Title: Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College
1Scott DynesCenter for Digital StrategiesTuck
School of Business at Dartmouth College
Information Security and IT Risk Management in
the Real World Results From Field Studies
2- What We Study
- Risks firms face as a result of using the
information infrastructure to manager their
extended enterprise - How firms make InfoSec investment decisions
- Emergent risk from business networks
- Privacy
3Field Study
Our Field Studies Methods Investigate a host
firm and a few suppliers of different sizes. At
each firm conduct interviews to determine - How
InfoSec investment decisions are made. - How
reliant the firm is on the information
infrastructure for its ability to produce
product. Understand the means by which the host
and suppliers communicate to gauge the internal
IT risk due to integration.
4Field Study
Field Study Sector Coverage
5Field Study
- Key Results From Field Studies
Four Main Paradigms To Managing/Investing in
Information Security
- The Sore Thumb Paradigm
- The IT Risk Paradigm
- The Business Risk Paradigm
- The Systemic Risk Paradigm
6Field Study
- Key Results From Field Studies
Four Main Paradigms To Managing/Investing in
Information Security
- The Sore Thumb Paradigm
- The IT Risk Paradigm
- The Business Risk Paradigm
- The Systemic Risk Paradigm
Low/No Economic Role
High Economic Role
7Field Study
- Key Results From Field Studies
Firms Are Mainly Taking A Local View of
Information Security
- Risk in supply chain glitches, leading to
business sector brittleness - Hypothesis Firms managing risk in the extended
enterprise will directly lead to greater sector
resiliency
8Field Study
- Key Results From Field Studies
Local vs. Sector Views of Information Security
9Field Study
- Key Results From Field Studies
Firms Are Mainly Taking A Local View of
Information Risk
10Field Study
- Key Results From Field Studies
Firms Are Mainly Taking A Local View of
Information Risk
11Field Study
- Key Results From Field Studies
Firms Are Mainly Taking A Local View of
Information Risk
12Field Study
- Key Results From Field Studies
Notable Incentives/Drivers For InfoSec Investment
- Customer requests - firms are very responsive
- Government regulation - have to do it, but firms
feel largely ineffective - Brand protection
- Insurance - in unexpected ways
13Field Study
- Latent Market Forces Exist
- Proper Government Role Create Markets Through
Increasing Transparency - Key Challenge Enabling Investment Against
Intangible, Never-Happened-Before Risks
14 15Field Study
- Production resilience to cyber disruptions
Manufacturing sector In general, production not
sensitive to internet outages supply chain
sensitive to internet outages.
- Once beyond first tier of suppliers, reliance on
information infrastructure to manage supply chain
is low - Electrical BU supply chain has learned behavior
- High-volume supply relations have extensive
forecasting - Everyone would do the expected thing
- Pain comes in distribution
- Auto BU- centralized control strategy leads to
lack of learned behavior
16Field Study
- Production resilience to cyber disruptions
17Input-Output Model
Leontief Model
xo Axi c
Production x
Consumption c
A Technical Coefficient Matrix calculated from
U.S. Bureau of Economic Analysis data
Inoperability I-O Model (IIM)
qo A qi c
Terrorist Attack c
Inoperability q
A Interdependency Matrix
18Ripple Effects
Input-Output Model
19Economic Costs of Cyber-events
20Economic Costs of Cyber-events
10 days of U.S. GDP 330,000 MM
21Take-Aways
- The first demonstration of an empirically-based
approach to estimating national economic
consequences of cyber events - The economic costs of the cyber events
investigated may not be that great from a sector
and national perspective. - For the sectors presented (Manufacturing, Oil
Refining), supply chains are largely resilient to
cyber disruptions. - Economic consequences due to cyber events depend
on how, not whether firms use technology.
22 23Incentives
What is an incentive? Example UK/US ATM
regulations Example Attendee badges at RSA
Security conference Example The
Commons Example Stop Signs
24Incentives - Information Security
- Home Users
- What are they motivated to do?
- Privacy - not necessarily important
- Use of machine - is important
- Result no real incentive to protect machine
until something bad happens - Bad things
- Assimilation by Bot network Spam generator
- Spyware/virii machine becomes ever more unstable
25Incentives - Information Security
- Business Users
- What are they motivated to do?
- Make Money! (rational market assumption)
26Economic Costs - Information Security
Economic Costs of Cyber Events
27InfoSec Adoption by Firms
In a rational market, firms will maximize profit.
After Gordon and Loeb 2002
28InfoSec Adoption by Firms
This Optimal Spending approach requires
- Titration of cyber losses and cyber spending
- Some idea of what effect cyber spending has on
cyber losses - A good idea of the threat environment in which
the firm lives
What are the incentives felt by directors of
information security?
29InfoSec Adoption by Firms
Drivers of Adoption of InfoSec
30InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Inputs
Baseline level of InfoSec based on -
Experience - Input from trusted colleagues -
External Consultants - Trade mags/ other
press Beyond baseline level, firms respond
mainly to - Customer requests/questionnaires -
Government regulation
31InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Prioritization
- How were InfoSec recommendations prioritized, and
received by decision-makers? - At InfoSec managers level, InfoSec wants
prioritized by - - Cost
- Exposure
- Internal pain
32InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Outcomes
- Making the leap from InfoSec manager to business
managers, we found - InfoSec not an important issue
- InfoSec efforts largely reactive and tactical
- ROI measures mainly qualitative investments
seemingly made to eliminate all InfoSec incidents
(not explicitly to minimize total costs) - Most impressive firm didnt even have the
conversation.
33InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Outcomes
Managing Risk - always implicit, was never
explicit Info on threats - same as inputs Info
on probabilities came from - History - Industry
pubs - Gartner/Meta/etc. - Gut - Al - Tech
Republic Info on costs of attacks came
from -Gut
34InfoSec Adoption by Firms
Drivers of Adoption of InfoSec
All firms thought of InfoSec as an expense Most
thought of InfoSec as a qualifier, even though
none had any InfoSec requirements of their
business partners Few gave examples of InfoSec
as a competitive advantage
35InfoSec Adoption by Firms
Summary 4 Paradigms for InfoSec Risk Management
- The Sore Thumb Approach
- The IT Risk Approach
- The Business Risk Approach
- The Systemic Risk Approach
- In most business sectors, InfoSec is not a
technical challenge, but a social/organizational
challenge
36Incentives - Information Security
- Government/National Level
- What are they motivated to do?
-
37Incentives - Information Security
Government/National Level
38Incentives - Information Security
Government/National Level
39Incentives - Information Security
Government/National Level Freeman Drivers
- - Market Forces
- Government Regulation
- Litigation
- Government Spending
40Incentives - Information Security
Intellectual Property loss - the real worry?
41Incentives - Information Security
Government/National Level
Effects on Production of a 10-day Internet Outage
at an Electrical Goods Manufacturer
42Incentives - Information Security
Government/National Level
Total Economic Effects on Production of a 10-day
Internet Outage at an Electrical Goods
Manufacturer - 22.6 Million
43Managing Cyber Risk
Globally Known
Globally Unknown
Viruses
Other OS bugs
Web Site Defacement
Locally Known
Phishing
OS bugs
Best practices
Applied Research
? ? ? (Phishing)
Locally Unknown
Education
Basic Research
44Managing Cyber Risk Reactive IS
Globally Known
Globally Unknown
Viruses
Other OS bugs
Web Site Defacement
Locally Known
Phishing
OS bugs
Implement
Wait for patch
? ? ?
Locally Unknown
---
Unprepared when something happens
45Managing Cyber Risk Proactive IS
Globally Known
Globally Unknown
Viruses
Other OS bugs
Web Site Defacement
Locally Known
Phishing
OS bugs
Listen, work to mitigate outcomes
Implement
? ? ?
Locally Unknown
---
Watch, try to ID bad outcomes
46- Managing Cyber Risk Mind The Gap
- Manufacturer Manager of InfoSec wants to patch
critical vulnerability. Business manager would
rather risk infection of machines and close the
quarter. - Oil refinery Manager of InfoSec wants better
SCADA security VP refining How is more SCADA
security going to help me make better oil? - Hospital IS thinks virus event was mainly an IS
event and had minor impact on clinical units
clinical unit manager It was a living hell - Most every InfoSec manager information security
is not a priority with business managers.
47(No Transcript)