THE QUANTIFICATION OF

INFORMATION SYSTEMS RISK

PhD Research
By Craig S Wright
Information

Craig S Wright
PhD Candidate,
Charles Sturt University

Craig.Wright@information-defense.com
Introduction

Incomplete information is not

always information asymmetry
Information security is a risk
function.
Paying for too much security can
be more damaging in economic
terms than not buying enough.
This leads to the optimal
expenditure on damage prevention
and where this should lie.
Introduction

Incomplete information is not

always information asymmetry
Who should be responsible for
the security failures that are
impacting the economy and
society?
How can this be maximized in
order to minimize negative
externalities?
Papers
Conference submissions
GC10 Globecomm 2010
Criminal Specialization as a corollary of Rational Choice.
Rationally opting for the insecure alternative: Negative externalities and the
selection of security controls
SCN Conference on Security and Cryptography for Networks
Modelling System Audit as a Sequential test with Discovery as a Failure Time
Endpoint
NSS International Conference on network and System Security
A quantitative analysis into the economics of testing software bugs.
ACM CCS ACM Conference on Computer and Communications
Security
Current issues and liability facing Internet Intermediaries.
ProvSec International Conference on Provable Security
Software,Vendors and Reputation: an analysis of the dilemma in creating
secure software.
Papers
Conference submissions (Continued)
SecureComm International Conference on Security and Privacy for
Communication Networks
A preamble into aligning Systems engineering and Information security risk measures
IWSEC International Workshop on Security
Software, Vendors and Reputation! Oh My!
ICIS International Conference on Information Systems
Who pays for a security violation? An assessment into the cost of lax security,
negligence and risk, a glance into the looking glass.
SAGT International Symposium on Algorithmic Game Theory
When it is best to walk away: Economic efficiency and the Good Samaritan
ISSRE International Symposium on Software Reliability Engineering
Of Black Swans, Platypii and Bunyips.
Journal Papers
Computer Law and Security Review
Legal
Applications as they apply to Internet Intermediaries in relation to Specific
Conduct
Rational Choice Theory

Criminal
Specialization as a
corollary of
Rational Choice.
Rational choice theory
is based on the
assumption an agent
as Homo economicus
holds particular sets
of discrete, fixed,
hierarchical
predilections
Rational Choice Theory

Criminal
Specialization as a
corollary of
Rational Choice.
The addition of income
achieved by successful
cybercriminals
changes the levels of
economic constraints
and leads to increasing
levels of crime.
Rational Choice Theory

Criminal
Specialization as
a corollary of
Rational Choice.
Economic
constraints and price
policies through
increases in the
expected cost of
criminal activity
leads to lower rates
of cybercrime.
Rational Choice Theory

Predator - Prey Games as a model

for cybercrime
The decisions of A and B when taken
together result in either an attack
against B or A engaging in alterative
activities and are displayed in the
upper and lower branches of the
game tree.
As B makes the first move, player B

can anticipate player A's reaction

and choose a level of expenditure on
security controls that selects the
outcome.
When it is profitable, player B

chooses a level of security controls

that induce A to either attack an
alternative (a party who has spent
less on controls than B) or to engage
in legitimate activity (such as trade).
Rational Choice Theory

Rationally opting
for the insecure 1.What is the importance of the
alternative: information or resource being
Negative protected?
2.What is the potential impact, if
externalities and the security is breached?
the selection of 3.Who is the attacker likely to be?
security controls 4.What are the skills and
resources available to an
Relative computer attacker?
security can be 5.What constraints are imposed
measured using six by legitimate usage?
6.What resources are available to
factors implement security?
Stag Hunt
Incomplete This game has two pure
information is strategy equilibria in which
not always both of the players prefer
the lower risk equilibrium
information
to the higher payoff
asymmetry equilibrium.
A better game The game is both Pareto
model for the optimal and Hicks optimal,
but the sub-optimal and
software industry hence inefficient
is the Stag equilibrium poses a lower
Hunt. risk to either player.
Stag Hunt
Incomplete This game has two pure
information is strategy equilibria in which
not always both of the players prefer
the lower risk equilibrium
information
to the higher payoff
asymmetry equilibrium.
A better game The game is both Pareto
model for the optimal and Hicks optimal,
but the sub-optimal and
software industry hence inefficient
is the Stag equilibrium poses a lower
Hunt. risk to either player.
System Modelling

Modelling System
Audit as a
Sequential test Modeling the failure rate of systems
with Discovery as and the propagation rate of an
a Failure Time attack, allows us to calculate an
expected number of hosts that are
Endpoint anticipated to have been
compromised in the time between an
audit given a specified survival
function or threat.
System Modelling

Modelling System
Audit as a
Sequential test
with Discovery as Past data and comparisons from
similar systems (such as survival
a Failure Time data from DShield[1]) allow for the
Endpoint modeling of alternative systems
where a reported number of events
have been reported against those
deployed.
System Modelling

Modelling System
Audit as a
Sequential test
with Discovery as Past data and comparisons from
similar systems (such as survival
a Failure Time data from DShield[1]) allow for the
Endpoint modeling of alternative systems
where a reported number of events
have been reported against those
deployed.
System Modelling

SIR
(Susceptible- Allowing that a compromised
Infected- or infected system remains
Removed) infected for a random amount
of time , the discovery of an
epidemic
incident by an auditor will be
modelling of dependent on a combination
incidents of the extent of the sample
during Audit tested during the audit and
the rate at which the incident
impacts individual hosts
A quantitative analysis into the
economics of testing software bugs

Program size
against Coding
time
A quantitative analysis into the
economics of testing software bugs

A Box plot of
the ratio of
buggy patches
 A quantitative analysis into the
economics of testing software bugs

Training in
security helps

The Utility of Training

1
0.9
0.8
0.7
Utility
0.6
Utility
0.5
0.4
0.3
0.2
0.1
0
Training (t)
A quantitative analysis into the
economics of testing software bugs

Perceptrons can
automate risk
detection
Imperfect Information
At present, it can
be demonstrated The vendor does not know the
that neither side situation of the user (for the
(the user or the most part) and the user may
not have an easily accessibly
vendor) is
means of determining the risk
informed as to from software.
the true risks and Worse, neither side is likely to
costs of software. know the risk posed from
integrating multiple software
products
Security and Compliance
Audit with employee incentives
1. The employee has no knowledge of
extra testing by the auditor and no
extra tests are to be conducted
2. The client has knowledge of testing
(from past experience) conducted by
the auditor.
3. Prior tests have occurred, but new
auditors have done the testing.
Audit with no employee incentives
4. The employee has no knowledge of
extra testing by the auditor and no
extra tests are to be conducted
5. The client has knowledge of testing
(from past experience) conducted by
the auditor.
6. Prior tests have occurred, but new
auditors have done the testing.
Patching is aligned to Audit
Some systems
are well
configured and
patched.
Others are
terrible

It all depends on
what is audited
Compliance does not mean
Security
1
As systems
become more
compliant, more
0.8

0.6
Security
Compliance
is taken from
C.S
Total Security security.
0.4

0.2

0
Software is on average
improving
80.00 Bugs / M.
SLOC
M. SLOC
70.00 Bugs/10
There is just
60.00
SO MUCH MORE
50.00
of it!
40.00

30.00

20.00

10.00
C
LO
.S
/M

0.00
gs
Bu
93

94

96

00
19

01
19

03
19

06
20

09
20

20

20

20
Security Features work
Firewalling
unpatched
systems has a
significant effect
Security Features work
More people leads to less
Larger teams can
find less
More people leads to less
Larger teams can
find less and cost
more
Better managed systems
survive
Displayed above we
have a plot of the
survival time against
automated
processes (green)
overlayed with that
of manual processes
(red).
The Loess fit for each
is also incorporated
into the plot.
Conclusion
The addition of measures that take
externalities into account act as a
signaling instrument that reduce
information asymmetry and improve the
overall risk position of both the
consumer and vendor.
The development of a software risk
derivative mechanism would be
beneficial to security through the
provision a signaling process to security
and risk.
Questions/Discussions

Any questions?