1. Economic and social impact of cyber attacks Johnny Flowers and Yuliya Shymanovska
2. Outline Measuring the economic impact of cyber attacks
Motivations
Methods
Difficulties
Measuring the social impact of cyber attacks
Approaches
3. Why model impacts? Without a model, the burden is on security personnel to convince management to spend on protection against threats that may never be realized
Unconvinced managers are often left spending extra resources on recovery
In the last 6 months, US DoD spent $100 mil. on response and repair efforts resulting from cyber attacks
4. Risk Management Assess risks and related policy options with the goal of reducing, removing, or reallocating risk
Used in insurance industry
Takes responsibility from “mysterious” security experts and places it on quantitative methods
5. Data, data, data However, the insurance industry has vast amounts of historical data on which to base their models
Data related to computer security incidents is much more difficult to obtain
Can a reliable quantitative model be constructed?
6. Conventional Approach 1979 – National Bureau of Standards proposed the Annual Loss Expectancy metric
Does not differentiate between high-frequency, low-impact events and low-frequency, high-impact events
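The limitation stated on this slide is easiest to see numerically. The following is an added example (not part of the original slides or of any of the cited papers): it applies the standard Annual Loss Expectancy formula (single loss expectancy times annualized rate of occurrence) to two constructed scenarios that have the same ALE, then computes, under a Poisson arrival assumption, the probability that a year's total loss exceeds a budget threshold. All dollar figures, rates and the threshold are constructed for illustration.

```python
"""Annual Loss Expectancy (ALE) and what it hides.

Added example, not from the original slides. It uses the standard ALE
formula (single loss expectancy x annualized rate of occurrence) and,
for contrast, the probability that a year's total loss exceeds a budget
threshold under a Poisson arrival assumption. All dollar figures and
rates below are constructed for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    single_loss: float    # dollars lost per occurrence (constructed)
    rate_per_year: float  # expected occurrences per year (constructed)

    def ale(self) -> float:
        """ALE = single loss expectancy * annualized rate of occurrence."""
        return self.single_loss * self.rate_per_year


def poisson_tail(rate: float, k: int) -> float:
    """P(N >= k) for N ~ Poisson(rate), summing the CDF term by term."""
    if k <= 0:
        return 1.0
    term = math.exp(-rate)   # P(N = 0)
    cdf = 0.0
    for i in range(k):
        cdf += term
        term *= rate / (i + 1)   # P(N = i+1) derived from P(N = i)
    return max(0.0, 1.0 - cdf)


def prob_annual_loss_exceeds(s: Scenario, threshold: float) -> float:
    """Probability that one year's total loss is strictly above `threshold`,
    assuming occurrences arrive as a Poisson process at s.rate_per_year and
    each costs exactly s.single_loss (a simplifying assumption)."""
    events_needed = math.floor(threshold / s.single_loss) + 1
    return poisson_tail(s.rate_per_year, events_needed)


def same_ale(a: Scenario, b: Scenario, rel_tol: float = 1e-9) -> bool:
    """True when the ALE metric alone cannot tell the two scenarios apart."""
    return math.isclose(a.ale(), b.ale(), rel_tol=rel_tol)


# Constructed scenarios with identical ALE but very different risk profiles.
RARE_CATASTROPHE = Scenario("rare, high impact", single_loss=1_000_000, rate_per_year=0.01)
FREQUENT_NUISANCE = Scenario("frequent, low impact", single_loss=100, rate_per_year=100)


if __name__ == "__main__":
    budget = 500_000   # constructed: a loss the organisation could not absorb
    for s in (RARE_CATASTROPHE, FREQUENT_NUISANCE):
        print(f"{s.name:22s} ALE=${s.ale():,.0f}  "
              f"P(annual loss > ${budget:,}) = {prob_annual_loss_exceeds(s, budget):.4f}")
    print("ALE identical:", same_ale(RARE_CATASTROPHE, FREQUENT_NUISANCE))
```

Both constructed scenarios carry an ALE of $10,000, so a budget ranked on ALE alone treats them identically; the tail probability shows that only the rare, high-impact scenario can produce a loss above the threshold in a single year, which is exactly the distinction the slide says the metric misses.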
7. Improved Approach An improved approach suggested by Soo Hoo uses a top-down, iterative framework
Model is broken down into modules with associated degrees of certainty
After performing sensitivity analysis on the input variables, the process is repeated, paying closer attention to the variables to which outcomes are sensitive
8. Basic Elements Requirements
Assets
Security concerns
Threats
Safeguards
Vulnerabilities
Outcomes
Asset values
Safeguard effectiveness
Outcome severity
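The iterative framework on slide 7 and the basic elements on slide 8 can be put together in a small model. The following is an added example (not from the slides and not Soo Hoo's own code or model): each module is carried with a (low, best, high) estimate that expresses the analyst's degree of certainty, a one-at-a-time sensitivity analysis ranks the inputs by how much the expected loss swings across their ranges, and the next iteration narrows the estimate of the most sensitive input. The multiplicative loss formula, the module names and every figure are constructed for illustration.

```python
"""Top-down iterative risk model with sensitivity analysis.

Added example, not from the slides or from Soo Hoo's paper. Modules
(asset value, threat frequency, vulnerability, safeguard effectiveness,
outcome severity) each carry a (low, best, high) estimate; a one-at-a-time
sensitivity analysis picks the inputs worth refining in the next pass.
The loss formula and all figures are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    low: float    # pessimistic/optimistic bound, depending on the variable
    best: float   # analyst's best guess
    high: float   # the width (high - low) expresses the degree of certainty


def expected_annual_loss(asset_value, threat_frequency, vulnerability,
                         safeguard_effectiveness, outcome_severity):
    """Expected annual loss for one asset/threat pair (constructed model).

    asset_value: dollar value of the asset
    threat_frequency: attempted attacks per year
    vulnerability: probability an attempt succeeds with no safeguard
    safeguard_effectiveness: fraction of successful attempts the safeguard stops
    outcome_severity: fraction of asset value lost per unstopped success
    """
    return (asset_value * threat_frequency * vulnerability
            * (1.0 - safeguard_effectiveness) * outcome_severity)


def best_case_loss(estimates):
    """Loss with every module at its best estimate."""
    return expected_annual_loss(**{k: e.best for k, e in estimates.items()})


def sensitivity(estimates):
    """One-at-a-time swing: vary one input across its range, hold the rest
    at their best estimates, and record |loss(high) - loss(low)|."""
    best = {k: e.best for k, e in estimates.items()}
    swings = {}
    for name, est in estimates.items():
        lo = expected_annual_loss(**{**best, name: est.low})
        hi = expected_annual_loss(**{**best, name: est.high})
        swings[name] = abs(hi - lo)
    return swings


def ranked_inputs(estimates):
    """Input names ordered from most to least influential on the outcome."""
    swings = sensitivity(estimates)
    return sorted(swings, key=swings.get, reverse=True)


def refine(estimates, name, low, best, high):
    """Next iteration: replace one module's estimate with a narrower one,
    e.g. after collecting better data on the most sensitive input."""
    new = dict(estimates)
    new[name] = Estimate(low, best, high)
    return new


# Constructed first-pass estimates for a single asset/threat pair.
FIRST_PASS = {
    "asset_value": Estimate(200_000, 500_000, 1_000_000),
    "threat_frequency": Estimate(2, 5, 20),
    "vulnerability": Estimate(0.05, 0.10, 0.30),
    "safeguard_effectiveness": Estimate(0.5, 0.8, 0.9),
    "outcome_severity": Estimate(0.1, 0.2, 0.5),
}


if __name__ == "__main__":
    swings = sensitivity(FIRST_PASS)
    print("best-estimate loss: $%.0f" % best_case_loss(FIRST_PASS))
    for name in ranked_inputs(FIRST_PASS):
        print("  %-24s swing $%.0f" % (name, swings[name]))
    # Second iteration: narrow the most sensitive input and re-rank.
    second = refine(FIRST_PASS, "threat_frequency", 4, 5, 8)
    print("after refining threat_frequency, most sensitive:",
          ranked_inputs(second)[0])
```

With the constructed figures the first pass flags threat frequency as the input that moves the result most, so that is where the next round of data gathering goes; once its range is narrowed, vulnerability becomes the next variable worth attention, which is the "pay closer attention to the sensitive variables and repeat" loop the slide describes.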
9. Shortcomings Model requires security and business personnel to develop predictive models for each module
While the iterative framework allows some modules to be completed with little detail, saving time and money, models would ideally be at least partially constructed automatically based on a computer system’s characteristics
10. Data Collection Difficulties Publicly available data lacks consistency in its collection
Of the three most prominent surveys, “none claims to be statistically representative of any population or group” (Soo Hoo)
Organizations may fear potential harm to reputation or liability issues caused by making cyber attack data available
11. Social Impact
12. Seven approaches for risk perception evaluation
Actuarial
Toxicological-epidemiological
Engineering (probabilistic)
Economic
Psychological
Sociological
Cultural
13. Major Application
14. Psychological approach Individuals respond to an event according to their perception of risk and not according to an objective risk level or the scientific assessment of risk. Scientific assessments are part of the individual response to risk only to the degree that they are integrated in the individual perceptions.
15. Sociological approach The sociological analysis of risks links social judgments about risks to individual and social interests and values. The risk perception of society as a whole is taken into account. Six different sociological theories can be used for this approach.
16. Cultural approach The cultural perspective assumes that cultural patterns construct the mind-set of individuals and social organizations to adopt certain values and reject others. There are 4 types of such cultural patterns.
17. Risk Taking in the Context of Cultural Prototypes
18. Article: Formulating information systems risk management strategies through cultural theory.
The authors consider cultural theory (four cultural prototypes) as applied to IS risk management for companies with different predominant employee types.
For example, at the first stage of risk management, initiation, identifying the stakeholders’ cultural bias is very important, because it affects the effectiveness of the risk management method that is selected.
19. Bureaucrats – value an interventionist and regulatory approach to risk management, based on institutional advice provided by experts and universally accepted safety standards.
Egalitarians – tend to support decision-making processes that encourage public participation.
Entrepreneurs – prefer methods that are based on economic factors, and in particular cost-benefit analysis.
Atomized Individuals – feel that decisions are beyond their control and feel obliged to accept whatever is imposed upon them; therefore, they tend to be indifferent to the selection of risk management methods.
20. Examples In the case of a risk analysis review for a large social security organization with a strong bureaucrat culture, the authors emphasized the strict application of a formal risk analysis method (CRAMM) that has been a standard in the UK.
In the case of a risk management review for a private oil company, where entrepreneurs formed the majority, emphasis was placed on the financial implications of unresolved risks, and therefore a cost-benefit analysis approach was followed.
21. References Baldor, Lolita C. “Pentagon spends $100 million to fix cyber attacks.” Associated Press. April 7, 2009. Online: http://www.google.com/hostednews/ap/article/ALeqM5i-l6vKmsnP1XSIDouvQ2hcc2mNTAD97DPBPO0.
Barnes, Paul. Approaches to community safety: risk perception and social meaning. Online: http://eprints.qut.edu.au/606/1/Community-safety-riskperception.pdf.
Krimsky, S. and Golding, D., editors. Social Theories of Risk. Praeger, 1992.
Soo Hoo, Kevin J. How Much Is Enough? A Risk-Management Approach to Computer Security. June 2000. Online: http://iis-db.stanford.edu/pubs/11900/soohoo.pdf.
Tsohou, A.; Karyda, M.; Kokolakis, S.; and Kiountouzis, E. Formulating information systems risk management strategies through cultural theory. Department of Information and Communication Systems Engineering, University of the Aegean, Samos, Greece.
22. Questions?