Date post: | 19-Jan-2016 |
Category: |
Documents |
Upload: | jovani-gillick |
View: | 213 times |
Download: | 0 times |
Scott Dynes
Center for Digital StrategiesTuck School of Business at Dartmouth College
Information Security and IT Risk Management in the Real World:
Results From Field Studies
What We Study
Risks firms face as a result of using the information infrastructure to manager their extended enterprise
- How firms make InfoSec investment decisions
- Emergent risk from business networks
- Privacy
Our Field Studies: Methods
Investigate a ‘host’ firm and a few suppliers of different sizes.
At each firm conduct interviews to determine:- How InfoSec investment decisions are made.- How reliant the firm is on the information infrastructure for its ability to produce product.
Understand the means by which the host and suppliers communicate to gauge the internal IT risk due to integration.
Host
Supplier
Supplier
Supplier
Su
Field Study
Field Study Sector Coverage
Field Study
Key Results From Field Studies
Field Study
Four Main Paradigms To Managing/Investing in Information Security:
• The “Sore Thumb” Paradigm
• The “IT Risk” Paradigm
• The “Business Risk” Paradigm
• The “Systemic Risk” Paradigm
Key Results From Field Studies
Field Study
Four Main Paradigms To Managing/Investing in Information Security:
• The “Sore Thumb” Paradigm
• The “IT Risk” Paradigm
• The “Business Risk” Paradigm
• The “Systemic Risk” Paradigm
Low/No Economic Role
High Economic Role
Key Results From Field Studies
Field Study
Firms Are Mainly Taking A Local View of Information Security
• Risk in supply chain glitches, leading to business sector brittleness
• Hypothesis: Firms managing risk in the extended enterprise will directly lead to greater sector resiliency
Key Results From Field Studies
Field Study
Local vs. Sector Views of Information Security
Key Results From Field Studies
Field Study
Firms Are Mainly Taking A Local View of Information Risk
Key Results From Field Studies
Field Study
Firms Are Mainly Taking A Local View of Information Risk
Key Results From Field Studies
Field Study
Firms Are Mainly Taking A Local View of Information Risk
Key Results From Field Studies
Field Study
Notable Incentives/Drivers For InfoSec Investment:
• Customer requests - firms are very responsive
• Government regulation - have to do it, but firms feel largely ineffective
• Brand protection
• Insurance - in unexpected ways
Conclusion
Field Study
• Latent Market Forces Exist
• Proper Government Role: Create Markets Through Increasing Transparency
• Key Challenge: Enabling Investment Against Intangible, Never-Happened-Before Risks
Production resilience to cyber disruptionsManufacturing sector: In general, production not sensitive to internet outages; supply chain sensitive to internet outages.
Field Study
• Once beyond first tier of suppliers, reliance on information infrastructure to manage supply chain is low
• Electrical BU supply chain has ‘learned behavior’
- High-volume supply relations have extensive forecasting
- Everyone would do the expected thing
- Pain comes in distribution
• Auto BU- centralized control strategy leads to lack of learned behavior
Production resilience to cyber disruptions
Time
Prod
ucti
vity
100%
0%1 2 3
Start of recovery
10-day auto supplier internet event
0%
20%
40%
60%
80%
100%
120%
-1 0 1 2 3 4 5 6 7 8 9 10 11 12
Day
Pro
du
cti
vit
y
10-day oil refiner SCADA event
0%
20%
40%
60%
80%
100%
120%
-1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
Day
Pro
du
ctiv
ity
10-day electrical supplier internet event
Field Study
qqoo = A = A** q qii + c + c**Terrorist Attackc*
Inoperabilityq
A :=Technical Coefficient Matrix A :=Technical Coefficient Matrix calculated from U.S. Bureau of calculated from U.S. Bureau of
Economic Analysis dataEconomic Analysis data
Productionx
Consumptionc
Leontief Model
Inoperability I-O Model (IIM)
xxoo = Ax = Axii + c + c
A* := Interdependency MatrixA* := Interdependency Matrix
Input-Output Model
Ripple Effects
DisruptiveEvent
Sector A
Sector A
Sector B
Sector n
Sector A
Sector B
Sector n
Sector A
Sector B
Sector n
Sector A
Sector B
Sector n
Input-Output Model
10-Day Cyberevent for Oil & Gas Sector
0.00
10.00
20.00
30.00
40.00
50.00
1 2 3 4 5 6 7 8 9 10 11 12
Day
Tota
l L
os
s (
in $
mm
)
Indirect Loss
Direct Loss
Refiner represents 10% of national capacity
Integrated loss of 10-day event: $405 Million
Manufacturer represents 5% of national capacity
Integrated loss of 10-day event: $22.6 Million
10-Day Cyberevent for Electrical Sector
0.00
1.00
2.00
3.00
4.00
5.00
6.00
1 2 3 4 5 6 7 8 9 10 11 12 13 14
Day
Tota
l L
os
s (
in $
mm
)
Indirect
Direct
10-Day Cyberevent for Auto Sector
0.00
5.00
10.00
15.00
20.00
25.00
1 2 3 4 5 6 7 8 9 10 11
Day
Tota
l L
oss
($m
m)
Indirect Loss
Direct Loss
Manufacturer represents 5% of national capacity
Integrated loss of 10-day event: $65 Million
Economic Costs of Cyber-events
Economic Costs of Cyber-events
Integrated lossfrom 10-day event integrated loss of
entire sector for 10days
Auto Supplier
Oil Refiner
0
2,000
4,000
6,000
8,000
10,000
12,000
14,000
16,000
U.S.Dollars (MM)
10 days of U.S. GDP:~ 330,000 MM
Take-Aways
• The first demonstration of an empirically-based approach to estimating national economic consequences of cyber events
• The economic costs of the cyber events investigated may not be that great from a sector and national perspective.
• For the sectors presented (Manufacturing, Oil Refining), supply chains are largely resilient to cyber disruptions.
•Economic consequences due to cyber events depend on how, not whether firms use technology.
Incentives
What is an incentive?
Example: UK/US ATM regulations
Example: Attendee badges at RSA Security conference
Example: The “Commons”
Example: Stop Signs
Incentives - Information Security
Home Users
- What are they motivated to do?
- Privacy - not necessarily important
- Use of machine - is important
- Result: no real incentive to protect machine until something bad happens
- Bad things:
- Assimilation by Bot network; Spam generator
- Spyware/virii: machine becomes ever more unstable
Incentives - Information Security
Business Users
- What are they motivated to do?
Make Money! (rational market assumption)
Economic Costs - Information Security
Economic Costs of Cyber Events:
InfoSec Adoption by Firms
In a rational market, firms will maximize profit.
After Gordon and Loeb 2002
This ‘Optimal Spending’ approach requires:
-Titration of cyber losses and cyber spending
- Some idea of what effect cyber spending has on cyber losses
- A good idea of the threat environment in which the firm lives
What are the incentives felt by directors of information security?
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Inputs
Baseline level of InfoSec based on:- Experience- Input from trusted colleagues- External Consultants- Trade mags/ other press
Beyond baseline level, firms respond mainly to:- Customer requests/questionnaires- Government regulation
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Prioritization
How were InfoSec recommendations prioritized, and received by decision-makers?
At InfoSec manager’s level, InfoSec “wants” prioritized by: - Cost- Exposure- Internal pain
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Outcomes
Making the leap from InfoSec manager to business managers, we found:
- InfoSec not an important issue- InfoSec efforts largely reactive and tactical- ROI measures mainly qualitative; investments seemingly made to eliminate all InfoSec incidents (not explicitly to minimize total costs)- Most impressive firm didn’t even have the conversation.
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Outcomes
Managing Risk - always implicit, was never explicit
Info on threats - same as inputs
Info on probabilities came from:- History- Industry pubs- Gartner/Meta/etc.- Gut- “Al”- Tech Republic
Info on costs of attacks came from:-Gut
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec
All firms thought of InfoSec as an expense
Most thought of InfoSec as a qualifier, even though none had any InfoSec requirements of their business partners
Few gave examples of InfoSec as a competitive advantage
InfoSec Adoption by Firms
Summary: 4 Paradigms for InfoSec Risk Management:
-The ‘Sore Thumb’ Approach
-The ‘IT Risk’ Approach
-The ‘Business Risk’ Approach
- The ‘Systemic Risk’ Approach
In most business sectors, InfoSec is not a technical challenge, but a social/organizational challenge
InfoSec Adoption by Firms
Incentives - Information Security
Government/National Level
- What are they motivated to do?
Incentives - Information Security
Government/National Level
Incentives - Information Security
Government/National Level
Incentives - Information Security
Government/National Level
Freeman Drivers:
- Market Forces
- Government Regulation
- Litigation
- Government Spending
Incentives - Information Security
Intellectual Property loss - the real worry?
Time
Prod
uctiv
ity100%
0%
1 2 3
Start of recovery
0
Time
Prod
uctiv
ity100%
0%
1 2 3
Start of recovery
0
Incentives - Information Security
Government/National Level
0%
20%
40%
60%
80%
100%
120%
-1 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
Day
Pro
du
cti
vity
Effects on Production of a 10-day Internet Outage at an Electrical Goods Manufacturer
Incentives - Information Security
Government/National Level
Total Economic Effects on Production of a 10-day Internet Outage at an Electrical Goods Manufacturer - $22.6 Million
10-Day Cyberevent for Electrical Sector
0.00
1.00
2.00
3.00
4.00
5.00
6.00
1 2 3 4 5 6 7 8 9 10 11 12 13 14
Day
Tota
l L
oss
(in
$m
m)
Indirect
Direct
Managing Cyber Risk
Globally Known Globally Unknown
LocallyKnown
LocallyUnknown
Viruses
Web Site Defacement
Phishing
Other OS bugs
OS bugs
? ? ?(Phishing)
Best practices Applied Research
Education Basic Research
Managing Cyber RiskReactive IS
Globally Known Globally Unknown
LocallyKnown
LocallyUnknown
Viruses
Web Site Defacement
Phishing
Other OS bugs
OS bugs
? ? ?
Implement Wait for patch
---Unprepared when something happens
Managing Cyber RiskProactive IS
Globally Known Globally Unknown
LocallyKnown
LocallyUnknown
Viruses
Web Site Defacement
Phishing
Other OS bugs
OS bugs
? ? ?
ImplementListen, work to
mitigate outcomes
--- Watch, try to ID bad outcomes
Managing Cyber Risk: Mind The Gap:
• Manufacturer: Manager of InfoSec wants to patch critical vulnerability. Business manager would rather risk infection of machines and close the quarter.
• Oil refinery: Manager of InfoSec wants better SCADA security; VP refining: “How is more SCADA security going to help me make better oil?”
• Hospital: IS thinks virus event was mainly an IS event and had minor impact on clinical units; clinical unit manager : “It was a living hell”
• Most every InfoSec manager: information security is not a priority with business managers.