64 April 2008/Vol. 51, No. 4 COMMUNICATIONS OF THE ACM
INFORMATION SECURITY AND RISK MANAGEMENT
By LAWRENCE D. BODIN, LAWRENCE A. GORDON, and MARTIN P. LOEB

Use the new PCR risk metric to find ways to enhance security, avoiding one-dimensional metrics like ALE that could risk an organization’s survivability.

The economic framework explored in [3, 6, 7] is useful for evaluating information security activities. A key concept in this framework is the notion of risk management. Even though organizations try to avoid any breach of information security, they cannot make all their information 100% secure all the time. Thus, managing the risk associated with potential breaches is an integral part of resource-allocation decisions associated with information-security activities.1 To make such decisions, the chief information security officer (CISO) needs to first be clear as to what is meant by risk.

Risk involves multiple dimensions and meanings within the context of information security. Here, we discuss three measures that capture various aspects of information security risk and propose a methodology that allows decision makers to combine them into a single composite metric—the perceived composite risk, or PCR. We recommend using the Analytic Hierarchy Process (AHP) [8] to determine the weighting factors needed to combine risk measures into the PCR. We offer an example of how decision makers can use the PCR to evaluate proposals for enhancing an organization’s information-security system. Here, we build on the AHP analysis in [1] for assisting CISOs in ranking proposals intended to enhance their organizations’ information security systems.2

1 See [5] for a framework for cyber risk management that incorporates insurance.
Three measures that capture commonly considered facets of risk are the expected loss, expected severe loss, and standard deviation of the loss. The expected loss is calculated by adding together the product of each loss with its respective probability.3 The expected loss is conceptually equivalent to the popular Annual Loss Expectancy (ALE) measure (see, for example, [3]). Based on this measure, the larger the expected loss, the larger would be the risk associated with a breach of information security.

The expected severe loss focuses on the breaches that would put the survivability of the organization at risk. In order to calculate the expected severe loss, the decision maker (such as a CISO) first specifies the magnitude of a loss that, were it to occur, would threaten the organization’s survivability. The expected severe loss is calculated by adding together the product of each loss that is greater than or equal to the specified threshold loss with its respective probability. Based on this metric, the larger the expected severe loss, the larger would be the risk associated with a breach of information security.

The standard deviation of loss (the square root of the variance of loss) represents the dispersion around the expected loss. It is computed by taking the square root of the sum, over all losses, of the product of the squared deviation of each loss from the expected loss with the probability of that loss. Based on this metric, the larger the standard deviation, the larger would be the risk associated with a security breach. We used the standard deviation of loss rather than the variance of loss because the standard deviation of loss is measured in the same units (for example, dollars) as both the expected loss and the expected severe loss.

To illustrate the three metrics, let X be a random variable representing the loss (in millions of dollars) attributable to a breach. In a proposal (Proposal 1) for enhancing information security activities, X has the following discrete uniform distribution:

P[X=x] = .1 for x = 0, 1, 2, ..., 9.

The expected loss from a breach, E[X], under Proposal 1 is equal to $4.5 million, as shown by the calculation in the figure here. In order to calculate the expected severe loss, the decision maker must first specify a threshold level. Suppose that level, denoted by T, is judged to be 8, that is, any breach that costs $8 million or more is believed to put the survivability of the organization at risk. The expected severe loss, E[X|X ≥ T], under Proposal 1 is equal to $1.7 million, as shown by the calculation in the figure. The standard deviation of loss, denoted by σ, under the loss function defined for Proposal 1 is equal to $2.87 million, as shown by the calculation in the figure.

2 For more on the allocation of resources in information security, see [2, 4].
3 We assume loss is a discrete random variable.
COMPUTING EXPECTED PCR

For a given set of information-security activities, the PCR is a linear combination of the expected loss, the expected severe loss, and the standard deviation of loss that can be attributable to a breach:

PCR = E[X] + [B/A] E[X|X≥T] + [C/A] σ

where the weights A, B, and C are determined from the AHP. These weights are positive, sum to one, and reflect the relative importance of the performance metrics to the decision maker. An overview of the AHP (in an information-security-investment context) is given in [1]. Before turning to the question of how these weights are derived through AHP, consider three properties of the PCR:

• It equals the expected loss plus two penalty terms;
• The penalty term, [B/A] E[X|X≥T], measures an additional perceived loss due to the occurrence of a severe loss; and
• The penalty term, [C/A] σ, measures an additional perceived loss due to variability in predicting the loss.
The weights A, B, and C measure the emphasis the CISO wants to place on the three risk measures: expected loss, expected severe loss, and standard deviation. The weights on the three terms are 1, B/A, and C/A. Without loss of generality, one can normalize the weights on the terms in the PCR so the weight on the expected loss, E[X], is equal to one. In that way, a decision maker who wants the PCR to equal the expected loss would set B = 0 and C = 0 in the equation defining PCR.

To illustrate the AHP method for determining the values of the weights, we consider a numerical example. Table 1 lists a pairwise comparison matrix of the three measures: expected loss, expected severe loss, and standard deviation of the loss. The pairwise comparison matrix is made up of columns 2–4 and rows 2–4 in the table. The final column lists the weights as determined by the eigenvector associated with the maximum eigenvalue for the pairwise comparison matrix in columns and rows 2–4 in the table (for more, see [1]).

In establishing this pairwise comparison matrix, the assumption in the example is that the expected loss (E[X]) and expected severe loss (E[X|X≥T]) are equally important criteria, both slightly more preferred than the standard-deviation-of-loss (σ) criterion. The pairwise comparisons that represent this judgment are realized by setting a12 = 1, a21 = 1, a13 = 2, a23 = 2, a31 = 1/2, and a32 = 1/2. Further, the diagonal elements, a11, a22, and a33, are set equal to 1, since a criterion is equally important as itself. For a given decision maker for which AHP reveals these weights—A = 0.4, B = 0.4, and C = 0.2—here is the value of the PCR for Proposal 1:

PCR(Proposal 1) = $4.5M + [.4/.4][$1.7M] + [.2/.4][$2.872M] = $4.5M + $1.7M + $1.436M = $7.636M

Table 1. Pairwise comparison matrix and weights for the example.

                                Expected Loss   Expected Severe Loss   Standard Deviation   Weights
                                E[X]            E[X|X≥T]               of Loss
Expected Loss E[X]              1               1                      2                    .4
Expected Severe Loss E[X|X≥T]   1               1                      2                    .4
Standard Deviation of Loss      1/2             1/2                    1                    .2

[Figure: Calculation of expected loss, expected severe loss, and standard deviation of loss in Proposal 1. X = random variable representing the loss in millions of dollars attributable to a breach; P[X=x] = probability the loss attributable to the breach equals x, x = 0, 1, 2, 3, 4, 5, 6, 7, 8, 9; T = $8 million (threshold loss).]
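As an added example (not code from the article), the following Python derives the weights of Table 1 from its pairwise comparison matrix by computing the principal eigenvector with the power method; it also reports Saaty's consistency ratio, which the article does not discuss, using the standard random-index values from the AHP literature.

```python
# Added example: AHP weights for the three risk criteria of Table 1.
# Computes the eigenvector of the maximum eigenvalue of a positive
# reciprocal pairwise comparison matrix (power method, no numpy needed)
# and Saaty's consistency index / ratio as a sanity check on the judgments.

def principal_eigenvector(a, iters=200):
    """Return (weights, lambda_max); weights are normalised to sum to one."""
    n = len(a)
    w = [1.0 / n] * n
    lam = 0.0
    for _ in range(iters):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)                  # Rayleigh estimate, since sum(w) == 1
        w = [v / lam for v in aw]      # renormalise so the weights sum to one
    return w, lam

# Saaty's random index for n = 1..5 (from the AHP literature, see [8]).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}

def consistency_ratio(a):
    """CR = CI / RI; Saaty treats judgments with CR < 0.1 as acceptably consistent."""
    n = len(a)
    _, lam = principal_eigenvector(a)
    ci = (lam - n) / (n - 1)
    return ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0

# Table 1: a12 = a21 = 1, a13 = a23 = 2, a31 = a32 = 1/2, diagonal = 1.
# Row/column order: expected loss, expected severe loss, standard deviation.
TABLE1 = [
    [1.0, 1.0, 2.0],
    [1.0, 1.0, 2.0],
    [0.5, 0.5, 1.0],
]

def ahp_weights(a=TABLE1):
    """Weights (A, B, C) for the PCR, rounded to three decimals."""
    w, _ = principal_eigenvector(a)
    return tuple(round(v, 3) for v in w)

if __name__ == "__main__":
    A, B, C = ahp_weights()
    print("A=%.3f B=%.3f C=%.3f" % (A, B, C))        # A=0.400 B=0.400 C=0.200
    print("CR=%.3f" % consistency_ratio(TABLE1))     # CR=0.000 (fully consistent)
```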
EVALUATING FOUR PROPOSALS

In order to demonstrate PCR use, assume that the CISO must select from among four equal-cost proposals for enhancing an organization’s information security. Suppose the CISO and his/her staff have estimated the loss probabilities associated with the four proposed sets of information security activities. The estimated loss probabilities associated with each proposal are broken down into the 10 discrete amounts in Table 2. We continue to assume that the threshold level, T, of a severe loss is $8 million. Table 3 lists the values of the three risk measures for each of the four proposals; it also lists the value of the PCR for each proposal, assuming that A = 0.4, B = 0.4, and C = 0.2.

Table 2. Probability of losses under four information security project proposals.

Losses from an information security breach    Probability of loss under:
(in $ millions)                               Proposal 1   Proposal 2   Proposal 3   Proposal 4
9                                             .1           0            .3           .1
8                                             .1           .2           .1           .45
7                                             .1           .1           .05          .45
6                                             .1           0            .05          0
5                                             .1           .5           0            0
4                                             .1           0            0            0
3                                             .1           0            0            0
2                                             .1           .2           0            0
1                                             .1           0            .2           .0
0                                             .1           0            .3           .0
Other values                                  0            0            0            0

Table 3. Risk measures for the four proposals (where T = 8, A = 0.4, B = 0.4, and C = 0.2). An asterisk marks the minimum in each column (shown in bold in the original).

             Expected Loss   Expected Severe Loss   Standard Deviation   Perceived Composite
             E[X]            E[X|X≥T]               of Loss              Risk (PCR)
Proposal 1   4.5             1.7                    2.872                7.636*
Proposal 2   5.2             1.6*                   1.990                7.795
Proposal 3   4.35*           3.5                    4.028                9.864
Proposal 4   7.65            4.5                    0.654*               12.477

Some problems with using the popular metric of expected loss as a sole measure of risk are apparent by examining Tables 2 and 3. According to the expected loss metric, Proposal 3 is the preferred proposal, followed in order by Proposal 1, Proposal 2, and Proposal 4. Note that although Proposal 3 minimizes the expected loss, it also generates the second highest probability of threatening the survivability of the organization (Pr[X≥8] = 0.4) and generates the highest standard deviation of loss. Table 3 also indicates that based on the expected severe loss criterion, Proposal 2 is the preferred proposal, followed in order by Proposal 1, Proposal 3, and Proposal 4. Further, based on the standard deviation criterion, Proposal 4 is the preferred proposal, followed in order by Proposal 2, Proposal 1, and Proposal 3. Thus, a decision maker interested in minimizing the risk of a breach could rationally select Proposal 2, Proposal 3, or Proposal 4, depending on the risk metric being considered.

The PCR combines the three risk measures through a procedure that determines the decision maker’s relative weighting of the risk criteria. The weights are decision-maker dependent, so the rankings based on the PCR are likely to vary from person to person. With the values of A, B, and C given by 0.4, 0.4, and 0.2, respectively, Proposal 1 is preferred to Proposal 2, which in turn is preferred to Proposal 3, which is preferred to Proposal 4. It is interesting to note that Proposal 1 has the smallest value of the PCR, even though it did not dominate any individual metric. However, if the decision maker’s weights were A = 0.1, B = 0.2, and C = 0.7, then based on the PCR, Proposal 4 is preferred to Proposal 2, which is preferred to Proposal 1, which is preferred to Proposal 3.4

The approach of using the expected loss due to a breach as the ranking criterion gives the CISO a narrow analysis of the alternatives and may lead to misleading results. Examining these other risk measures helps determine the best proposal for implementation. Although we formed the PCR as a linear combination of expected loss, expected severe loss, and standard deviation of loss, the method of forming a single PCR type of metric from a set of criteria is a general methodology. The decision maker can use any set of criteria to form a PCR type of metric and the AHP to determine the weighting factors. In that way, no matter what aspects of risk a decision maker wishes to consider, a PCR type of metric can serve as a powerful decision-making tool.
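As an added example (not the article's own code), the Python below computes the three risk measures defined earlier (expected loss, expected severe loss, standard deviation) and the PCR for the four loss distributions of Table 2, then ranks the proposals under both weight sets discussed in the text; the proposal dictionaries are transcribed from Table 2. Note that the article's E[X|X≥T] is the sum of x·P[X=x] over x ≥ T, not a conditional expectation, and the code follows the article's definition.

```python
# Added example: risk measures and PCR for the four proposals of Table 2.
from math import sqrt

# Loss distributions from Table 2, {loss in $ millions: probability};
# losses not listed ("other values") have probability 0.
PROPOSALS = {
    "Proposal 1": {x: 0.1 for x in range(10)},
    "Proposal 2": {8: 0.2, 7: 0.1, 5: 0.5, 2: 0.2},
    "Proposal 3": {9: 0.3, 8: 0.1, 7: 0.05, 6: 0.05, 1: 0.2, 0: 0.3},
    "Proposal 4": {9: 0.1, 8: 0.45, 7: 0.45},
}

def risk_measures(dist, threshold=8):
    """Return (E[X], E[X|X>=T] as the article defines it, sigma)."""
    assert abs(sum(dist.values()) - 1.0) < 1e-9, "probabilities must sum to one"
    expected = sum(x * p for x, p in dist.items())
    # expected severe loss: only losses at or above the survivability threshold
    severe = sum(x * p for x, p in dist.items() if x >= threshold)
    variance = sum((x - expected) ** 2 * p for x, p in dist.items())
    return expected, severe, sqrt(variance)

def pcr(dist, weights, threshold=8):
    """PCR = E[X] + (B/A) E[X|X>=T] + (C/A) sigma, with weights = (A, B, C)."""
    a, b, c = weights
    expected, severe, sigma = risk_measures(dist, threshold)
    return expected + (b / a) * severe + (c / a) * sigma

def rank_proposals(weights, threshold=8):
    """Proposal names ordered from lowest (preferred) to highest PCR."""
    scores = {name: pcr(d, weights, threshold) for name, d in PROPOSALS.items()}
    return sorted(scores, key=scores.get)

if __name__ == "__main__":
    for name, dist in PROPOSALS.items():
        e, s, sd = risk_measures(dist)
        print(f"{name}: E[X]={e:.2f}  E[X|X>=8]={s:.2f}  sigma={sd:.3f}  "
              f"PCR={pcr(dist, (0.4, 0.4, 0.2)):.3f}")
    print("ranking with (A,B,C)=(0.4,0.4,0.2):", rank_proposals((0.4, 0.4, 0.2)))
    print("ranking with (A,B,C)=(0.1,0.2,0.7):", rank_proposals((0.1, 0.2, 0.7)))
```

Running it reproduces Table 3 and the footnote 4 values, and shows how the ranking flips once the decision maker puts most of the weight on variability.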
CONCLUSION

Anyone responsible for information security must be able to manage risk. However, the initial step in such management—defining risk—is far from easy. Popular risk metrics (such as expected loss from a breach and the standard deviation of a loss from a breach) capture only narrow aspects of risk. Here, we’ve introduced a new metric—the PCR—to evaluate investment proposals for enhanced information security and recommended using AHP to determine the weights in the PCR. The PCR gives the user powerful new tools for analyzing proposals for enhancing an organization’s information security system. This analysis complements [1], which detailed how to spend an information-security budget, taking into account both financial and nonfinancial aspects of proposed information security projects.
REFERENCES

1. Bodin, L., Gordon, L., and Loeb, M. Evaluating information security investments using the analytic hierarchy. Commun. ACM 48, 2 (Feb. 2005), 461–485.
2. Gordon, L. and Loeb, M. Budgeting process for information security expenditures: Empirical evidence. Commun. ACM 49, 1 (Jan. 2006), 121–125.
3. Gordon, L. and Loeb, M. Managing Cybersecurity Resources: A Cost-Benefit Analysis. McGraw-Hill, New York, 2006.
4. Gordon, L., Loeb, M., and Lucyshyn, W. Sharing information on computer systems: An economic analysis. Journal of Accounting and Public Policy 22, 6 (Nov.-Dec. 2003), 461–485.
5. Gordon, L., Loeb, M., and Sohail, T. A framework for using insurance for cyber risk management. Commun. ACM 46, 3 (Mar. 2003), 81–85.
6. Gordon, L. and Loeb, M. The economics of investment in information security. ACM Transactions on Information and System Security 5, 4 (Nov. 2002), 438–457.
7. Gordon, L. and Loeb, M. A framework for using information security as a response to competitor analysis systems. Commun. ACM 44, 9 (Sept. 2001), 70–75.
8. Saaty, T. The Analytic Hierarchy Process. McGraw-Hill, New York, 1980.
Lawrence D. Bodin (lbodin@rhsmith.umd.edu) is Professor Emeritus in the Robert H. Smith School of Business at the University of Maryland, College Park, MD. Lawrence A. Gordon (lgordon@rhsmith.umd.edu) is the Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance in the Robert H. Smith School of Business at the University of Maryland, College Park, where he is also an affiliate professor in the University of Maryland Institute for Advanced Computer Studies. Martin P. Loeb (mloeb@rhsmith.umd.edu) is a professor of accounting and information assurance and a Deloitte & Touche faculty fellow in the Robert H. Smith School of Business at the University of Maryland, College Park, where he is also an affiliate professor in the University of Maryland Institute for Advanced Computer Studies.
© 2008 ACM 0001-0782/08/0400 $5.00
DOI: 10.1145/1330311.1330325
4 In this case, PCR(Proposal 4) = $21.227 million, PCR(Proposal 2) = $22.330 million, PCR(Proposal 1) = $28.006 million, and PCR(Proposal 3) = $39.548 million.