Value of Information in Information Security Investment (v2.0)
DESCRIPTION
Presentation on Information Security Investments
TRANSCRIPT
VALUE OF INFORMATION IN INFORMATION SECURITY INVESTMENTS
Presented by Kristina Egorova
Introduction: Security as a Process
[Diagram: the Information Security Process in its Context, linking Information Assets (Q1), Threats (Q2), Protection (Q3) and Outcomes (Q4, Q4.2)]
Info Security: How much do we spend? (1)
Investments are suboptimal
• Companies tend to underinvest (Gordon et al. 2015)
• Overinvestments are possible as well (Chen et al. 2011, Zhao et al. 2013)
• Companies tend to be myopic (Kwon and Johnson 2014)
How was the problem solved before?
• How much to invest? (Gordon and Loeb 2002)
  • What is the optimal amount of money?
  • What are the critical points for decision-making?
• When to invest?
  • Reactive or proactive? (Kwon and Johnson 2014)
  • Respond immediately or remotely? (Tatsumi and Goto 2010)
• How to assess the critical variables?
  • Risks (Baskerville 1991, Rainer et al. 1991, Sun et al. 2006)
  • Losses (Wang et al. 2008)
• How to evaluate the investments?
  • How to evaluate the security software (Cavusoglu 2005)
Example: Gordon and Loeb set-up
Example: How much to spend?
(Gordon and Loeb 2002): determine the optimal amount to invest to protect a given set of information
1. Consider the information set and list out the following:
  1. λ – loss in case of a successful attack (money loss, $)
  2. t – threat probability, t ϵ [0, 1]
  3. v – probability that the attack is successful, v ϵ [0, 1]
2. Thus,
  1. Information is completely vulnerable if v = 1, and vice versa
  2. λ*t*v – expected loss associated with the information set
3. Assume that
  1. v is constant within a period of time
  2. L = λ*t – potential loss
  3. C > 0 – investment (money spent to prevent the money loss)
Simply: How much to spend?
• Minimize the loss: L = λ*t
• Maximize the security: v → 0
• Minimize the spend: C → 0
• Maximize the wealth: W → Max
A risk-neutral firm compares the benefits of the investment with its cost
Problems in the current literature
• Level of analysis
  • Most of the studies model organizational decision-making
  • The role of individual contributions is not clear
  • The decision-making process is not clear
• Lack of behavioral research
  • The investment literature is based on the economic assumption of rationality
• Information assets and their role are ignored
  • The investment literature, and the broader security literature, implicitly assume that information assets have non-zero value
• Objective
  • To understand whether knowledge about the value of information leads to more optimal investment in information security
Why is knowing more important in investment?
• Information Economics
  • Additional information changes the optimality of the decision* (Nadiminti et al. 1996)
  • Decision accuracy depends on the mental model and on the weights given to variables (Heuer 1999)
• Information security: if you ignore…
  • the structure of the assets ~ overinvestment (Chen et al. 2011)
  • interdependent risks ~ overinvestment (Zhao et al. 2013)
  • interactions with hackers ~ you lose the game (Cavusoglu et al. 2008)
• Accounting: Judgement Performance Model
  • Judgement performance depends on knowledge content and structure; more task-relevant content improves judgement** (Libby and Luft 1993)
Why is knowing more important in investment? (2)
• How can knowing the value of the information asset help?
  • … I'm looking for the answer
• Investments / Behavioral finance
  • What are the critical information points?
• Insurance
  • Why do people buy insurance?
  • How does the value of the insured subject affect the decision?
• Psychology
  • What changes protective behaviors?
  • How is protecting oneself different from protecting others?
Problem Setting
• We have
  • Q1: Information assets with value V
  • Q2: Threat(s) with probability P and severity S; Risk = P*S
  • Q3: Protection – investment with cost C
  • Q4: Outcome – efficiency of the investment
• They are related:
  • Expected loss EL = V*Risk
  • Investment decreases probability and severity: as C↑, Risk↓
  • As we invest money, the expected loss decreases: as C↑, EL↓
[Chart: Expected loss (y-axis) falling as C, investment (x-axis) grows]
Problem Setting: How to calculate the efficiency of investment?
• Remember, we minimize the expected loss EL and the cost C
• Thus, we minimize them together: Total security cost = EL + C => TSC = V*Risk + C
• Assume the values: V = 10 000, Risk = 0.80, C = 1000, 2000, …
• Investing C decreases the risk by ½ (each step of 1000 halves it, see the table)
[Chart: Expected Loss, Investment and Total Security Cost (y-axis, 0–9000) against C, investment (x-axis, 0–8000)]
C       Risk    Expected Loss
0       80%     8000
1000    40%     4000
2000    20%     2000
…
Problem Setting: Underinvestment
[Chart: Expected Loss, Investment and Total Security Cost against C (0–8000), point at C = 1000]
Total cost = 5000
Expected loss = 4000
Investment = 1000
Problem Setting: Optimal Investment
[Chart: Expected Loss, Investment and Total Security Cost against C (0–8000), point at C = 2000]
Total cost = 4000
Expected loss = 2000
Investment = 2000
Problem Setting: Overinvestment
[Chart: Expected Loss, Investment and Total Security Cost against C (0–8000), point at C = 5000]
Total cost = 5250
Expected loss = 250
Investment = 5000
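The two models on the preceding slides, the Gordon and Loeb set-up (expected loss λ*t*v, potential loss L = λ*t) and the Problem Setting model (EL = V*Risk, TSC = EL + C, each 1000 invested halving the risk), worked through in Python as an added example. This is not the presenter's code; the function names, the `step`/`factor` parameters and the 0–8000 budget grid are assumptions made here, while V = 10 000 and Risk = 0.80 are the values the slides assume. It reproduces the slide table and labels the three cases (under-, optimal and over-investment) by comparing each budget with the TSC-minimising one.

```python
"""Added worked example (not from the presentation): Gordon-Loeb expected loss
and the slides' Total Security Cost (TSC) model. V = 10 000 and Risk = 0.80 come
from the slides; function names, `step`, `factor` and the budget grid are assumptions."""
from typing import List, Tuple

# Budget grid matching the chart's x-axis (0 .. 8000 in steps of 1000) - assumed here.
SLIDE_BUDGETS: List[float] = [1000.0 * k for k in range(9)]


def expected_loss_gl(lam: float, t: float, v: float) -> float:
    """Gordon-Loeb expected loss lambda*t*v for one information set.

    lam: loss ($) in case of a successful attack; t: threat probability;
    v: probability that an attack succeeds (v = 1 means completely vulnerable).
    """
    for name, p in (("t", t), ("v", v)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must lie in [0, 1], got {p}")
    if lam < 0:
        raise ValueError("lambda (loss) cannot be negative")
    return lam * t * v


def potential_loss_gl(lam: float, t: float) -> float:
    """Gordon-Loeb potential loss L = lambda*t, i.e. the expected loss at v = 1."""
    return expected_loss_gl(lam, t, 1.0)


def risk_after_investment(risk0: float, c: float,
                          step: float = 1000.0, factor: float = 0.5) -> float:
    """Residual risk after investing c.

    Slide rule: every `step` invested multiplies the risk by `factor`
    (0.5 = 'decreases risk by 1/2'). Non-integer multiples of `step` are
    interpolated geometrically - an assumption; the slides only show whole steps.
    """
    if c < 0:
        raise ValueError("investment cannot be negative")
    if not 0.0 <= risk0 <= 1.0 or not 0.0 < factor <= 1.0 or step <= 0:
        raise ValueError("need risk0 in [0, 1], factor in (0, 1], step > 0")
    exponent = c / step
    if exponent == int(exponent):        # integer power keeps 0.5**k exact
        exponent = int(exponent)
    return risk0 * factor ** exponent


def total_security_cost(value: float, risk0: float, c: float,
                        step: float = 1000.0, factor: float = 0.5) -> Tuple[float, float, float]:
    """Return (residual Risk, EL = V*Risk, TSC = EL + C) for one budget c."""
    risk = risk_after_investment(risk0, c, step, factor)
    el = value * risk
    return risk, el, el + c


def tsc_table(value: float, risk0: float, budgets: List[float],
              step: float = 1000.0, factor: float = 0.5) -> List[Tuple[float, float, float, float]]:
    """Rows of (C, Risk, EL, TSC), one per candidate budget - the slide's table."""
    return [(c,) + total_security_cost(value, risk0, c, step, factor) for c in budgets]


def optimal_investment(value: float, risk0: float, budgets: List[float],
                       step: float = 1000.0, factor: float = 0.5) -> float:
    """Budget with the lowest TSC. On a tie (2000 vs 3000 both give 4000 on the
    slides' numbers) the smaller budget is returned, as the slides do."""
    table = tsc_table(value, risk0, budgets, step, factor)
    return min(table, key=lambda row: round(row[3], 6))[0]


def classify_investment(value: float, risk0: float, c: float, budgets: List[float],
                        step: float = 1000.0, factor: float = 0.5) -> str:
    """Label c against the TSC-minimising budget: the three 'Problem Setting' cases."""
    opt = optimal_investment(value, risk0, budgets, step, factor)
    if c < opt:
        return "underinvestment"
    if c > opt:
        return "overinvestment"
    return "optimal"


if __name__ == "__main__":
    V, RISK0 = 10_000, 0.80                       # values assumed on the slides
    print(f"{'C':>6} {'Risk':>7} {'EL':>8} {'TSC':>8}")
    for c, risk, el, tsc in tsc_table(V, RISK0, SLIDE_BUDGETS):
        print(f"{c:>6.0f} {risk:>7.1%} {el:>8.0f} {tsc:>8.0f}")
    for c in (1000.0, 2000.0, 5000.0):            # the three highlighted slides
        print(f"C = {c:.0f}: {classify_investment(V, RISK0, c, SLIDE_BUDGETS)}")
```

Running it prints the C / Risk / EL / TSC table from the slides (1000 → TSC 5000, 2000 → 4000, 5000 → 5250) and labels 1000, 2000 and 5000 as under-, optimal and over-investment respectively. Note that 3000 also gives TSC 4000 under the halving rule; the tie is resolved in favour of the smaller budget, so the baseline matches the "Optimal Investment" slide.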
So far…
• We can fix these values
  • Risk
  • Investment impact factor (aka protection efficiency)
• We can manipulate the information value
  • Unknown vs. known ~ basic case
• We can calculate the investment efficiency
  • To have a performance baseline for each individual
• We can test the conjecture:
  • Knowledge about the value of information assets will lead to more optimal investment decisions
Methodology: An Experiment
• The variable of interest – value of information:
  • Group I: Value of information is given
  • Group II: Value of information is not given
• Series of tasks:
  • Several rounds of training (make sure subjects understand the task)
  • Vary probability – from 20% to 80% (with ∆20%)
  • Vary severity – from 20% to 80% (with ∆20%)
  (these two are Risk)
  • Vary investment impact – from , ,
  (this is response efficacy from Protection Motivation Theory)
Methodology: Controls & Design
• Controls
  • Demographics (age, gender, income, education…)
  • IT & information security background / knowledge
  • Difficulty of the task (perception)
  • Information processing ability (psychometric)
• Experiment design highlights
  • 4 levels of risk probability x 4 of severity x 3 of investment impact = 48 tasks ~ randomized order of tasks
  • Performance-based incentives (show-up fee + premium)
  • Calculator to reduce the task load
Methodology: Participant View (1)
• Group I: No information value
Methodology: Participant View (2)
• Group II: Information value is given
Methodology: Discussion
• Group II: Information value is given
Open questions on the participant view:
• Is it a realistic number?
• Fix or vary?
• Do I need to explain what information assets are?
• Is the place right? Need to highlight more?
• Is the company size necessary?
• Show the risk reduction, reduced risk probabilities or reduced loss?
• Show 0$ or 1000$ initially?
Methodology: Post-Experimental Survey
• How did you determine the investment amount?
• How difficult was the task?
• What was the purpose of the study?
Thank you!
Privacy Calculus Model
Protection Motivation Theory
Losses due to information security