Scott Dynes Center for Digital Strategies Tuck School of Business at Dartmouth College - PowerPoint PPT Presentation

Transcript and Presenter's Notes


1
Scott Dynes
Center for Digital Strategies
Tuck School of Business at Dartmouth College
Information Security and IT Risk Management in
the Real World: Results From Field Studies
2
What We Study
  • Risks firms face as a result of using the
    information infrastructure to manage their
    extended enterprise
  • How firms make InfoSec investment decisions
  • Emergent risk from business networks
  • Privacy

3
Field Study
Our Field Study Methods
Investigate a host firm and a few suppliers of
different sizes. At each firm, conduct interviews
to determine:
  - How InfoSec investment decisions are made.
  - How reliant the firm is on the information
    infrastructure for its ability to produce
    product.
Understand the means by which the host and
suppliers communicate to gauge the internal IT
risk due to integration.
4
Field Study
Field Study Sector Coverage
5
Field Study
  • Key Results From Field Studies

Four Main Paradigms To Managing/Investing in
Information Security
  • The Sore Thumb Paradigm
  • The IT Risk Paradigm
  • The Business Risk Paradigm
  • The Systemic Risk Paradigm

6
Field Study
  • Key Results From Field Studies

Four Main Paradigms To Managing/Investing in
Information Security
  • The Sore Thumb Paradigm
  • The IT Risk Paradigm
  • The Business Risk Paradigm
  • The Systemic Risk Paradigm

Axis: Low/No Economic Role to High Economic Role
7
Field Study
  • Key Results From Field Studies

Firms Are Mainly Taking A Local View of
Information Security
  • Risk in supply chain glitches, leading to
    business sector brittleness
  • Hypothesis: Firms managing risk in the extended
    enterprise will directly lead to greater sector
    resiliency

8
Field Study
  • Key Results From Field Studies

Local vs. Sector Views of Information Security

9
Field Study
  • Key Results From Field Studies

Firms Are Mainly Taking A Local View of
Information Risk

12
Field Study
  • Key Results From Field Studies

Notable Incentives/Drivers For InfoSec Investment
  • Customer requests - firms are very responsive
  • Government regulation - have to do it, but firms
    feel it is largely ineffective
  • Brand protection
  • Insurance - in unexpected ways

13
Field Study
Conclusion
  • Latent Market Forces Exist
  • Proper Government Role: Create Markets Through
    Increasing Transparency
  • Key Challenge: Enabling Investment Against
    Intangible, Never-Happened-Before Risks

14

15
Field Study
  • Production resilience to cyber disruptions

Manufacturing sector: in general, production is not
sensitive to internet outages; the supply chain is
sensitive to internet outages.
  • Once beyond first tier of suppliers, reliance on
    information infrastructure to manage supply chain
    is low
  • Electrical BU supply chain has learned behavior
  • High-volume supply relations have extensive
    forecasting
  • Everyone would do the expected thing
  • Pain comes in distribution
  • Auto BU - centralized control strategy leads to
    lack of learned behavior

16
Field Study
  • Production resilience to cyber disruptions

17
Input-Output Model
Leontief Model
  x = A x + c
  Production: x
  Consumption: c
  A: Technical Coefficient Matrix calculated from
  U.S. Bureau of Economic Analysis data
Inoperability I-O Model (IIM)
  q = A* q + c*
  Terrorist Attack: c*
  Inoperability: q
  A*: Interdependency Matrix
18
Ripple Effects
Input-Output Model
19
Economic Costs of Cyber-events
20
Economic Costs of Cyber-events
10 days of U.S. GDP: 330,000 MM
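The IIM equation from the model slides, as an added example that is not from the presentation: a pure-Python solver for q = A* q + c* on a constructed three-sector economy, iterated one ripple at a time so the propagation the slides call ripple effects is visible, then priced against constructed daily outputs. The sector names, A* entries, c* shock and output figures are all assumed illustrative values, not Bureau of Economic Analysis data.

```python
"""Added example (not from the slides): solve the Inoperability I-O Model
q = A* q + c* for a constructed 3-sector economy, one ripple at a time."""
from typing import List

Matrix = List[List[float]]
Vector = List[float]

# Constructed interdependency matrix A*: A_STAR[i][j] is the inoperability
# passed to sector i per unit of inoperability in sector j (illustrative
# values, not derived from Bureau of Economic Analysis data).
SECTORS = ["Electrical goods", "Distribution", "Retail"]
A_STAR: Matrix = [
    [0.00, 0.20, 0.05],
    [0.30, 0.00, 0.10],
    [0.10, 0.40, 0.00],
]
# Constructed direct shock c*: the internet outage is assumed to make the
# electrical-goods sector 25% inoperable; the others feel it only via A*.
C_STAR: Vector = [0.25, 0.0, 0.0]
# Constructed daily output per sector in $MM, used to price inoperability.
DAILY_OUTPUT_MM: Vector = [9.0, 20.0, 15.0]


def matvec(a: Matrix, v: Vector) -> Vector:
    return [sum(a[i][j] * v[j] for j in range(len(v))) for i in range(len(a))]


def iim_inoperability(a_star: Matrix, c_star: Vector,
                      tol: float = 1e-12, max_rounds: int = 10_000) -> Vector:
    """Neumann series q = c* + A*c* + (A*)^2 c* + ...: each term is one ripple
    of propagated inoperability. Converges when the spectral radius of A* < 1."""
    q, ripple = list(c_star), list(c_star)
    for _ in range(max_rounds):
        ripple = matvec(a_star, ripple)
        q = [qi + ri for qi, ri in zip(q, ripple)]
        if max(abs(r) for r in ripple) < tol:
            return q
    raise ValueError("IIM did not converge: spectral radius of A* must be < 1")


def residual(a_star: Matrix, q: Vector, c_star: Vector) -> float:
    """Largest entry of |q - A* q - c*|; zero at the model's fixed point."""
    aq = matvec(a_star, q)
    return max(abs(qi - aqi - ci) for qi, aqi, ci in zip(q, aq, c_star))


def lost_output_mm(q: Vector, daily_output: Vector, days: int) -> float:
    """Output lost across all sectors over the outage, in $MM."""
    return days * sum(qi * out for qi, out in zip(q, daily_output))
```

Comparing lost_output_mm(C_STAR, ...) with lost_output_mm(iim_inoperability(A_STAR, C_STAR), ...) for 10 days shows how much of the total cost is ripple rather than direct shock.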
21
Take-Aways
  • The first demonstration of an empirically-based
    approach to estimating national economic
    consequences of cyber events
  • The economic costs of the cyber events
    investigated may not be that great from a sector
    and national perspective.
  • For the sectors presented (Manufacturing, Oil
    Refining), supply chains are largely resilient to
    cyber disruptions.
  • Economic consequences due to cyber events depend
    on how, not whether, firms use technology.

22

23
Incentives

What is an incentive?
  • Example: UK/US ATM regulations
  • Example: Attendee badges at RSA Security conference
  • Example: The Commons
  • Example: Stop Signs
24
Incentives - Information Security
  • Home Users
  • What are they motivated to do?
  • Privacy - not necessarily important
  • Use of machine - is important
  • Result: no real incentive to protect machine
    until something bad happens
  • Bad things:
  • Assimilation by bot network / spam generator
  • Spyware/viruses: machine becomes ever more unstable

25
Incentives - Information Security
  • Business Users
  • What are they motivated to do?
  • Make Money! (rational market assumption)

26
Economic Costs - Information Security
Economic Costs of Cyber Events

27
InfoSec Adoption by Firms
In a rational market, firms will maximize profit.

After Gordon and Loeb 2002
28
InfoSec Adoption by Firms
This Optimal Spending approach requires
  • Titration of cyber losses and cyber spending
  • Some idea of what effect cyber spending has on
    cyber losses
  • A good idea of the threat environment in which
    the firm lives

What are the incentives felt by directors of
information security?
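The Gordon and Loeb model referred to above, as an added example that is not from the presentation: it computes the optimal spend z* from exactly the three inputs the slide lists (the potential loss, the effect of spending on breach probability, and the vulnerability describing the threat environment), using Gordon-Loeb's class-I breach-probability function S(z, v) = v/(αz+1)^β. The values v = 0.6, loss = 100 and α = β = 1 are constructed for illustration.

```python
"""Added example (not from the slides): Gordon-Loeb (2002) optimal InfoSec
investment using their class-I breach probability function. Every numeric
input below is constructed for illustration."""
import math


def breach_probability(z: float, v: float, alpha: float = 1.0, beta: float = 1.0) -> float:
    """S(z, v) = v / (alpha*z + 1)**beta: breach probability after investing z,
    starting from vulnerability v (the threat environment), with diminishing returns."""
    return v / (alpha * z + 1.0) ** beta


def enbis(z: float, v: float, loss: float, alpha: float = 1.0, beta: float = 1.0) -> float:
    """Expected net benefit of investing z: expected loss avoided minus z,
    where loss is the monetary loss suffered if a breach occurs."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z


def optimal_investment(v: float, loss: float, alpha: float = 1.0, beta: float = 1.0) -> float:
    """z* from d ENBIS/dz = 0, i.e. (alpha*z + 1)**(beta + 1) = v*alpha*beta*loss,
    floored at zero: when the threat is small enough, spending nothing is optimal."""
    z = ((v * alpha * beta * loss) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def titrate(v: float, loss: float, alpha: float = 1.0, beta: float = 1.0,
            step: float = 0.01) -> float:
    """Brute-force sweep of spending levels up to the expected loss v*loss:
    the titration of spending against losses that the slide calls for."""
    best_z, best_val = 0.0, enbis(0.0, v, loss, alpha, beta)
    for i in range(1, int(v * loss / step) + 1):
        z = i * step
        val = enbis(z, v, loss, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def within_one_over_e(v: float, loss: float, alpha: float = 1.0, beta: float = 1.0) -> bool:
    """Gordon-Loeb's headline result: z* never exceeds 1/e of the expected loss."""
    return optimal_investment(v, loss, alpha, beta) <= v * loss / math.e + 1e-12


if __name__ == "__main__":
    v, loss = 0.6, 100.0  # constructed: 60% vulnerability, $100MM loss if breached
    z_star = optimal_investment(v, loss)
    print(f"z* = {z_star:.3f}, ENBIS(z*) = {enbis(z_star, v, loss):.3f}, "
          f"sweep = {titrate(v, loss):.2f}, expected loss = {v * loss:.1f}")
```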
29
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec

30
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Inputs

Baseline level of InfoSec based on:
  - Experience
  - Input from trusted colleagues
  - External consultants
  - Trade mags/other press
Beyond baseline level, firms respond mainly to:
  - Customer requests/questionnaires
  - Government regulation
31
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Prioritization
  • How were InfoSec recommendations prioritized, and
    received by decision-makers?
  • At the InfoSec manager's level, InfoSec wants are
    prioritized by:
    - Cost
    - Exposure
    - Internal pain

32
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Outcomes
  • Making the leap from InfoSec manager to business
    managers, we found:
  • InfoSec not an important issue
  • InfoSec efforts largely reactive and tactical
  • ROI measures mainly qualitative; investments
    seemingly made to eliminate all InfoSec incidents
    (not explicitly to minimize total costs)
  • Most impressive firm didn't even have the
    conversation.

33
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec - Outcomes

Managing Risk - always implicit, never explicit
Info on threats - same as inputs
Info on probabilities came from:
  - History
  - Industry pubs
  - Gartner/Meta/etc.
  - Gut
  - Al
  - Tech Republic
Info on costs of attacks came from:
  - Gut
34
InfoSec Adoption by Firms
Drivers of Adoption of InfoSec

All firms thought of InfoSec as an expense. Most
thought of InfoSec as a qualifier, even though
none had any InfoSec requirements of their
business partners. Few gave examples of InfoSec
as a competitive advantage.
35
InfoSec Adoption by Firms
Summary: 4 Paradigms for InfoSec Risk Management
  • The Sore Thumb Approach
  • The IT Risk Approach
  • The Business Risk Approach
  • The Systemic Risk Approach
  • In most business sectors, InfoSec is not a
    technical challenge, but a social/organizational
    challenge

36
Incentives - Information Security
  • Government/National Level
  • What are they motivated to do?

37
Incentives - Information Security

Government/National Level
39
Incentives - Information Security

Government/National Level: Freeman Drivers
  • Market Forces
  • Government Regulation
  • Litigation
  • Government Spending

40
Incentives - Information Security
Intellectual Property loss - the real worry?

41
Incentives - Information Security

Government/National Level
Effects on Production of a 10-day Internet Outage
at an Electrical Goods Manufacturer
42
Incentives - Information Security

Government/National Level
Total Economic Effects on Production of a 10-day
Internet Outage at an Electrical Goods
Manufacturer - 22.6 Million
43
Managing Cyber Risk

A 2x2 matrix of threat knowledge: columns Globally
Known / Globally Unknown, rows Locally Known /
Locally Unknown.
Threat examples placed on the grid: Viruses, Other
OS bugs, Web Site Defacement, Phishing, OS bugs,
? ? ? (Phishing)
Responses, Locally Known row: Best practices
(Globally Known), Applied Research (Globally
Unknown)
Responses, Locally Unknown row: Education,
Basic Research
44
Managing Cyber Risk: Reactive IS

Same 2x2 matrix (Globally Known / Globally Unknown
by Locally Known / Locally Unknown); threat
examples: Viruses, Other OS bugs, Web Site
Defacement, Phishing, OS bugs, ? ? ?
Responses, Locally Known row: Implement (Globally
Known), Wait for patch (Globally Unknown)
Responses, Locally Unknown row: ---, Unprepared
when something happens
45
Managing Cyber Risk: Proactive IS

Same 2x2 matrix (Globally Known / Globally Unknown
by Locally Known / Locally Unknown); threat
examples: Viruses, Other OS bugs, Web Site
Defacement, Phishing, OS bugs, ? ? ?
Responses, Locally Known row: Implement (Globally
Known), Listen, work to mitigate outcomes
(Globally Unknown)
Responses, Locally Unknown row: ---, Watch, try to
ID bad outcomes
46
  • Managing Cyber Risk: Mind The Gap
  • Manufacturer: Manager of InfoSec wants to patch a
    critical vulnerability. Business manager would
    rather risk infection of machines and close the
    quarter.
  • Oil refinery: Manager of InfoSec wants better
    SCADA security. VP refining: "How is more SCADA
    security going to help me make better oil?"
  • Hospital: IS thinks the virus event was mainly an
    IS event and had minor impact on clinical units.
    Clinical unit manager: "It was a living hell."
  • Most every InfoSec manager: information security
    is not a priority with business managers.

