

Managing Information Risk and the Economics of Security

Edited by

M. Eric Johnson

Center for Digital Strategies

Tuck School of Business at Dartmouth

Hanover, NH, USA

© Springer Science+Business Media, LLC 2009

All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.

The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Library of Congress Control Number: 2008936480

ISBN: 978-0-387-09761-9 e-ISBN: 978-0-387-09762-6

Printed on acid-free paper

springer.com

Editor

Dr. M. Eric Johnson

Tuck School of Business Administration

Dartmouth College

Hanover, NH 03755, USA

[email protected]

List of Contributors

Managing Information Risk and Economics of Security

M. Eric Johnson, Tuck School of Business at Dartmouth

Nonbanks and Risk in Retail Payments

Terri Bradford, Federal Reserve Bank-Kansas City

Fumiko Hayashi, Federal Reserve Bank-Kansas City

Christian Hung, Federal Reserve Bank-Kansas City

Stuart Weiner, Federal Reserve Bank-Kansas City

Zhu Wang, Federal Reserve Bank-Kansas City

Richard Sullivan, Federal Reserve Bank-Kansas City

Simonetta Rosati, European Central Bank

Security Economics and European Policy

Ross Anderson, University of Cambridge

Rainer Boehme, Dresden University of Technology

Richard Clayton, University of Cambridge

Tyler Moore, University of Cambridge

BORIS – Business-Oriented Management of Information Security

Sebastian Sowa, Ruhr-University of Bochum

Lampros Tsinas, Munich Re

Roland Gabriel, Ruhr-University of Bochum

Productivity Space of Information Security in an Extension of the Gordon-Loeb’s Investment Model

Kanta Matsuura, University of Tokyo

Communicating the Economic Value of Security Investments;

Value at Security Risk

Rolf Hulthén, TeliaSonera AB

Modelling the Human and Technological Costs and Benefits

of USB Memory Stick Security

Adam Beautement, UCL

Robert Coles, Merrill Lynch

Jonathan Griffin, HP Labs

Christos Ioannidis, University of Bath

Brian Monahan, HP Labs

David Pym, HP Labs and University of Bath

Angela Sasse, UCL

Mike Wonham, HP Labs

The Value of Escalation and Incentives in Managing Information Access

Xia Zhao, Tuck School of Business at Dartmouth College

M. Eric Johnson, Tuck School of Business at Dartmouth College

Reinterpreting the Disclosure Debate for Web Infections

Oliver Day, Harvard University

Rachel Greenstadt, Harvard University

Brandon Palmen, Harvard University

The Impact of Incentives on Notice and Take-down

Tyler Moore, University of Cambridge

Richard Clayton, University of Cambridge

Studying Malicious Websites and the Underground Economy

on the Chinese Web

Jianwei Zhuge, Peking University

Thorsten Holz, University of Mannheim

Chengyu Song, Peking University

Jinpeng Guo, Peking University

Xinhui Han, Peking University

Wei Zou, Peking University

Botnet Economics: Uncertainty Matters

Zhen Li, Albion College

Qi Liao, University of Notre Dame

Aaron Striegel, University of Notre Dame

Cyber Insurance as an Incentive for IT Security

Jean Bolot, Sprint

Marc Lelarge, INRIA-ENS

Conformity or Diversity: Social Implications of Transparency

in Personal Data Processing

Rainer Böhme, Technische Universitat Dresden

Is Distributed Trust More Trustworthy?

Kurt Nielsen, University of Copenhagen


Preface

Security has been a human concern since the dawn of time. With the rise of the digital society, information security has rapidly grown to an area of serious study and ongoing research. While much research has focused on the technical aspects of computer security, far less attention has been given to the management issues of information risk and the economic concerns facing firms and nations. Managing Information Risk and the Economics of Security provides leading edge thinking on the security issues facing managers, policy makers, and individuals. Many of the chapters of this volume were presented and debated at the 2008 Workshop on the Economics of Information Security (WEIS), hosted by the Tuck School of Business at Dartmouth College. Sponsored by Tuck’s Center for Digital Strategies and the Institute for Information Infrastructure Protection (I3P), the conference brought together over one hundred information security experts, researchers, academics, reporters, corporate executives, government officials, cyber crime investigators and prosecutors. The group represented the global nature of information security with participants from China, Italy, Germany, Canada, Australia, Denmark, Japan, Sweden, Switzerland, the United Kingdom and the US.

This volume would not be possible without the dedicated work of Xia Zhao (of Dartmouth College and now the University of North Carolina, Greensboro) who acted as the technical editor. I am also grateful for the service of the WEIS program committee: Alessandro Acquisti (Carnegie Mellon University), Ross Anderson (Cambridge University), Jean Camp (Indiana University), Huseyin Cavusoglu (University of Texas, Dallas), Ramnath Chellappa (Emory University), Neil Gandal (Tel Aviv University), Anindya Ghose (New York University), Eric Goetz (Dartmouth College), Larry Gordon (University of Maryland), Karthik Kannan (Purdue University), Marty Loeb (University of Maryland), Tyler Moore (Cambridge University), Andrew Odlyzko (University of Minnesota), Brent Rowe (RTI), Stuart Schechter (Microsoft), Bruce Schneier (BT Counterpane), Sean Smith (Dartmouth College), Rahul Telang (Carnegie Mellon University), Catherine Tucker (MIT), and Hal Varian (University of California, Berkeley).

Many thanks also go to the individuals and the organizations that helped us organize WEIS: Hans Brechbühl, Jennifer Childs, Scott Dynes, Eric Goetz, David Kotz, Xia Zhao (all of Dartmouth), and Stuart Schechter (Microsoft), as well as the support of Tuck School of Business and Thayer School of Engineering at Dartmouth College; the Institute for Information Infrastructure Protection (I3P); the Institute for Security Technology Studies; and Microsoft. WEIS and the efforts to compile this book were partially supported by the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001, under the auspices of the Institute for Information Infrastructure Protection (I3P) and through the Institute for Security Technology Studies (ISTS). The I3P is managed by Dartmouth College. The views and conclusions contained in this book are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security, the I3P, ISTS, or Dartmouth College.

September 2008 M. Eric Johnson


Table of Contents

List of Contributors ................................................................................................... v

Preface ....................................................................................................................vii

Managing Information Risk and the Economics of Security............................. 1

1 Introduction .................................................................................................. 1

2 Communicating Security – The Role of Media............................................ 2

3 Investigating and Prosecuting Cybercrime................................................... 6

4 CISO Perspective – Evaluating and Communicating Information Risk...... 8

4.1 Ranking the Information Threats........................................................ 8

4.2 Communicating the Information Risks............................................. 11

4.3 Measuring Progress........................................................................... 13

5 Overview of Book ...................................................................................... 14

References .............................................................................................................. 15

Nonbanks and Risk in Retail Payments: EU and U.S. ..................................... 17

1 Introduction ................................................................................................ 17

2 Nonbanks in Retail Payment Systems........................................................ 18

2.1 Methodology ..................................................................................... 18

2.2 Definitions......................................................................................... 19

2.3 Payment Types and Payment Activities ........................................... 20

2.4 Nonbank Prevalence ......................................................................... 21

3 Risks in Retail Payments Processing.......................................................... 33

3.1 Risks in Retail Payments .................................................................. 33

3.2 Risks along the Processing Chain..................................................... 36

4 Impact of Nonbanks on Risk ...................................................................... 42

4.1 Changing Risk Profile....................................................................... 42

4.2 Risk Management ............................................................................. 45

5 Conclusions and Closing Remarks............................................................. 49

Acknowledgments .................................................................................................. 51

References .............................................................................................................. 51

Security Economics and European Policy ......................................................... 55

1 Introduction ................................................................................................ 55

1.1 Economic Barriers to Network and Information Security................... 57

2 Information Asymmetries .......................................................................... 59

2.1 Security-Breach Notification ............................................................ 59

2.2 Further Data Sources......................................................................... 60

3 Externalities................................................................................................ 63

3.1 Who Should Internalise the Costs of Malware? ............................... 63

3.2 Policy Options for Coping with Externalities................................... 64

4 Liability Assignment.................................................................................. 66

4.1 Software and Systems Liability Assignment.................................... 67

4.2 Patching............................................................................................. 68

4.3 Consumer Policy............................................................................... 70

5 Dealing with the Lack of Diversity............................................................ 73

5.1 Promoting Logical Diversity ............................................................ 73

5.2 Promoting Physical Diversity in CNI ............................................... 74

6 Fragmentation of Legislation and Law Enforcement ................................ 75

7 Security Research and Legislation............................................................. 76

8 Conclusions ................................................................................................ 77

Acknowledgments .................................................................................................. 78

References .............................................................................................................. 78

BORIS –Business ORiented management of Information Security................ 81

1 Introduction ................................................................................................ 81

1.1 Background ....................................................................................... 81

1.2 Terms ................................................................................................ 82

1.3 Goals ................................................................................................. 83

2 BORIS design............................................................................................. 84

2.1 Overview........................................................................................... 84

2.2 Business Strategic Methods .............................................................. 84

2.3 Process Tactical Methods ................................................................. 87

2.4 Financial Tactical Methods............................................................... 89

2.5 Operational Evaluation and Optimization Methods ......................... 90

2.6 Integrated Program Management...................................................... 93

3 Evaluation................................................................................................... 94

4 Conclusion and Outlook ............................................................................. 95

References .............................................................................................................. 96

Productivity Space of Information Security in an Extension of the

Gordon-Loeb’s Investment Model...................................................................... 99

1 Introduction ................................................................................................ 99

2 The Two Reductions................................................................................. 100

2.1 Vulnerability Reduction.................................................................. 100

2.2 Threat Reduction............................................................................. 101

3 Productivity Space of Information Security............................................. 102

3.1 Threat Reduction Productivity........................................................ 102

3.2 Optimal Investment......................................................................... 103

3.3 Productivity Space .......................................................................... 104

4 Implications and Limitations.................................................................... 110

4.1 Different Investment Strategies ...................................................... 110

4.2 Influence of Productivity-Assessment Failures .............................. 110

4.3 Upper Limit of the Optimal Investment ......................................... 110

4.4 Influence of Countermeasure Innovation ....................................... 111

4.5 Trade-off between Vulnerability Reduction

and Threat Reduction............................................................................... 115

5 Concluding Remarks ................................................................................ 116


Acknowledgments ................................................................................................ 116

References ............................................................................................................ 117

Appendix .............................................................................................................. 118

Communicating the Economic Value of Security Investments:

Value at Security Risk........................................................................................ 121

1 Introduction and Problem Situation.......................................................... 121

2 Background and Preliminaries ................................................................. 123

3 Problem Formulations: Value-at-Risk...................................................... 124

4 Value-at-Security Risk Model: Assumptions........................................... 124

5 Our Parametric Model .............................................................................. 125

5.1 Some Observations on fL (x;t) and gL (x)........................................ 127

5.2 A Special Case: Constant λ and v .................................................... 128

6 Value-at-Security Risk Entities ................................................................ 129

7 Analysis of Authentic Data: Model Evaluation ....................................... 131

7.1 Number of Incidents per Time Unit................................................ 131

7.2 Breach Loss Model ......................................................................... 134

8 Comments and Conclusions: Present and Future Work........................... 138

References ............................................................................................................ 139

Modelling the Human and Technological Costs and Benefits
of USB Memory Stick Security ......................................................................... 141

1 Introduction .............................................................................................. 141

2 The Central Bank Problem and Information Security.............................. 143

3 An Empirical Study .................................................................................. 145

4 The Conceptual Model ............................................................................. 147

5 An Executable Model ............................................................................... 155

6 The Experimental Space........................................................................... 157

6.1 Exploratory Fit of Additional Calibration Parameters.................... 158

6.2 Some Confirmation of Expected Behaviour................................... 158

6.3 Results............................................................................................. 159

6.4 A Utility Function........................................................................... 160

7 Conclusions and Directions...................................................................... 161

Acknowledgments ................................................................................................ 162

References ............................................................................................................ 162

The Value of Escalation and Incentives in Managing Information Access .. 165

1 Introduction .............................................................................................. 165

2 Background and Solution Framework...................................................... 167

2.1 Access Control Policies .................................................................. 167

2.2 Security and Flexibility of Access Control Policies....................... 168

2.3 Access Governance System with Escalation .................................. 169

3 Literature Review ..................................................................................... 170

4 Economic Modeling of an Information Governance System................... 170

5 Overview of Insights and Results............................................................. 172

5.1 Employee ........................................................................................ 173

5.2 Firm................................................................................................. 174

6 Conclusion................................................................................................ 175

References ............................................................................................................ 176

Reinterpreting the Disclosure Debate for Web Infections ............................. 179

1 Introduction .............................................................................................. 179

2 Attack Trends ........................................................................................... 181

2.1 Drive-By Downloads ...................................................................... 183

2.2 Weaponized Exploit Packs ............................................................. 185

3 Market Failure: Consumer Webmasters and Mid-Tier Web Hosts.......... 186

4 Vulnerability Disclosure........................................................................... 188

5 Methods for Identifying Most-Infected Web Hosts ................................. 190

6 Web Host Infection Results...................................................................... 191

6.1 The Panda in the Room................................................................... 192

7 Recommendations .................................................................................... 194

8 Conclusion................................................................................................ 196

Acknowledgments ................................................................................................ 196

References ............................................................................................................ 196

The Impact of Incentives on Notice and Take-down ...................................... 199

1 Introduction .............................................................................................. 199

2 Defamation ............................................................................................... 200

3 Copyright Violations ................................................................................ 202

4 Child Sexual Abuse Images...................................................................... 203

5 Phishing .................................................................................................... 205

5.1 Free Web-hosting............................................................................ 207

5.2 Compromised Machines ................................................................. 207

5.3 Rock-phish and Fast-flux Attacks................................................... 209

5.4 Common Features of Phishing Website Removal.......................... 210

6 Fraudulent Websites ................................................................................. 211

6.1 Fake Escrow Agents ....................................................................... 211

6.2 Mule-recruitment Websites............................................................. 212

6.3 Online Pharmacies Hosted on Fast-flux Networks......................... 215

7 Spam, Malware and Viruses..................................................................... 216

8 Comparing Take-down Effectiveness ...................................................... 217

8.1 Lifetimes of Child Sexual Abuse Image Websites ......................... 219

9 Conclusion................................................................................................ 221

Acknowledgments ................................................................................................ 222

References ............................................................................................................ 222

Studying Malicious Websites and the Underground Economy

on the Chinese Web............................................................................................ 225

1 Introduction .............................................................................................. 225

2 Related Work............................................................................................ 227


3 Underground Economy Model................................................................. 228

3.1 Modeling the Individual Actors...................................................... 228

3.2 Market Interaction........................................................................... 230

3.3 Case Study: PandaWorm ................................................................ 232

4 Mechanisms Behind Malicious Websites on the Chinese Web ............... 232

4.1 Overall Technical Flow................................................................... 232

4.2 Web-based and Conventional Trojans............................................ 233

4.3 Vulnerabilities Used for Web-based Trojans in China................... 235

4.4 Strategies for Redirecting Visitors to Web-based Trojans ............. 236

5 Measurements and Results ....................................................................... 238

5.1 Measurements on the Underground Black Market......................... 238

5.2 Measurements on the Public Virtual Assets Marketplace .............. 239

5.3 Malicious Websites on the Chinese Web ....................................... 240

6 Conclusions .............................................................................................. 243

Acknowledgments ................................................................................................ 244

References ............................................................................................................ 244

Botnet Economics: Uncertainty Matters.......................................................... 245

1 Introduction .............................................................................................. 245

2 Background and Related Work ................................................................ 247

3 The Benchmark Model ............................................................................. 249

3.1 Profit-driven Cybercriminals .......................................................... 249

3.2 Assumptions.................................................................................... 250

3.3 Model Without Virtual Machines................................................... 251

4 Optimization Model With Virtual Machines............................................ 253

4.1 Fixed Probability for a Rental Bot Being Virtual........................... 253

4.2 Uncertainty for a Rental Bot Being Virtual.................................... 256

5 Further Discussion and Case Study.......................................................... 259

5.1 Countervirtual Strategies ................................................................ 259

5.2 Examples and Illustration ............................................................... 260

5.3 Technical Challenges...................................................................... 264

6 Conclusion and Future Work.................................................................... 266

References ............................................................................................................ 267

Cyber Insurance as an Incentive for Internet Security .................................. 269

1 Introduction .............................................................................................. 269

2 Related Work............................................................................................ 272

3 Insurance and Self-protection: Basic Concepts........................................ 275

3.1 Classical Models for Insurance....................................................... 275

3.2 A Model for Self-protection ........................................................... 276

3.3 Interplay between Insurance and Self-protection ........................... 277

4 Interdependent Security and Insurance: the 2-agent Case ....................... 278

4.1 Interdependent Risks for 2 Agents.................................................. 279

4.2 IDS and Mandatory Insurance ........................................................ 280

4.3 IDS and Full Coverage Insurance................................................... 281

5 Interdependent Security and Insurance on a Network.............................. 282

5.1 The Complete Graph Network........................................................ 283

5.2 The Star-shaped Network ............................................................... 285

6 Discussion................................................................................................. 286

7 Conclusion................................................................................................ 287

References ............................................................................................................ 288

Conformity or Diversity: Social Implications of Transparency

in Personal Data Processing .............................................................................. 291

1 Introduction .............................................................................................. 291

1.1 From PETs to TETs ........................................................................ 292

1.2 TETs and Individual Behaviour...................................................... 293

2 Model........................................................................................................ 293

2.1 Assumptions.................................................................................... 294

2.2 Problem Statement.......................................................................... 295

2.3 Rationales for the Assumptions ...................................................... 295

2.4 Analytical Approach ....................................................................... 297

3 Results ...................................................................................................... 302

4 Discussion................................................................................................. 304

5 Related Work............................................................................................ 306

6 Summary and Outlook.............................................................................. 307

Acknowledgments ................................................................................................ 308

References ............................................................................................................ 308

Appendix .............................................................................................................. 311

Is Distributed Trust More Trustworthy?......................................................... 313

1 Introduction .............................................................................................. 313

2 Threshold Trust......................................................................................... 316

3 The Game-Theoretic Modeling ................................................................ 318

3.1 The Basic Model............................................................................. 319

3.2 The Extended Model....................................................................... 321

3.3 The Choice of N and T.................................................................... 324

3.4 The Payoff Matrix........................................................................... 326

4 Discussion and Policy Recommendation ................................................. 327

4.1 NT-TTP Has a Different Cost Structure......................................... 327

4.2 Breakdown of The NT-TTP............................................................ 327

4.3 Counteract Stable Coalitions .......................................................... 328

4.4 NT-TTP and Leniency Programs.................................................... 329

5 Conclusion................................................................................................ 330

Acknowledgments ................................................................................................ 331

References ............................................................................................................ 331

Index..................................................................................................................... 333

Managing Information Risk and the Economics of Security

M. Eric Johnson¹

Center for Digital Strategies, Tuck School of Business, Dartmouth College

Abstract Information risk and the economics of managing security is a concern of private-sector executives, public policy makers, and citizens. In this introductory chapter, we examine the nature of information risk and security economics from multiple perspectives including chief information security officers of large firms, representatives from the media that cover information security for both technical and mass media publications, and agencies of the government involved in cyber crime investigation and prosecution. We also briefly introduce the major themes covered in the five primary sections of the book.

1 Introduction

Information is the lifeblood of the global economy. With more and more organizations maintaining information online, that information has also become a source of growing risk. Once viewed as little more than the occasional teenage hacker creating a nuisance, risks today are fueled by more sophisticated, organized, malicious groups. The evolving risks impact the reliability of national infrastructures

¹ Many people contributed to this overview by framing panel discussions at WEIS, recording panelist discussions, and directly contributing to related publications. In particular, I thank Jane Applegate of Tuck’s Center for Digital Strategies and Eric Goetz of the I3P for their direct contributions to this manuscript. This material is based upon work partially supported by the U.S. Department of Homeland Security under Grant Award Numbers 2006-CS-001-000001 and 2003-TK-TX-0003, under the auspices of the Institute for Information Infrastructure Protection (I3P) and through the Institute for Security Technology Studies (ISTS). The I3P is managed by Dartmouth College. The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security, the I3P, ISTS, or Dartmouth College.

M.E. Johnson (ed.), Managing Information Risk and the Economics of Security,
DOI: 10.1007/978-0-387-09762-6_1, © Springer Science + Business Media, LLC 2009
