恰巧路过人间
A system dynamics model for information security management  

2015-01-15 10:49:27 | Category: Default category

Abstract
Managing security for information assets is a critically important and challenging task. As organizations provide clients with ubiquitous access to information systems and the frequency and sophistication of security threats grows, the need to provide security assumes greater importance. Effective information security management requires security resources be deployed on multiple fronts, including attack prevention, vulnerability reduction, and threat deterrence. Using a system dynamics model, this study evaluates alternative security management strategies through an investment and security cost lens, to provide managers guidance for security decisions. The results suggest that investing in security detection tools has a higher payoff than does deterrence investment. 
2014 Elsevier B.V. All rights reserved.

1. Introduction 
Information security remains a key issue in the IT industry, as indicated by recent surveys [54]. Security incidents continue to increase in frequency and sophistication [41]. As consumers push for greater access to data and applications in an increasingly connected world, the opportunities for security breaches will increase. Part of this growing awareness is reflected in the inclusion of security-related sections in IT publications and in the emergence of several new publications devoted to IT security. Though most organizations have taken a number of steps to fortify information security, it has been suggested that security investments are typically a response to perceived and materialized threats rather than a response to more rigorous analyses of the effectiveness of solutions in combating such threats [17]. Applying a cost-benefit approach to the problem is often not effective because many models tend to omit qualitative or nonfinancial criteria, which comprise a significant aspect of information security [9]. 

Information security managers are tasked with a variety of functions, including security planning, policy formation, staffing, risk management, security technology selection, threat assessment, countermeasure implementation, performance monitoring, and maintenance [73]. Selecting countermeasures to security threats remains one of the more pressing issues that requires attention on a continual basis. Managers can elect to counter a wide variety of security threats that are present with several strategies including detection, deterrence, vulnerability reduction, education and training. Clearly, a portfolio of strategies is preferred over the adoption of a single solution. Each security strategy entails different costs, effectiveness, and potential benefits; many of these are difficult to quantify. The business value derived from information security investment, although undeniable, may be difficult to estimate. This difficulty arises because of the uncertainties of threat manifestation, the extent of damage incurred, the ability to recover from successful attacks, any ripple effects to other parts of the business affected by a successful attack, and a loss of reputation. Many factors affect these assessments, including innate vulnerabilities, the perceived attractiveness of targets (both organization and individual application), the number and sophistication of attackers, the availability of attack tools and vectors, and the extent and nature of backup facilities. 

Clearly, assembling an accurate business case can prove challenging. Nonetheless, information security managers need to select security strategies on a periodic basis. In the absence of adequate tools to support these decisions, managers will speculate about whether the decisions that were made were appropriate for the task. A model that captures the complexities of the security decision while permitting the systematic exploration of alternative security decisions would be an invaluable aid to managers. Using the design science research methodology [34], this paper develops a model that allows information security managers to examine the effects of alternative security decisions on the organization’s information assets. Given the need to capture the dynamic and fluid nature of the problem and to revisit the decision on a periodic basis, system dynamics is chosen as the modeling environment. The model simulates the security decisions over a 30-month horizon and can be adapted and calibrated for different organization contexts. The remainder of the paper is organized as follows. A review of the extant information security literature pertaining to simulating security decisions serves as the foundation for building the information security management model; this is presented in the next section. A dynamic model of the mechanics underlying the impact and implications of security attacks is assembled and presented thereafter. The model is used to examine the implications of alternative security investment strategies in a variety of scenarios. Research and managerial implications of the simulations are discussed. Limitations and future extensions complete the paper.

2. Review of relevant literature 

Security in the information systems discipline has represented an area of interest for years, with studies appearing in mainstream Information Systems (IS) journals in the early 1990s [5,64]. Several aspects of security have been studied, including internal abuse [30,32,65], external attacks [57,72], acceptable use policies [56,61,63,71], computer crime [18,60], and password security [40,75]. Research in the field is clearly growing; a survey identified 240 security-related articles published in 10 leading IS journals in the period 2000–2007 [13]. Much of the research is directed at individual behavior and spans topics such as Internet abuse [47], compliance with organization norms, ethical practice regarding computers, and the effect of deterrence on user behavior [36]. Studies at the organizational level are comparatively fewer and are decreasing in frequency. Some studies describe the adoption of security technology and practices [46], whereas others address the difficulties in adopting security standards [59] and relying on traditional methods [58]. The relative paucity of firm-level research may reflect the reluctance of organizations to reveal information regarding their security procedures and breaches; hence, firms elect to avoid participation in security studies [44]. The most recent security study, which surveyed security personnel, indicated a drop in the number of responses and the response rate compared with prior studies [54]. 


A number of meta-analyses in information security have emerged [5,21,58,66] that advocate for a more holistic approach to addressing information security issues. These studies identify several areas for research in security, including the need for models to gain a better understanding of information security. Several different types of models exist in the information security discipline. These include formal models for access, economic models for security, and simulation models for gaining insight into the dynamics of information security; these models are briefly reviewed. 

2.1. Models for information security access 

Formal models for information security were proposed years ago [45]. These are usually grounded in military computing and typically seek to formalize the basis for protecting information and network assets through access and usage patterns. Among the early models of access was the Bell-LaPadula model [7], which sought to maintain the confidentiality of information through controlled access by assigning distinct security levels to people and assets. A slightly different set of security principles was adopted in the Biba model [8], which focused more on data integrity through the restriction of content accessibility and updatability. Formal models to access programs and other objects at the operating system level were also addressed [33]. In this extension of prior work, the ability to add and delete new assets and people and to alter current authorizations is considered from a security perspective. Adapting previous models for military computing security to corporate applications and rules to govern security was proposed in the Clark-Wilson model [15]. This approach expands the set of rules to address a more varied set of business transactions. A related problem involving the restriction of information in which conflict of interest and insider information issues arise was addressed through the Chinese Wall model [10]. The approach was initially designed for investment banking scenarios, although it has also been used in legal firms. Though these models are effective at formalizing and enforcing policy at an asset and individual level, they are of limited utility at the firm level. In an increasingly connected world, information security managers need to focus more on threats and countermeasures at the entire computing infrastructure level, rather than at an individual asset level. 


2.2. Economic models of information security 

Economists have examined the interplay between economics and security for a considerable period. However, the emphasis on the economic aspects of information system security has only recently gained more attention. Several streams of research are identifiable. One stream is devoted to the economic modeling of security investments using a net present value approach. Research in this area examines the effectiveness of optimal expenditure levels [28], risk management [35], and the rate at which certain types of attacks bypass the existing security mechanisms and cause damage [3]. A different stream uses classic economic analysis, adopting the utility maximization principle to derive optimal investment levels of a firm under a limited number of constraining conditions [26,38,39]. A variant examines the use of financial options to examine the effect of deferred security investment on security breaches [29]. Still other approaches utilize the principle of equating marginal financial benefits of information security to the marginal financial costs of such security [27]. A survey of economic models of information security is presented in [2], where models are classified based on whether they address vulnerabilities, privacy, security mechanisms, or incentives and deterrence. 

Economic models of information security generally adopt a quantitative approach. However, security goes beyond that and typically includes qualitative and non-functional aspects. In an effort to include these aspects, some researchers have employed the analytic hierarchy process to combine quantitative and qualitative criteria [9]. These studies often adopt a static view of the information security problem. However, in actuality, information security is a complex system that embodies many closely coupled variables; it involves people, organizational factors, technology, tasks, and the working environment [11]. In addition, the security management system often involves multiple controls, including technical controls, formal controls, and informal controls [20]; these call for a more dynamic approach to modeling information security.

3. Information security management model 


The simulation model for information security management represents an integration of concepts covering several facets of information security. The model draws from multiple areas, including software vulnerability, risk assessment, attack motivation, threat detection, deterrence, and security costing. It is based on an earlier model for information security management [50]. The model has been enhanced with the inclusion of additional constructs and refined through the recalibration of equations to ensure that potentially anomalous situations are prevented. The model is depicted in Fig. 1. 
Fig. 1. Information security management model. 

3.1. Model description
A quick overview of the notation is provided. Items in rectangles represent stocks that can accumulate or deplete over time. Stocks are affected by flows, which are represented by a double arrow and valve symbol. Flows draw from or empty into infinite reservoirs; however, in reality, organizations will have resource constraints. Other variables on the diagram represent converters, which have values that are specified for the given time period. Values of converters are determined by other converters through connectors. Connectors are notated with positive or negative signs to indicate whether an increase in one will lead to an increase in another. The signs help characterize any loops in the model. Loops can be reinforcing (all positive signs) or balancing (at least one negative sign). Reinforcing loops, if unchecked, will eventually lead to zero or infinite values for the converters involved. Balancing loops will lead to oscillatory behavior and possibly to equilibrium. The model comprises several segments addressing attacks, software risk, recovery, vulnerability, and economic considerations. In assembling the model, the emphasis has been on creating a quantifiable and more easily verifiable model. Additionally, the model is pitched more at the organizational level than at the individual or perceptual levels. Models have been assembled to assess motivation for attacks at an individual level [25,49]. However, the quantifiability of some constructs proves challenging. Similarly, models can be assembled using organizational perceptions toward information security, including constructs such as security culture, security risk perception, security leadership, threat assessment, effectiveness of security processes, training, and employee adherence to security policies [1,16,22,43,48]. These constructs are more effectively studied through a survey-driven empirical analysis. 
In contrast, the model is slanted more toward an economic perspective that is suitable for a manager than toward a perceptual construct model that is better suited to survey-driven empirical analysis. 

The driver for most information security investment and controls is threats and attacks; this part of the model is described first. The organization’s image combined with the perceived target value shape the target attractiveness. Clearly, some organizations are preferred targets either due to financial considerations or the perceived notoriety of a successful attack. The probability of attack is shaped by the target attractiveness in conjunction with the attacker’s motivation, the perceived vulnerability of the organization’s information assets, and the deterrence mechanisms in place. With the exception of the latter construct, all other determinants have a positive influence on the probability. Perceived vulnerability has a steadily increasing effect on the probability of attack, though at a diminishing rate; it is modeled using an approximation of a negative exponential function. The same concave relation applies for target attractiveness and attacker motivation, although the impact of the former is more pronounced. Conversely, deterrence impact has a characteristic inverse relation with the probability of attack and is modeled as a simple decreasing convex function. Care is taken to ensure that the cumulative effects of the four constructs result in a probability of attack that falls in the 0–1 range. Extensive testing of the function during its formulation established that the resulting attack probabilities are consistent with expectation. 

Attacks can originate from inside or outside the organization. The number of attackers and the availability of tools to launch the attack determine the number of attacks the organization faces. At this point, the model does not differentiate between internal or external attackers. Similarly, it does not differentiate between attacks on different information assets. It is expected that the success rate for internal attackers and external attackers will not be identical, nor will the impact on different assets. In accordance with the need to inform managers of the aggregate level of threats, the model does not delve to this level of detail; in contrast, it focuses more on the aggregate picture. Similarly, the model does not parse the attacks into different types, e.g., denial of service, hacking, phishing, keystroke capture, virus attacks, and SQL injection. It is expected that a majority of the attacks will be detected by existing security tools, e.g., firewalls, intrusion detection systems, anti-virus programs, malware detection programs, and spam detection programs. These are characterized as prevented attacks. The remainder represent successful attacks. Detection ability is based on the investment in security tools. Investment in security tools does not need to be continuous because a prior investment in security tools will allow the firm to detect attacks. Thus, cumulative security tool investment is used to assess detection ability. This is modeled as a negative exponential function, which exhibits an increased detection ability at greater security tool investment although, eventually, at a diminishing rate. As the detection ability increases, the number of prevented attacks also increases, with the balance representing successful attacks. Successful attacks will manifest in various capacities and have considerably different effects. Some will cause little damage, whereas others will have a more pronounced impact. 
The damage caused by successful attacks is captured in two dimensions: the magnitude of the damage and the urgency required to act to recover from the damage, which is termed damage immediacy in the model. Successful attacks will also generate publicity; this is captured as attack reports in the model. Attack reports are manifest in publicized and unpublicized means. These include site unavailability, asset unavailability, public acknowledgment of successful attacks, claims made by the attackers, and reports filed with governmental agencies for compliance purposes. It should be noted that some stocks are introduced into the model solely for convenience purposes. Thus, for example, the total prevented attacks and accumulated security costs are used to accumulate values throughout the simulation, and these are not determinate of other variables.

The damage magnitude, damage immediacy, and number of successful attacks shape the extent of attack reports. Publicized attack reports will determine the perceived vulnerability of the organization’s information assets, thereby completing the attack loop. This is a reinforcing loop, indicating that successful breaches will lead to more attacks and that the effective prevention of attacks will cause attackers to seek other easier or more attractive targets. In an extreme scenario, a reinforcing loop drives the values of all constructs in the loop to either zero or infinity. However, if the model is constructed carefully, the behavior can be controlled and the extreme cases avoided. 


Another segment of the model addresses recovery, system vulnerabilities, and residual risk. Damage sustained through a successful attack will invariably initiate a recovery effort. Depending on the nature and extent of the damage, the recovery effort may range from simple to complex and may involve a trivial to a substantial amount of time. Recovery could be as simple as restoring data from a backup or may involve rebuilding several servers, including software and hardware reconstruction. The damage magnitude will also trigger a fresh risk assessment effort; this will more likely be an incremental assessment, not a complete reassessment that will identify new and unaddressed vulnerabilities and trigger activity to reduce these vulnerabilities. These activities could take many forms, including the application of software patches, software upgrades, and changes to access and security procedures. Software vulnerabilities may be present in any portion of the software development environment, including the operating system, operating environment, and tools used to assemble software. These often take the form of known bugs and trapdoors that can be fixed through patches and upgrades; they are characterized as base software flaws in the model. Vulnerabilities can also be present in the code that is written in-house; these often manifest as lax security, a lack of appropriate encryption, no checks for security bypass attempts, improper validation, and ineffective audit trails. As indicated in the model, these vulnerabilities are inversely related to the vulnerability reduction effort, which suggests that they are expected to diminish with higher levels of vulnerability reduction effort. The vulnerabilities in the base and developed software combined with the strength of the security procedures will determine the overall system vulnerability. System vulnerability is determined through the combined effects of security procedures and software security risk. 
The former has a simple inverse exponential relationship, which means that as more effective security procedures are implemented, software vulnerability tapers. In contrast, software security risk has a more direct impact and is modeled as a positive linear relationship. The combined effect leads to pronounced system vulnerability for cases involving ineffectual security procedures combined with significant software security risk; in addition, it leads to more manageable vulnerabilities in other cases. Reports of system vulnerability will shape the vulnerability perceived by the attackers. The perceived vulnerability is based on cumulative reports of vulnerability; although steps may be taken to eliminate some vulnerabilities, these steps will not affect the perceived vulnerability of the asset base unless they are publicized. Perceived vulnerability will increase the probability of attack, thereby completing a second loop. This is a balancing loop and will tend to seek equilibrium; it will also compensate for the reinforcing loop on attacks. 


The final segment of the model relates to security investment and costs. Organizations invest in deterrent actions and security tools to detect and prevent attacks, and these represent the input costs in this case. Deterrence actions are typically targeted at internal attackers and appear as a variety of sanctions. The evidence for the impact of deterrence on attack intentions is mixed, with support in studies conducted in the US [19] and little to no support in a study conducted in China [37]. Deterrence has even less impact for external attackers, other than the threat of prosecution, and is rarely effective in these cases. In contrast, investment in security tools is likely to have a more pronounced effect. Some tools target threats specifically, e.g., antivirus software, spyware detection software, and anti-spam software. Others adopt a more general set of rules to recognize and thwart attacks, e.g., firewalls, intrusion detection software, and the like. Continued investments in these areas typically have a cumulative effect, although not in a strictly linear fashion. The cumulative security tools investment determines the ability to detect and thwart attacks. Similarly, the cumulative deterrence investment shapes the deterrence impact, which forms part of the attack loop. Investments in security tools and deterrence represent costs to the organization and combined with the vulnerability reduction effort, these constitute the security investment for the organization. Risk assessment costs and recovery costs further contribute to the overall firm security cost. For convenience, a stock is used to compute total security expenditure over the course of the simulation. 


The model includes one reinforcing loop and three balancing loops. The reinforcing loop is centered around security attacks, where successful attacks generate publicity regarding perceived vulnerability, thereby drawing more attackers. This behavior would continue unabated but is held in check by the balancing loops that involve system vulnerabilities. The detection of successful attacks leads to a variety of vulnerability reduction activities, including patching base software flaws, eliminating developed software flaws, and implementing new security procedures. 


The equations employed in the model appear in the Appendix. The stocks are simple accumulations starting from zero values, with the exception of deterrence investment and security tools investment, which start at $2000 and $10,000, respectively. The majority of the inputs are established on a normalized 0–1 scale, with values chosen in the middle to represent a middle-of-the-road scenario. This permits subsequent exploration in conditions involving greater or reduced security threats. For the initial trials, the number of attackers in the system is pegged at 100, and the value of the asset base is set to $5 million. Deterrence investment occurs every six months, whereas security tool investment is an annual outlay. The values will vary with the scenario studied. Equations for the converter variables are also included. 


3.2. Model validation

Validation of a system dynamics model is generally performed using two approaches. A structural validation of the model seeks to determine whether it reflects the real world accurately [24]. Behavioral assessment focuses on the model behavior during execution and assesses the degree of confidence that can be placed in the results [4]. Structural validation was performed using structural verification and extreme condition analysis. Structural verification addresses whether the model structure is consistent with the descriptive knowledge regarding the real world phenomenon being modeled. The constructs used in the model, i.e., attacks, damages, risk, vulnerability, and costs, are all drawn from the information security literature. Extreme condition analysis assesses whether the parameters in the model behave appropriately under extreme conditions. To assess this response, surfaces were compiled for each endogenous variable. The results were examined for any incongruous behavior and for consistency with logical expectation. The former assesses whether any parameters take on values outside the prescribed limits, e.g., probabilities greater than 1. The latter examines the response of the endogenous variable to changes in the inputs. Behavior that does not conform to constraints and expectation triggers a more introspective evaluation of the equation. The bulk of the structural validation effort is targeted at model behavior within a given time period. Behavioral assessment requires executing the entire model and examining the results. In this case, parameters are varied systematically to assess whether the entire model is functioning as expected. In addition, the behavior of individual constructs is tracked over time. The temporal behavior is analyzed for oscillations and trends toward extreme values. Any aberrant behavior triggers a closer examination of the relevant constructs and may require recalibration and restructuring of the model. 
The model was validated structurally and behaviorally. One case of range violation was noted, with the attack probability falling outside the 0–1 range under extreme conditions. Two stocks were introduced to stabilize the behavior, and the equations were recalibrated to address this anomaly. A subsequent round of validation indicated no further anomalies. 
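The following is an added worked example, not the paper's own code, that turns the model description in Section 3.1 (stocks, the attack loop, the vulnerability balancing loop, the investment schedule and initial values) into a small runnable simulation, and then applies the extreme condition analysis of Section 3.2 to its two surfaces. The Appendix equations are not reproduced on this page, so every functional form, weight and scale constant below is an assumption chosen only to match the qualitative shapes the text describes (concave negative-exponential effects, a decreasing convex deterrence effect, cumulative investment driving detection); the numeric results are therefore illustrative, not the paper's.

```python
"""Toy system dynamics model of the information security management loops
described above. Added example, not the paper's code: the Appendix equations
are not on this page, so every functional form and coefficient here is an
assumption matching the qualitative description only."""
import itertools
import math

# Initial values, scale and horizon quoted in Section 3.1.
INITIAL_DETERRENCE_INVESTMENT = 2_000.0   # $
INITIAL_TOOLS_INVESTMENT = 10_000.0       # $
ATTACKERS = 100
ASSET_BASE = 5_000_000.0                  # $
HORIZON_MONTHS = 30

# Assumed calibration (not from the paper): spend giving ~63% of the full effect.
TOOLS_SCALE = 20_000.0
DETERRENCE_SCALE = 5_000.0
REPORTS_SCALE = 5.0                       # cumulative reports -> perceived vuln
RECOVERY_COST_PER_DAMAGE_UNIT = 0.0005 * ASSET_BASE   # assumed $ per damage unit


def saturating(x, scale):
    """Concave 'negative exponential' effect: rises toward 1 at a diminishing rate."""
    return 1.0 - math.exp(-max(x, 0.0) / scale)


def attack_probability(attractiveness, motivation, perceived_vuln, deterrence):
    """Four determinants of the attack probability, each on the 0-1 scale.
    Three concave positive effects are weighted so attractiveness dominates;
    deterrence is a decreasing convex factor. Weights sum to 1 and each term is
    below 1, so the result always lies in [0, 1]."""
    positive = (0.5 * saturating(attractiveness, 0.5)
                + 0.25 * saturating(motivation, 0.5)
                + 0.25 * saturating(perceived_vuln, 0.5))
    return positive * math.exp(-2.0 * deterrence)


def system_vulnerability(security_procedures, software_security_risk):
    """Inverse exponential in procedure strength, linear in software risk."""
    return math.exp(-3.0 * security_procedures) * software_security_risk


def simulate(tool_outlay, deterrence_outlay, attractiveness=0.5, motivation=0.5,
             tool_availability=0.5, security_procedures=0.5,
             damage_magnitude=0.5, damage_immediacy=0.5):
    """Run the 30-month model with the paper's schedule (deterrence spend every
    six months, tool spend annually) and return the accumulated stocks."""
    cum_tools = INITIAL_TOOLS_INVESTMENT
    cum_deterrence = INITIAL_DETERRENCE_INVESTMENT
    base_flaws = developed_flaws = 0.5          # mid-scale software risk
    attack_reports = vuln_reports = 0.0         # publicity stocks start at zero
    total_prevented = total_successful = 0.0
    total_cost = cum_tools + cum_deterrence

    for month in range(1, HORIZON_MONTHS + 1):
        if month % 12 == 0:
            cum_tools += tool_outlay
            total_cost += tool_outlay
        if month % 6 == 0:
            cum_deterrence += deterrence_outlay
            total_cost += deterrence_outlay

        # Balancing loop: reports of system vulnerability feed perceived vulnerability.
        software_risk = base_flaws + developed_flaws
        vuln_reports += system_vulnerability(security_procedures, software_risk)
        perceived_vuln = saturating(attack_reports + vuln_reports, REPORTS_SCALE)

        # Attack segment: probability, attacks faced, prevented vs. successful.
        deterrence = saturating(cum_deterrence, DETERRENCE_SCALE)
        p_attack = attack_probability(attractiveness, motivation, perceived_vuln, deterrence)
        attacks = ATTACKERS * tool_availability * p_attack
        prevented = attacks * saturating(cum_tools, TOOLS_SCALE)
        successful = attacks - prevented
        total_prevented += prevented
        total_successful += successful

        # Reinforcing loop: damage -> attack reports -> perceived vulnerability.
        damage = successful * damage_magnitude
        attack_reports += damage * damage_immediacy

        # Recovery, incremental risk assessment and vulnerability reduction.
        reduction_effort = min(1.0, 0.1 * damage)
        base_flaws *= 1.0 - 0.5 * reduction_effort       # patches and upgrades
        developed_flaws *= 1.0 - 0.3 * reduction_effort  # in-house code fixes
        total_cost += (damage * RECOVERY_COST_PER_DAMAGE_UNIT
                       + 500.0 * damage + 1_000.0 * reduction_effort)

    return {"cumulative_tools": cum_tools, "cumulative_deterrence": cum_deterrence,
            "total_attacks": total_prevented + total_successful,
            "total_prevented": total_prevented, "total_successful": total_successful,
            "final_system_vulnerability": system_vulnerability(
                security_procedures, base_flaws + developed_flaws),
            "total_security_cost": total_cost}


def extreme_condition_check():
    """Extreme condition analysis (Section 3.2): evaluate both surfaces at every
    corner of the 0-1 input space and return the (name, inputs, value) triples
    that leave the prescribed [0, 1] range; an empty list means no violation."""
    corners4 = itertools.product((0.0, 1.0), repeat=4)
    corners2 = itertools.product((0.0, 1.0), repeat=2)
    surfaces = ([("attack_probability", c, attack_probability(*c)) for c in corners4]
                + [("system_vulnerability", c, system_vulnerability(*c)) for c in corners2])
    return [s for s in surfaces if not 0.0 <= s[2] <= 1.0]


if __name__ == "__main__":
    print("range violations:", extreme_condition_check())
    for tools, deterrence in ((10_000.0, 2_000.0), (50_000.0, 2_000.0)):
        print(tools, deterrence, simulate(tools, deterrence))
```

Comparing `simulate()` runs that shift the same budget between tool and deterrence outlays is the kind of scenario exploration the paper performs; with these assumed curves the comparison only illustrates the mechanics, not the paper's findings.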


Another segment of the model addresses recovery, system vulnerabilities, and residual risk. Damage sustained through a successful attack will invariably initiate a recovery effort. Depending on the nature and extent of the damage, the recovery effort may range from simple to complex and may involve a trivial to a substantial amount of time. Recovery could be as simple as restoring data from a backup or may involve rebuilding several servers, including software and hardware reconstruction. The damage magnitude will also trigger a fresh risk assessment effort; this will more likely be an incremental assessment, not a complete reassessment that will identify new and unaddressed vulnerabilities and trigger activity to reduce these vulnerabilities. These activities could take many forms, including the application of software patches, software upgrades, and changes to access and security procedures. Software vulnerabilities may be present in any portion of the software development environment, including the operating system, operating environment, and tools used to assemble software. These often take the form of known bugs and trapdoors that can be fixed through patches and upgrades; they are characterized as base software flaws in the model. Vulnerabilities can also be present in the code that is written in-house; these often manifest as lax security, a lack of appropriate encryption, no checks for security bypass attempts, improper validation, and ineffective audit trails. As indicated in the model, these vulnerabilities are inversely related to the vulnerability reduction effort, which suggests that they are expected to diminish with higher levels of vulnerability reduction effort. The vulnerabilities in the base and developed software combined with the strength of the securityprocedures will determine the overall system vulnerability.System vulnerability is determined through the combined effectsof security procedures and software security risk. 
The former has asimple inverse exponential relationship, which means that as moreeffective security procedures are implemented, software vulnerabilitytapers. In contrast, software security risk has a more directimpact and is modeled as a positive linear relationship. The combinedeffect leads to pronounced system vulnerability for casesinvolving ineffectual security procedures combined with significantsoftware security risk; in addition, it leads to moremanageable vulnerabilities in other cases. Reports of systemvulnerability will shape the vulnerability perceived by theattackers. The perceived vulnerability is based on cumulativereports of vulnerability; although steps may be taken to eliminatesome vulnerabilities, these steps will not affect the perceivedvulnerability of the asset base unless they are publicized. Perceived vulnerability will increase the probability of attack, thereby completing a second loop. This is a balancing loop and will tend to seek equilibrium; it will also compensate for the reinforcing loop on attacks. 


The final segment of the model relates to security investment and costs. Organizations invest in deterrent actions and security tools to detect and prevent attacks, and these represent the input costs in this case. Deterrence actions are typically targeted at internal attackers and appear as a variety of sanctions. The evidence for the impact of deterrence on attack intentions is mixed, with support in studies conducted in the US [19] and little to no support in a study conducted in China [37]. Deterrence has even less impact for external attackers, other than the threat of prosecution, and is rarely effective in these cases. In contrast, investment in security tools is likely to have a more pronounced effect. Some tools target threats specifically, e.g., antivirus software, spyware detection software, and anti-spam software. Others adopt a more general set of rules to recognize and thwart attacks, e.g., firewalls, intrusion detection software, and the like. Continued investments in these areas typically have a cumu- lative effect, although not in a strictly linear fashion. The cumulative security tools investment determines the ability to detect and thwart attacks. Similarly, the cumulative deterrence investment shapes the deterrence impact, which forms part of the attack loop. Investments in security tools and deterrence represent costs to the organization and combined with the vulnerability reduction effort, these constitute the security investment for the organization. Risk assessment costs and recovery costs further contribute to the overall firm security cost. For convenience, a stock is used to compute total security expenditure over the course of the simulation. 

The model includes one reinforcing loop and three balancing loops. The reinforcing loop is centered around security attacks, where successful attacks generate publicity regarding perceived vulnerability, thereby drawing more attackers. This behavior would continue unabated but is held in check by the balancing loops that involve system vulnerabilities. The detection of successful attacks leads to a variety of vulnerability reduction activities, including patching base software flaws, eliminating developed software flaws, and implementing new security procedures. 

The equations employed in the model appear in the Appendix. The stocks are simple accumulations starting from zero values, with the exception of deterrence investment and security tools investment, which start at $2000 and $10,000, respectively. The majority of the inputs are established on a normalized 0–1 scale, with values chosen in the middle to represent a middle-of-the-road scenario. This permits subsequent exploration of conditions involving greater or reduced security threats. For the initial trials, the number of attackers in the system is pegged at 100, and the value of the asset base is set to $5 million. Deterrence investment occurs every six months, whereas security tool investment is an annual outlay. The values will vary with the scenario studied. Equations for the converter variables are also included. 

3.2. Model validation

Validation of a system dynamics model is generally performed using two approaches. A structural validation of the model seeks to determine whether it reflects the real world accurately [24]. Behavioral assessment focuses on the model behavior during execution and assesses the degree of confidence that can be placed in the results [4]. Structural validation was performed using structural verification and extreme condition analysis. Structural verification addresses whether the model structure is consistent with the descriptive knowledge regarding the real world phenomenon being modeled. The constructs used in the model, i.e., attacks, damages, risk, vulnerability, and costs, are all drawn from the information security literature. Extreme condition analysis assesses whether the parameters in the model behave appropriately under extreme conditions. To assess this response, surfaces were compiled for each endogenous variable. The results were examined for any incongruous behavior and for consistency with logical expectation. The former assesses whether any parameters take on values outside the prescribed limits, e.g., probabilities greater than 1. The latter examines the response of the endogenous variable to changes in the inputs. Behavior that does not conform to constraints and expectation triggers a more introspective evaluation of the equation. The bulk of the structural validation effort is targeted at model behavior within a given time period. Behavioral assessment requires executing the entire model and examining the results. In this case, parameters are varied systematically to assess whether the entire model is functioning as expected. In addition, the behavior of individual constructs is tracked over time. The temporal behavior is analyzed for oscillations and trends toward extreme values. Any aberrant behavior triggers a closer examination of the relevant constructs and may require recalibration and restructuring of the model. 
The model was validated structurally and behaviorally. One case of range violation was noted, with the attack probability falling outside the 0–1 range under extreme conditions. Two stocks were introduced to stabilize the behavior, and the equations were recalibrated to address this anomaly. A subsequent round of validation indicated no further anomalies.
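The paper's own equations live in its Appendix, which this page does not reproduce, so the following is an added toy stock-and-flow simulation written for this page, not the authors' model. It keeps only the structure described in Section 3.1 (an inverse-exponential effect of procedure effectiveness and a linear effect of software risk on vulnerability, a reinforcing loop from successful attacks through perceived vulnerability to attack probability, a balancing loop from damage through vulnerability reduction, lagged recovery and risk-assessment costs, annual tool and semi-annual deterrence outlays, initial stocks of $10,000 and $2,000) and adds the kind of range check Section 3.2 describes for attack probability under extreme conditions. Every coefficient, scale constant, depreciation rate and the per-attack damage fraction is an assumption chosen so the loops are stable; none comes from the paper.

```python
"""Toy system dynamics model of attacks, vulnerability and security cost.

Added illustration only: all constants are assumptions, not the paper's Appendix equations.
"""
import math

TOOL_SCALE = 20_000.0       # tool stock (dollars) at which detection reaches 1 - 1/e
DETER_SCALE = 5_000.0       # same scale for the deterrence stock
DETER_MAX = 0.25            # deterrence removes at most 25% of attack intent (muted effect)
DEPRECIATION = 0.02         # monthly decay of both stocks: tools go stale, sanctions lose salience
DAMAGE_PER_ATTACK = 0.002   # fraction of the asset base lost per successful attack
PUBLICITY = 0.05            # how strongly a successful attack feeds perceived vulnerability
FORGETTING = 0.10           # monthly decay of perceived vulnerability
NEW_FLAW_RATE = 0.01        # monthly re-growth of vulnerability from new software
REDUCTION_SCALE = 10_000.0  # reduction effort (dollars) removing 1 - 1/e of vulnerability


def clamp(x, lo=0.0, hi=1.0):
    return max(lo, min(hi, x))


def simulate(months=60, attackers=100, asset_value=5_000_000.0,
             tool_outlay=5000.0, deter_outlay=2000.0,
             proc_effectiveness=0.5, sw_risk=0.5):
    """Run the toy model; return cumulative totals and the range the attack probability took."""
    tools = 10_000.0  # initial stocks as stated in Section 3.1
    deter = 2_000.0
    # Inverse-exponential in procedure effectiveness, linear in software risk (Section 3.1).
    vuln = clamp(math.exp(-2.0 * proc_effectiveness) * (0.3 + sw_risk))
    perceived = 0.0
    prev_damage = 0.0
    totals = {"successful": 0.0, "damages": 0.0, "security_cost": 0.0,
              "p_min": 1.0, "p_max": 0.0}
    for t in range(months):
        if t % 12 == 0:                      # annual security tool outlay
            tools += tool_outlay
            totals["security_cost"] += tool_outlay
        if t % 6 == 0:                       # semi-annual deterrence outlay
            deter += deter_outlay
            totals["security_cost"] += deter_outlay
        detect = 1.0 - math.exp(-tools / TOOL_SCALE)
        deterrence = DETER_MAX * (1.0 - math.exp(-deter / DETER_SCALE))
        # Reinforcing loop: perceived vulnerability raises the attack probability.
        p_attack = (0.05 + 0.30 * perceived) * (1.0 - deterrence)
        totals["p_min"] = min(totals["p_min"], p_attack)
        totals["p_max"] = max(totals["p_max"], p_attack)
        attacks = attackers * p_attack
        successful = attacks * vuln * (1.0 - detect)
        damage = successful * DAMAGE_PER_ATTACK * asset_value
        # Damage-driven costs arrive with a one-month lag (Section 4.2).
        recovery = 0.50 * prev_damage
        risk_assessment = 0.05 * prev_damage
        reduction_effort = 0.20 * prev_damage
        # Balancing loop: reduction effort removes vulnerability; new software adds some back.
        vuln -= vuln * (1.0 - math.exp(-reduction_effort / REDUCTION_SCALE))
        vuln = clamp(vuln + NEW_FLAW_RATE * (1.0 - vuln))
        perceived = clamp(perceived + PUBLICITY * successful - FORGETTING * perceived)
        tools *= 1.0 - DEPRECIATION
        deter *= 1.0 - DEPRECIATION
        totals["successful"] += successful
        totals["damages"] += damage
        totals["security_cost"] += recovery + risk_assessment + reduction_effort
        prev_damage = damage
    return totals


def sweep(param, values, **fixed):
    """Vary one investment channel while holding everything else fixed (cf. Tables 1 and 2)."""
    return {v: simulate(**{param: v}, **fixed) for v in values}


def extreme_condition_check():
    """Section 3.2 style check: attack probability must stay within 0-1 under extreme inputs."""
    r = simulate(attackers=10_000, proc_effectiveness=0.0, sw_risk=1.0,
                 tool_outlay=0.0, deter_outlay=0.0)
    return 0.0 <= r["p_min"] <= r["p_max"] <= 1.0


if __name__ == "__main__":
    for name, param, values in (("tools", "tool_outlay", [3000, 5000, 7000]),
                                ("deterrence", "deter_outlay", [0, 2000, 4000])):
        for v, r in sweep(param, values).items():
            print(f"{name}={v:>5}: successful={r['successful']:.1f} "
                  f"damages=${r['damages']:,.0f} cost=${r['security_cost']:,.0f}")
    print("attack probability in range:", extreme_condition_check())
```

Because detection multiplies every successful attack while deterrence only trims attack intent by a capped fraction, the sweep reproduces the paper's qualitative ordering (tool investment moves successful attacks and cost far more than deterrence does); the absolute numbers mean nothing beyond this toy.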


4.1. Base scenario 

The base scenario was calibrated for a small organization, using median values for the dimensionless constructs and a set of plausible values for other constructs. This involved an asset base of $5,000,000 and an attacker population of 100; in addition, the security tool investment was set at $5000 at the start of every year, with deterrence expenses of $2000 every six months. After running the model, the numbers of attacks, total damages, and overall security costs were tracked. These results appear in Fig. 2. 

Monthly data for the constructs tend to be jagged in nature, and an aggregation over time provides a better picture of the trends involved. The number of attacks demonstrates an increasing trend punctuated with lulls in the pattern. From the data, it is clear that not all of the attacks are successful and that only some cause damage. Variation in the attack severity explains the variability in the damages incurred. Any damage incurred triggers a recovery effort and a risk reduction effort; thus, the security costs tend to mirror the damage. An examination of the other constructs in the simulation indicated that they were consistent with expectations. In a further effort to behaviorally validate the model, the model was subjected to sensitivity and perturbation analysis. This was done by systematically varying key input parameters. No untoward patterns were observed, suggesting that the model was behaving satisfactorily. 

4.2. Alternative security investment scenarios

After establishing that the model was structurally sound and that its behavior was consistent with expectations, the model was used to investigate the impact of different information security investment decisions. The security tool investment was varied from $3000 to $7000 in $1000 increments, maintaining the deterrence investment at the same level. Cumulative successful attacks, damages, and security costs were compiled for these scenarios and are presented in Table 1. 

The overall trend in these results is moderately predictable. As the level of security tool investment decreases, the number of successful attacks increases and, correspondingly, the damages incurred and the overall security cost increase. Other security costs also increase, including recovery costs and vulnerability reduction costs. As the level of security tool investment increases, the cumulative successful attacks, damages, and overall security costs all decrease, and they do so dramatically. A similar analysis was performed for deterrence investment, varying it from $0 to $4000 in $1000 increments. These results appear in Table 2.

As before, the overall trend is predictable. However, the effects are considerably less pronounced in this case. This difference necessitated some additional investigation into the components that determined the overall security dimensions of interest. A more detailed exploration of the underlying constructs was performed, and traces of the constructs of interest yielded additional insight. These results are depicted in Figs. 3–5. Security tool and deterrence investments are contrasted for varying levels, and their impact on cumulative successful attacks, damages, and overall security costs are depicted during the simulation runs.

These graphs provide greater insight, though a more telling observation is the relative impact of different forms of security investment. Investment in detection and prevention has a considerably larger impact than does investment in deterrence. Detection and prevention tools help reduce the number of successful attacks. Reduction in investment in this area has a significant impact on the number of successful attacks, whereas added investment reduces that number considerably. In contrast, investment in deterrence has a smaller impact. Deterrence is primarily aimed at internal attackers; it is suggested that these are occasionally a greater threat than external attackers [49]. However, deterrence is rarely an effective de-motivator for a determined attacker. Additionally, sophisticated external attackers are not significantly influenced by deterrence practices because the probability of trace-back is often low and because prosecution thereafter is extremely unlikely. It is interesting to note that a 75% reduction in successful attacks can be achieved through added security tool investment compared with a 37% decrease for added deterrence investment. However, reading those percentages alone would skew the true implications, because the number of successful attacks is nearly double for low security tool investment. 



An examination of the implications of these attacks was subsequently conducted, and focusing on the magnitude of the damages incurred provided additional insights. Because not all successful attacks have the same severity of impact, a slightly more choppy response surface can be expected for cumulative damages. Indeed, the data bear this out. A similar trend is noted, with considerably greater variation for security tool investment than for deterrence investment. Though many interpretations are possible, the appropriate implication is that changes in the level of deterrence investment have little impact on damages incurred. Conversely, appropriate investment in security tools has a considerable impact; in addition, when that investment is reduced, a strong negative impact materializes.

The impact on overall security costs proved to be equally insightful. The overall security costs also include recovery costs, risk assessment costs, and vulnerability reduction efforts. Recovery costs are driven by the extent of the damage incurred, though with a short lag. Risk assessment costs represent a smaller cost component but are also driven by the extent of damage. Similarly, vulnerability reduction effort is an outcome of risk reassessment; this, in turn, is influenced by the extent of damage. However, in these cases, the lag is more pronounced. The cumulative effect of these costs is a magnifying effect. As a result, the overall security costs vary considerably with investment in security tools, compared to deterrence investment. Even with no deterrence investment, the impact on overall security costs is minimal, and doubling the investment from the base scenario provides little overall impact. The same cannot be said for security tool investment, with greater investment leading to a substantial reduction in overall costs, and cutbacks in investment leading to far greater security costs. 

In an effort to isolate the effect of each investment, variations of investment were considered and graphed. These results appear in Fig. 6. The interpretation for security tool investment is relatively clear; additional investment has a predictable impact on reducing overall security costs. The impact of deterrence investment proved to be less predictable; for this, the overall costs increased, then decreased, and then increased again. Nonetheless, a closer examination can illustrate this apparent paradox. Deterrence does have an impact on reducing successful attacks and, hence, overall security costs. However, this impact is relatively small, particularly at low levels of deterrence investment. Therefore, the savings generated through reduced recovery efforts are not offset by the deterrence investment, and the total security costs continue to rise. Slightly higher levels of deterrence investment generate an inflection point, and the reduction in successful attacks has a more dramatic payoff. In this segment, the benefit from deterrence investment outweighs the cost, and the overall trend is downward. When the number of successful attacks is driven to nearly zero, spending more on deterrence is fruitless because the marginal savings due to diminished attacks is clearly outweighed by the increased deterrence investment. It should also be noted that the overall variation is relatively small compared with that of security tool investment. 


To understand the combined effects of both security tool and deterrence investment, a grid search was performed varying both inputs systematically for a total of 25 simulation runs. The effect on overall security costs is depicted in Fig. 7. The impact of security tool investment was consistent; overall security costs decreased in a convex manner at all levels of deterrence investment, with the effect being more pronounced at low to zero deterrence investment. The impact of deterrence investment is slightly more ambiguous; at low levels of security tool investment, increases in deterrence investment lead to lower overall security costs. However, at higher levels of security tool investment, the impact of deterrence at the extreme points starts to decrease, and the cost of deterrence begins to outweigh its benefit. The effect is first noticed at the low end of deterrence values, and later manifests at higher deterrence values. Finally, at high levels of security tool investment, the overall impact of deterrence investment is negligible.


5. Managerial and research implications 

At a fundamental level, the model provides managers with clear guidelines regarding investment in security and the impact of this investment. The reinforcing loop on security attacks illustrates that if left unchecked, successful attacks will increase perceptions regarding system vulnerability, drawing more attacks and eventually leading to untenable situations regarding the protection of information assets. However, investing in suitable vulnerability reduction activities combined with implementing improved security procedures can effectively combat this situation. It is important to note that the expenses incurred in damage recovery, although extremely necessary, do not contribute to a reduction in attacks. A reduction is accomplished solely through patches to software flaws and changes in security procedures. Managers must be vigilant in taking action to eliminate vulnerabilities to safeguard the firm’s information assets. 

The information security management model indicates that different security investments have different implications for the overall costs associated with providing security for information assets. Several key implications can be inferred, some of which are expected, but others provide different insights. At the most basic level, overall security costs decrease with increased investment in information security. However, this is not an unbounded relation because at some point, the security costs from the investments will outweigh any benefits achieved through reduced damages and recovery efforts. This is due to the inverse nature of the relation between security investment and attacks. No amount of investment can eliminate all successful attacks. However, at high levels of security investment, additional security investment does not materially change the number of successful attacks, thereby incurring additional costs and no material benefits. 

An examination of the different security investment channels reveals that not all investment has the same payoff. Investment in tools for detecting and preventing security attacks yielded the greatest payoff. In a similar vein, a cutback on investment in this area had the most deleterious effect. A variety of tools are available in this category that address specific and overlapping threats. These include anti-virus programs, malware and spyware detection programs, firewalls, intrusion detection systems (network and host versions), and practices to mitigate SQL injection. Improved detection leads to fewer successful attacks and less damage to information assets. The implication for security managers is that this area of security investment cannot be overlooked. An organization’s information assets are likely to be distributed across many platforms and reside at multiple locations. A combination of security tools needs to be deployed to counter the attacks and secure the multiple information assets at multiple locations. The effectiveness of these tools will predictably degrade over time, as newer versions of attack vectors and newer attack vectors are developed. Security managers need to be constantly vigilant and maintain a current portfolio of security tools. Some tools may be automatically updated, e.g., anti-virus programs, and malware and spyware detection programs. Others, such as firewalls and intrusion detection systems, will entail periodic reconfiguration to address new attack vectors, new sources of attack, and new assets to safeguard. Though such reconfiguration invariably involves time and effort, the implications are clear. Any attack prevented has definite payoff in terms of reduced damage potential, recovery effort, and subsequent risk assessment and vulnerability reduction effort. Because the effect was observed at all levels of deterrence investment, managers who are lax regarding security tool maintenance do so at their peril. 


Investment in deterrence had a considerably smaller payoff. Deterrence activities take many forms, including formulating policies and procedures to reduce attacks and procedures to address identified attackers. Most deterrence activities rely on compliance by employees, which makes this a weaker aspect of security. Users often employ easily broken passwords, change them rarely if at all, and do not protect them sufficiently. Newly installed software is frequently not adequately secured, typically manifested as default master accounts that are not appropriately reconfigured. Lax practice by employees may result in data breaches or leakage, putting the organization and its clients at risk. In addition, internal attackers may have a significant advantage as they may be privy to current security procedures and cause significant damage through sabotage [49]. Deterrence policies for internal attackers are not always effective. For example, despite threats of discipline and termination for snooping among protected data, including dismissals in high profile cases involving medical data, employees often engage in these activities. Deterrence has even less effect or disincentive for external attackers because they are often not detected, or may be difficult to prosecute successfully. However, although it will not prevent attacks, investment in security deterrence is necessary. Two important implications for managers emerge from these simulations. The first is that more investment in deterrence does not automatically equate to lower overall security costs due to the muted benefits. The second is that the effect of deterrence investment does vary with the level of security tool investment; in some cases the payoff is minimal but, in other cases, it does make a difference. Knowing when deterrence investment has an impact will allow managers to deploy their security resources more effectively. 


The model also indicates that investment in certain areas is more beneficial than investment in others. This finding is in contrast to earlier research that suggests that across the board investment leads to fewer attacks than does differential investment [6]. It is important to note that this research has focused on cost, whereas earlier system dynamics models focused on attacks. Nonetheless, when managers choose to allocate resources based on potential impact, it is important to note that reducing investment to zero in any area is not recommended under any circumstances because all cutbacks invariably lead to increased security costs. 

There are several implications for researchers. This research developed a model that can be used to explore and understand the implications of different security investment decisions. The findings indicate that investment in security tools has a higher impact than does investment in deterrence. Further exploration is needed to determine whether security tool investment always has a positive payoff. It is likely that at some point, the marginal cost will outweigh the marginal benefit; this introduces the notion of an optimal investment level. The model can also be used to investigate security under a number of different conditions. These conditions include, for example, if the organization is a more attractive target, the number of attackers is considerably higher, new attack vectors are developed that lead to more successful attacks, or the organization acquires a portfolio of new information assets through a merger or acquisition. These would all involve changes to the input variables and thus represent further areas for research. These extensions will require systematic exploration of the search space and detailed structural analyses to ensure that intermediate variables are behaving appropriately. 


6. Conclusions 

Securing information assets is of critical importance for organizations. Although it is unlikely that all assets can be made absolutely secure, and although doing so may be prohibitively expensive, organizations need to invest appropriately in security endeavors. This research examined the effect of investing in different areas of information security, using a system dynamics model to understand the implications of these investments. The model incorporates many aspects of a security practice, including attacks, detection, recovery, risk assessment, and vulnerability reduction. Simulations using the model indicate that investments in security tools designed to detect attacks led to a better payoff than investments in deterrence activities. These simulations also indicate that investment in all areas of security is needed to effectively protect information assets. The model can be used in various capacities by practitioners and researchers. The model can serve as a decision support tool, recommending the preferred ways in which to expend security investments. It can also serve as a design tool, wherein competing security policies can be evaluated under a variety of different circumstances with a view to identifying best practices. The model can serve as an explanation tool through a systematic explication of the structural relations that link attacks to overall security costs. In summary, the model provides researchers with a rich environment to better understand the implications of security decisions under a variety of circumstances; in addition, it assists practitioners in making better decisions concerning information security.
