Expert Systems with Applications 42 (2015) 6132–6146
Game of information security investment: Impact of attack types and network vulnerability
http://dx.doi.org/10.1016/j.eswa.2015.03.033
© 2015 Elsevier Ltd. All rights reserved.
* Corresponding author at: School of Management, Xi’an Jiaotong University, 710049, No. 28 Xiannin Road, Xi’an, Shaanxi, China.
E-mail addresses: [email protected] (Y. Wu), [email protected] (G. Feng), [email protected] (N. Wang), [email protected] (H. Liang).
Yong Wu a,b, Gengzhong Feng a,c, Nengmin Wang a,c,*, Huigang Liang d
a School of Management, Xi’an Jiaotong University, 710049, No. 28 Xiannin Road, Xi’an, Shaanxi, China
b Department of Systems Engineering and Engineering Management, City University of Hong Kong, Hong Kong, China
c The Key Lab of the Ministry of Education for Process Control & Efficiency Engineering, 710049, No. 28 Xiannin Road, Xi’an, Shaanxi, China
d Department of Management Information Systems, College of Business, East Carolina University, Greenville, NC 27858, United States
Article info
Article history: Available online 8 April 2015
Keywords: Information security investment; Attack types; Network vulnerability; Game theory; Economic incentives
Abstract
The level of firms’ information security investment has recently become a critical issue in the management of IT infrastructure. Prior studies have not considered attack types and firms’ interconnection simultaneously when investigating the optimisation of such investment. Using game theory, we demonstrate that the optimal security investment level of an interconnected firm against targeted attacks is different from that against opportunistic attacks. Our model shows that not all information security risks are worth fighting against. As the potential loss increases, it is unadvisable to increase the security investment proportionately. Firms should increase investments with intrinsic vulnerability when facing targeted attacks, but focus on those systems that fall into the midrange of intrinsic vulnerability when facing opportunistic attacks. Firms are unwilling to invest in security and often offload reliability problems onto others when the trusted interdependence relationship becomes tighter in the absence of economic incentives. Thus we also discuss two economic incentives to motivate firms: liability and security information sharing. We find that if the rules are set properly, both economic incentives are effective to not only internalise the negative externality and improve a firm’s security level, but also reduce the total expected cost. We show that firms’ optimal investments under liability always increase with the number of firms, but the optimal investments under security information sharing increase only when the number of firms is large enough. These insights draw attention to many trade-offs firms often face and the importance of accurate assessment of firms’ security environment. Future research directions are discussed based on the limitations and possible extensions of this study.
1. Introduction
Information security investments are usually decided based on various economic models which assume that there is no difference in attack types and that firms’ information systems are independent of each other. However, these two assumptions deviate from the reality that firms usually face different types of attacks and their systems are interconnected with one another. The security of information systems can be seriously affected by attack types and firms’ interconnection. For example, according to the CSI (Computer Security Institute) survey (Richardson, 2011), the respondents who suffer from malware infections are four times as many as those who suffer from denial of service, and the loss from theft of information is three times as much as that from viruses. Another survey by PWC shows that 22% of the respondents have begun to conduct incident response planning with their partners, in which they agree to share information or allow network access with each other (PWC, 2013). In December 2013, the security breach of the giant US retailer, Target Corporation, exposed credit card and personal data of more than 110 million consumers. It started with a malware-laced phishing email sent to employees at an HVAC firm that is a vendor of Target (Krebs, 2014). Because Target’s information systems are difficult to breach, the hackers chose to attack the HVAC firm’s information systems, which are connected with Target’s but easier to breach. Thus, the effect of attack types and system interconnection is not limited to a single firm’s security but extends to the security of its partners.
Firms continuously face many different types of attacks. CSI classifies attacks into three categories: basic attacks, malware attacks and attack 2.0 (Attack 2.0 refers to advanced persistent threats) (Richardson, 2011). Another study segregates attacks into two types: “High-Frequency-Low-Impact” and “Low-Frequency-High-Impact” attacks (Wang, Chaudhury, & Rao, 2008). This classification is similar to that of many other researchers, who segregate attacks into two categories, targeted attack and opportunistic attack, based on whether the attacks have a specific target (targeted attack) or a number of intermediate targets to fulfil the hacker’s end goal (opportunistic attack) (Casey, 2003; Collins, Gates, & Kataria, 2006; Huang & Behara, 2013; Huang, Hu, & Behara, 2008). For instance, denial of service, website defacement and a purposeful penetration into a bank’s system to steal money are typical targeted attacks, while a virus, worm, malware infection and spam e-mail are typical opportunistic attacks (Huang & Behara, 2013).
The trusted interdependence relationship between firms is reflected in two ways based on the PWC survey (PWC, 2013): network connection and information sharing. First, firms’ information systems are physically interconnected via a trusted network such as a joint design network. Because the configuration of a network is composed of various interconnected systems, the network becomes vulnerable if any one of the systems is insecure. An organisation’s system is at risk if a hacker gains access to its partner’s system (Zhao, Xue, & Whinston, 2013). For instance, Walmart allows Procter & Gamble (P&G) to access information in Walmart’s information system via a trusted point-to-point Electronic Data Interchange (EDI), and vice versa. Their ongoing communication and collaboration are conducted through the EDI. This makes it possible for a virus or a hacker to breach the information systems of P&G through the Internet first, and then probabilistically break into Walmart’s systems via the EDI link. This is possible because Walmart trusts the EDI connection with P&G and therefore will not reject the access request. Second, many firms achieve product innovation or value creation via the network economy. As a result, much of many firms’ information is shared with their partners. These firms could suffer information loss together because of information sharing. For example, Walmart and P&G share retail sales information on P&G products at Walmart stores. The retail sales information is stored on servers of both firms. If hackers breach Walmart’s server, they can obtain Walmart’s private information, which causes losses to Walmart directly, as well as the retail sales information of P&G, which imposes losses on P&G indirectly. Thus sharing valued information is also a form of the trusted interdependence relationship between firms.
Given that the consequences of security breaches are influenced by attack types (Ponemon, 2013) and the interconnectivity of information systems has increased their insecurity (Gordon, Loeb, & Lucyshyn, 2003), this research investigates the impacts of attack types and firms’ interconnection on information security investments. In this study we use game theory to model the information security investment problem for two firms that attempt to minimise their total expected losses from security breaches. Because of the prisoner’s dilemma¹ in the information security investment game, firms are not always willing to invest in security and often offload reliability problems onto others. The only way to encourage firms to invest in security when they face the possibility of contamination from others is to develop a set of economic incentives (either positive or negative) that make it more attractive for firms to invest more (Kunreuther & Heal, 2003). Therefore, after investigating the features of optimal information security investment, we also discuss two effective economic incentives, liability and security information sharing, to solve the prisoner’s dilemma.
Our findings shed light on firms’ information security investment behaviours. First, we demonstrate that the optimal security investment level of an interconnected firm against targeted attacks is different from that against opportunistic attacks. Second, in the absence of economic incentives, an interconnected firm is unwilling to increase its security investment when its trusted interdependence relationship with partners becomes tighter. In addition, if the rules of economic incentives are set properly, both liability and security information sharing are effective to not only internalise the negative externality and improve a firm’s security level, but also reduce the total expected cost. We find that the firm’s optimal investment under liability always increases as the number of firms increases, but the optimal investment under security information sharing increases only when the number of firms is large enough.
1 The prisoner’s dilemma is a classical phenomenon in economics games. It suggests that two purely rational individuals will not always cooperate, even if it appears that cooperation is in their best interests.
The rest of the paper is organised as follows. In Section 2, we review the literature on the economics of information security. In Section 3, we introduce the features of information systems, attack types and network vulnerability. In Section 4, we investigate the features of an interconnected firm’s optimal information security investment for both attack types. In Section 5, we discuss two economic incentives for information security investments. We extend our model to the case of three or more firms in Section 6. We present the study’s conclusions in Section 7.
2. Literature review
Information security has been a focus of the information systems discipline since the 1990s and has recently become a mainstream topic (e.g. Parker, 1997; Straub, 1990; Straub, Goodman, & Baskerville, 2008). Although research into information security has received some attention, economic considerations related to information security investments are rare. As an important information security decision, information security investments face many uncertainties and should be taken seriously. Since attack types play an important role in the information security investment decision, many researchers have studied this issue. Gordon and Loeb (2002) use an economic benefit maximisation method to analyse a firm that faces two different breach probability functions. They show that a firm’s optimal information security investment would not exceed 36.8% of the potential loss. Extending the Gordon and Loeb model, Huang et al. (2008) use expected utility theory to analyse a firm facing two attack types: targeted attack and distributed attack. They identify a minimum potential loss, below which a firm does not necessarily invest in information security, and indicate that the information security investment does not necessarily increase with a higher level of risk aversion. Huang and Behara (2013) study the allocation mechanism of a firm’s limited information security budget to concurrently defend against two attack types (targeted and opportunistic attack). They find that a firm with a limited security budget should allocate most or all of the investment to prevent one type of attack, even when it simultaneously faces different attack types. Cezar, Cavusoglu, and Raghunathan (2014) group the nature of security functions into two categories (prevention and detection) and propose a complementarity mechanism to enhance the advantages offered by both functions.
Huang, Behara, and Goo (2014) examine the investment made by an organisation in a Healthcare Information Exchange to prevent opportunistic attacks. Besides the economics of information security investments, attack types have also been examined from other information security perspectives. For example, He, Chen, Su, and Sun (2014) propose a scheme to protect users from identity theft attacks in online social networking sites. A commonality of these previous studies is that they focus on a single firm that faces different attack types. However, the security investment decisions may be very different when multiple firms are involved, because firms’ interconnection through trusted networks and information sharing makes it possible for a firm to suffer from indirect attacks due to other firms’
vulnerability. Thus, this paper complements the IT security literature by considering interconnectivity between firms under different types of attacks.
Fig. 1. The conceptual description of the model.
2 In a single-event, one firm only suffers one (direct or indirect) breach. In a single-period economic model, all decisions and outcomes occur in a simultaneous instant.
3 A risk-neutral firm is indifferent to investments that have the same expected value, even though the investments may have varying amounts of risk. For example, Investment #1 generates either a net return of $200,000 or a net loss of $100,000, each with probability of 0.5, and Investment #2 generates a net return of either $40,000 or $60,000, each with probability of 0.5. Notice that Investment #1 has more risk (i.e., larger standard deviation around the expected value) than Investment #2. For a risk-neutral firm, the two investments are considered equal. But a risk-averse firm would require a higher expected value for an investment with a higher risk (Gordon & Loeb, 2002).
Protecting interconnected information systems from viruses or hackers can be considered an interdependent security (IDS) problem. Many problems, such as fire protection, theft protection, vaccinations and airline security, are typical IDS problems. All IDS problems share a common characteristic: the network consisting of the interconnected agents has a negative externality, i.e. the agents in the network will increasingly attempt to offload reliability duties onto other agents as the degree of interconnectivity increases. Kunreuther and Heal (2003) study the airline security interdependence problem and find that an airline has far fewer economic incentives to invest in a security system if it believes that other airlines will not make similar investments. Varian (2004) provides a simple model to explain the free rider problem with three prototypical interdependence cases.
In reality, network insecurity is somewhat like air pollution or traffic congestion, in which a firm that connects insecure machines to the Internet does not bear the full consequences of its actions (Anderson & Moore, 2006). In addition, each firm within a network can make its own decision on security investment, but a firm’s security risks depend not only on its own security practices but also on the security practices of other firms (Zhao et al., 2013). Traditional economic models such as economic benefit maximisation and expected utility theory do not allow a firm’s information security investment behaviour to influence another’s. Yet, a model for analysing information security investments should capture the strategic interaction between interconnected firms (Cavusoglu, Raghunathan, & Yue, 2008). Game theory is appropriate to model such strategic interactions. The game players could be firms trying to protect their information systems and hackers trying to attack the information systems. Alternatively, players could be interconnected firms that try to individually or jointly fend off attacks. Cavusoglu, Mishra, and Raghunathan (2005) apply game theory to explain that a firm can obtain a positive value from an intrusion detection system if the detection rate is greater than a threshold and will obtain a non-negative value from an optimally configured intrusion detection system. Hui, Hui, and Yue (2012) use game theory to analyse how the system interdependency risks interact with a mandatory security requirement to affect the equilibrium behaviours of a managed security service provider and its clients.
Because of the negative externality of interdependent security, many studies apply economic incentives to solve the IDS problem. Gordon et al. (2003) use game theory to show that information sharing can increase the level of information security and propose some incentive mechanisms for sharing information. Zhao et al. (2013) examine two alternative risk management approaches (risk pooling arrangements and managed security services) to solve the interdependency risks. Fang, Parameswaran, Zhao, and Whinston (2014) use game theory to model the interdependent security risk of inter-organisational information systems and propose an incentive mechanism to solve this problem. Only a few studies investigate the interdependent security risk from the economic consideration of information security investments. For example, Ogut, Menon, and Raghunathan (2005) use game theory to analyse the impact of interdependent risks on cyber insurance and IT security investment and find that the interdependence of cyber-risk reduces a firm’s investment in security technologies and cyber insurance. Kolfal, Patterson, and Yeo (2013) analyse optimal security investment decisions based on customer response to adverse IT security events.
Our literature review shows that prior studies have focused on many aspects of information security with interdependent risks. However, little research reveals how interdependent risks affect firms’ information security investments when facing different attack types, and how economic incentives should be actualised to solve the negative externality of information security investments. We intend to fill these research gaps by developing a game-theoretical model to consider the optimal information security investments and the optimal economic incentives when interconnected firms face different attack types.
3. Model preliminaries
To model information security investments, we consider a single-event, single-period security breach,² with a probability p, of two risk-neutral³ firms who face two attack types, targeted attack and opportunistic attack. The two firms’ information systems are interconnected through a trusted network or by storing mutual information, as shown in Fig. 1. The case of three or more firms is similar and will be discussed in Section 6.
3.1. Information system features
When attackers successfully breach a firm’s information system that stores confidential information, the firm may suffer a loss. We use L to denote the totality of loss this firm suffers. L includes not only direct losses such as those resulting from stolen bank accounts but also indirect losses such as the damage to a firm’s reputation due to the security breach.
Because of the limitations of security technology and the complexity of security issues, perfect security is impossible for an information system (PWC, 2013; Zhang, Deng, Wei, & Deng, 2012). A firm could spend a certain amount of money to decrease the risk by reducing the breach probability. Many previous articles (e.g., Gordon & Loeb, 2002; Huang et al., 2008) show that the breach probability of a given information system can be characterised by three parameters: v, t and S. Let p be the breach probability, expressed as $p(v, t, S)$. The first parameter, v, denotes the information system’s intrinsic vulnerability, i.e. the success probability of an attack once launched, in the absence of security protection. Note that the parameter v is intrinsic to the given information system and is determined only by the information system’s configuration, i.e. v is fixed for a given information system and is not affected by the external environment, such as attack types. Because v is a probability, 0 < v < 1.
The second parameter, t, represents the attack probability, or the probability for the information system to receive a certain type of attack. We assume that a firm’s security investment is confidential to the attackers, thus the security investment does not affect the hackers’ attack probability. In other words, t is exogenous to a firm’s information system, and we fix the attack probability at 0 < t < 1.
The third parameter, S, represents the information security investment. It can take many forms, such as purchasing firewalls, installing intrusion detection systems or training users. Developing effective security investment strategies can prevent the damage from attackers (Andoh-Baidoo & Osei-Bryson, 2007). Thus the purpose of investing in information security is to decrease the breach probability. We formalise the above observations in the following assumption about the breach probability:
Assumption 1. We assume the law of diminishing returns, which yields the following: $p' < 0$ and $p'' > 0$, where $p'$ denotes the partial derivative of p with respect to S and $p''$ denotes the partial derivative of $p'$ with respect to S.
3.2. Attack types
The difference between targeted attack and opportunistic attack in our model is shown in the breach probability functions. We adopt the typical breach probability functions used in previous studies⁴ (Gordon & Loeb, 2002; Huang & Behara, 2013; Huang et al., 2008):

$p^{I} = \dfrac{v\,t^{I}}{k S^{I} + 1}$ (1)

$p^{II} = t^{II}\, v^{k S^{II} + 1}$ (2)
Formula (1) represents targeted attack, which is called Class I below. Formula (2) represents opportunistic attack, which is called Class II below. Compared to a targeted attack, an opportunistic attack may be more pervasive, massive and easier to address, and tends to cause less damage to firms (Huang & Behara, 2013; Kim, Im, & Park, 2010). In contrast, firms may be less likely to encounter a targeted attack but tend to suffer significant losses if a targeted attack is successful. As mentioned before, according to the CSI survey (Richardson, 2011), the respondents who suffer from malware infections (opportunistic attack) are four times as many as those who suffer from denial of service (targeted attack), and the loss from theft of information (targeted attack) is three times as much as that from viruses (opportunistic attack). Thus, we formalise the above observations in the following assumption about attack types:
Assumption 2. We assume that the threat probability of an opportunistic attack is greater than that of a targeted attack and the loss caused by a targeted attack is greater than that caused by an opportunistic attack, i.e. $t^{II} = n\,t^{I}$, where n > 1, and $L^{I} = m\,L^{II}$, where m > 1.
The parameter k in the two formulas represents the security investment effectiveness. Because intrinsic vulnerability is not related to attack types and we assume that the investment effectiveness for both attack types is equal, v and k carry no attack-type superscript, while the other parameters, such as S and t, carry the superscript in both breach probability functions. Both formulas satisfy the conditions on the breach probability function $p(v, t, S)$ described above, which can be easily verified.
The two breach probability functions indicate that the relationship between the breach probability and the threat probability is linear, given the reasonable assumption that the threat probability is outside of the firms’ control. However, the breach probability shows quite different characteristics with respect to the intrinsic vulnerability and the security investment. The breach probability is more convex in an opportunistic attack than in a targeted attack with respect to the intrinsic vulnerability. This relationship indicates that the breach probability of an opportunistic attack increases more slowly than that of a targeted attack when the intrinsic vulnerability is small, but once the intrinsic vulnerability crosses a certain threshold, the breach probability of an opportunistic attack increases more rapidly than that of a targeted attack. The breach probability is also more convex in an opportunistic attack than in a targeted attack with respect to the security investment. This relationship indicates that an initial investment more significantly affects opportunistic attacks. Furthermore, it also explains why opportunistic attacks can be more easily addressed than targeted attacks.
4 Note that in the following sections, we use superscripts I and II to represent the attack types, and subscripts 1 and 2 to represent the sequence of firms.
3.3. Network vulnerability
As shown in Fig. 1, attackers can successfully attack firm 1 (or firm 2) in two ways: directly or indirectly. A direct breach of firm 1 occurs when attackers breach its information system directly, that is, the direct breach happens because of the firm’s own security lapse. An indirect breach of firm 1 occurs when attackers first breach the security of firm 2 and the breach spreads to firm 1 through their trusted interdependence relationship. We assume that the probability that an indirect breach of firm 1 occurs, given that firm 2 has been breached, is a constant, q. This parameter measures the extent of the trusted interdependence relationship between a firm and its partner, and does not change with the firm’s own security investment. q is high when the extent of system access authority is high. q is also high when firms share more information. Because q is a probability, 0 < q < 1. Based on this description of network vulnerability, firm 1’s investment can only reduce its own direct breach probability but cannot reduce its indirect breach probability. Firms can reduce the indirect breach probability by redefining the trusted interdependence relationship with their partners (for instance, reducing the extent of system access authority or the extent of information sharing). We make the following assumption about the total breach probability:
Assumption 3. The total breach probability of firm 1 depends on not only the probability of direct breaches but also the probability of indirect breaches which is equal to the direct breach probability of firm 2 multiplied by the network vulnerability, q.
Thus the total probability of a successful breach for firm 1 can be expressed as follows:
$P_{1} = 1 - (1 - p_{1})(1 - q\,p_{2})$, (3)

where $p_{1}$ is the direct breach probability of firm 1, $q\,p_{2}$ is the indirect breach probability of firm 1, and $(1 - p_{1})(1 - q\,p_{2})$ is the probability that firm 1 is not breached. We can define a similar breach probability for firm 2. Table 1 summarises the parameters and variables used in our model. The last four parameters will be introduced later.
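As an added example (not code from the paper), the following Python implements the breach probability functions (1) and (2), the total breach probability (3) and the total expected cost (4), and uses them to check two of the claims made about the attack classes in Section 3.2: that at these parameter values the first unit of investment removes a larger share of the breach probability for an opportunistic attack, and that the opportunistic breach probability grows more slowly in v than the targeted one below a threshold of intrinsic vulnerability and faster above it. All parameter values (v = 0.4, k = 1, q = 0.5, t^I = 0.2, n = 3) are constructed for illustration, and the threshold function uses the analytic slopes of (1) and (2) with respect to v, which is this example's own derivation rather than a formula from the paper.

```python
"""Breach probability and expected cost building blocks from Section 3.

Parameter values in the demonstration are constructed for illustration.
"""


def breach_targeted(v, t, S, k):
    """Class I, eq. (1): p^I = v*t/(k*S + 1). Linear in v, hyperbolic in S."""
    return v * t / (k * S + 1)


def breach_opportunistic(v, t, S, k):
    """Class II, eq. (2): p^II = t * v**(k*S + 1). Convex in v, exponential decay in S."""
    return t * v ** (k * S + 1)


def total_breach(p_own, p_partner, q):
    """Eq. (3): P1 = 1 - (1 - p1)(1 - q*p2); q*p2 is the indirect breach probability."""
    return 1 - (1 - p_own) * (1 - q * p_partner)


def expected_cost(p_own, p_partner, q, L, S_own):
    """Eq. (4): potential loss times total breach probability, plus the investment."""
    return total_breach(p_own, p_partner, q) * L + S_own


def first_unit_reduction(breach, v, t, k):
    """Share of the breach probability removed by the first unit of investment (S: 0 -> 1)."""
    return 1 - breach(v, t, 1.0, k) / breach(v, t, 0.0, k)


def vulnerability_threshold(S, k, n, step=0.01):
    """Smallest grid value of v at which p^II grows faster in v than p^I (added analysis).

    Analytic slopes: dp^I/dv = t^I/(k*S+1) and dp^II/dv = t^II*(k*S+1)*v**(k*S),
    with t^II = n*t^I (Assumption 2), so t^I cancels out of the comparison.
    Returns None if no grid point qualifies.
    """
    slope_targeted = 1.0 / (k * S + 1)
    for i in range(1, int(1 / step)):
        v = i * step
        slope_opportunistic = n * (k * S + 1) * v ** (k * S)
        if slope_opportunistic > slope_targeted:
            return v
    return None


if __name__ == "__main__":
    V, K, Q = 0.4, 1.0, 0.5        # constructed: vulnerability, effectiveness, network vulnerability
    T_I, N_RATIO = 0.2, 3.0        # constructed: targeted threat probability and ratio n = t^II / t^I
    T_II = N_RATIO * T_I
    p1 = p2 = breach_targeted(V, T_I, 1.0, K)   # symmetric firms, both investing S = 1
    print("Class I total breach probability of firm 1:", total_breach(p1, p2, Q))
    print("Class I expected cost at L = 100, S1 = 1:", expected_cost(p1, p2, Q, 100.0, 1.0))
    print("first unit removes (targeted, opportunistic):",
          first_unit_reduction(breach_targeted, V, T_I, K),
          first_unit_reduction(breach_opportunistic, V, T_II, K))
    print("v above which p^II grows faster than p^I at S = 2:",
          vulnerability_threshold(2.0, K, N_RATIO))
```

With k = 1 the first unit of investment always halves the targeted breach probability, while it multiplies the opportunistic one by v, so the opportunistic reduction is larger exactly when v is below one half; the threshold in v rises with S because the exponent k·S + 1 in (2) grows with the investment.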
4. Optimal security investments
Table 1. Summary of notations.
Notation    Name                                       Condition
L           Potential loss                             L ≥ 0
v           Intrinsic vulnerability                    0 < v < 1
t           Threat probability                         0 < t < 1
S           Security investment                        S ≥ 0
k           Investment effectiveness                   k > 0
p           Breach probability                         p(v, t, S)
q           Network vulnerability                      0 < q < 1
n           Ratio of threat probability                n > 1
m           Ratio of potential loss                    m > 1
C           Total expected cost                        C ≥ 0
λ           Portion of liability                       0 < λ < 1
θ           Portion of security information sharing    0 < θ < 1
N           The number of firms                        N > 2
We now examine the optimal information security investments for the two interconnected firms. We impose symmetric conditions on the two firms, i.e. $v_{1} = v_{2}$, $t_{1} = t_{2}$, $L_{1} = L_{2}$ and $k_{1} = k_{2}$. In the following sections, we omit the subscript when the two firms’ variables are equal. Firm 1 aims to select a security investment level to maximise its expected net benefit, i.e. to minimise the total expected cost. The total expected cost consists of the information security investment plus the expected loss, and the expected loss equals the potential loss multiplied by its total breach probability. Thus, we can calculate firm 1’s total expected cost as follows:
$C = [1 - (1 - p_{1})(1 - q\,p_{2})]\,L + S_{1}$ (4)
After rearranging the first-order condition and the second-order condition, we obtain the following:
$\dfrac{\partial C}{\partial S_{1}} = p_{1}'(1 - q\,p_{2})L + 1$ (5)

$\dfrac{\partial^{2} C}{\partial S_{1}^{2}} = p_{1}''(1 - q\,p_{2})L$ (6)

Because (6) is greater than zero, the total expected cost function is convex and there exists an optimal security investment that minimises the total expected cost. Substituting the two breach probability functions (1) and (2) into (5), we obtain the relationship between $S_{1}$ and $S_{2}$. For Class I, we obtain the following:
$\dfrac{\partial C^{I}}{\partial S_{1}} = -\dfrac{k v t^{I}}{(k S_{1}^{I} + 1)^{2}}\left(1 - \dfrac{q v t^{I}}{k S_{2}^{I} + 1}\right) L^{I} + 1$ (7)
For Class II, we obtain the following:
$\dfrac{\partial C^{II}}{\partial S_{1}} = k(\ln v)\, t^{II} v^{k S_{1}^{II} + 1}\left(1 - q\, t^{II} v^{k S_{2}^{II} + 1}\right) L^{II} + 1$ (8)

Both firms simultaneously determine their investments, and the total expected cost is a multivariate continuous function. We can use the two reaction curves $S_{2}(S_{1})$ and $S_{1}(S_{2})$ to obtain each player’s game strategy based on the other player’s strategy. Solving for the intersection of the two reaction curves gives the Nash equilibrium of the information security investment game. The Nash equilibrium is a solution concept of a non-cooperative game involving two or more players, in which each player is assumed to know the equilibrium strategies of the other players, and no player has anything to gain by changing only their own strategy. Since we assume that the two firms are identical, factors such as potential loss and intrinsic vulnerability are common knowledge for both firms. Thus, both firms know the other’s strategy based on common knowledge. The two firms will not unilaterally change their decision at the equilibrium state. More costs will be incurred if they choose other investment levels outside of the equilibrium strategy. Thus maintaining the Nash equilibrium is the best strategy for both firms.
By symmetry, the reaction curves of both firms are identical. Thus the Nash equilibrium investments of the two firms are equal for both attack types, i.e. $S_{1}^{I*} = S_{2}^{I*}$ and $S_{1}^{II*} = S_{2}^{II*}$. To simplify, we use $S^{I*}$ and $S^{II*}$ to represent the optimal investment for both attack types. The slope of $S_{2}(S_{1})$ should be higher than the slope of $S_{1}(S_{2})$ to make the two reaction curves intersect, which ensures the existence of the Nash equilibrium.
From (7), for Class I, we obtain the slopes of the two reaction curves at the Nash equilibrium:

$\dfrac{\partial S_{2}^{I}}{\partial S_{1}^{I}} = \dfrac{2(k S^{I*} + 1 - q v t^{I})}{q v t^{I}} > \dfrac{\partial S_{1}^{I}}{\partial S_{2}^{I}} = \dfrac{q v t^{I}}{2(k S^{I*} + 1 - q v t^{I})}$ (9)
From (8), for Class II, we obtain the slopes of the two reaction curves at the Nash equilibrium:

$\dfrac{\partial S_{2}^{II}}{\partial S_{1}^{II}} = \dfrac{1 - q\, t^{II} v^{k S^{II*} + 1}}{q\, t^{II} v^{k S^{II*} + 1}} > \dfrac{\partial S_{1}^{II}}{\partial S_{2}^{II}} = \dfrac{q\, t^{II} v^{k S^{II*} + 1}}{1 - q\, t^{II} v^{k S^{II*} + 1}}$ (10)
From (9), we obtain 3qvtI < 2ðkSI � þ 1Þ for any SI
� . Thus, we can
obtain qvtI < 23 for Class I. From (10), we obtain 2qv kSII � þ1 tII < 1 for
any SII � . Thus, we obtain qvtII < 12 for Class II. We establish the
boundary for Class I in a tighter condition to comparatively analyse both attack types at the same condition. In other words, we assume that both attack types satisfy the condition qvt < 12, which is a suf- ficient but not necessary condition. Because our study focuses on the impact of the network vulnerability, we assume that the condi- tion vt < 12 holds to ensure that the problem always contains an optimal investment for all values of network vulnerability.
Setting (5) to zero yields the optimal security investment of firm 1 for both attack types:

$$S^* = p'^{-1}\left(\frac{-1/L}{1 - qp(S^*)}\right) \qquad (11)$$
Because closed-form solutions for the optimal security investment are too complex, we adopt the implicit function analysis method. Thus, the optimal security investment against the targeted attack for firm 1 satisfies the following:

$$F_I = -\frac{kvt_I}{(kS^{I*}+1)^2}\left(1 - q\frac{vt_I}{kS^{I*}+1}\right)L_I + 1 = 0 \qquad (12)$$
Furthermore, the optimal security investment against the opportunistic attack for firm 1 satisfies the following relationship:

$$F_{II} = k(\ln v)t_{II}v^{kS^{II*}+1}\left(1 - qt_{II}v^{kS^{II*}+1}\right)L_{II} + 1 = 0 \qquad (13)$$
By setting $y = S^{I*}$ or $y = S^{II*}$ and $x$ as each parameter above, we can use $\frac{dy}{dx} = -\frac{\partial F/\partial x}{\partial F/\partial y}$ to examine the relationship between the optimal security investment and these parameters.
4.1. Optimal investment and potential loss
First, we examine the relationship between the optimal investment and the potential loss. Using implicit functions (11) and (12) for analysis, we obtain the following for Class I:

$$\frac{\partial S^{I*}}{\partial L_I} = \frac{(kS^{I*}+1)(kS^{I*}+1-qvt_I)}{kL_I(2kS^{I*}+2-3qvt_I)} \qquad (14)$$

$$\operatorname{sign}\left(\frac{\partial^2 S^{I*}}{\partial L_I^2}\right) = -\operatorname{sign}\left(\left(kS^{I*}+1-\tfrac{3}{2}qvt_I\right)^2 + \tfrac{3}{4}(qvt_I)^2\right) \qquad (15)$$

For Class II, we obtain the following:

$$\frac{\partial S^{II*}}{\partial L_{II}} = \frac{1 - qt_{II}v^{kS^{II*}+1}}{k(\ln v)L_{II}\left(2qt_{II}v^{kS^{II*}+1} - 1\right)} \qquad (16)$$

$$\operatorname{sign}\left(\frac{\partial^2 S^{II*}}{\partial L_{II}^2}\right) = -\operatorname{sign}\left(\left(2qt_{II}v^{kS^{II*}+1} - \tfrac{3}{4}\right)^2 + \tfrac{7}{16}\right) \qquad (17)$$

We can easily identify that (14) and (16) are both greater than zero and (15) and (17) are both less than zero. Thus, we can conclude that the optimal security investment increases with the potential loss at a decreasing rate for both attack types.
Fig. 2. Optimal investment with potential loss.
Fig. 3. Optimal investment with loss.
By using (12) and (13) and setting $S^{I*} = 0$ and $S^{II*} = 0$, we can obtain the minimum potential loss, below which firm 1's optimal security investment is zero. For Class I, we obtain $L^I_0 = \frac{1}{kt_Iv(1-qt_Iv)}$ and for Class II, we obtain $L^{II}_0 = \frac{1}{k(\ln v)t_{II}v(qt_{II}v-1)}$. Based on these two formulas we can deduce that $L^I_0 < -n(\ln v)L^{II}_0$. Therefore, firms have a higher incentive not to invest against targeted attacks when the potential loss caused by both attack types is so small that firms do not need to invest in security and $v$ is greater than $e^{-1/n}$. In general, the minimum potential loss of targeted attacks is greater than that of opportunistic attacks. The condition above is tight; for instance, if $n = 2$, the minimum potential loss of an opportunistic attack can be greater than that of a targeted attack only when $v > 0.61$. If $n = 10$, the minimum potential loss of an opportunistic attack can be greater than that of a targeted attack only when $v > 0.91$, but an information system with such a large intrinsic vulnerability is unlikely to be used.
The above analysis can be further illustrated with numerical examples. Fig. 2 shows the results of the numerical analysis when $v = 0.7$, $k = 0.000005$, $2t_I = t_{II} = 0.7$ and $q = 0.5$ (the results are similar when we vary the values of $v$, $k$, $t$ and $q$). The optimal information security investments of both attack types clearly increase with the potential loss at a decreasing rate. Furthermore, the two curves do not originate at zero. Therefore, both attack types feature a minimum potential loss as described above.
We also drew Fig. 3, in which the ordinate is the ratio of optimal investment to potential loss, to see how the optimal investment changes as the potential loss increases. Fig. 3 shows that once $L > L_0$, both $S^{I*}/L$ and $S^{II*}/L$ increase rapidly to reach a peak and then decrease slowly to zero. Therefore, the optimal security investment increases with the potential loss but ultimately reaches a plateau as the potential loss increases, for both attack types.
We now show the impact of potential loss on the optimal investments of firms.
Proposition 1. For both attack types, there exists a minimum potential loss, below which an interconnected firm does not need to invest in security and above which the firm's optimal investment increases with the potential loss at a decreasing rate, but ultimately reaches a plateau.
Several interesting implications emerge from this proposition. First, if the potential loss caused by an information security breach is sufficiently small, firms benefit from bearing the risk and not investing in security, even though firms simultaneously face direct and indirect attacks. In general, the minimum potential loss of targeted attacks below which firms have no incentive to invest in security is greater than that of opportunistic attacks. However, the minimum potential loss of opportunistic attacks can be greater than that of targeted attacks under some tight conditions. This finding highlights the importance of adequate assessment of firms' potential loss and identifying the nature of attacks, because whether a firm would invest in security or not depends on the values of both potential loss and attack types.

Fig. 4. Optimal investment with intrinsic vulnerability.
Second, for both attack types, the optimal security investment increases with the potential loss at a decreasing rate, and finally reaches a plateau. This finding is in contrast to Huang et al. (2008), who reported that the optimal security investment of a single firm increases rapidly and then reaches a plateau as the potential loss increases for targeted attacks. For opportunistic attacks, they reported that the optimal security investment of a single firm increases rapidly and then becomes a percentage of potential loss as the potential loss increases. In other words, our analysis shows that a firm's optimal investment will ultimately reach a plateau irrespective of the attack types. Based on (14) and (16), both $\partial S^{I*}/\partial L_I$ and $\partial S^{II*}/\partial L_{II}$ are close to zero when $L$ approaches infinity. Thus, the optimal investment in information security will finally reach a plateau for an interconnected firm when the potential loss increases, irrespective of the attack types. This relationship is understandable when we consider formula (4): the expected cost is equal to the total breach probability multiplied by the potential loss, but the total breach probability and the potential loss are independent of each other. Thus, the investment will lower the total breach probability and thereby lower the expected cost when the potential losses from both attack types are moderate or low. However, when the potential losses are high and result in catastrophic damages, investing in security to lower the total breach probability cannot reduce the expected cost to a range that firms could accept. In this situation, a better solution for firms is to adopt other measures, such as buying cyber insurance to compensate for the catastrophic loss. This finding also highlights the importance of adequate assessment of firms' potential loss, because firms should stop investing in security and adopt other measures when the potential loss is catastrophic.
4.2. Optimal investment and intrinsic vulnerability
Next, we examine the relationship between the optimal security investment and the intrinsic vulnerability. First, we discuss Class I with the help of (12) to obtain the following:

$$\frac{\partial S^{I*}}{\partial v} = \frac{(kS^{I*}+1)(kS^{I*}+1-2qt_Iv)}{kv(2kS^{I*}+2-3qt_Iv)} \qquad (18)$$

$$\operatorname{sign}\left(\frac{\partial^2 S^{I*}}{\partial v^2}\right) = -\operatorname{sign}\left(\left(kS^{I*}+1-\tfrac{3}{2}qvt_I\right)^2 + \tfrac{3}{4}(qvt_I)^2\right) \qquad (19)$$

Eq. (18) is greater than zero and (19) is less than zero, i.e. for the targeted attack, the optimal security investment increases with the intrinsic vulnerability at a decreasing rate.
Let $S^{I*} = 0$ in (12) to obtain $v_0(1 - qt_Iv_0) = \frac{1}{kt_IL_I}$. We then solve this formula to obtain

$$v_0 = \frac{1 - \sqrt{1 - \frac{4q}{kL_I}}}{2qt_I}$$

(we discard the other root because the intrinsic vulnerability is less than one), where $v_0$ is the minimum intrinsic vulnerability at which $S^{I*}$ equals zero; beyond $v_0$, $S^{I*}$ is greater than zero and increases with $v$. Fig. 4 shows the computational results of the above analysis, where $k = 0.000005$, $2t_I = t_{II} = 0.5$, $q = 0.5$ and $L_I = 2L_{II} = \$4\text{M}$ (the results are similar when we vary the values of $k$, $t$, $q$ and $L$). Fig. 4 shows that a minimum vulnerability, $v_0$, exists that sets the optimal security investment to zero. Beyond this minimum, the optimal security investment increases with the intrinsic vulnerability at a decreasing rate.
We then discuss Class II with the help of implicit function (13) to obtain the following:

$$\frac{\partial S^{II*}}{\partial v} = -\left[\frac{kS^{II*}+1}{kv(\ln v)} + \frac{1 - qt_{II}v^{kS^{II*}+1}}{kv(\ln v)^2\left(1 - 2qt_{II}v^{kS^{II*}+1}\right)}\right] \qquad (20)$$
We examine two extreme cases, $v \to 0$ and $v \to 1$. With the help of L'Hôpital's Rule, we find

$$\left.\frac{\partial S^{II*}}{\partial v}\right|_{v=0^+} = \lim_{v\to 0^+}\frac{1}{k}\,\frac{(kS^{II*}+1)(\ln v)+1}{v(\ln v)^2} = \frac{1}{k}\lim_{v\to 0^+}\frac{(kS^{II*}+1)/v}{(\ln v)^2 + 2(\ln v)} = \frac{1}{k}\lim_{v\to 0^+}\frac{kS^{II*}+1}{2v} = +\infty.$$

Because $\lim_{v\to 1}\frac{kS^{II*}+1}{kv(\ln v)} = +\infty$ and $\lim_{v\to 1}\frac{1-qt_{II}v^{kS^{II*}+1}}{kv(\ln v)^2\left(1-2qt_{II}v^{kS^{II*}+1}\right)} = +\infty$, we obtain $\left.\frac{\partial S^{II*}}{\partial v}\right|_{v=1} = -\infty$.
We set (13) equal to zero and obtain $v(-\ln v)(1 - qt_{II}v) = \frac{1}{kt_{II}L_{II}}$. Noting that $vt < 1/2$, we obtain $v(-\ln v) > \frac{2}{kt_{II}L_{II}}$ for $0 < v < 1$. Furthermore, $-v\ln v$ takes on a maximum at $v = 1/e$ and approaches 0 as $v$ approaches either 0 or 1. Thus, for given $k$, $t_{II}$, $q$ and $L_{II}$, there exist a lower limit $v_0$ and an upper limit $v_1$ such that $S^{II*} = 0$ when $0 < v < v_0$ or $v_1 < v < 1$, and $S^{II*} > 0$ when $v_0 < v < v_1$. To determine whether the $v'$ that maximises $S^{II*}$ is unique, we set $\partial S^{II*}/\partial v = 0$, which yields

$$F = (kS^{II*}+1)(\ln v)\left(1 - 2qt_{II}v^{kS^{II*}+1}\right) + 1 - qt_{II}v^{kS^{II*}+1} = 0.$$

We also obtain

$$\frac{\partial F}{\partial v} = -\frac{kS^{II*}+1}{v}\left(2kS^{II*}(\ln v)qt_{II}v^{kS^{II*}+1} + 2(\ln v)qt_{II}v^{kS^{II*}+1} + 3qt_{II}v^{kS^{II*}+1} - 1\right).$$

Thus, as a sufficient but not necessary condition, when $vt < 1/3$, $\partial F/\partial v > 0$. Therefore, the value $v'$ that maximises $S^{II*}$ is unique in this situation.

In summary, $S^{II*}$ increases from $-\infty$ when $v = 0$ to zero when $v = v_0$. It increases to a positive maximum when $v = v'$ and then decreases to zero when $v = v_1$. It further decreases to $-\infty$ as $v$ approaches 1. Although closed-form solutions for $v_0$, $v_1$ and $v'$ could not be found, we can determine these values numerically. Fig. 4 shows the computational results of the above analysis, where $q = 0.5$, $k = 0.000005$, $2t_I = t_{II} = 0.5$ and $L_I = 2L_{II} = \$4\text{M}$ (the results are similar when we vary the values of $q$, $k$, $t$ and $L$). Fig. 4 shows that there exist a lower limit $v_0$ and an upper limit $v_1$ such that $S^{II*} = 0$ when $0 < v < v_0$ or $v_1 < v < 1$, and $S^{II*} > 0$ when $v_0 < v < v_1$. Furthermore, the $v'$ that maximises $S^{II*}$ is unique. We now show the impact of intrinsic vulnerability on the optimal investments of firms.
Proposition 2. An interconnected firm that faces targeted attacks features a minimum intrinsic vulnerability, below which the optimal investment is zero and above which the optimal investment increases with the intrinsic vulnerability at a decreasing rate. An interconnected firm that faces opportunistic attacks features a range of intrinsic vulnerability values, outside of which the optimal investment is zero and inside of which the optimal investment is greater than zero and only one maximum exists.
Fig. 5. Optimal investment with network vulnerability.
Proposition 2 demonstrates that the impact of the intrinsic vulnerability on a firm's optimal security investment against targeted attacks is different from that against opportunistic attacks. We define a secure-configuration information system as one with $v < v'$ and a dangerous-configuration information system as one with $v > v'$.
In a secure configuration, firms are willing to invest more in security as the intrinsic vulnerability increases, irrespective of attack types. In a dangerous configuration, firms are still willing to invest more as the intrinsic vulnerability increases when they face targeted attacks, but are inclined to invest less as the intrinsic vulnerability increases when they face opportunistic attacks. Each firm strikes an appropriate balance between its risk exposure and the opportunity to mitigate the risk through investments in security (Cavusoglu et al., 2008). Thus firms face two risk types when they decide the security investment: risk of loss from security breach (security risk) and risk of over-spending in security (investment risk). In a secure configuration, firms are more concerned with security risks, irrespective of the attack type. In a dangerous configuration, firms are still more concerned with security risks when they face targeted attacks, but care more about investment risks when they face opportunistic attacks.

Thus, firms should identify which attack type they mainly face and the extent of intrinsic vulnerability before deciding on information security investments. When firms mainly face targeted attacks, they can ignore systems that have low intrinsic vulnerability and invest in systems that have a moderate or high intrinsic vulnerability. Because the security risk always outweighs the investment risk, firms should correspondingly increase investment, irrespective of the level of intrinsic vulnerability. This consequence is understandable because attackers are more likely to attack a system with a high intrinsic vulnerability if two systems are of the same value to attackers. In addition, once a determined attacker decides to hack the targeted system, he/she is not easily stopped and will make every effort to complete the attack, and the loss caused by the targeted attack is usually catastrophic. Thus the security risk is always greater than the investment risk, and firms should be more cautious and prevent breaches in their system as much as possible when they are under targeted attacks.

When a firm mainly faces opportunistic attacks, it can ignore systems that have an overly low or overly high intrinsic vulnerability and invest in systems that have a moderate intrinsic vulnerability. We can explain this conclusion by analysing the features of an opportunistic attack. As described above, opportunistic attacks are pervasive, frequent, easy to address and tend to cause less damage to firms, and an initial investment has a more significant effect against opportunistic attacks. Thus, opportunistic attacks do not easily breach the system when the intrinsic vulnerability is sufficiently small. However, an opportunistic attack could easily breach the system when the intrinsic vulnerability is sufficiently high that the system is in a dangerous configuration. Furthermore, opportunistic attacks are usually contagious because they are pervasive and frequent. In this situation, additional investment cannot prevent infections. Thus the investment risk outweighs the security risk and firms become more cautious about the investment risk. Ultimately, they are inclined to decrease the amount of investment. Because the intrinsic vulnerability is decided by the configuration of the information system, firms should redefine the system configuration to reduce intrinsic vulnerability rather than invest against opportunistic attacks when the system is in a dangerous configuration.
4.3. Optimal investment and network vulnerability
We now address the relationship between the optimal investment and network vulnerability. Network vulnerability, $q$, represents the extent of the trusted interdependence relationship between two firms. Using (12) and (13) for analysis, we obtain the following for Class I:

$$\frac{\partial S^{I*}}{\partial q} = -\frac{vt_I(kS^{I*}+1)}{k(2kS^{I*}+2-3qvt_I)} \qquad (21)$$

$$\operatorname{sign}\left(\frac{\partial^2 S^{I*}}{\partial q^2}\right) = -\operatorname{sign}\left(kS^{I*}+1-qvt_I\right) \qquad (22)$$

We obtain the following for Class II:

$$\frac{\partial S^{II*}}{\partial q} = -\frac{t_{II}v^{kS^{II*}+1}}{k(\ln v)\left(2qt_{II}v^{kS^{II*}+1} - 1\right)} \qquad (23)$$

$$\operatorname{sign}\left(\frac{\partial^2 S^{II*}}{\partial q^2}\right) = -\operatorname{sign}\left(3 - 4v^{kS^{II*}+1}qt_{II}\right) \qquad (24)$$

Eqs. (21) and (23) are both less than zero. Formulas (22) and (24) are both less than zero, i.e. the optimal security investment decreases with the network vulnerability at a decreasing rate for both attack types. Therefore, information security systems indeed show interconnectivity with negative externality, so that both firms are less willing to invest in security when their trusted interdependence relationship is tighter.
Next, we compare the impact of network vulnerability on both attack types. We substitute $t_{II} = nt_I$ into $\partial S^{II*}/\partial q$ and obtain

$$\frac{\partial S^{II*}}{\partial q} = -\frac{t_Iv^{kS^{II*}+1}}{k(\ln v)\left(2qt_Iv^{kS^{II*}+1} - 1/n\right)}.$$

If $\partial S^{I*}/\partial q < \partial S^{II*}/\partial q$, then $\frac{2 - 3qvt}{kS^*+1} < (\ln v)\left(2qvt - \frac{1}{nv^{kS^*}}\right)$ and $2 < (-\ln v)(1 - 2qvt_{II})$, which yields $v < e^{-2}$. Thus, as a sufficient but not necessary condition, when $v < e^{-2}$, $\partial S^{I*}/\partial q < \partial S^{II*}/\partial q$. Therefore, when the intrinsic vulnerability is less than $e^{-2}$, the network vulnerability has a stronger impact on a firm's investment when it faces a targeted attack as opposed to an opportunistic attack.

Fig. 5 shows the optimal security investment levels $S^{I*}$ and $S^{II*}$ with respect to the network vulnerability, for $v = 0.4$, $k = 0.000005$, $2t_I = t_{II} = 0.8$ and $L_I = 2L_{II} = \$1\text{M}$.
We now show the impact of network vulnerability on the optimal investments of firms.
Proposition 3. For both attack types, an interconnected firm's optimal investment decreases with the network vulnerability at a decreasing rate. When the network vulnerability is less than $e^{-2}$, the network vulnerability has a stronger impact on a firm's investment when the firm faces a targeted attack than when it faces an opportunistic attack.
Proposition 3 demonstrates that the amount of investment will decrease more quickly when the network vulnerability increases. This conclusion seems counter-intuitive: because the network vulnerability increases a firm's total breach probability, firms are exposed to more risk and thus should invest more in security. However, a firm's indirect breach probability increases when the network vulnerability increases. As we showed earlier, a firm's investment can only reduce its direct breach probability and cannot reduce its indirect breach probability. Thus, firms do not invest at the same level when they are interconnected, because the inefficiency of investment reduces a firm's incentives to invest in security when its network vulnerability increases. We can use the IDS problem to explain this conclusion. Since the network consisting of the interconnected information systems shows negative externality, the firms in the network are more likely to attempt to offload reliability duties onto other firms when they become more interconnected. In order to solve the IDS problem, besides redefining the trusted interdependence relationship with their partners (for instance, reducing the extent of database access authority or the extent of information sharing) to reduce the network vulnerability, some economic incentives can be designed to internalise the negative externality of information security. We discuss two economic incentives in Section 5.
5. Economic incentives
In Section 4, we have shown that if economic incentives are lacking, an interconnected firm tends to invest less in security as the network vulnerability increases. It would be more attractive to a firm if there were economic incentives that not only improve the firm's security level but also reduce its total expected cost. In this section, we discuss two such effective economic incentives: liability and security information sharing. As a benchmark, we start by characterising the socially optimal welfare. Then we show how to employ the two economic incentives to induce socially optimal welfare.
5.1. Joint decision
To evaluate the investment efficiency, we compare the firms' investments under the two economic incentives with the optimal investment level. The optimal investment level is defined as the security investment level when all the firms jointly minimise their total expected costs. We should note that the total expected cost of the joint decision is also the total social expected cost of security investment. Thus, the optimal investment level of the joint decision is also the optimal investment level for social welfare. The total expected cost of joint decisions is defined as follows (see footnote 5):

$$C_J = [p_1 + (1-p_1)qp_2]L + S_1 + [p_2 + (1-p_2)qp_1]L + S_2 \qquad (25)$$

Solving this formula yields firm 1's optimal investment:

$$S^*_J = p'^{-1}\left(\frac{-1/L}{1 + q - 2qp(S^*_J)}\right) \qquad (26)$$

Footnote 5: In the following sections, subscript J represents the scenario of joint decision. Later, D, L and S represent the scenarios of individual decision, liability, and security information sharing, respectively.
We now compare the optimal investment of joint decisions with that of individual decisions. Because both attack types satisfy the condition $vt < 1/2$, we obtain

$$\frac{-1/L}{1 - qp(S^*_D)} < \frac{-1/L}{1 + q - 2qp(S^*_J)}.$$

Hence, we obtain that $S^*_D < S^*_J$, which means the optimal investment of joint decisions is higher than that of individual decisions. Hence the security level of joint decisions is higher than that of individual decisions.
Next we compare the total expected cost of joint decisions with that of individual decisions. Both expressions of total expected cost have the same form, $\partial C^*_D/\partial S^*_D < 0$ when $L > L_0$, and $S^*_D < S^*_J$; thus we obtain $C^*_J < C^*_D$, which means the total expected cost of joint decisions is lower than that of individual decisions.

Next we seek to find whether the joint decision can internalise the negative externality of interconnection. We differentiate $S^*_J$ with respect to $q$ to get

$$\frac{\partial S^*_J}{\partial q} = \left(p''\right)^{-1}\frac{(1-2p)}{L(1+q-2qp)^2} > 0,$$

which means the optimal security investment increases with the network vulnerability for both attack types when firms jointly decide their investments.
We now use a numerical analysis to illustrate the impacts of the joint decision on different attack types. We set $v = 0.5$, $k = 0.000005$, $2t_I = t_{II} = 0.5$ and $L_I = 2L_{II} = \$10\text{M}$. For Class I, the optimal investment of the individual decision is $0.3 M and the optimal investment of the joint decision is $0.4 M. The increase in investment relative to the loss is 1%. For Class II, the optimal investment of the individual decision is $0.4 M and the optimal investment of the joint decision is $1.2 M. The increase in investment relative to the loss is 16%. Thus, the impact of the joint decision on opportunistic attacks is stronger than that on targeted attacks.
Therefore, we can conclude that the optimal investment of the joint decision can increase the security level and decrease the total expected cost, as well as internalise the negative externality of network vulnerability. Moreover, firms have more incentives to jointly decide their investments when they mainly face opportunistic instead of targeted attacks.
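A numerical check of the equilibrium conditions used in Sections 4.1, 4.2 and 5.1, as an added example that is not part of the paper: it solves the symmetric first-order conditions (11) and (26) by bisection for the two breach-probability forms read off (12) and (13), evaluates the closed forms $L_0$ and $v_0$, and reproduces the individual-versus-joint comparison with the parameter values quoted above. The breach-probability forms, the bisection upper bound and all function names are this example's own assumptions.

```python
"""Numerical check of the symmetric-equilibrium investments in the paper's game.

Added example, not the authors' code.  Model as read off the page:
  Class I  (targeted):      p(S) = v * t_I / (k*S + 1)            [from (12)]
  Class II (opportunistic): p(S) = t_II * v**(k*S + 1)           [from (13)]
  Individual decision (symmetric): p'(S) (1 - q p(S)) L + 1 = 0         [(11)]
  Joint decision      (symmetric): p'(S) (1 + q - 2 q p(S)) L + 1 = 0   [(26)]
The closed forms L_0 (Section 4.1) and v_0 for Class I (Section 4.2) are
included so the corner solution S* = 0 can be checked against the solver.
"""
import math


def breach_prob(cls, S, v, k, t):
    """Direct breach probability p(S) for attack class "I" or "II"."""
    if cls == "I":
        return v * t / (k * S + 1.0)
    return t * v ** (k * S + 1.0)


def breach_prob_deriv(cls, S, v, k, t):
    """dp/dS; negative for both classes because investment lowers p."""
    if cls == "I":
        return -k * v * t / (k * S + 1.0) ** 2
    return k * math.log(v) * t * v ** (k * S + 1.0)


def marginal_cost(cls, S, v, k, t, q, L, joint=False):
    """d(total expected cost)/dS_1 at the symmetric profile S_1 = S_2 = S."""
    p = breach_prob(cls, S, v, k, t)
    dp = breach_prob_deriv(cls, S, v, k, t)
    weight = (1.0 + q - 2.0 * q * p) if joint else (1.0 - q * p)
    return dp * weight * L + 1.0


def optimal_investment(cls, v, k, t, q, L, joint=False, s_max=1e9):
    """S* solving the first-order condition by bisection.

    If the marginal cost at S = 0 is already non-negative (L <= L_0), the
    corner solution S* = 0 is returned, as in Proposition 1.  s_max is an
    assumed upper bound on the search interval.
    """
    if marginal_cost(cls, 0.0, v, k, t, q, L, joint) >= 0.0:
        return 0.0
    lo, hi = 0.0, s_max  # marginal cost is negative at lo, positive at hi
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if marginal_cost(cls, mid, v, k, t, q, L, joint) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def min_potential_loss(cls, v, k, t, q):
    """L_0 below which S* = 0 (closed forms L_0^I and L_0^II, Section 4.1)."""
    if cls == "I":
        return 1.0 / (k * t * v * (1.0 - q * t * v))
    return 1.0 / (k * math.log(v) * t * v * (q * t * v - 1.0))


def min_intrinsic_vulnerability_I(k, t, q, L):
    """v_0 for Class I (Section 4.2): smaller root of v(1 - q t v) = 1/(k t L)."""
    return (1.0 - math.sqrt(1.0 - 4.0 * q / (k * L))) / (2.0 * q * t)


def expected_cost(cls, S, v, k, t, q, L):
    """Firm 1's total expected cost at the symmetric profile (S, S)."""
    p = breach_prob(cls, S, v, k, t)
    return (p + (1.0 - p) * q * p) * L + S


def compare_individual_vs_joint(cls, v, k, t, q, L):
    """Section 5.1 comparison: investments, costs and the increase in
    investment expressed as a percentage of the potential loss."""
    s_d = optimal_investment(cls, v, k, t, q, L)
    s_j = optimal_investment(cls, v, k, t, q, L, joint=True)
    return {
        "S_D": s_d,
        "S_J": s_j,
        "C_D": expected_cost(cls, s_d, v, k, t, q, L),
        "C_J": expected_cost(cls, s_j, v, k, t, q, L),
        "increase_pct_of_loss": 100.0 * (s_j - s_d) / L,
    }


if __name__ == "__main__":
    # Parameter values quoted in Section 5.1:
    # v = 0.5, k = 0.000005, 2 t_I = t_II = 0.5, L_I = 2 L_II = $10M.
    for cls, t, L in (("I", 0.25, 1e7), ("II", 0.5, 5e6)):
        r = compare_individual_vs_joint(cls, 0.5, 5e-6, t, 0.5, L)
        print(f"Class {cls}: S_D = ${r['S_D'] / 1e6:.2f}M, "
              f"S_J = ${r['S_J'] / 1e6:.2f}M, C_D = ${r['C_D'] / 1e6:.3f}M, "
              f"C_J = ${r['C_J'] / 1e6:.3f}M, "
              f"increase = {r['increase_pct_of_loss']:.1f}% of loss")
```

Running the script prints the two individual-versus-joint comparisons; the Class I figures round to the $0.3 M and $0.4 M reported above, and in both classes the joint investment is higher while the expected cost is lower.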
5.2. Liability
Liability offered by the legal system is an effective way to internalise the negative externality of interconnection (Kunreuther & Heal, 2003). Breaches can be observable for a variety of legal and social reasons. Nowadays firms in the vast majority of the United States—46 states as of October 12, 2010—are legally required to disclose security breaches involving exposure of personal information. For breaches that lead to service disruptions to internal employees and external customers, social word-of-mouth can spread the breach information (Lee, Geng, & Raghunathan, 2013). Thus we assume that breaches can be observed and the legal system can identify whether a breach is direct or indirect. If a firm suffers an indirect breach, the other firm that provides access to attackers should bear the liability and compensate for the damage to the former. We use the parameter $k$ to denote the intensity of the legal system's punishment, i.e. the portion of liability. Therefore, if firm 1 suffers an indirect breach, firm 2 should compensate firm 1 for the damage of $kL$, and vice versa. Firm 1 can suffer a breach in three ways. First, attackers directly breach firm 1 and then breach firm 2 indirectly via firm 1; this breach probability is given by $p_1q(1-p_2)$. In this scenario, firm 1 should take on both firms' losses; thus, firm 1's expected cost is $(1+k)L\cdot p_1q(1-p_2)$. Second, attackers only breach firm 1 directly and do not breach firm 2 indirectly via firm 1; this breach probability is $p_1 - qp_1(1-p_2)$. In this scenario, firm 1 should only undertake its own loss; thus, firm 1's expected cost is $L\cdot[p_1 - qp_1(1-p_2)]$. Third, attackers breach firm 2 directly and then breach firm 1 indirectly via firm 2; this breach probability is $p_2q(1-p_1)$. In this scenario, firm 1 suffers a loss $L$ and then obtains compensation from firm 2; thus firm 1's expected cost is $(1-k)L\cdot p_2q(1-p_1)$. Therefore, the total expected cost of firm 1 is

$$C_L = [p_1(1 + kq - p_2q) + p_2q(1-k)]L + S_1 \qquad (27)$$
Solving this formula yields firm 1's optimal investment under liability:

$$S^*_L = p'^{-1}\left(\frac{-1/L}{1 + (k - p(S^*_L))q}\right).$$

Compared to the optimal investment of individual decisions, we obtain $S^*_D < S^*_L$, which means the optimal investment under liability is higher than that of individual decisions. Hence the security level under liability is higher than that of individual decisions.
Next we compare the total expected cost of liability with that of individual decisions. Because the information security investments of symmetric firms are equal, the total expected cost of liability can be expressed as $C^*_L = [p(S^*_L) + p(S^*_L)q - p^2(S^*_L)q]L + S^*_L$. Since $\partial C^*_L/\partial S^*_L < 0$ when $L > L_0$, we obtain $C^*_L < C^*_D$, which means the total expected cost of liability is lower than that of individual decisions. Therefore, we can conclude that liability is an effective economic incentive that not only can improve an interconnected firm's security level but also can reduce its total expected cost.
Next we seek to find whether liability can internalise the negative externality of interconnection. We differentiate $S^*_L$ with respect to $q$ to get

$$\frac{\partial S^*_L}{\partial q} = (k - p)\left(p''\right)^{-1}\frac{1}{L(1 + (k-p)q)^2},$$

so $\partial S^*_L/\partial q > 0$ only when $k > p(S^*_L)$. That is, when $k > p(S^*_L)$, an interconnected firm's optimal security investment increases with the network vulnerability for both attack types. Therefore, the mechanism of liability can internalise the negative externality of interconnection in the information security investment only when the portion of liability is greater than the breach probability.
We now deduce the relationship between the optimal investment and the portion of liability. We note that

$$\frac{\partial S^*_L}{\partial k} = q\left(p''\right)^{-1}\frac{1}{L\left(1 + (k - p(S^*_L))q\right)^2} > 0,$$

thus the optimal investment under liability increases with the portion of liability. We also find that the firm will underinvest when $k < 1 - 2p(S^*_J) + p(S^*_L)$ and overinvest when $k > 1 - 2p(S^*_J) + p(S^*_L)$. Therefore, the mechanism of liability can make firms overinvest or underinvest in security if the intensity of the legal system's punishment is set improperly.
Proposition 4. For both attack types, liability is an effective economic incentive that not only can improve an interconnected firm’s security level but also can reduce its total expected cost. An interconnected firm’s optimal investment increases with the network vulnerability once the portion of liability is greater than the breach probability.
Proposition 4 demonstrates that liability is an effective mechanism that can improve the security level, reduce the total expected cost, and internalise the negative externality of network vulnerability. However, the mechanism of liability only internalises the negative externality of interconnection and encourages firms to invest more in security when the portion of liability is greater than the breach probability. In order to overcome the negative externality of interconnection, the legal system should ensure that the portion of liability is greater than the breach probability. But if the punishment intensity is excessive, firms might overinvest in security. As a result, the mechanism of liability will cause misallocation and waste of resources. An appropriate level of punishment intensity needs to be set to appropriately motivate firms and increase the level of social welfare.
After determining the punishment intensity, the next question is how to make the mechanism of liability work. The mechanism of liability is similar to the risk pooling arrangement (RPA). An RPA is a mutual form of insurance organisation in which the policyholders are also the owners (Zhao et al., 2013). Before breaches occur, both firms give the same amount of money to a mutual insurer, like the legal system. Because the breaches can be observed and the legal system can identify whether a breach is direct or indirect, the legal system can use the mutual insurance to compensate firms who suffer indirect breaches. For example, both firms give $40,000 to the legal system. Suppose firm 1 suffers a direct breach and firm 2 suffers an indirect breach because of firm 1, and both firms' losses are $30,000. According to the portion of liability (for example, $k = 1/3$), firm 1 should compensate firm 2 for $10,000 and the legal system should use the mutual insurance to compensate firm 2 for $20,000. As a result, both firms have $30,000 remaining in the mutual insurance, and firm 1 suffers a loss of $40,000 and firm 2 suffers a loss of $20,000. If firm 2 suffers an indirect breach from firm 1, but firm 1 does not suffer a direct breach, this scenario is a possible case of crime committed by firm 1, and how to solve such a case is outside the scope of this paper. Since identifying the nature of attacks, direct or indirect, and assigning blame to the responsible party is difficult in the network environment, we analyse another effective economic incentive: security information sharing.
5.3. Security information sharing
Sharing information related to computer security breaches and unsuccessful breach attempts is a desirable way of supplementing the technical solutions to security problems for firms (Gordon et al., 2003). Because sharing alliances yield greater benefits in more competitive industries (Gal-Or & Ghose, 2005), the US government has developed many security-based information sharing organisations, such as the CERT Coordination Centre, the Information Sharing Analysis Centres, the Secret Service Electronic Crimes Task Force, etc. We discuss the benefit of security information sharing and provide insight into the impact of security information sharing on both attack types in this section.

We follow the formulation of Gordon et al. (2003) in defining security information sharing of information security investment. That is, if a firm shares security information with the other firm, a portion of the former's information security investment will benefit the latter without diminishing (or enhancing) the benefit to the former. Essentially, the intuition is that the disclosure of vulnerabilities in a particular type of security technology by one firm leads the other firm to invest less in that technology or procure a smaller amount of that product. A direct consequence of such security information sharing would be pre-emptive cost savings in technology investment (Gal-Or & Ghose, 2005). For simplicity, we make the following assumptions about the security information sharing:
Assumption 4. We assume that if a firm obtains security information from others that it cannot obtain freely, the others' security investment adds to the firm's. We also assume that the two firms share security information with each other without the risk of leakage.
We use $h_i$ to denote the portion of security information that firm $i$ shares with the other firm. In other words, security information sharing by firm $i$ will shift firm $j$'s information security investment by $h_iS_i$. Thus, we can rewrite firm 1's total expected cost in this scenario as follows:

$$C_S = \left[p_1(S_1 + hS_2) + \left(1 - p_1(S_1 + hS_2)\right)qp_2(S_2 + hS_1)\right]L + S_1 \qquad (28)$$
Solving this formula yields firm 1's optimal investment under security information sharing:

$$S^*_S = p'^{-1}\left(\frac{-1/L}{1 + qh - (1+h)qp(S^*_S)}\right).$$

Comparing the optimal investment under security information sharing with that of individual decisions, we obtain $S^*_D < S^*_S$, which means the optimal investment under security information sharing is higher than that of individual decisions. Hence the security level under security information sharing is higher than that of individual decisions.
Next we compare the total expected cost of security information sharing with that of individual decisions. With $\partial C_S^*/\partial\theta < 0$, $C_S^* = \big[\,p_1(S_S^*) + (1-p_1(S_S^*))\,q\,p_2(S_S^*)\,\big]\,L + S_S^*$ is the maximum total expected cost of security information sharing. Given that $\partial C_D^*/\partial S_D^* < 0$ when $L > L_0$, and $S_D^* < S_S^*$, we obtain $C_S^* < C_D^*$, which means that the total expected cost of security information sharing is lower than that of individual decisions. Therefore, we can conclude that security information sharing is an effective economic incentive that not only can improve an interconnected firm's security level but also can reduce its total expected cost.
Next we seek to find whether security information sharing can internalise the negative externality of interconnection. We differentiate $S_S^*$ with respect to $q$ to get $\dfrac{\partial S_S^*}{\partial q} = \big(\theta(1-p)-p\big)\,p''^{-1}\,\dfrac{1}{L\big(1+q\theta-(1+\theta)qp\big)^2}$. We obtain that $\partial S_S^*/\partial q > 0$ only when $\theta > \dfrac{p(S_S^*)}{1-p(S_S^*)}$. We define an "effective value" of security information sharing as $\theta_0 = \dfrac{p(S_S^*)}{1-p(S_S^*)}$, given an information system and its environment. That is, when $\theta > \theta_0$, an interconnected firm's optimal security investment increases with the network vulnerability for both attack types. Therefore, the mechanism of security information sharing can internalise the negative externality of interconnection in the information security investment only when the portion of security information sharing is greater than the "effective value".
We now deduce the relationship between the optimal investment and the portion of security information sharing. We note that $\dfrac{\partial S_S^*}{\partial\theta} = (q-qp)\,p''^{-1}\,\dfrac{1}{L\big(1+q\theta-(1+\theta)qp\big)^2} > 0$, and that $S_S^* = S_D^*$ when $\theta = 0$ and $S_S^* = S_J^*$ when $\theta = 1$. Therefore, the optimal investment increases with the portion of security information sharing; the optimal investment under security information sharing equals the optimal investment under individual decisions if firms do not share security information, and equals the social optimal investment level if firms share security information completely.
Proposition 5. For both attack types, security information sharing is an effective economic incentive that not only can improve an interconnected firm's security level but also can reduce its total expected cost. An interconnected firm's optimal investment increases with the network vulnerability only when the portion of security information sharing is greater than an "effective value".
This proposition provides an interconnected firm with inspiration to adopt the mechanism of security information sharing. First, sharing security information is always beneficial and can improve the level of information security as well as reduce the total expected cost. Second, sharing information internalises the negative externality of interconnection and encourages firms to invest more in security only when the portion of security information sharing is greater than the "effective value". Thus, in order to overcome the negative externality of interconnection, associations like the CERT Coordination Centre can play a coordinating role by stipulating that every member's portion of security information sharing must be greater than the "effective value".
5.4. Numerical analysis
In this section, we conduct a numerical analysis to demonstrate these propositions. Because the numerical analysis of the total expected cost is similar to that of the optimal security investment, we only show the latter. Specifically, we use the following parameters for the numerical analysis (the results are similar when these values are varied):
$v = 0.5$, $k = 0.000005$, $2t_I = t_{II} = 0.8$, $L_I = 2L_{II} = \$4M$, $q \in \{0.2, 0.4, 0.6, 0.8\}$, $\lambda \in \{0, 0.1, 0.2, \ldots, 1\}$, and $\theta \in \{0, 0.1, 0.2, \ldots, 1\}$.
Table 2 shows the results for all 40 scenarios. It should be noted that the optimal investment of joint decisions is equal to the optimal investment of individual decisions when the network vulnerability equals zero. Based on the numerical results, the optimal investment of joint decisions is always greater than that of individual decisions, irrespective of attack types, and the optimal security investment of joint decisions increases with the network vulnerability.
We analyse the results via two plots. Because the plots for Class I and II are similar, we only provide pictures for the former. First, we plot the network vulnerability against the intensity of liability and the optimal investment to compare the mechanisms of joint decision and liability.
Fig. 6 shows that (1) the optimal investment of liability increases with the portion of liability; (2) the optimal investment of liability decreases with the network vulnerability when $\lambda < 0.1$ and increases with the network vulnerability when $\lambda > 0.1$; and (3) the optimal investment of liability is always less than the optimal investment of joint decision when $\lambda < 0.8$ but greater than the optimal investment of joint decision when $\lambda > 0.8$. These three findings verify Proposition 4. In this situation, the minimum portion of the liability is 0.1 and the maximum portion of the liability is 0.8; within this range the legal system will not cause a waste of resources.
Second, we plot the network vulnerability against the portion of security information sharing and the optimal investment to compare the mechanisms of joint decision and security information sharing:
Fig. 7 shows that (1) the optimal investment of security information sharing increases with the portion of security information sharing; (2) the optimal investment of security information sharing decreases with the network vulnerability when $\theta < 0.2$ and increases with the network vulnerability when $\theta > 0.2$; and (3) the lower bound of the optimal investment of security information sharing is the optimal investment of individual decision, and its upper bound is the optimal investment of joint decisions. These three findings verify Proposition 5. In this situation, the "effective value" of security information sharing is equal to 0.2. The negative externality of interconnection can be internalised only when $\theta > 0.2$. Thus associations of security information sharing should stipulate the rule that each member's portion of security information sharing should be greater than 0.2.
6. Extension to three or more firms
In this section we extend the model from two firms to any finite number, N, of firms, where N > 2. Consider N symmetric fully interconnected firms, i.e., all firms are directly connected to each other. We use subscript N to denote this extension. For simplicity, we make the following assumption about the case of N firms:
Assumption 5. We only consider first-order indirect attacks. That is, if more than two indirect attacks occur through firm 1, firm 1 is only responsible for the first firm that is attacked indirectly. This assumption is reasonable when $q$ is small. More than one severe security breach in a day is not likely to be common, so we also assume that the loss is unchanged irrespective of the number of breaches. That is, the loss from another indirect attack can be ignored if the firm has already suffered an indirect attack.
Table 2
Optimal security investments under the four schemes (all investment levels are in units of 0.1 M, i.e. multiply by 0.1 M; "T" = targeted attack, "O" = opportunistic attack).

λ = θ    q     Individual (T, O)    Joint (T, O)    Liability (T, O)    Information sharing (T, O)
0        0.2   1.959  2.855        2.314  3.345    1.959  2.855        1.959  2.855
0        0.4   1.917  2.759        2.614  3.726    1.917  2.759        1.917  2.759
0        0.6   1.874  2.652        2.902  4.080    1.874  2.652        1.874  2.652
0        0.8   1.829  2.530        3.179  4.407    1.829  2.530        1.829  2.530
0.1      0.2   1.959  2.855        2.314  3.345    2.000  2.916        1.996  2.907
0.1      0.4   1.917  2.759        2.614  3.726    2.000  2.888        1.992  2.869
0.1      0.6   1.874  2.652        2.902  4.080    2.000  2.857        1.988  2.827
0.1      0.8   1.829  2.530        3.179  4.407    2.000  2.824        1.983  2.782
0.2      0.2   1.959  2.855        2.314  3.345    2.040  2.975        2.032  2.959
0.2      0.4   1.917  2.759        2.614  3.726    2.081  3.010        2.065  2.976
0.2      0.6   1.874  2.652        2.902  4.080    2.122  3.050        2.098  2.994
0.2      0.8   1.829  2.530        3.179  4.407    2.163  3.083        2.132  3.013
0.3      0.2   1.959  2.855        2.314  3.345    2.080  3.033        2.068  3.009
0.3      0.4   1.917  2.759        2.614  3.726    2.160  3.126        2.137  3.080
0.3      0.6   1.874  2.652        2.902  4.080    2.240  3.221        2.206  3.152
0.3      0.8   1.829  2.530        3.179  4.407    2.319  3.317        2.276  3.228
0.4      0.2   1.959  2.855        2.314  3.345    2.120  3.090        2.104  3.059
0.4      0.4   1.917  2.759        2.614  3.726    2.237  3.238        2.208  3.179
0.4      0.6   1.874  2.652        2.902  4.080    2.354  3.385        2.312  3.303
0.4      0.8   1.829  2.530        3.179  4.407    2.469  3.530        2.415  3.429
0.5      0.2   1.959  2.855        2.314  3.345    2.158  3.146        2.140  3.108
0.5      0.4   1.917  2.759        2.614  3.726    2.314  3.345        2.278  3.277
0.5      0.6   1.874  2.652        2.902  4.080    2.465  3.539        2.415  3.447
0.5      0.8   1.829  2.530        3.179  4.407    2.614  3.726        2.551  3.616
0.6      0.2   1.959  2.855        2.314  3.345    2.197  3.201        2.175  3.157
0.6      0.4   1.917  2.759        2.614  3.726    2.388  3.448        2.347  3.372
0.6      0.6   1.874  2.652        2.902  4.080    2.574  3.684        2.517  3.584
0.6      0.8   1.829  2.530        3.179  4.407    2.754  3.908        2.683  3.792
0.7      0.2   1.959  2.855        2.314  3.345    2.235  3.254        2.210  3.205
0.7      0.4   1.917  2.759        2.614  3.726    2.462  3.547        2.415  3.464
0.7      0.6   1.874  2.652        2.902  4.080    2.680  3.822        2.616  3.716
0.7      0.8   1.829  2.530        3.179  4.407    2.890  4.078        2.812  3.958
0.8      0.2   1.959  2.855        2.314  3.345    2.273  3.307        2.245  3.252
0.8      0.4   1.917  2.759        2.614  3.726    2.533  3.643        2.482  3.554
0.8      0.6   1.874  2.652        2.902  4.080    2.783  3.952        2.713  3.842
0.8      0.8   1.829  2.530        3.179  4.407    3.022  4.237        2.937  4.116
0.9      0.2   1.959  2.855        2.314  3.345    2.311  3.358        2.279  3.300
0.9      0.4   1.917  2.759        2.614  3.726    2.605  3.735        2.549  3.641
0.9      0.6   1.874  2.652        2.902  4.080    2.884  4.077        2.809  3.963
0.9      0.8   1.829  2.530        3.179  4.407    3.150  4.387        3.059  4.265
1        0.2   1.959  2.855        2.314  3.345    2.348  3.408        2.314  3.345
1        0.4   1.917  2.759        2.614  3.726    2.675  3.824        2.614  3.726
1        0.6   1.874  2.652        2.902  4.080    2.983  4.196        2.902  4.080
1        0.8   1.829  2.530        3.179  4.407    3.275  4.530        3.179  4.407
First we discuss the situation of individual decision. Firm 1's total expected cost under individual decision is now:
$$C_{DN} = \Big[1 - (1-p_1)\prod_{i=2}^{N}(1-q\,p_i)\Big]L + S_1 \qquad (29)$$
We obtain the optimal security investment of firm 1:
$$S_{DN}^* = p'^{-1}\!\left(\frac{-1/L}{(1-qp)^{N-1}}\right) \qquad (30)$$
According to the first-order condition w.r.t. $L$, we get $\dfrac{\partial S_{DN}^*}{\partial L} = p''^{-1}\,\dfrac{1}{L^2(1-qp)^{N-1}} > 0$, which means that in the situation of individual decision, the optimal security investment increases with the potential loss for both attack types when there are $N$ firms.
According to the first-order condition w.r.t. $q$, we get $\dfrac{\partial S_{DN}^*}{\partial q} = -\,p''^{-1}\,\dfrac{Np}{L(1-qp)^{N}} < 0$, which means that in the situation of individual decision, the optimal security investment decreases with the network vulnerability for both attack types when there are $N$ firms.
Fig. 6. Comparison between joint decision and liability.
Fig. 7. Comparison between joint decision and security information sharing.
According to the first-order condition w.r.t. $N$, we get $\dfrac{\partial S_{DN}^*}{\partial N} = p''^{-1}\,\dfrac{\ln(1-qp)}{L(1-qp)^{N-1}} < 0$, which means that in the situation of individual decision, the optimal security investment decreases with the number of firms for both attack types when there are $N$ firms.
Second we discuss the situation of joint decision. Firm 1's total expected cost under joint decision is now:
$$C_{JN} = \sum_{i=1}^{N}\Big\{\Big[1 - \prod_{j=1}^{N}(1-\eta\,p_j)\Big]L + S_i\Big\} \qquad (31)$$
where $\eta = q$ if $i \neq j$ and $\eta = 1$ if $i = j$. We obtain the optimal security investment of firm 1:
$$S_{JN}^* = p'^{-1}\!\left(\frac{-1/L}{(1-qp)^{N-2}\,(1+Nq-Npq-q)}\right) \qquad (32)$$
According to the first-order condition w.r.t. $q$, we get $\dfrac{\partial S_{JN}^*}{\partial q} = p''^{-1}\,\dfrac{1}{L}\,\dfrac{(N-1)\big(pq(Np+1-q)+1-2p\big)}{(1-pq)^{N-1}\big(Nq(p-1)+q-1\big)^2} > 0$, which means that in the situation of joint decision, the optimal security investment increases with the network vulnerability for both attack types when there are $N$ firms.
According to the first-order condition w.r.t. $N$, we get $\dfrac{\partial S_{JN}^*}{\partial N} = p''^{-1}\,\dfrac{\ln(1-qp)\big(Nq(p-1)+q-1\big)+qp-q}{-L(1-qp)^{N-2}\big(Npq-Nq+q-1\big)^2}$, and $\partial S_{JN}^*/\partial N > 0$ only when $N < \dfrac{(1-q)\ln(1-qp)+q(1-p)}{\ln(1-qp)\,q(p-1)}$, which means that in the situation of joint decision, the optimal security investment increases with the number of firms for both attack types only when the number of firms is not too large.
Next we consider the scenario of liability. Similar to the situation of liability with two firms, firm 1 can suffer a breach in three ways. First, attackers directly breach firm 1 and then breach one to $N-1$ other firms; firm 1 should take on all breached firms' losses, so firm 1's expected cost is $\sum_{i=1}^{N-1}(1+i\lambda)\,L\,p_1 q^i(1-p)^i$. Second, attackers breach only firm 1 directly and do not breach any other firm indirectly via firm 1; firm 1 should undertake only its own loss, so firm 1's expected cost is $\big[p_1 - \sum_{i=1}^{N-1} p_1 q^i(1-p)^i\big]L$. Third, attackers breach firm $i$ directly and then breach firm 1 indirectly via firm $i$; firm 1 suffers a loss $L$ and then obtains compensation from firm $i$. Because another indirect attack on firm 1, and an indirect attack resulting from an indirect attack, can be ignored, firm 1's expected cost is $(1-\lambda)\,L\,p_i q(1-p_1)$. Therefore, firm 1's total expected cost under liability is now:
$$C_{LN} = \Big\{\sum_{i=1}^{N-1}\big[i\lambda\,p_1 q^i(1-p)^i\big] + p_1 + (1-\lambda)\,pq\,(1-p_1)\Big\}L + S_1 \qquad (33)$$
We obtain the optimal security investment of firm 1:
$$S_{LN}^* = p'^{-1}\!\left(\frac{-1/L}{\sum_{i=1}^{N-1}\big[i\lambda q^i(1-p)^i\big] + (\lambda-1)pq + 1}\right) \qquad (34)$$
According to the first-order condition w.r.t. $q$, we get $\dfrac{\partial S_{LN}^*}{\partial q} = p''^{-1}\,\dfrac{\sum_{i=1}^{N-1}\big[i^2\lambda q^{i-1}(1-p)^i\big] + (\lambda-1)p}{L\Big(\sum_{i=1}^{N-1}\big[i\lambda q^i(1-p)^i\big] + (\lambda-1)pq + 1\Big)^2}$; we obtain that $\partial S_{LN}^*/\partial q > 0$ only when $\lambda > \dfrac{p}{\sum_{i=1}^{N-1}\big[i^2 q^{i-1}(1-p)^i\big] + p}$. That is, in the situation of liability, an interconnected firm's optimal security investment increases with the network vulnerability for both attack types only when the portion of liability is large enough. Therefore, similar to the situation of liability with two firms, when there are $N$ firms, the mechanism of liability can internalise the negative externality of interconnection in the information security investment only when the portion of liability is large enough.
According to the first-order condition w.r.t. $\lambda$, we get $\dfrac{\partial S_{LN}^*}{\partial\lambda} = p''^{-1}\,\dfrac{\sum_{i=1}^{N-1}\big[i q^i(1-p)^i\big] + pq}{L\Big(\sum_{i=1}^{N-1}\big[i\lambda q^i(1-p)^i\big] + (\lambda-1)pq + 1\Big)^2} > 0$, which means that in the situation of liability, the optimal security investment increases with the portion of liability for both attack types when there are $N$ firms.
From (34), we can easily find that $\partial S_{LN}^*/\partial N > 0$, which means that in the situation of liability, the optimal security investment increases with the number of firms for both attack types.
In the end we discuss the scenario of security information sharing. Firm 1's total expected cost under security information sharing is now:
$$C_{SN} = \Big\{1 - \prod_{i=1}^{N}\Big[1 - \eta\,p\Big(\sum_{j=1}^{N}\omega S_j\Big)\Big]\Big\}L + S_1 \qquad (35)$$
where $\eta = q$ if $i \neq 1$ and $\eta = 1$ if $i = 1$, and $\omega = \theta$ if $i \neq j$ and $\omega = 1$ if $i = j$. We obtain the optimal security investment of firm 1:
$$S_{SN}^* = p'^{-1}\!\left(\frac{-1/L}{(1-pq)^{N-1} + (N-1)(1-p)q\theta}\right) \qquad (36)$$
According to the first-order condition w.r.t. $q$, we get $\dfrac{\partial S_{SN}^*}{\partial q} = p''^{-1}\,\dfrac{1-N}{L}\,\dfrac{p(1-pq)^{N-2} - (1-p)\theta}{\big[(1-pq)^{N-1} + (N-1)(1-p)q\theta\big]^2}$; we obtain that $\partial S_{SN}^*/\partial q > 0$ only when $\theta > \dfrac{p(1-pq)^{N-2}}{1-p}$. That is, in the situation of security information sharing, an interconnected firm's optimal security investment increases with the network vulnerability for both attack types only when the portion of security information sharing is large enough. Therefore, similar to the situation of security information sharing with two firms, when there are $N$ firms, the mechanism of security information sharing can internalise the negative externality of interconnection in information security investment only when the portion of security information sharing is large enough.
According to the first-order condition w.r.t. $\theta$, we get $\dfrac{\partial S_{SN}^*}{\partial\theta} = p''^{-1}\,\dfrac{1}{L}\,\dfrac{(N-1)(1-p)q}{\big[(1-pq)^{N-1} + (N-1)(1-p)q\theta\big]^2}$; we obtain that $\partial S_{SN}^*/\partial\theta > 0$, which means that in the situation of security information sharing, the optimal security investment increases with the portion of security information sharing for both attack types when there are $N$ firms.
According to the first-order condition w.r.t. $N$, we get $\dfrac{\partial S_{SN}^*}{\partial N} = p''^{-1}\,\dfrac{1}{L}\,\dfrac{(1-pq)^{N-1}\ln(1-pq) + (1-p)q\theta}{\big[(1-pq)^{N-1} + (N-1)(1-p)q\theta\big]^2}$; we obtain that $\partial S_{SN}^*/\partial N > 0$ only when $N > \dfrac{\ln\!\Big(\dfrac{(p-1)q\theta}{\ln(1-pq)}\Big)}{\ln(1-pq)} + 1$, which means that in the situation of security information sharing, the optimal security investment increases with the number of firms for both attack types only when the number of firms is large enough.
Proposition 6. Given three or more firms, for both attack types, both economic incentives are effective to internalize the negative externality of interconnection if their rules are set properly. With increasing number of firms, the optimal investment of liability always increases but the optimal investment of security information sharing increases only when the number of firms is large enough.
Proposition 6 shows that both economic incentives are effective in internalising the negative externality of interconnection if their rules are set properly in the case of three or more firms. That is, the optimal investments under both economic incentives increase with the network vulnerability only when the portion of liability (or the portion of security information sharing) is large enough. In addition, the optimal investments under both economic incentives always increase with the portion of liability (or the portion of security information sharing), regardless of the number of firms. Compared to the case of two firms in Proposition 4 and Proposition 5, Proposition 6 offers some new insights. First, with an increasing number of firms, the optimal security investment of individual decision always decreases, the optimal security investment of liability always increases, the optimal security investment of joint decision increases only when the number of firms is not too large, and the optimal security investment of security information sharing increases only when the number of firms is large enough. Second, the portion of liability (or the portion of security information sharing) that enables both economic incentives to internalise the negative externality of interconnection is decided not only by the breach probability, but also by the number of firms. These findings highlight the importance of adequately assessing the number of a firm's partners, especially for associations of security information sharing.
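As an added worked example (not the paper's own code), covering both the two-firm sharing formulas of Section 5.3 and the $N$-firm closed forms (30), (32), (34) and (36) of this section: the script below solves each scheme's symmetric first-order condition $p'(S^*) = -1/(L\,D(p(S^*)))$ numerically, where $D$ is the scheme-specific denominator inside $p'^{-1}(\cdot)$. The breach probability function, its parameters $v$, $k$, $t$ and the loss $L$ are assumptions made here so that the equations can be evaluated (a Gordon-Loeb class I shape, not the paper's targeted and opportunistic functions), so the numbers it produces are not those of Table 2. It checks that the sharing optimum coincides with the individual optimum at $\theta = 0$ and with the joint optimum at $\theta = 1$, computes the two-firm "effective value" $\theta_0$, and traces how each scheme's optimum moves with the number of firms $N$.

```python
"""Symmetric optimal security investment under the paper's four schemes.

Added example, not the paper's own code. The breach probability function is an
ASSUMPTION (a Gordon-Loeb class I shape) chosen only so that the first-order
conditions can be solved numerically; it is not the paper's function, and the
figures it yields are not those of Table 2.
"""

# Hypothetical parameters (assumption): v = intrinsic vulnerability, k and t
# shape the breach function, L = potential loss in dollars.
V, K, T = 0.5, 5e-6, 0.8
L = 4_000_000.0


def breach_prob(s):
    """p(S): probability of a direct breach after investing S; decreasing, convex."""
    return V / (K * s + 1.0) ** T


def breach_prob_deriv(s):
    """p'(S) < 0."""
    return -V * T * K / (K * s + 1.0) ** (T + 1.0)


# Each scheme's symmetric first-order condition has the form
#     p'(S*) = -1 / (L * D(p(S*)))
# where D is the denominator of the paper's closed form: (30) individual,
# (32) joint, (34) liability (portion lam), (36) information sharing (portion theta).
def d_individual(p, n, q, lam=0.0, theta=0.0):
    return (1.0 - q * p) ** (n - 1)


def d_joint(p, n, q, lam=0.0, theta=0.0):
    return (1.0 - q * p) ** (n - 2) * (1.0 + n * q - n * p * q - q)


def d_liability(p, n, q, lam=0.0, theta=0.0):
    tail = sum(i * lam * q ** i * (1.0 - p) ** i for i in range(1, n))
    return tail + (lam - 1.0) * p * q + 1.0


def d_sharing(p, n, q, lam=0.0, theta=0.0):
    return (1.0 - p * q) ** (n - 1) + (n - 1) * (1.0 - p) * q * theta


SCHEMES = {"individual": d_individual, "joint": d_joint,
           "liability": d_liability, "sharing": d_sharing}


def optimal_investment(scheme, n=2, q=0.2, lam=0.0, theta=0.0, hi=5e7, tol=1e-3):
    """Solve the first-order condition for S* (in dollars) by bisection on
    g(S) = p'(S) * L * D(p(S)) + 1, which is negative at S = 0 whenever investing
    pays at all and tends to +1 as S grows."""
    d_fn = SCHEMES[scheme]

    def g(s):
        return breach_prob_deriv(s) * L * d_fn(breach_prob(s), n, q, lam, theta) + 1.0

    lo = 0.0
    if g(lo) >= 0.0:
        return 0.0          # corner solution: investing nothing is optimal
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if g(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def effective_sharing_value(q=0.2, theta=0.5):
    """Two-firm 'effective value' theta_0 = p(S_S*) / (1 - p(S_S*)) (Section 5.3):
    the sharing optimum rises with q only when theta exceeds it."""
    p_star = breach_prob(optimal_investment("sharing", n=2, q=q, theta=theta))
    return p_star / (1.0 - p_star)


def investment_by_firm_count(scheme, ns, q=0.2, lam=0.0, theta=0.0):
    """S* for each N in ns, to inspect the direction claimed in Section 6."""
    return [optimal_investment(scheme, n=n, q=q, lam=lam, theta=theta) for n in ns]


if __name__ == "__main__":
    for scheme, kw in [("individual", {}), ("joint", {}),
                       ("liability", {"lam": 0.5}), ("sharing", {"theta": 0.5})]:
        s = optimal_investment(scheme, n=2, q=0.8, **kw)
        print(f"{scheme:11s} N=2 q=0.8  S* = {s:12,.0f}  p(S*) = {breach_prob(s):.3f}")
    print("effective value theta_0 (N=2, q=0.8):",
          round(effective_sharing_value(q=0.8, theta=0.5), 3))
    print("sharing S* vs N (theta=0.1):",
          [round(s) for s in investment_by_firm_count("sharing", [2, 10, 30, 60], theta=0.1)])
```

With these assumed parameters the ordering $S_D^* < S_S^* < S_J^*$ holds for any $0 < \theta < 1$, the individual optimum falls and the liability optimum rises as $N$ grows, and the sharing optimum with a small $\theta$ first falls and only turns upward once $N$ passes the threshold given after (36).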
7. Conclusions
Although research into information security has received some attention, economic considerations related to information security investment are rare. The current understanding of the optimal information security investment and the optimal economic incentives for interconnected firms is limited. In this paper, we employ game theory to model the relationship between the optimal information security investment and the characteristics of firms' security environment, and propose two economic incentives to solve the interdependent risk problem. In summary, we have made the following contributions to research. First, we model the optimal information security investments of firms by taking into account the reality that firms face different attack types. We follow prior studies by identifying targeted and opportunistic attacks as two attack types that firms face and provide insights into firms' characteristics to better understand their behaviours under different scenarios. Second, our model considers the information systems of interconnected firms, which is a more realistic assumption than the individual systems assumed by prior studies. Lastly, our study extends prior studies by discussing two effective economic incentives that not only can internalise the negative externality and improve a firm's security level but also can reduce its total expected cost.
Our results offer some insights into information security man- agement practices.
(1) Not all information security risks are worth fighting against. As the potential loss increases, it is unadvisable to increase the security investment proportionately. A firm is better off not investing in security until the potential loss reaches a certain value for a given attack type. Firms should stop investing in security and adopt other measures when the potential loss is catastrophic. These findings emphasise the importance of adequate assessment of firms’ potential loss and identifying the nature of attacks.
(2) A firm should correspondingly increase investment with intrinsic vulnerability when facing targeted attacks, while focusing on those systems that fall into the midrange of intrinsic vulnerability when facing opportunistic attacks. Since intrinsic vulnerability is decided by the configuration of the information system, firms should redefine the system configuration to reduce intrinsic vulnerability rather than invest against opportunistic attacks when the system is in a dangerous configuration.
(3) Firms are unwilling to invest in security and often offload reliability problems onto others when the trusted interdependence relationship becomes tighter in the absence of economic incentives. When the network vulnerability is less than $e^{-2}$, the network vulnerability has a stronger impact on a firm's investment when the firm faces targeted attacks than when it faces opportunistic attacks.
(4) The optimal investment of joint decision can increase the security level, decrease the total expected cost, and internalise the negative externality of network vulnerability. Firms have more incentives to jointly decide their investments when they mainly face opportunistic instead of targeted attacks.
(5) In order to solve the prisoner's dilemma in the information security investment game, besides redefining the trusted interdependence relationship with their partners to reduce the network vulnerability, two economic incentives, liability and security information sharing, can be used to internalise the negative externality of information security. We find that if the rules are set properly, both of them can effectively internalise the negative externality, improve a firm's security level, and reduce the total expected cost. For liability, the legal system should enact rules to specify the appropriate portion of liability. The negative externality of interconnection will not be overcome if the portion of liability is too low, but overinvestment in security could result if the portion of liability is too high. For security information sharing, associations of security information sharing should stipulate the rule that each member's portion of security information sharing should be greater than an "effective value" in order to overcome the negative externality of interconnection.
(6) Both economic incentives are effective in the case of three or more firms. With more firms, the optimal investment of liability always increases, but the optimal investment of security information sharing increases only when the number of firms is large enough. In the case of three or more firms, the effective portion of liability (or the effective portion of security information sharing) is decided not only by the breach probability, but also by the number of firms. These insights draw attention to the many trade-offs firms often face and the importance of accurate assessment of firms' security environment, including potential loss, the nature of attacks, intrinsic vulnerability, network vulnerability and the number of partners. Firms can evaluate these factors by using many methods such as the expert grading method and decision trees. For example, Huang, Lin, Lin, and Sun (2013) formulate an analysis model to express the security grades of software vulnerability. Andoh-Baidoo and Osei-Bryson (2007) use a decision tree to analyse the observed cumulative abnormal stock market return, which is one measure of the loss of the breached firms.
As with all analytical models, this study has limitations. First, the information security investment game has two participants: firms and hackers. In our analysis, we ignore the behaviour of hackers and only consider the firms' behaviours. Second, we use two breach probability functions to represent targeted and opportunistic attacks, assuming that they are independent of each other. However, targeted and opportunistic attacks may occur simultaneously in the real world, which we do not consider in this study. Our study points to several future directions for research. For instance, this work could be extended by modelling the behaviours of firms and hackers when firms are interconnected and hackers share information. Another interesting direction is to design incentive mechanisms that could encourage firms to decide jointly and share security information, and guide the legal system in stipulating rules to enforce firms' compliance. In addition, information security investments will be different in the situation of multiple breaches, and our work can be extended to include this situation. Lastly, the managerial implications of our findings can be examined with empirical data in a future study.
Acknowledgements
The research presented in this paper is supported by the National Natural Science Foundation Project of China (71390331 & 71390333), the Program for New Century Excellent Talents in University (NCET-13-0460), the National Soft Science Project of China (2014GXS4D151), the Soft Science Project of Shaanxi province (2014KRZ04), and the Fundamental Research Funds for the Central Universities.
References
Anderson, R., & Moore, T. (2006). The economics of information security. Science, 314, 610–613.
Andoh-Baidoo, F. K., & Osei-Bryson, K. M. (2007). Exploring the characteristics of Internet security breaches that impact the market value of breached firms. Expert Systems with Applications, 32, 703–725.
Casey, E. (2003). Determining intent—opportunistic vs targeted attacks. Computer Fraud & Security, 2003, 8–11.
Cavusoglu, H., Mishra, B., & Raghunathan, S. (2005). The value of intrusion detection systems in information technology security architecture. Information Systems Research, 16, 28–46.
Cavusoglu, H., Raghunathan, S., & Yue, W. T. (2008). Decision-theoretic and game-theoretic approaches to IT security investment. Journal of Management Information Systems, 25, 281–304.
Cezar, A., Cavusoglu, H., & Raghunathan, S. (2014). Outsourcing information security: Contracting issues and security implications. Management Science, 60, 638–657.
Collins, M. P., Gates, C., & Kataria, G. (2006). A model for opportunistic network exploits: The case of P2P worms. In: fifth workshop on economic of information security, Cambridge, England.
Fang, F., Parameswaran, M., Zhao, X., & Whinston, A. B. (2014). An economic mechanism to manage operational security risks for inter-organizational information systems. Information Systems Frontiers, 16, 399–416.
Gal-Or, E., & Ghose, A. (2005). The economic incentives for sharing security information. Information Systems Research, 16, 186–208.
Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security (TISSEC), 5, 438–457.
Gordon, L. A., Loeb, M. P., & Lucyshyn, W. (2003). Sharing information on computer systems security: An economic analysis. Journal of Accounting and Public Policy, 22, 461–485.
He, B. Z., Chen, C. M., Su, Y. P., & Sun, H. M. (2014). A defence scheme against Identity Theft Attack based on multiple social networks. Expert Systems with Applications, 41, 2345–2352.
Huang, C. D., & Behara, R. S. (2013). Economics of information security investment in the case of concurrent heterogeneous attacks with budget constraints. International Journal of Production Economics, 141, 255–268.
Huang, C. D., Behara, R. S., & Goo, J. (2014). Optimal information security investment in a healthcare information exchange: An economic analysis. Decision Support Systems, 61, 1–11.
Huang, C. D., Hu, Q., & Behara, R. S. (2008). An economic analysis of the optimal information security investment in the case of a risk-averse firm. International Journal of Production Economics, 114, 793–804.
Huang, C. C., Lin, F. Y., Lin, F. Y. S., & Sun, Y. S. (2013). A novel approach to evaluate software vulnerability prioritization. Journal of Systems and Software, 86, 2822–2840.
Hui, K. L., Hui, W., & Yue, W. T. (2012). Information security outsourcing with system interdependency and mandatory security requirement. Journal of Management Information Systems, 29, 117–155.
Kim, H. K., Im, K. H., & Park, S. C. (2010). DSS for computer security incident response applying CBR and collaborative response. Expert Systems with Applications, 37, 852–870.
Kolfal, B., Patterson, R. A., & Yeo, M. L. (2013). Market impact on IT security spending. Decision Sciences, 44, 517–556.
Krebs, B. (2014). Email attack on vendor set up breach at Target. In Krebs on Security <http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/#more-24313>.
Kunreuther, H., & Heal, G. (2003). Interdependent security. Journal of Risk and Uncertainty, 26, 231–249.
Lee, C. H., Geng, X. J., & Raghunathan, S. (2013). Contracting information security in the presence of double moral hazard. Information Systems Research, 24, 295–311.
Ogut, H., Menon, N., & Raghunathan, S. (2005). Cyber insurance and IT security investment: impact of interdependence risk. In: Fourth workshop on the economics of information security, Harvard University.
Parker, D. B. (1997). The strategic values of information security in business. Computers & Security, 16, 572–582.
Ponemon, I. (2013). 2013 Cost of data breach study: Global Analysis. In: PGP Corporation.
PWC (2013). Key findings from the Global State of Information Security Survey 2013.
Richardson, R. (2011). CSI 15th annual computer crime and security survey. Computer Security Institute (CSI).
Straub, D. W. Jr., (1990). Effective IS security: An empirical study. Information Systems Research, 1, 255–276.
Straub, D., Goodman, S., & Baskerville, R. (2008). Framing of information security policies and practices. Information Security Policies, Processes, and Practices, 5–12.
Varian, H. (2004). System reliability and free riding. In Economics of information security (pp. 1–15). Springer.
Wang, J., Chaudhury, A., & Rao, H. R. (2008). A value-at-risk approach to information security investment. Information Systems Research, 19, 106–120.
Zhang, Y. J., Deng, X. Y., Wei, D. J., & Deng, Y. (2012). Assessment of E-commerce security using AHP and evidential reasoning. Expert Systems with Applications, 39, 3611–3623.
Zhao, X., Xue, L., & Whinston, A. B. (2013). Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. Journal of Management Information Systems, 30, 123–152.
Security and Vulnerability Assessment of Social Media Sites: An Exploratory Study
Jensen Zhao
Ball State University, Muncie, Indiana, USA
Sherry Y. Zhao
Massachusetts Institute of Technology, Cambridge, Massachusetts, USA
While the growing popularity of social media has brought many benefits to society, it has also resulted in privacy and security threats. The authors assessed the security and vulnerability of 50 social media sites. The findings indicate that most sites (a) posted privacy and security policies but only a minority stated clearly their execution of the key security measures; (b) had network information that was publicly available through Internet search, which was vulnerable to cyber intrusion; and (c) were secured with firewalls, filters, or port closures, with only a few ports detected as open, which need further improvement.
Keywords: computer network systems, social media, security, vulnerability
The world has witnessed how Internet-based social media, such as Facebook, Twitter, and YouTube, have changed the traditional communication landscape and empowered people to play active roles in economic, social, and political activities. Empowered with social media, consumers are increasingly active in cocreating everything from product design to promotional messages; they want companies to listen, appropriately engage, and respond (Berthon, Pitt, McCarthy, & Kates, 2007; Kietzmann, Hermkens, McCarthy, & Silvestre, 2011). For instance, acting on behalf of her 4-year-old brother who loves to cook and wanted an oven, McKenna Pope, a 13-year-old girl, got more than 40,000 signatures on her online petition at Change.org requesting the toy maker of the Easy-Bake Oven to make a version for both boys and girls. In response, the manufacturer of the Easy-Bake Oven (Hasbro, Pawtucket, RI), a toy marketed only to girls over its 50-year history, accepted the petition to make a gender-neutral oven and to include boys in the ads starting in 2013 (Cavaliere, 2012).
The top U.S. marketers at Fortune 100 and Forbes Top 200 companies indicated that social media spending averaged 3.5% of the company marketing budget in 2009 and increased to 7.4% of the marketing budget in 2012. The top U.S. marketers expected that social media spending would reach 19.5% of their marketing budgets in the five years following 2012 (Moorman, 2012). Research also indicated that the proper corporate use of social media positively affects corporate revenue and profit (Zhao & Zhao, 2014).
However, the growing popularity of social media on the Internet has also resulted in privacy and security threats to people, businesses, and governments. For instance, Nexgate’s cyber-threat analysis of the social media presence of the Fortune 100 firms from July 2013 to June 2014 reported that, on average, one in five Twitter accounts and two of five Facebook accounts claiming to represent a Fortune 100 brand were unauthorized. In aggregate, Fortune 100 brands experienced at least one compromise every day on their social media accounts (Ashford, 2014a). In 2014, 70% of social media scams were manually shared, and these scams spread rapidly and were lucrative for cybercriminals because people were more likely to click something posted by a friend (Symantec, 2015).
As research showed, some social media sites were compromised by hackers; celebrities’ private pictures, personal information, and emails were published by hackers on the web (e.g., Ashford, 2014b; Gay, 2014; Nerney, 2011). These attacks mainly targeted networks’ TCP/IP (Layer 4), secure socket layer (SSL; Layer 5), and HTTP and FTP (Layer 7) according to the Open Systems Interconnection Reference Model (McNurlin & Sprague, 2006). Overall, cyber attackers’ primary purpose in social media intrusion and attack is to steal customer data, defame celebrities, damage brands, and manipulate markets for financial gain (Ashford, 2014a; Symantec, 2015). According to the Trustwave Global Security Report, cybercrime gave attackers a 1,425% return on investment (Trustwave, 2015).
Correspondence should be addressed to Jensen Zhao, Ball State University, Miller College of Business, ISOM Department, Muncie, IN 47306, USA. E-mail: [email protected]
JOURNAL OF EDUCATION FOR BUSINESS, 90: 458–466, 2015
Copyright © Taylor and Francis Group, LLC ISSN: 0883-2323 print / 1940-3356 online
DOI: 10.1080/08832323.2015.1095705
The purpose of the present study was to assess the security and vulnerability of social media sites by examining the following issues: the privacy and security policies and their implementation, information availability of social media systems, computer network security of social media sites, and the difference in privacy and security measures between U.S.-based social media sites and counterpart sites based in other countries. Four research questions guided this study:
Research Question 1 (RQ1): What privacy and security measures are stated in policies on the social media sites?
RQ2: What network information of social media sites is publicly available on the Internet?
RQ3: How secure are the computer network systems of the social media sites against cyber intrusions and attacks?
RQ4: How do the U.S.-based social media sites differ from other country-based counterparts in securing their sites?
The findings of the study would benefit social media administrators in the continuous improvement of their social media security. In addition, the findings would enable students specializing in e-business or Internet security to identify opportunities for internships or jobs at the social media sites that need to strengthen or maintain their Internet security. As the 2014 Occupational Outlook Handbook (Bureau of Labor Statistics, 2014) indicated, the employment of information security analysts was projected to grow 37% from 2012 to 2022, much faster than the average for all occupations. Demand for information security analysts is expected to be very high, as these analysts will be needed to come up with innovative solutions to prevent hackers from stealing critical information or creating havoc on computer networks.
METHOD
To assess social media sites in terms of (a) privacy and security policies and their implementation, (b) network information availability of social media sites, and (c) computer network system vulnerability to cyber intrusions and attacks, we used three methods for data collection and analysis: web content analytics, network system information auditing, and computer network security mapping.
Web content analytics is commonly used in assessing organizations’ web contents, deliveries, and strategies (e.g., Boggs & Walters, 2006; Campbell & Beck, 2004; Wilkinson & Cappel, 2005; Zhao & Zhao, 2004; Zhao, Truell, Alexander, & Davis, 2006). We used this method for systematically and objectively identifying and recording the privacy and security policies available at the social networking sites and then analyzing what privacy and security measures were stated as being in implementation. This method generated the following content categories for analysis: (a) existence of privacy, security, child-protection, proper-use, and no-liability policies; (b) antihacking notice; (c) data transmission encryption; (d) intrusion detection; (e) investigation of improper web activities; (f) login authentication; and (g) web traffic monitoring.
To find out what network information of the social media sites is publicly available on the Internet and how vulnerable the social media sites are to cyber intrusions and attacks, we conducted a Google search for related websites and auditing tools. We found three websites—ZoneEdit.com, arin.net, and insecure.org—offering the tools.
The ZoneEdit.com site is a leading website in DNS (Domain Name System) and domain management solutions. It provides a free DNS lookup utility tool, which enables any online user to enter a website domain name (e.g., yahoo.com) to search for its IP (Internet Protocol; e.g., 216.115.108.245) address (see http://www.zoneedit.com/lookup.html).
The arin.net (American Registry of Internet Numbers) site provides a free database search service at ws.arin.net. The search service allows any online user to find a website’s registration information for resources registered with ARIN. The ARIN database contains IP addresses, autonomous system numbers, network name, type, and range, organizations or customers that are associated with these resources, and related points of contact. By entering a site’s IP address into the search tool, any person can get all the registered information of the site’s network systems (see http://www.arin.net/whois/).
Computer network security mapping is a major method of using software tools for assessing the vulnerability of an entire computer network system without intrusion and identifying areas of potential security threats (e.g., Garcia, 2004; Winkler, 2004). To assess the vulnerability of the computer network systems of social media sites, we selected a popular, free network mapping utility tool, Nmap, provided by insecure.org. Nmap is a port scanning and network mapping software tool. It uses raw IP packets to determine what hosts are available on the network; what ports are open, filtered, firewalled, or closed; what services and servers those hosts are offering; what operating systems they are running; and many other characteristics.
To ensure that using Nmap for this study is legal and ethical, we reviewed related literature and could not find federal or state laws that specifically address the issue (e.g., U.S. Department of Justice, 2003). However, in a Georgia District Court case, Moulton v. VC3, the judge declared the port scan in the case legal because it did not impair the integrity or availability of the network. The judge found that since the activity did no damage to the target, it could not be illegal (Jamieson, 2002). The implication of this case is that a port scan is not an attack and usually causes no damage to a target network; the legality and ethics of a port scan depend on whether the intent of the port scan is to cause damage or to improve security. As the purpose of this study was to provide social media sites’ administrators with the findings that they need for continuous improvement of their site security, using Nmap for this study was justified.
The population of this study consisted of the 210 active social media sites around the world, which were ranked by Alexa.com—an amazon.com company specialized in web rating and analytics. This exploratory study randomly selected a sample of 50 social media sites from the population. The sample consists of 35 sites (70%) based in the United States of America and 15 sites (30%) based in other countries such as Argentina, China, Germany, Japan, Mexico, Saudi Arabia, and Spain.
All the data were collected electronically between January and April 2015. The results of web content analytics, network information auditing, and computer network security mapping were saved in digital format and coded for statistical analysis with IBM SPSS. Frequency counts, percentage distributions, means, and standard deviations were prepared. The independent t test was employed to identify whether any significant difference existed at the .01 alpha level between the U.S.-based social networking sites and other country-based counterparts in securing their sites, in order to address Research Question 4.
FINDINGS
The findings of the study are reported in the following sequence: (a) privacy and security policies on social media sites, (b) network information publicly available on the Internet, (c) security status of social media systems, and (d) difference between U.S.-based and other country-based social media sites.
Privacy and Security Policies on Social Media Sites
RQ1 asked, “What privacy and security measures are stated in policies on the social media sites?” As Table 1 shows, of the 50 social media sites, 46 sites (92%) provided a link on their home pages to the privacy policy, but the name of the link varied and included privacy policy, privacy information, policies, and data use policy. Forty-five sites (90%) presented a child-protection policy link on their home pages or embedded it within the privacy policy. Forty-five sites (90%) also presented a no-liability statement as the disclaimer or attached to the security policy. For example, Facebook’s no-liability disclaimer (see Figure 1) stated, “We will not be liable to you for any lost profits or other consequential, special, indirect, or incidental damages arising out of or in connection with this statement or Facebook, even if we have been advised of the possibility of such damages.”
Among the 50 social media sites, 41 sites (82%) provided a link on their home pages to the security policy as well as a proper-use note that was attached to the security policy or disclaimer. The security policies indicated that the social media sites are committed to ensuring a secure environment that can protect personal and business information by implementing various security measures (see, for example, Figure 2). While the majority of sites (74%) stated using SSL encryption to protect data transmissions, only a minority of the sites stated clearly the execution of the following key security measures: authentication, using username and password authentication to protect account privacy and security (24%); antipassword guessing, limiting login to three trials only (8%); monitoring, using server management software to monitor traffic (4%); investigation, investigating improper activities to identify individual persons (2%); and auditing, using intrusion detection software to audit and identify unauthorized attempts to upload or change information or otherwise cause damage (2%).

TABLE 1
Social Media Sites’ Security Measures Stated on Their Sites (N = 50)

Policy status                                                                              Frequency   Percentage
A privacy policy link present on the site                                                      46          92
A child-protection policy link present on the site                                             45          90
A no-liability note attached to the security policy or disclaimer                              45          90
A proper-use note attached to the security policy or disclaimer                                41          82
A security policy link present on the site                                                     41          82
Security measures
Encryption: using secure socket layer (SSL) encryption to protect data transmissions           37          74
Authentication: using username and password to protect account privacy and security            12          24
Antipassword guessing: limiting login to 3 trials only                                          4           8
Monitoring: using software programs to monitor traffic                                          2           4
Investigation: investigating improper activities to identify individual persons                 1           2
Auditing: identifying unauthorized attempts to upload or change information                     1           2
Network Information Publicly Available on the Internet
RQ2 asked, “What network information of social media sites is publicly available on the Internet?” The Internet search at ZoneEdit.com and ws.arin.net identified the IP addresses and network information of almost all the 50 social media sites. As Table 2 shows, 100% of the social media sites’ IP addresses were publicly available on the Internet. As a consequence, with these publicly available IP addresses, any online user could go to ws.arin.net and enter the IP addresses to identify a large amount of network information from the majority of the social media sites, such as a site’s organization name; physical address; network range, name, handle, type, parent, and CIDR (classless interdomain routing); registration date, last updated time, phone number, email address, and comments (see Table 2).
FIGURE 1. No-liability statement at Facebook site.
FIGURE 2. Security statement at LinkedIn site.
Security Status of Social Media Network Systems
RQ3 asked, “How secure are the computer network systems of the social media sites against cyber intrusions and attacks?” Computer network systems connect to the Internet through communication ports. The ports of an Internet-connected computer are classified into three categories: (a) the well-known ports, (b) the registered ports, and (c) the dynamic or private ports. The numbers of the well-known ports range from 0 to 1023; those of the registered ports are from 1024 through 49151; and those of the dynamic or private ports range from 49152 to 65535. If the ports are open on the Internet without firewalls or filters, they are very vulnerable to cyber intrusions and attacks. As Table 3 illustrates, of the 50 social media sites scanned by using Nmap, the majority (68%) of the sites revealed only one or two open ports. By contrast, only a minority of the sites revealed three or more open ports. While 13 sites (26%) were detected with three or four open ports, only three sites (6%) revealed five, 10, and 26 open ports, respectively.
The Nmap scan report also indicated that most social media sites’ Internet ports were filtered or behind firewalls. As Figure 3 shows, while the Nmap scan did not detect any port information at five social media sites (10%), it reported that four sites (8%) had around 150 ports filtered or behind firewalls, and the majority of the sites (82%) had filtered or firewalled from 925 up to 1,000 ports.
Regarding the types of open Internet ports, 49 sites (98%) had their Port 80/TCP open for HTTP (hypertext transfer protocol) or world wide web services (see Figure 4). Web servers identified from Port 80/TCP were Apache, Microsoft IIS, and Netscape. Second, 46 sites (92%) also had Port 443/TCP open for encrypted https services. In addition, a minority of the sites had the following ports open for varied purposes: Port 8080/TCP open for http-proxy—a more secure web service than Port 80/TCP (12%), Port 53/TCP open for DNS domain service (6%), Port 22/TCP open for email communication (6%), Port 21/TCP open for FTP file transfer (4%), and Port 8443/TCP open as an https alternative for encrypted data transmissions (4%).
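The Nmap results above (open, filtered, or closed ports; the three IANA port ranges; the Table 3 grouping by number of open ports) can be tabulated from a scan report with a short parser. The following is an added example, not code from the article; the scan report it parses is constructed, not a real scan of any site, and the host name is a placeholder.

```python
"""Tabulate an Nmap scan report the way the study does (added example).

Classifies each reported port into the IANA ranges the article quotes
(well-known 0-1023, registered 1024-49151, dynamic/private 49152-65535),
counts ports per Nmap state, and assigns the host to the Table 3 group
(1-2, 3-4, or 5+ open ports).
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# One port line of Nmap's human-readable ("normal") output, e.g. "80/tcp open http".
# Compound states are listed first so "open|filtered" is not cut down to "open".
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)"
    r"(?:\s+(?P<service>\S+))?"
)
# Ports Nmap collapses into one line, e.g. "Not shown: 996 filtered ports".
NOT_SHOWN = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>open|closed|filtered)")


def port_category(port: int) -> str:
    """IANA port range names as quoted in the article."""
    if 0 <= port <= 1023:
        return "well-known"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic/private"
    raise ValueError(f"not a valid port number: {port}")


def open_port_group(n_open: int) -> str:
    """Grouping used in Table 3 of the article."""
    if n_open <= 0:
        return "none"
    if n_open <= 2:
        return "1-2"
    if n_open <= 4:
        return "3-4"
    return "5+"


@dataclass
class ScanSummary:
    host: str
    ports: dict = field(default_factory=dict)  # port -> (proto, state, service)
    state_counts: Counter = field(default_factory=Counter)  # includes "Not shown" ports

    @property
    def open_ports(self) -> list:
        return sorted(p for p, (_, state, _) in self.ports.items() if state == "open")

    @property
    def group(self) -> str:
        return open_port_group(len(self.open_ports))

    @property
    def total_probed(self) -> int:
        return sum(self.state_counts.values())

    def open_by_category(self) -> dict:
        return dict(Counter(port_category(p) for p in self.open_ports))


def parse_nmap_report(text: str) -> ScanSummary:
    """Parse the per-host section of an Nmap normal-output report."""
    summary = ScanSummary(host="?")
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Nmap scan report for "):
            summary.host = line[len("Nmap scan report for "):]
            continue
        m = NOT_SHOWN.match(line)
        if m:
            summary.state_counts[m["state"]] += int(m["count"])
            continue
        m = PORT_LINE.match(line)
        if m:
            port = int(m["port"])
            port_category(port)  # rejects out-of-range numbers early
            summary.ports[port] = (m["proto"], m["state"], m["service"] or "")
            summary.state_counts[m["state"]] += 1
    return summary


# Constructed sample report (not a real scan of any site; the host is a
# placeholder): like most sites in Table 3, a few open ports and the rest of
# Nmap's default 1,000-port list filtered.
SAMPLE_REPORT = """\
Nmap scan report for example-social.invalid (192.0.2.10)
Host is up (0.020s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE
21/tcp   closed ftp
80/tcp   open   http
443/tcp  open   https
8080/tcp open   http-proxy
"""

if __name__ == "__main__":
    s = parse_nmap_report(SAMPLE_REPORT)
    print(s.host, "open ports:", s.open_ports, "Table 3 group:", s.group)
    print("open ports by IANA range:", s.open_by_category())
    print("states across", s.total_probed, "probed ports:", dict(s.state_counts))
```

The "Not shown" line is what makes the filtered count reach the 925 to 1,000 ports reported for most sites, since Nmap lists only the ports whose state differs from the majority.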
The Nmap scan also reported the server information and operating systems at the 50 social media sites. As Figure 5 shows, while 20% of the sites did not reveal any match of computer server information, 80% were detected as running varied servers such as Nginx (34%), Apache (24%), AkamaiGHost (6%), ATS (4%), Varnish (4%), Haproxy (2%), GFE (2%), H3rr (2%), and PWS httpd (2%). However, the Nmap scan did not detect computer operating systems at the majority of the sites (70%, see Figure 6). But the minority of the sites (30%) were detected as running Linux (18%), Dell (6%), MS Windows (4%), and NetDBS (2%), respectively.
Difference Between U.S.- and Other Country-Based Social Media Sites
RQ4 asked, “How do the U.S.-based social media sites differ from other country-based counterparts in securing their sites?” As Table 4 shows, in comparison with other country-based social media sites, the U.S.-based counterparts had significantly more security measures in the following six aspects: (a) child protection policy, t(48) = 4.099, p < .000; (b) privacy policy, t(48) = 3.495, p < .001; (c) SSL encryption, t(48) = 2.961, p < .005; (d) security policy, t(48) = 2.802, p < .007; (e) proper use statement, t(48) = 2.802, p < .007; and (f) no-liability statement, t(48) = 2.705, p < .009.

TABLE 2
Social Media Network Information Publicly Available on the Internet

Category                                   Frequency   Percentage
IP addresses                                   50          100
Organization name                              50          100
Address (city, state/province, country)        50          100
Network range                                  50          100
Network name                                   50          100
Network handle                                 50          100
Network type                                   50          100
CIDR (Classless Interdomain Routing)           50          100
Registration date                              50          100
Last updated                                   50          100
Phone number                                   50          100
Email address                                  50          100
Network parent                                 39           78
Comments                                       33           66

TABLE 3
Number of Internet Ports Open at Social Media Sites

Open ports   Sites   Group frequency   Group percentage
1               1
2              33           34                 68
3               7
4               6           13                 26
5               1
10              1
26              1            3                  6
Total          50           50                100
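The t values in Table 4 can be reproduced from the group means alone, because each measure is a 0/1 indicator per site. The following is an added example, not the article's code; the per-group counts it uses are reconstructed from Table 4's means (e.g., 0.667 = 10 of 15 sites), and Welch's test is included as a comparison the article does not make.

```python
"""Recompute the t statistics of Table 4 from the group means (added example).

Each security measure is a 0/1 indicator per site, so a group's mean is the
share of its sites having the measure. The per-group counts below are
reconstructed from Table 4's means (e.g., 0.667 = 10 of 15 sites). The table
reports Student's pooled-variance t with df = n1 + n2 - 2 = 48, which is what
pooled_t() computes; welch_t() is included to show how much the equal-variance
assumption matters when one group has no variance at all.
"""
from math import sqrt

N_US, N_OTHER = 35, 15  # sites per country base (Table 4)

# measure -> (U.S. sites having it, other-country sites having it)
COUNTS = {
    "child protection policy": (35, 10),
    "privacy policy": (35, 11),
    "SSL encryption": (28, 6),  # Table 1 lists 37 SSL sites; Table 4's means imply 34
    "security policy": (32, 9),
    "proper use statement": (32, 9),
    "no-liability statement": (34, 11),
}


def indicator_vector(k: int, n: int) -> list:
    """n observations: k ones (measure present) followed by n - k zeros."""
    return [1] * k + [0] * (n - k)


def mean(xs: list) -> float:
    return sum(xs) / len(xs)


def sample_var(xs: list) -> float:
    """Unbiased sample variance (n - 1 denominator), the SD convention SPSS reports."""
    m = mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def pooled_t(a: list, b: list) -> tuple:
    """Student's two-sample t (equal variances assumed); returns (t, df)."""
    n1, n2 = len(a), len(b)
    df = n1 + n2 - 2
    sp2 = ((n1 - 1) * sample_var(a) + (n2 - 1) * sample_var(b)) / df
    return (mean(a) - mean(b)) / sqrt(sp2 * (1 / n1 + 1 / n2)), df


def welch_t(a: list, b: list) -> tuple:
    """Welch's t (equal variances not assumed); returns (t, fractional df)."""
    n1, n2 = len(a), len(b)
    v1, v2 = sample_var(a) / n1, sample_var(b) / n2
    df = (v1 + v2) ** 2 / (v1 ** 2 / (n1 - 1) + v2 ** 2 / (n2 - 1))
    return (mean(a) - mean(b)) / sqrt(v1 + v2), df


def table4_t(measure: str) -> float:
    """Pooled t for one row of Table 4, rounded as the table prints it."""
    k_us, k_other = COUNTS[measure]
    t, _ = pooled_t(indicator_vector(k_us, N_US), indicator_vector(k_other, N_OTHER))
    return round(t, 3)


if __name__ == "__main__":
    for measure in COUNTS:
        print(f"{measure:24s} t(48) = {table4_t(measure):.3f}")
    # Child protection: the U.S. group has zero variance, so Welch's test,
    # which does not pool it away, gives a much smaller t on 14 df.
    a = indicator_vector(35, N_US)
    b = indicator_vector(10, N_OTHER)
    print("child protection, Welch: t = %.3f, df = %.1f" % welch_t(a, b))
```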
SUMMARY AND CONCLUSIONS
The majority of the social media sites posted links to a privacy policy, child-protection policy, no-liability statement, security policy, and proper-use guidelines on their home pages. The majority of the security policies stated using SSL encryption to protect data transmissions. But only a minority of the sites stated clearly the execution of the key security measures: authentication, antipassword guessing, monitoring, investigation, and auditing. These findings indicate the need for further improvement because around 10–18% of the social media sites failed to post the privacy- and security-related policies. In addition, many sites need to clearly state what key security measures are in execution as an effective communication to not only assure users of the site’s security measures, but also to deter potential intruders and attackers from trying improper activities (Ashford, 2014b; Symantec, 2015).
FIGURE 3. Number of internet ports filtered or firewalled at social media sites.
FIGURE 4. Types of internet ports open at social media sites.
FIGURE 5. Server systems vulnerability status of social media sites.
FIGURE 6. Operating systems vulnerability status of social media sites.
Second, the majority of the social media sites’ network information was publicly available through the Google search. Such information included networks’ IP address and physical address; network range, name, handle, type, parent, and CIDR; registration date, last updated time, phone number, and email address. The information makes the sites vulnerable to cyber intrusions and attacks. For example, searching for the IP address of a site is often the first step for cyber intruders to connect to the server of the site. In addition, the network range and CIDR address reveal the total number of hosts the network possesses and the network’s higher and lower level routing information. Having put these pieces of information together, a cyber intruder has a full picture of which parts of the network are vulnerable and easy to intrude. These findings suggest that social media sites should consider negotiating with the American Registry of Internet Numbers on requiring username and password login for access to a web portal’s registration information. To make the negotiation successful, social media companies need to form an industry alliance and conduct collective negotiation with the American Registry of Internet Numbers.
Furthermore, the network scan illustrated that the social media sites had most of their ports closed, filtered, or behind firewalls; only very few ports were detected as open: Port 80/TCP and Port 443/TCP. The open Port 80/TCP enabled Nmap to detect that 80% of the sites were running servers such as Nginx (34%), Apache (24%), AkamaiGHost (6%), ATS (4%), Varnish (4%), Haproxy (2%), GFE (2%), H3rr (2%), and PWS httpd (2%). Obviously, the sites currently keeping Port 80/TCP open should consider adopting the more secure open Port 8080/TCP for http-proxy, thereby making the site anonymous on the Internet. Regarding the open Port 443/TCP or alternative Port 8443/TCP for encrypted https services, user IDs and passwords must be required to grant access to the port, and outgoing access to the port from servers should be restricted.
Finally, the U.S.-based social media sites had significantly more policies and measures than other country-based counterparts in the following six aspects: privacy policy, security policy, child-protection policy, SSL encryption, proper use statement, and no-liability statement. Therefore, other country-based social media sites should consider following the U.S. examples regarding such policies and measures.
RECOMMENDATION FOR FURTHER RESEARCH
We recommend that a further study of this type be conducted in three years among the active social media sites around the world for measuring their site security and vulnerability, comparing the sites for strengths and weaknesses, and identifying opportunities for further improvement.
TABLE 4
Independent t-Test of Security Measures Between U.S.-Based and Other Country-Based Social Media Sites
(Country base: 1 = United States; 2 = other)

Security measure                                            Country base    n     M      SD      t     df   Sig. (two-tailed)
Child protection policy present on social networking site        1         35   1.000  0.000   4.099  48   .000*
                                                                 2         15   0.667  0.488
Privacy policy present on social networking site                 1         35   1.000  0.000   3.495  48   .001*
                                                                 2         15   0.733  0.458
SSL encryption                                                   1         35   0.800  0.406   2.961  48   .005*
                                                                 2         15   0.400  0.507
Security policy present on social networking site                1         35   0.914  0.284   2.802  48   .007*
                                                                 2         15   0.600  0.507
Proper use statement present on social networking site           1         35   0.914  0.284   2.802  48   .007*
                                                                 2         15   0.600  0.507
No liability statement present on social networking site         1         35   0.971  0.169   2.705  48   .009*
                                                                 2         15   0.733  0.458
*p < .01.

REFERENCES
Ashford, W. (2014a). Google could face $100 million lawsuit over nude celebrity pictures. Computer Weekly. Retrieved from http://www.computerweekly.com/news/2240232039/Google-could-face-100m-lawsuit-over-nude-celebrity-pics
Ashford, W. (2014b). Social media threats to business on the rise. Computer Weekly. Retrieved from http://www.computerweekly.com/news/2240236398/Social-media-threats-to-business-on-the-rise-says-report
Berthon, P. R., Pitt, L. F., McCarthy, I., & Kates, S. (2007). When customers get clever: Managerial approaches to dealing with creative consumers. Business Horizons, 50, 39–48.
Boggs, R. A., & Walters, D. (2006). A longitudinal look at e-government in practice. Issues in Information Systems, 7, 161–164.
Bureau of Labor Statistics. (2014). The 2014 occupational outlook handbook. Retrieved from http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
Campbell, D., & Beck, A. C. (2004). Answering allegations: The use of the corporate website for restorative ethical and social disclosure. Business Ethics, 13, 100.
Cavaliere, V. (2012). Hasbro Easy-Bake Oven to be marketed to girls and boys in 2012 following petition for change by 13-year-old girl. New York Daily News. Retrieved from http://www.nydailynews.com/new-york/hasbro-easy-bake-oven-girls-boys-article-1.1222592
Garcia, R. C. (2004). Network security: Mapping intrusion and anomaly detection to very-high-degree polynomials. Signals, Systems, and Computers, 2, 1449–1452.
Gay, R. (2014). The great 2014 celebrity nude photos leak is only the beginning. The Guardian. Retrieved from http://www.theguardian.com/commentisfree/2014/sep/01/celebrity-naked-photo-leak-2014-nude-women
Jamieson, S. (2002). The ethics and legality of port scanning. Bethesda, MD: SANS Institute. Retrieved from http://www.sans.org/reading_room/whitepapers/legal/the_ethics_and_legality_of_port_scanning_71?show=71.php&cat=legal
Kietzmann, J. H., Hermkens, K., McCarthy, I. P., & Silvestre, B. S. (2011). Social media? Get serious! Understanding the functional building blocks of social media. Business Horizons, 54, 241–251.
McNurlin, B. C., & Sprague, R. H. Jr. (2006). Information systems management in practice (7th ed.). Upper Saddle River, NJ: Pearson Prentice Hall.
Moorman, C. (2012). Social media spend continues to soar. Durham, NC: The CMO Survey. Retrieved from http://www.cmosurvey.org/blog/social-media-spend-continues-to-soar/
Nerney, C. (2011). 5 top social media security threats. Network World. Retrieved from http://www.networkworld.com/article/2177520/collaboration-social/5-top-social-media-security-threats.html
Symantec. (2015). 2015 Internet security threat report. Retrieved from http://www.symantec.com/security_response/publications/threatreport.jsp?inid=us_ghp_hero1_istr20
Trustwave. (2015). The 2015 Trustwave global security report. Retrieved from https://www2.trustwave.com/rs/815-RFM-693/images/2015_TrustwaveGlobalSecurityReport.pdf
U.S. Department of Justice. (2003). Fraud and related activity in connection with computers. In United States Code Annotated (Title 18, Chapter 47, Section 1030). Washington, DC: Author. Retrieved from http://www.usdoj.gov/criminal/cybercrime/1030NEW.htm
Wilkinson, V. O., & Cappel, J. J. (2005). Impact of economic prosperity and population on e-government involvement. Issues in Information Systems, 6, 204–209.
Winkler, I. (2004). What is a security audit? Tech Target. Retrieved from http://searchcio.techtarget.com/sDefinition/0,,sid182_gci955099,00.html
Zhao, J. J., Truell, A. D., Alexander, M. W., & Davis, R. (2006). State e-government service and economic competitiveness: A relational analysis. Issues in Information Systems, 7, 171–176.
Zhao, J. J., & Zhao, S. Y. (2004). Internet technologies used by INC. 500 corporate web sites. Issues in Information Systems, 5, 366–372.
Zhao, J. J., & Zhao, S. Y. (2014). The impact of corporate social media on revenue and profit: An exploratory study. International Journal of Management and Information Technology, 10, 1892–1902.
36 COMMUNICATIONS OF THE ACM | MARCH 2018 | VOL. 61 | NO. 3
viewpoints

Viewpoint
Impediments with Policy Interventions to Foster Cybersecurity
A call for discussion of governmental investment and intervention in support of cybersecurity.
DOI:10.1145/3180493
Fred B. Schneider

THE LIST OF cyberattacks having significant impacts is long and getting longer, well known, and regularly invoked in calls for action. Such calls are not misplaced, because society is becoming more dependent on computing, making cyberattacks more capable of widespread harm. Vardi’s recent call¹ “it is time to get government involved, via laws and regulations” motivates this Viewpoint. Indeed, we do know how to build more-secure systems than we are deploying today. And governments can—through regulation or other mechanisms—incentivize actions that individuals and organizations are otherwise unlikely to pursue.
However, a considerable distance must be traversed from declaring that government interventions are needed to deciding particulars for those interventions, much less intervening. To start, we need to agree on specific goals to be achieved. Such an agreement requires understanding monetary and other costs that we as a society are willing to incur, as well as understanding the level of threat to be thwarted. Only after such an agreement is reached does it make sense for policymakers to contemplate implementation details.
This Viewpoint reviews interventions often suggested for incentivizing enhanced cybersecurity. I discuss the trade-offs involved in the adoption of each. In so doing, I hope to facilitate discussions that will lead to agreements about goals and costs. It is premature to advocate for specific interventions, exactly because those discussions have yet to take place.

Secure Systems Are More Expensive
Assurance that a system will do what it should and will not do what it should not requires effort during development. Somebody must pay. It could be consumers (through higher prices), government (through tax credits or grants), or investors (if developers will accept reduced profits). But realize that the consumers, taxpayers, and investors are just us. So before mandating expenditures for enhanced cybersecurity, we must decide that we are willing to pay and decide how much we are willing to pay.
Other priorities will compete. Some will advocate using “return on invest-
MARCH 2018 | VOL. 61 | NO. 3 | COMMUNICATIONS OF THE ACM 37
viewpoints
V viewpoints
to proceed. But user authentication re- quires (tedious) user interactions with the system; program authentication limits which software can be run on a system; and the role of context can lim- it a user’s flexibility in how tasks might be accomplished.
˲ Another common approach to de- fense is isolation. Here, effects of ac- tions by users, programs, or machines are somehow contained. Isolation might be employed to keep attackers out or to keep attackers in. In either case, communications is blocked, which makes orchestrating coopera- tion difficult. We might, for example, facilitate secure access to a bank ac- count by requiring use of a Web brows- er that is running in a separate (real or virtual) computer on which there is a separate file system and only certain “safe” application programs are avail- able. The loss of access to other files or programs hinders attackers but it also hinders doing other tasks.
These enforcement mechanisms increase the chances that malicious ac- tions will be prevented from executing, because they also block some actions that are not harmful. And users typi- cally feel inconvenienced when limita- tions are imposed on how tasks must be accomplished. So nobody will be surprised to learn that users regularly disable enforcement mechanisms— security is secondary to efficiently get- ting the job done.
Security Can Be in Tension with Societal Values Enhanced level of cybersecurity can conflict with societal values, such as privacy, openness, freedom of expres- sion, opportunity to innovate, and ac- cess to information. Monitoring can undermine privacy; authentication of people can destroy anonymity; authen- tication of programs prevents change, which can interfere with flexibility in innovation and can be abused to block execution of software written by com- petitors. Such tensions must be re- solved when designing interventions that will promote increased levels of cybersecurity.
Moreover, societal values differ across countries. We thus should not expect to formulate a single uniform set of cybersecurity goals that will serve for the entire Internet. In addition, the ju-
ment” (ROI) to set spending levels for cybersecurity versus other priorities. But ROI is problematic as a basis for justifying how much to spend here.
˲ There are no good ways to quantify how secure a system is. Measuring cy- bersecurity can be as difficult as estab- lishing assurance for a system in the first place, which we know to be a hard problem for real systems.
˲ There are no good ways to quantify the costs of not investing in cybersecu- rity. To tally lost business or the work to recover data and systems ignores other, important harms from attacks. Disclosure of confidential informa- tion, for example, can destroy reputa- tions, constrain future actions, or un- dermine advantages gained through technological superiority. Externali- ties also must be incorporated into a cost assessment—attacks can have both local and remote impact, because the utility of an individual computer often depends on, or is affected by, an entire network.
We should be mindful, though, that investments directed at other national priorities—defense, foreign aid, and social programs—are also difficult to evaluate in purely objective ways. Yet governments routinely prioritize across making such investments. Even in smaller, private-sector institutions, the “bottom line” is rarely all that mat- ters, so they too have experience in making investment decisions when ROI or other objective measures are not available.
Any given intervention to encour- age investing in cybersecurity will allo- cate costs across various sectors and, therefore, across different sets of indi- viduals. A decision to invest in the first place might well depend on specifics of that allocation. We often strive to have those individuals who benefit the most be the ones who pay the most. But the nature of networked infra- structures makes it difficult to charac- terize who benefits from cybersecurity and by how much. For instance, civil government (and much of defense), private industry, and individuals all share the same networks and use the same software, so all benefit from the same security investments. Externali- ties also come into play. For example, should only the targeted political party be paying to prevent cyberattacks that,
if successful, threaten the integrity of an election outcome?
Investments in cybersecurity will have to be recurring. Software, like a new bridge or building, has both an initial construction cost and an ongo- ing maintenance cost. It is true that software does not wear out. Neverthe- less, software must be maintained:
˲ Today’s approaches for establish- ing assurance in the systems we build have limitations. So some vulnerabili- ties are likely to remain in any system that gets deployed. When these vulner- abilities are discovered, patches must be developed and applied to systems that have been installed.
˲ Unanticipated uses and an en- vironment that evolves by accretion mean that assumptions a system devel- oper will have made might not remain valid forever. Such assumptions con- stitute vulnerabilities, creating further opportunities for attackers.
Ideally, systems will be structured to allow patching, and software produc- ers will engage in the continuing ef- fort to develop patches. Some business models (for example, licensing) are better than others (for example, sales) at creating the income stream needed to support that patch development.
Cost Is Not the Only Disincentive Secure systems tend to be less con- venient to use, because enforcement mechanisms often intrude on usability.
˲ One common approach for ob- structing attacks is based on monitor- ing. The system authenticates each request before it is performed and uses the context of past actions when deciding what requests are authorized
The nature of networked infrastructures makes it difficult to characterize who benefits from cybersecurity.
38 COMMUNICATIONS OF THE ACM | MARCH 2018 | VOL. 61 | NO. 3
viewpoints
terrence depends on being able to attri- bute acts to individuals or institutions and then punish the offenders.
˲ Attribution of attacks delivered over a network is difficult, because packets are relayed through multiple intermediaries and, therefore, pur- ported sources can be spoofed or re- written along the way. Attribution thus requires time-consuming analysis of information beyond what might be available from network traffic.
˲ Punishment can be problematic because attackers can work outside the jurisdiction of the government where their target is located. To limit or monitor all traffic that is destined to the hosts within some govern- ment’s jurisdiction can interfere with societal values such as openness and access to information. Such monitor- ing also is infeasible, given today’s net- work architecture.
Making Progress The time is ripe to be having discus- sions about investment and govern- ment interventions in support of cyber- security. How much should we invest? And how should we resolve trade-offs that arise between security and (other) societal values? It will have to be na- tional dialogue. Whether or not com- puter scientists lead, they need to be involved. And just as there is unlikely to be a single magic-bullet technology for making systems secure, there is un- likely to be a magic-bullet intervention to foster the needed investments.
Reference 1. Vardi, M. Cyber insecurity and cyber libertarianism.
Commun. ACM 60, 5 (May 2017), 5.
Fred B. Schneider ([email protected]) Fred B. Schneider is Samuel B. Eckert Professor of Computer Science and chair of the at Cornell University computer science department, Cornell University, USA.
The impetus for this Viewpoint was a series of discussions with Communications Senior Editor Moshe Vardi during the two years preceding his May 2017 Communications Editor’s Letter. Susan Landau, Lyn Millett, and Deirdre Mulligan read an earlier version of this Viewpoint and provided helpful and timely feedback. I am also grateful to the two reviewers for their comments, which resulted in this Viewpoint having a better-defined focus.
The author’s work has been supported in part by AFOSR grant F9550-16-0250 and NSF grant 1642120. The views and conclusions contained in this Viewpoint are those of the author and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of these organizations or the U.S. government.
Copyright held by author.
risdiction of any one government nec- essarily has a limited geographic scope. So government interventions designed to achieve goals in some geographic region (where that government has jurisdiction) must also accommodate the diversity in goals and enforcement mechanisms found in other regions.
Flawed Analogies Lead to Flawed Interventions Long before there were computers, lia- bility lawsuits served to incentivize the delivery of products and services that would perform as expected. Insurance was available to limit the insured’s costs of (certain) harms, where the for- mulation and promulgation of stan- dards facilitated decisions by insurers about eligibility for coverage. Finally, people and institutions were discour- aged from malicious acts because their bad behavior would likely be detected and punished—deterrence.
Computers and software comprise a class of products and services, at- tackers are people and institutions. So it is tempting to expect that liabil- ity, insurance, and deterrence would suffice to incentivize investments to improve cybersecurity.
Liability. Rulings about liability for an artifact or service involve compari- sons of observed performance with some understood basis for acceptable behaviors. That comparison is not possible today for software security, since software rarely comes with full specifications of what it should and should not do. Software developers and service providers shun provid- ing detailed system specifications be- cause specifications are expensive to create and could become an impedi- ment to making changes to support deployment in new settings and to support new functionality. Having a single list that characterizes accept- able behavior for broad classes of systems (for example, operating sys- tems or mail clients) also turns out to be problematic. First, by its nature, such a list could not rule out attacks to compromise a property that is spe- cific only to some element in the class. Second, to the extent that such a list rules out repurposing functionality (and thereby blocks certain attacks), the list would limit opportunities for innovations (which often are imple-
mented by repurposing functionality). Insurance. Insurance depends for
pricing on the use of data about past incidents and payouts to predict fu- ture payouts. But there is no reason to believe that past attacks and com- promises to computing systems are a good predictor of future attacks or compromises. I would hope succes- sive versions of a given software com- ponent will be more robust, but that is not guaranteed. For example, new system versions often are developed to add features, and a version that adds features might well have more vulnerabilities than its predecessor. Moreover, software deployed in a large network is running in an environment that is likely to be changing. These changes—which might not be under the control of the developer, the user, the agent issuing insurance, or even any given national government— might facilitate attacks, and that fur- ther complicates the use of historical data for predicting future payouts.
Companies that offer insurance can benefit from requiring compliance with industrywide standards since the domain of eligible artifacts is now nar- rowed, which simplifies predictions about possible adverse incidents and payouts. Good security standards also will reduce the likelihood of adverse incidents. However, any security stan- dard would be equivalent to a list of ap- proved components or allowed classes of behavior. Such a list only can rule out certain attacks and it can limit op- portunities for innovation, so security standards are unlikely to be popular with software producers.
Deterrence. Finally, deterrence is considerably less effective in cyber- space than in the physical world. De-
Secure systems tend to be less convenient to use because enforcement mechanisms often intrude on usability.
Copyright of Communications of the ACM is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
Internal Audit Role in Cybersecurity
Carataș Maria Alina, “Andrei Saguna” University of Constanta, [email protected]
Spătariu Elena Cerasela, Gheorghiu Gabriela, “Ovidius” University of Constanta, [email protected], [email protected]
Abstract
In a changing world, with massive exposure to risks on all levels, from climate change to violent cyber-war attempts, the business environment needs to adapt its instruments for mitigating and responding to cyber-security risks at different stages: prevention, detection, disposal, improvement.
The internal audit function has a key role in assessing cyber disruptions as part of strategic risks and in identifying operational control gaps at the business level, working with management on developing and maintaining an adaptive capacity to different types of risks, building and improving business continuity.
Key words: cyber security, internal audit, cyber attacks, business continuity, cyber resilience
J.E.L. classification: F60, K24, M42, M48, O33.
1. Introduction
Technology surrounds us in every field, and security risks have reached a broader level. Therefore, apart from the existing risk exposure to global warming, nuclear war, political changes, terrorism, regulation changes and the loss of well-prepared employees, an important trigger consists in cyber threats and security incidents.
Most big organizations have strong security protocols implemented to fulfil their cyber-security policies, such as three-level security, secure shell (SSH) tunnels, telecom protocols, etc. This helps organizations develop appropriate tactics to determine how they can achieve continuity and recovery in the event of a data breach.
2. Current risk exposure
Deloitte (2015) conducted a study, and the highest risks that can arise in a company, disrupting normal business, are:
• cyber attacks, in terms of malware, denial of service, phishing;
• data breach (information theft, identity stealing, reputational damage, public release of private/secure information);
• unplanned IT and telecom outages;
• security incidents.
According to the Business Continuity Institute (2017) Horizon Scan Survey, the top three challenges in cyber-security are the use of the internet for malicious attacks, the influence of social media, and, in third place, the loss of key employees.
“Ovidius” University Annals, Economic Sciences Series Volume XVII, Issue 2 /2017
510
2. Three lines of defense model
Next, we present the IIA three lines of defense model and explain how a business can fight against cyber security risks.
Deloitte adapts the Institute of Internal Auditors three lines of defense model with a view to cyber risks, as follows:
Figure no. 1 Three lines of defense IIA model
Source: authors’ visual projection of the IIA model
The first line of defense: management control is the responsibility of operational management, ensuring the identification and control of operational risks at the business process level. There are three functions on this level:
• owning and managing risks;
• anticipating risks;
• ensuring independence and security.
Teamwork with the IT department on cyber risk security and reaction: internal audit will assure the effectiveness of the response actions on IT risk. At the first line of defense level, the business and IT functions include cyber risk management in daily operations.
Promoting communication and collaboration, using the extensive view that internal audit has at the organization level.
The second line of defense is represented by:
• a risk management function, supervising the risk management and internal control system carried out by operational management; at this level, governance gets settled, as well as policies, standards and processes; possible risky situations are reported to management;
• a compliance function, providing consultation, verification and monitoring of specific risks, and reporting to senior management and even to the governance structures;
• a financial control function, supervising financial risks and financial reporting problems.
Independence at this level is limited.
The third line of defense is the internal audit function, which has higher independence, offering an objective opinion on the control carried out by operational management and on the efficiency of the functions from the second line of defense.
The internal audit function reports to executive management and to those with governance responsibilities. Internal audit offers assurance over risk management and internal controls, covering a large area of objectives. The result of the evaluation is further presented to top management, to the Audit Committee and to the Board of Directors. Other stakeholders, such as regulatory authorities and the external auditor, are also interested in the evaluations of internal audit.
3. What should internal audit do in a proactive defense?
The Institute of Internal Auditors’ CEO, Mr Chambers, presented in several steps the role of internal audit in cyber security.
• He admits that one of the roles of the internal audit function is testing and providing assurance on cybersecurity and on the planning of business continuity and recovery strategies against different threats.
• Efficient communication between internal audit and executive management is essential in addressing cyber-security risk levels at the organization level and in countering or mitigating them.
Protect
• First of all, internal audit may help with developing an adequate IT governance program, including a cybersecurity strategy and policy, working together with the board of directors and management. Internal audit can also offer assurance on IT governance.
• Furthermore, it needs to point out and evaluate the cybersecurity risks, assess the tests and their effectiveness, and work on reducing the risks to a minimum by offering analysis reports and judgments on the execution plan.
• Being aware that risks may occur both from outside and inside the company, the internal audit function will carefully assess cybersecurity plans and work on mitigating risks.
Detect
• Internal audit needs to evaluate cyber risks and cybersecurity controls and inform executive management and the Audit Committee about the vulnerabilities, threats, and effectiveness of the installed procedures and control system solutions.
• Cybersecurity measures should be integrated into the internal audit plan. Also, the organizational culture should support and encourage cybersecurity endeavors.
• Internal audit should work on prevention in terms of cybersecurity, using sophisticated security protocols, technology, and trained human resources. Internal audit can be outsourced for a more technically oriented audit aimed at widening control over cyber risks.
• With the use of data analysis and data mining, IT security issues might be detected. Integrating data analysis in internal audit work leads to better risk monitoring, wider control and fraud detection.
Business continuity
• Implementing a response program for cyber risks and a business continuity programme as a priority, in order to achieve cyber resilience.
• Cyber resilience can be a solution for the future, as cybersecurity without an implemented business continuity program will not reduce the occurring risks by much.
• Companies need to attach greater importance to and develop their own business continuity management (BCM) blueprint, by creating procedures for dealing with and resolving different scenarios that might interrupt normal business activity, on both the IT and physical security threat levels.
• Business continuity brings value to organizations, as the existing risks tend to expand, e.g. terrorism, political moves, cybercrime, economic instability, climate change.
• It is a great strength for a business to be able to foresee the darkest events that may occur and to plan a strategy for getting out of them and continuing its activity without being disrupted.
React
• Companies need to prepare a crisis management program, as part of the BCM, in case of an incident. The first important step is assessing the breach and finding a way to respond to it. The entire organization needs to be aware of the crisis management program (so everybody in the company should be trained to know their specific role in case of an incident), working cohesively, so that communication will be in a single voice and transparent.
• Internal audit will independently act in surveillance and assess the response.
Improve
• The internal audit function adds value to the business by expressing its opinions drawn from its extensive activity.
• Security procedures, protocols, and strategies need continuous revision and improvement, to be always prepared for possible attacks.
4. Conclusions
Organizations can create cyber resilience plans for their businesses, following the presented model: protect – detect – business continuity – react – improve/re-evaluate.
Companies need to introduce cyber-defensive behaviour into their organizational culture and train employees in the rules of conduct, and internal audit will assess conformity.
They should take advantage of the existing standards and frameworks for improving cybersecurity infrastructure and adapt their policies and strategies accordingly.
A continuous monitoring program for cyber risks should be used, as they are dynamic and prevalent; the internal audit function should work alongside IT in getting recurring updates and amendments to the cybersecurity strategy program. This will lead to a change in the internal audit function, in terms of expertise, talent, and leadership.
In case of risk emergence, a crisis management program, as part of business continuity management, is fundamental. The first step will be discovering the reason for the attack and a way of responding, and then ensuring transparent and comprehensive communication, so every employee knows his role and responsibilities. Specific procedures (adopting ISO 22301 on organizational security – BCM) and defensive systems should be carried out, and internal audit will assess the responsiveness and effectiveness of the strategies, giving opinions for future improvement. Global collaboration and support between internal audit, executive management, IT and every single player in the company will lead to cyber resilience and greater protection against risks at all levels.
5. References
• Alcantara, P., Riglietti, G., 2017, Horizon Scan Report 2017, Business Continuity Institute, [online] Available at: https://www.bsigroup.com/LocalFiles/en-AE/BCI%20Horizon%20Scan%20report%202017/BCI-BSI-Horizon-Scan-%20Business-%20Continuity.pdf [Accessed November 2017]
• Chambers, R., 2017, Internal Audit’s Critical Role in Cybersecurity, The Institute of Internal Auditors, [online] Available at: https://www.accountingweb.com/aa/auditing/internal-audits-critical-role-in-cybersecurity [Accessed November 2017]
• MetricStream, 2017, Top eight priorities for cyber security and BCM Leaders in 2017, [online] Available at: https://www.metricstream.com/
• Pundmann, S., Doctor, P., Adams, S., White, N., 2016, Internal audit insights: High-impact areas of focus 2017, Deloitte Development LLC, [online] Available at: https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/risk/deloitte-nl-risk-internal-audit-insights-high-impact-focus-areas.pdf [Accessed November 2017]
• Pundmann, S., Young, C., Juergens, M., 2015, Cybersecurity – The role of Internal Audit, Deloitte Development LLC, [online] Available at: https://www2.deloitte.com/us/en.html [Accessed November 2017]
The emerging role of the CISO
Val Hooper *, Jeremy McKissack
Victoria University of Wellington, P.O. Box 600, Wellington 6014, New Zealand
Business Horizons (2016) 59, 585—591
Available online at www.sciencedirect.com
ScienceDirect www.elsevier.com/locate/bushor
KEYWORDS CISO; Cybersecurity; CISO job/role; CISO attributes; Organization concerns
Abstract
Against a background of board-level concern for cybersecurity, organizations are seeking to ensure the protection of their information assets and minimize the risk of a cybersecurity attack. These objectives place two particular demands on organizations: to appoint a suitable official to head up their information security operations, a CISO; and to ensure that the executive and board are appropriately informed of the organization’s security status. In exploring the challenges that confront organizations in selecting a CISO, we drew on data from the U.S., Canada, and New Zealand. Two main issues were addressed. First, the organization has to be very clear on what it wants in terms of the job the CISO is expected to perform and the corresponding attributes that such an incumbent would need to possess. The CISO is a senior-level executive and rather than being a specialized technical expert, the CISO should be an excellent communicator. This will help address the second issue, which is how effectively the CISO can communicate with the board. Some suggestions are provided that serve to aid both effectiveness and efficiency. However, organizations need to embrace their concern about cybersecurity and build it into their selection criteria for board members. © 2016 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved.
1. Heightened awareness of cybersecurity breaches
Over the past 10 years, cybersecurity breaches—of which hacking is by far the most common—have cost public and business sectors worldwide billions of dollars. While the data from the different countries is not all equally accessible, that which is reported predominantly from the U.S. and the U.K. indicates the most targeted are the financial, healthcare, and government sectors. More recently, the latter two sectors have been the recipients of an ever-increasing number of attacks. Although the retail sector has been the recipient of many attacks, technology-based or focused organizations—such as eBay, Adobe Systems, AOL, and Sony Interactive Entertainment’s PlayStation Network—have suffered the heaviest losses. These breaches have been widely reported in the media and have served to raise public awareness of the potential damage of security breaches.
* Corresponding author. E-mail addresses: [email protected] (V. Hooper), [email protected] (J. McKissack)
0007-6813/$ — see front matter © 2016 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved. http://dx.doi.org/10.1016/j.bushor.2016.07.004
Another reason for the heightened public aware- ness of security breaches is that a number of them have been linked to high-profile celebrities. Security and privacy breaches have become a very profitable topic for the media to cover. Three of the most notable leaks have fueled the publicity in recent years: Edward Snowden spoke out against the mass surveillance that was being conducted by the U.S. National Security Agency; like Snowden, Chelsea Manning (born Bradley Manning) breached the U.S. Espionage Act of 1917 with disclosures of U.S. Army activities in Iraq and Afghanistan; and Julian Assange published secret information and news leaks from anonymous sources, including the Manning files, on WikiLeaks, the website he founded. Breaches of this sort have resulted in divided loyalties in terms of support–—even between countries such that Assange is currently enjoying asylum in the Ecuadorian embassy in London.
As the public worldwide operates more and more online, there has been an increased public emphasis on security, as well as privacy. This has been driven by media reports of e-commerce incidents and breaches caused by fraud and identity theft. Social media, too, has opened up a plethora of privacy and security breach possibilities. Similarly, the introduc- tion of e-government in many countries has raised privacy and security concerns, especially pertaining to identity theft. In terms of security and privacy, governments are responsible for their nation’s well-being. With the threat of IT warfare and international hacking into government security and systems, government departments are much more aware of the importance of security.
It is against this background of increased oppor- tunity for information security breaches and height- ened awareness of the repercussions of such breaches that organizations are seeking to protect the security of their information and minimize the risk of possible damage from a breach. Technologi- cal disruption and cybersecurity are now top issues in boardrooms across the world (Paredes, 2016). These objectives place two particular demands on organizations: to appoint a suitable official to guide the organization along a well-protected path that ensures its security, and to ensure that the execu- tive and board are informed appropriately of the organization’s security status so they are able to make optimal security-related decisions. We sought to determine how best to address these demands via interviews with senior security officials in public and private organizations in the U.S., Canada, and New Zealand, as well as those in security consulting firms. We also conducted a survey of Chief Informa- tion Security Officer (CISO) advertisements. Our findings are reported below.
2. Security is becoming too important to entrust to IT alone
Traditionally, the IT security of an organization fell under the IT security manager or under the risk manager. Nevertheless, the role and its responsibil- ities appeared to be an offshoot of IT. It has typically been placed in the IT department, reporting to the CIO or someone holding a similar position. While such an arrangement made sense, the downside was that IT security got diluted in the plethora of other aspects for which IT is responsible–—not only in terms of attention or reporting but, because it is largely invisible in the day-to-day operations of an organi- zation, in terms of budget allocation. Consequently, the reporting to the executive/board was also diluted and unless there had been a major breach, security tended to fade into the background in terms of its profile.
The increased general awareness of the signifi- cant potential danger of security breaches has trig- gered organizations that are particularly security conscious, like government departments and banks, to establish a position at a higher level than the IT security manager to be in charge of their security. The CISO position thus came into being. The CISO is a strategic level position, responsible for ensuring that the information assets and IT systems are pro- tected and secure, and that such protection is in line with the strategic direction of the organization.
The question was where to place the CISO. If placed under the CIO or head of IT, the CISO could have the benefit of the CIO’s support in many ways rather than having to compete with the CIO, for instance, for financial resources. This sort of con- figuration provides opportunity for greater efficien- cies and better service to the organization. However, it would be difficult for the CISO to blow the whistle on the IT department if the need should arise. Many organizations that are very focused on the integrity of their information, especially in the government sector, seek to preserve the CISO’s independence and position the CISO outside the IT department on a level on par with the CIO. This provides independence, but it can also become problematic with regards to the CISO’s accountabil- ity and reliance on its IT underpinning. A third configuration is a hybrid, with a split between operations and the more strategic level. In this instance, an IT security manager would work under the IT umbrella and be in charge of technical oper- ations. The CISO would operate independently and be responsible for the strategic aspects of security.
Given the heightened awareness of IT security/cybersecurity and the recognition of the importance of safeguarding its information assets, organizations that have established independent CISO positions usually have the CISO reporting directly to the CEO. This is the case in many government departments where the focus is very much on the need for scrupulous independence and custody of information. Governments thus create an independent CISO position while organizations, such as banks, that are very IT dependent allow the CISO to fall under the CIO. Small organizations typically don't have a CISO position and security is handled by the CIO. Organizations thus follow any one of these organizational configurations, depending on their business focus and size.
The role descriptions of CISO positions have typically been derived from three sources: the incumbent, a role description from a similar organization used as a template, or an industry standard. Often a combination of two or three sources is used. The first source is more frequent than is commonly believed. Very often, the CISO is someone who has risen through the IT ranks, first becoming an IT security manager and then the CISO. Such CISOs have strong IT knowledge and experience. Alternatively, they might have come up through the risk management ranks, in which case their emphasis would not necessarily be as technical.
3. Are the expectations of CISOs sufficiently embodied in their job descriptions?
Many role descriptions have been crafted directly by the incumbent CISO, and one would assume that no one knows better what the role entails and how it serves the organization best. Despite this, we are left with two questions: Do the job/role descriptions actually result in the appointment of someone who is optimal for the requirements of the organization? Do the job/role descriptions correlate? In order to address these questions, we analyzed over 100 advertisements for open CISO positions to identify what was involved in terms of duties and responsibilities and what sort of person was being sought. The evidence indicated that the job descriptions perpetuate what is currently done or advised as best practice, with scant regard for the needs of the organization. Additionally, the attributes of the person desired for the position do not necessarily match the job description.
For our analysis, we accessed the eBizMBA website for the "Top 15 most popular job websites," as well as the JobisJob and Trade Me websites. These were the most frequently visited recruitment sites in the U.S., Canada, and New Zealand. The study proceeded according to themes that were categorized in Excel spreadsheets. Further analysis of themes and subthemes, and their interrelationships, was conducted with the use of Leximancer Desktop Academic Edition, Version 4. Understandably, not all organizations embraced the same themes and subthemes. This did not mean organizations did not accord those topics due regard, but rather that there were other aspects which they felt were more important to be noted. The findings are reported according to job/role descriptions and requirements of the desired candidate.
3.1. Job/role descriptions
Although the vast majority of the positions were titled CISO, in some instances the position was named director of information security. Many of the advertisements did not indicate to whom the CISO reported, and those that did seemed to be equally split between reporting to the CIO and reporting to the CEO/President, or CEO and board of directors. The role was frequently described as an expert advisor to senior management and a strategic enabler. Clearly it was envisioned as a key leadership role, entailing more strategic-level responsibilities.
However, many of the job descriptions consisted of a lengthy list of tasks which the CISO would be required to perform or for which they would be responsible. These lists consisted of a mixture of strategic and operational tasks and, given the interspersion of the types of tasks in the lists, it was often not apparent whether the compilers of the advertisements themselves could distinguish clearly between the different strategic and operational levels of tasks.
The focus of the responsibilities fell very much on risk; in fact, more so on risk than security. Protection against risks was paramount, and ensuring business continuity, speedy incident response, and disaster recovery were close seconds in the priorities. Also, according to many advertisements, the CISO was responsible for monitoring the external environment and keeping abreast of the latest developments in the information security and cybersecurity arenas.
At a senior, strategic level, the CISOs were generally required to manage the whole security operation. In most instances, they were required to devise an enterprise-wide security plan and implement it, coordinating all the relevant activities and staff involved. The success of the plan should be monitored regularly and the CISO was responsible for developing metrics and frameworks for regular reporting. The CISO was also responsible for developing and adhering to a security budget, although this was often not the case if the CISO reported to the CIO. In a number of instances, the CISO was responsible for the development of appropriate IT security governance mechanisms. Another important aspect of the CISO's responsibilities appeared to be to liaise and communicate with important internal and external stakeholders. These included the IT and risk departments internally but also all IT users, legislative and regulatory bodies, suppliers, and customers externally. Additionally, the CISO in many organizations would be tasked, to a greater or lesser extent, with the development of ongoing training and mentoring programs for staff to create an environment of security awareness and vigilance.
Although the strategic level tasks certainly did feature in the job descriptions, the overwhelming majority of the job descriptions contained lengthy lists of operational-level tasks. Sometimes over 30 tasks and responsibilities were listed. Occasionally, they would be introduced by such phrases as "oversees daily security activities," or responsibility for "all ongoing day-to-day activities." While it would be necessary for the position to be industry specific, one job description of the CISO in an average-type business industry even included that the job may contain "occasional bending, stooping, lifting and climbing."
3.2. What organizations are seeking
Given the responsibilities of the CISO, the requirements for the candidate organizations were seeking reflected some interesting trends. Considerable experience was required: usually at least 10 years in IT, 5–10 years in security, and 5–10 years in risk, of which at least five years should have been in a senior management/leadership role. However, only one or two organizations required evidence of successful accomplishments in those specific fields. In addition, the CISO should be knowledgeable about the business environment, although not all advertisements specified this. For organizations in the health sector particularly, knowledge of that specific industry was required.
With regard to education, a degree in computer science or related fields such as IT was usually required. Often a master's degree indicating either further specialization or, occasionally, more of a business focus as manifested in an MBA was recommended. However, an overwhelming list of industry qualifications, such as CISSP, CSSLP, CCFP, CISA, and CISM, was usually required. For instance, one job required experience with vulnerability scanning tools, web application vulnerability scanning tools, static analysis tools, and current security certifications such as CISSP, CSSLP, CCFP, GSSP-JAVA, and GSSP-NET. In addition, knowledge of ethical hacking tools was sometimes included. Knowledge of specific systems was usually required, including auditing systems like the ISO/IEC 2700 suite; frameworks like CoBIT, COSO, and ITIL; as well as international standards and regulations, such as those promoted by NIST, SOX, and HIPAA.
While some advertisements focused on strong technical skills, such as programming experience with Java and expertise in cryptography, other jobs sought a CISO who was proficient in PC use and Microsoft Windows. This range is surprising, particularly for someone heading up an information security department. Often, experience with Microsoft Windows is assumed in a similar way the ability to read is. On the other hand, the overwhelming focus on technical qualifications and expertise is understandable, but in many instances it was in disregard for the need for business knowledge and the ability to communicate with the rest of the organization and the board.
Some organizations sought a CISO who possessed excellent communication skills, including verbal, written, or public speaking. Yet others (albeit in the minority) took it further, and wanted someone with outstanding analytical skills, an uncanny ability to move swiftly to resolution, and an aptitude for providing flexible security solutions. One organization was looking for someone with a strong executive presence. A couple of advertisements sought a CISO with strong ethics and understanding of business and information security, as well as an expert level of personal integrity. The latter requirements are interesting because, of all people, someone in charge of security should possess a high level of personal integrity. However, sometimes the obvious needs to be stated and, as the examples in the introduction demonstrate, often it is those entrusted with highly confidential material who leak it.
Overall, it seems that both the role/job descriptions and the candidate requirements have a strong technical and security focus and that each of them, while containing some elements of business knowledge and understanding, saw the detailed technical/security expertise as being of primary importance. Given the mixture of strategic and operational tasks in many of the long lists in the job descriptions, the impression is created that, although they know CISOs should play a strategic role in their organization, organizations allocate many operational tasks to the role.
Picking up on the importance of good communication skills and business knowledge listed in some advertisements as requisite attributes, one of the emerging, primary roles of the CISO is to act as a bridge between the executive and IT security functions. It is imperative for the CISO to work well with people and have a good business understanding. Too much of an emphasis on technical expertise, without a balance of business knowledge and interpersonal skills, could be detrimental to the organization. Whitman and Mattord (2010, pp. 388–390) said, "In information security, over-specialization can actually be a drawback. . . The CISO is a business manager first and a technologist second."
4. The importance of the CISO as communicator
One of the biggest challenges that CISOs face is the invisibility of security success. Success usually goes unheralded, while breaches can receive huge attention. Success is not generally perceived as resulting from proactivity. If it is celebrated, it is in response to successful reaction to a breach that has already occurred, where the damage is minimized and business continuity is not too disrupted. More often than not, the response is to blame the security department if the reaction is unsuccessful, rather than celebrate each hurdle addressed or attack thwarted.
While boards worldwide are concerned about their security, the invisibility of much of the positive activity ensuring security makes it difficult for board members to grasp the spectrum of such activities and judge whether what is being done is sufficient. Plus, reporting of security performance is often swamped by any number of more pressing issues. For instance, private organizations would be more concerned about stakeholder wellbeing, share prices, and profits, until the organization is struck by a security attack.
As a communicator, success in the CISO role requires the ability to understand what is important to both business and technical audiences. It is unlikely that the issues faced by members of the executive team are the same as those faced by the people developing and administrating security controls within the organization. Having understood the expectations of all stakeholders, the CISO's role is to explain security concepts in terms that can be understood within the C-suite (e.g., through the use of analogy) and to educate the security team about the business drivers that direct the focus of security investment. In his article, Ragan (2014) quoted Stephen Boyer, the co-founder and CTO of BitSight Technologies:
In no way should every board member have to act as a security expert. But, in today's world, cyber risks are a major part of managing risk in a business. Therefore board members need to make it known what they see as critical and how to begin those conversations.
Acting as a conduit of security information to the executive and, ultimately, the board, it is essential for the CISO to make sure the security team understands what information is required, how discussions should be framed, and the level of abstraction required by decision makers. Otherwise, the CISO is at risk of having conversations with the business that fail to address the most relevant issues.
Based on an understanding of the organization's business strategy, the CISO will often work with risk practitioners to identify the most significant security risks. The CISO also needs to consider risk in relation to business partners and suppliers. Suppliers can be used as a backdoor to get into a targeted organization. Third-party assurance is a growing focus of security managers as organizations become increasingly connected. Security risk indicators help CISOs assess risk exposure. Such indicators might include the number of monthly attempts to access the corporate network from known sources of cyber espionage, attempted intellectual property theft, or quarterly revenue losses associated with customer data leakage incidents. These primary risk indicators are important to communicate to the board because they help illustrate the strengths and weaknesses of a company's overall security posture. Risk indicators such as these can be used to 'tell a story' to board members and fellow executives. Stories can help business managers understand what specific threats are targeting the organization, what the attacks look like, and what they can do to help avoid a breach.
This type of security reporting is primarily old-fashioned and can lead to a reactive response to security incidents. CISOs can reduce the risk of an ad hoc security response by adding context to threat discussions. One method of adding context is through industry and peer benchmarking (Solomon, 2014). The CISO can use peer benchmarking to tell the top management or board where their organization is in relation to their industry and suggest which areas might require improvement. Due to the shared threat of security incidents across industries, it is not uncommon for CISOs to create informal networks for the sharing of information. This level of collaboration between CISOs is not only useful in increasing security for all parties, but it also provides insight into whether an organization is more or less secure than others in the sector. By discussing the expected ranking of an organization within its peer group with top management, the CISO can help leaders justify strategic changes and investments that can improve security capability.
5. The reporting challenge for CISOs
Having established the risk context and having built security stories, the role of the CISO is then to communicate effectively the security performance and capability of the organization. Executive reports of security assurance and performance metrics, risk and compliance assessments, and ROI measures are often underpinned by a comprehensive set of metrics based on ISO 27001 or other security frameworks.
The challenge with such comprehensive security reporting is that it is generally acknowledged that communicating security information is incredibly difficult, especially with non-technical, disinterested, or time-constrained C-suite executives (Brousell, 2014). Addressing this challenge is not helped by the general trend for security briefings to occur less frequently than the monthly or quarterly briefings with other business disciplines such as finance, HR, or manufacturing. An industry-sponsored survey on the state of risk-based security (Ponemon Institute, 2013) found most senior executives are only asking to hear from their CISOs when breaches have occurred or other security crises hit a need-to-inform crisis level. The focus of the survey was the communication of security metrics. Respondents to the survey were not specifically CISOs but included IT security, operations, and risk management personnel, as well as internal audit and enterprise risk management. A total of 1,321 employees from U.S. and U.K. organizations responded. The survey resulted in these key findings:
- 75% of respondents indicated that metrics were important or very important to a risk-based security program.
- 53% didn't believe or were unsure whether the security metrics used in their organizations were properly aligned with business objectives.
- 51% didn't believe or were unsure whether their organizations' metrics adequately conveyed the effectiveness of security risk management efforts to senior executives.
The report also found that although many organizations rely on metrics for operational improvement in IT, more than half of IT professionals surveyed appeared to be concerned about their ability to use metrics to communicate effectively about security with senior executives. This survey supports a general view that the use of formal assurance techniques, based on comprehensive risk and security metrics, does not always provide an effective communication tool for the CISO.
6. The path ahead
There is a growing trend toward CISOs using cybersecurity control benchmarks, which is viewed as a semi-formal alternative to comprehensive security reporting. One such benchmark that has proven useful within some organizations is the SANS 20 Critical Security Controls (Cain & Couture, 2011; Hardy, 2012). This benchmark is based on a relatively short list of security controls that have proven most useful in combatting cybersecurity incidents. Each of the controls is described in easily understood terms. The current top five from this list (SANS, 2016) are:
1. Inventory of authorized and unauthorized devices;
2. Inventory of authorized and unauthorized software;
3. Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers;
4. Continuous vulnerability assessment and remediation; and
5. Controlled use of administrative privileges.
A comparable cybersecurity control benchmark, the ASD Top 35, is provided by the Australian Department of Defence, Intelligence, and Security (2014). This benchmark is a similarly brief and easily understood list of security controls that have been proven to be effective. The current top four on the ASD list are:
1. Perform application whitelisting of permitted/trusted programs to prevent execution of malicious or unapproved programs, including .DLL files, scripts, and installers.
2. Patch applications (e.g., Java, PDF viewer, Flash, web browsers, and Microsoft Office). Patch/mitigate systems with 'extreme risk' vulnerabilities within two days. Use the latest version of applications.
3. Patch operating system vulnerabilities. Patch/mitigate systems with extreme risk vulnerabilities within two days. Use the latest suitable operating system version. Avoid Microsoft Windows XP.
4. Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.
The New Zealand government, for instance, used the top four controls from the ASD benchmark as a component of the original New Zealand Cyber Security Strategy. The key stakeholders in the strategy were the CEOs of each of the core government agencies. Each CEO was held accountable for their agency's performance with respect to these four controls. This limited scope made it relatively easy for the CISO (or security manager) within each agency to have conversations about the current state of each control, the associated risks, and mitigation strategies.
This approach to reporting a small number of controls can be used in conjunction with the shortlisting of four to six cyber risks, and reporting the risk indicators that signal the organization's level of exposure to them. A short list of information security risks might include intellectual property theft, a data breach that compromises sensitive customer information, or financial and third-party fraud (Paredes, 2016). The benefit of shortlisting security risks and controls is that they allow the CISO to focus on communicating a relatively small number of significant areas within the larger domain of information security. This more manageable set of controls and corresponding smaller set of metrics is easier to explain to the senior managers. A small number of target controls also provides an opportunity for a CISO to show measurable progress in improving security within an organization.
An ongoing challenge for CISOs is to maintain the momentum gathered by a focused campaign to create an ongoing dialogue with the executive. Another challenge, one for the organization rather than the CISO to deal with, is to ensure that IT-savvy board members are elected. Better still, such board members should have a good understanding of the basic underpinnings of cybersecurity and the protection of information assets and IT systems.
7. Conclusion
In exploring the challenges that confront organizations in their selection of a suitable CISO, two main issues were addressed. First, the organization has to be very clear on what it wants in terms of the job the CISO is expected to perform and the corresponding attributes such an incumbent would need to possess. The CISO is a senior-level executive and as such should be performing strategic-level tasks rather than daily operational ones. Furthermore, rather than being a specialized technical expert (although we are not denying the importance of technical expertise), the CISO should be an excellent communicator with business knowledge and interpersonal skills. This will help address the second issue, which is how the CISO can fashion communication with the board and the executive in a manner that is most effective and enables the organization to address its cybersecurity challenges. Some suggestions are provided that serve to be both effective and efficient. However, organizations need to embrace their concern about cybersecurity and build it into their selection criteria for board members.
References
Australian Government. Australian Department of Defence, Intelligence, and Security. (2014). Strategies to mitigate targeted cyber intrusions. Retrieved from http://www.asd.gov.au/publications/Mitigation_Strategies_2014.pdf
Brousell, L. (2014). How CSOs can help CIOs talk security to the board. CIO. Retrieved from http://www.cio.com/article/2850855/security0/how-csos-can-help-cios-talk-security-to-the-board.html
Cain, C. I., & Couture, E. (2011). Establishing a security metrics program - Final project report [White Paper]. Bethesda, MD: SANS Institute.
Hardy, M. G. (2012). Reducing federal systems risk with the SANS 20 Critical Controls [White Paper]. Bethesda, MD: SANS Institute.
Paredes, D. (2016). Tech disruption and cybersecurity top boardroom agenda in NZ. CIO. Retrieved from http://www.cio.co.nz/article/593402/tech-disruption-cybersecurity-top-boardroom-agenda-nz/
Ponemon Institute. (2013). The state of risk-based security management. Retrieved from http://www.tripwire.com/it-resources/the-state-of-risk-based-security-2013-full-report/showMeta/2/?dl=C4FEDC6D-CA1F-B5BC-8816561E822ACABE
Ragan, S. (2014). Addressing security with the board: Tips for both sides of the table. CSO. Retrieved from http://www.csoonline.com/article/2606073/security-leadership/addressing-security-with-the-board-tips-for-both-sides-of-the-table.html
SANS. (2016). CIS critical security controls. Retrieved March 20, 2016, from https://www.sans.org/critical-security-controls/
Solomon, H. (2014). Risk management provider now ranks organizations against each other. IT World Canada. Retrieved from http://www.itworldcanada.com/article/risk-management-provider-now-ranks-organizations-against-each-other/94859
Whitman, M. E., & Mattord, H. J. (2010). The management of information security (3rd ed.). Boston: Cengage Learning.