Economic Models & Approaches in Information Security for Computer Networks

Authors: P. Souras et al.

Submission: International Journal of Network Security

Reporter: Chun-Ta Li

Outline
  • Introduction
  • Networks & Security
  • Risk Management
  • Financial Approaches in Information Security
  • Return on Security Investment
  • Conclusion
  • Comments
Introduction
  • An organization consists of logical and physical assets that can be grouped into smaller elements [Wei 2001]
Introduction (cont.)
  • An information security system provides
    • Protection from unauthorized access
    • Protection of information from integrity flaws
    • Detection and correction of information security breaches
  • The potential decrease in market value due to IT security breaches is composed of both tangible and intangible losses
    • Tangible: loss of productivity, cost of system repair, insurance
    • Intangible: loss of reputation, reduction in brand value, legal implications
Introduction (cont.)
  • Key issues in this paper
    • Economic models
      • Evaluation of an information security investment
      • Calculating information security risk
      • Annual Loss Expectancy (ALE)
      • Cost To Break metric
      • Setting the rules for calculating the Return on Security Investment
Networks & Security
  • Organizations typically employ multiple security technologies
    • Firewalls
    • Intrusion Detection Systems (IDS)
  • Three basic types of cryptography
    • Bulk encryption, Message authentication, Data integrity
  • Three types of cryptographic systems
    • Totally secret, Public algorithms, Public key systems
Networks & Security (cont.)
  • Possible attacks on encrypted data
    • Calculation of the password (brute force)
    • Dictionary attack
    • Packet modification
    • Replay attack
    • Evil twin (man-in-the-middle)
Risk Management
  • Quantification of risk [Reavis 2004][Schechter 2004]
    • RISK = VA*SV*LA
    • RISK = LLE*CLE
    • SecurityRisk = LSB*CSB
    • SecurityRisk = SBR*ACPB
Risk Management (cont.)
  • Annual Loss Expectancy (ALE) [National Bureau of Standards 1979][Hoo 2000][Schechter 2004]
    • ALE = expected rate of loss * value of loss (annual rate of occurrence × loss per occurrence)
Financial Approaches in Information Security
  • Information security investment
    • Cost (implementing the infrastructure)
    • Benefit (losses prevented by avoiding security breaches)
  • Optimization economic model [Gordon and Loeb 2001]
    • G(S) = B(S) – C(S)
      • B: benefit from implementing the information security infrastructure
      • C: total cost of that implementation
      • S: the level of information security (the decision variable)
      • G: net gain (G = B – C); determine the point where the gain
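The slide only states G(S) = B(S) – C(S). The following is an added example, not code from the Souras et al. paper or from this presentation, that carries the optimization through under one assumption: the benefit curve B is generated by the class-I breach-probability function of Gordon and Loeb (2002), S(z, v) = v / (αz + 1)^β, with z the money invested, v the breach probability before investing and L the loss from a breach, so that the cost C(z) is the investment z itself. The closed-form optimum is checked against a brute-force grid search, and the well-known bound that the optimal investment stays below vL/e is checked as well. All numbers are constructed.

```python
"""Gordon-Loeb style optimisation of G(z) = B(z) - C(z).

Added example; not code from the paper or the presentation.
Assumption: B(z) comes from the class-I breach-probability function of
Gordon and Loeb (2002), S(z, v) = v / (alpha*z + 1)**beta, and C(z) = z.
The parameter values in main() are constructed for illustration.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class GordonLoeb:
    v: float       # breach probability with zero investment (vulnerability)
    loss: float    # monetary loss L if a breach occurs
    alpha: float   # productivity parameters of the security investment
    beta: float

    def breach_prob(self, z: float) -> float:
        """S(z, v): breach probability after investing z."""
        return self.v / (self.alpha * z + 1.0) ** self.beta

    def benefit(self, z: float) -> float:
        """B(z): expected loss avoided by the investment."""
        return (self.v - self.breach_prob(z)) * self.loss

    def net_gain(self, z: float) -> float:
        """G(z) = B(z) - C(z), with C(z) = z (the money spent)."""
        return self.benefit(z) - z

    def optimal_investment(self) -> float:
        """Closed form from dG/dz = 0: (alpha*z + 1)^(beta+1) = v*L*alpha*beta.

        If the marginal benefit at z = 0 is already below 1 the best
        choice is to invest nothing, since G is concave and decreasing.
        """
        k = self.v * self.loss * self.alpha * self.beta
        if k <= 1.0:
            return 0.0
        return (k ** (1.0 / (self.beta + 1.0)) - 1.0) / self.alpha

    def grid_search(self, z_max: float, steps: int = 10_000) -> float:
        """Brute-force cross-check: argmax of G(z) on a grid over [0, z_max]."""
        best_z, best_g = 0.0, self.net_gain(0.0)
        for i in range(1, steps + 1):
            z = z_max * i / steps
            g = self.net_gain(z)
            if g > best_g:
                best_z, best_g = z, g
        return best_z


if __name__ == "__main__":
    m = GordonLoeb(v=0.6, loss=1_000_000.0, alpha=1e-5, beta=1.0)
    z_star = m.optimal_investment()
    print(f"optimal z*      = {z_star:,.0f}")
    print(f"G(z*) = B - C   = {m.net_gain(z_star):,.0f}")
    print(f"grid argmax     = {m.grid_search(600_000.0):,.0f}")
    print(f"z* / (v*L)      = {z_star / (m.v * m.loss):.3f} (<= 1/e = {1 / math.e:.3f})")
```

The constructed parameters give an optimum near 145,000 against an expected loss vL of 600,000, i.e. roughly 24% of the expected loss; raising alpha or beta (more productive security spending) lowers the optimum further, which is the qualitative point of the model.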
Financial Approaches in Information Security (cont.)
  • Total annual security expenditure [Mizzi 2005]
    • Es = F + B + M
    • LT = LI + A(t) + r(t)
    • A(t) = I*t/365
Financial Approaches in Information Security (cont.)
  • The security implementation is viable if
    Es < LT
    (F+B+M) < [LI+A(t)+r(t)]
  • Cost to repair annual damages
    D = DD + DI
  • With the repair cost included the condition becomes
    Es < LT + D
    (F+B+M) < [LI+A(t)+r(t)+D]

Financial Approaches in Information Security (cont.)
  • Annual Cost To Break [Mizzi 2005][Schechter 2002]
    CTB = CD + CV
  • Compared with the annual security expenditure Es
    CTB > Es
    CTB > (F+B+M)

Return on Security Investment
  • The ALE framework has seven basic elements [Campbell et al. 1979]
    • Requirements, R = [R1, R2, …, Ri]
    • Assets, A = [A1, A2, …, Ak]
    • Security Concerns, C = [C1, C2, …, Cs]
    • Threats, T = [T1, T2, …, Tm]
    • Safeguards, S = [S1, S2, …, Sp]
    • Vulnerabilities, V = [V1, V2, …, Vq]
    • Outcomes, O = [O1, O2, …, Or]
  • Three associated quantities
    • Asset Values: Aval = [A1val, A2val, …, Akval]
    • Safeguard Effectiveness: Seff = [S1eff, S2eff, …, Speff]
    • Outcome Severity: Osev = [O1sev, O2sev, …, Orsev]
Return on Security Investment (cont.)
  • Identification of the security requirements
    • Security concerns, possible threats, etc.
  • Analysis phase
    • Threat analysis, vulnerability analysis, scenario analysis
  • Risk measurement (potential impact and probability)
    • Acceptability test, cost-benefit analysis
  • Decisions on safeguards
Return on Security Investment (cont.)
  • The reduction in ALE [Schechter 2004]
    S = ALE_baseline – ALE_with new safeguards
  • Total annual benefit B
    B = S + (profit from new ventures)
  • Return on security investment
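The ALE, S and B formulas above, worked through on a small threat table. This is an added example, not code from the paper or the presentation: the threats, the safeguard effectiveness values (the framework's Seff) and the annual costs are constructed, and the ROSI ratio at the end uses the common definition (B – C) / C, which the slides do not state, so it is an assumption. Safeguards are modelled as independent layers, so the fraction of a threat's expected loss that survives several safeguards is the product of the individual surviving fractions.

```python
"""Annual Loss Expectancy with and without safeguards, following the slide's
S = ALE_baseline - ALE_with_new_safeguards and B = S + (profit from new ventures).

Added example, not code from the paper or the presentation. The threat table,
the safeguard effectiveness values and the costs are constructed; the ROSI
ratio uses the common definition (B - C) / C, which the slides do not state.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable


@dataclass(frozen=True)
class Threat:
    name: str
    annual_rate: float      # expected occurrences per year ("expected rate of loss")
    loss_per_event: float   # monetary loss per occurrence ("value of loss")

    def ale(self) -> float:
        """ALE = expected rate of loss * value of loss."""
        return self.annual_rate * self.loss_per_event


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    # Effectiveness per threat name: fraction of that threat's expected loss
    # the safeguard removes (0 = no effect, 1 = blocks it completely).
    effectiveness: Dict[str, float] = field(default_factory=dict)


def ale_baseline(threats: Iterable[Threat]) -> float:
    """Sum of the ALE of every threat with no safeguards in place."""
    return sum(t.ale() for t in threats)


def ale_with_safeguards(threats: Iterable[Threat], safeguards: Iterable[Safeguard]) -> float:
    """Residual ALE once the safeguards are deployed (independent layers)."""
    safeguards = list(safeguards)
    residual = 0.0
    for t in threats:
        surviving_fraction = 1.0
        for s in safeguards:
            eff = s.effectiveness.get(t.name, 0.0)
            if not 0.0 <= eff <= 1.0:
                raise ValueError(f"effectiveness of {s.name} for {t.name} is outside [0, 1]")
            surviving_fraction *= 1.0 - eff
        residual += t.ale() * surviving_fraction
    return residual


def annual_benefit(threats: Iterable[Threat], safeguards: Iterable[Safeguard],
                   new_venture_profit: float = 0.0) -> float:
    """B = S + (profit from new ventures), with S the reduction in ALE."""
    threats = list(threats)
    safeguards = list(safeguards)
    s = ale_baseline(threats) - ale_with_safeguards(threats, safeguards)
    return s + new_venture_profit


def net_gain(threats: Iterable[Threat], safeguards: Iterable[Safeguard],
             new_venture_profit: float = 0.0) -> float:
    """G = B - C, where C is the total annual cost of the safeguards."""
    safeguards = list(safeguards)
    c = sum(s.annual_cost for s in safeguards)
    return annual_benefit(threats, safeguards, new_venture_profit) - c


def rosi(threats: Iterable[Threat], safeguards: Iterable[Safeguard],
         new_venture_profit: float = 0.0) -> float:
    """Assumed ROSI definition (not on the slides): (B - C) / C."""
    safeguards = list(safeguards)
    c = sum(s.annual_cost for s in safeguards)
    if c <= 0.0:
        raise ValueError("ROSI is undefined when the safeguards cost nothing")
    return net_gain(threats, safeguards, new_venture_profit) / c


# Constructed sample data for illustration only.
THREATS = [
    Threat("phishing", annual_rate=4.0, loss_per_event=25_000.0),       # ALE 100,000
    Threat("ransomware", annual_rate=0.5, loss_per_event=400_000.0),    # ALE 200,000
    Threat("insider_leak", annual_rate=0.2, loss_per_event=150_000.0),  # ALE  30,000
]
SAFEGUARDS = [
    Safeguard("mfa", annual_cost=20_000.0,
              effectiveness={"phishing": 0.8, "ransomware": 0.3}),
    Safeguard("edr", annual_cost=60_000.0,
              effectiveness={"ransomware": 0.6, "insider_leak": 0.25}),
]

if __name__ == "__main__":
    print(f"ALE baseline        : {ale_baseline(THREATS):>12,.0f}")
    print(f"ALE with safeguards : {ale_with_safeguards(THREATS, SAFEGUARDS):>12,.0f}")
    print(f"B (annual benefit)  : {annual_benefit(THREATS, SAFEGUARDS):>12,.0f}")
    print(f"G = B - C           : {net_gain(THREATS, SAFEGUARDS):>12,.0f}")
    print(f"ROSI = (B - C) / C  : {rosi(THREATS, SAFEGUARDS):>12.2f}")
```

With the constructed table the baseline ALE is 330,000, the residual ALE with both safeguards is 98,500, so S = B = 231,500 against C = 80,000 of annual safeguard cost. The point to take from it is that the model is only as good as the rate and effectiveness estimates fed into it; changing the ransomware rate from 0.5 to 0.1 per year swings the result far more than any of the cost figures do.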
Return on Security Investment (cont.)
  • Internal Rate of Return (IRR) [Gordon and Loeb 2002]
Conclusion
  • Investment in information security
  • Risk quantification methods – ALE
  • Return on security investment (ROSI)
Comments
  • Evaluation of Paper
    • Sound but dull
  • Recommendation
    • Reject
  • All of the economic models and approaches are previous research results.
  • The authors must propose some brand-new concepts or models to evaluate information security in the organization to enhance the contribution of this article.