page 38: Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College Information Security and IT Risk Management in the Real World:

Incentives - Information Security

Government/National Level

Page 39

Incentives - Information Security

Government/National Level

Freeman Drivers:

- Market Forces

- Government Regulation

- Litigation

- Government Spending

Page 40

Incentives - Information Security

Intellectual Property loss - the real worry?

[Two schematic charts: productivity (0%-100%) over time, with the start of recovery marked and phases labelled 1, 2, 3]

Page 41

Incentives - Information Security

Government/National Level

[Chart: Effects on Production of a 10-day Internet Outage at an Electrical Goods Manufacturer; productivity (0%-120%) by day, -1 to 14]

Page 42

Incentives - Information Security

Government/National Level

Total Economic Effects on Production of a 10-day Internet Outage at an Electrical Goods Manufacturer - $22.6 Million

[Chart: 10-Day Cyberevent for Electrical Sector; total loss in $MM (0-6) by day (1-14), split into direct and indirect loss]

Page 43

Managing Cyber Risk

[2x2 matrix: rows Locally Known / Locally Unknown, columns Globally Known / Globally Unknown. Cell contents, in the order extracted: Viruses, Web Site Defacement, Phishing; Other OS bugs; OS bugs; ? ? ? (Phishing). Corresponding responses: Best practices; Applied Research; Education; Basic Research]

Page 44

Managing Cyber Risk: Reactive IS

[Same 2x2 matrix (Viruses, Web Site Defacement, Phishing; Other OS bugs; OS bugs; ? ? ?) with the reactive IS responses, in the order extracted: Implement; Wait for patch; ---; Unprepared when something happens]

Page 45

Managing Cyber Risk: Proactive IS

[Same 2x2 matrix (Viruses, Web Site Defacement, Phishing; Other OS bugs; OS bugs; ? ? ?) with the proactive IS responses, in the order extracted: Implement; Listen, work to mitigate outcomes; ---; Watch, try to ID bad outcomes]

Page 46

Managing Cyber Risk: Mind The Gap

• Manufacturer: Manager of InfoSec wants to patch a critical vulnerability. Business manager would rather risk infection of machines and close the quarter.

• Oil refinery: Manager of InfoSec wants better SCADA security; VP refining: “How is more SCADA security going to help me make better oil?”

• Hospital: IS thinks the virus event was mainly an IS event and had minor impact on clinical units; clinical unit manager: “It was a living hell”

• Almost every InfoSec manager: information security is not a priority with business managers.

Page 47

Recommended