Security Standardization in the Presence of Unverifiable Control

Security Standardization in the Presence of Unverifiable Control
Chul Ho Lee, with Dr. Geng and Dr. Raghunathan
The University of Texas at Dallas
2011.6.15

Agenda
Introduction & Research Question
Literature Review
Model Setup
Model Analysis

Introduction - The emergence of security standard
- Damages from security breaches often go beyond the organizational boundary
  o 2006: the U.S. Department of Veterans Affairs lost 26.5 million records of personal information
  o 2007: retailer TJX Companies lost 46.2 million credit and debit cards
  o 2005: identity theft resulted in corporate and consumer losses of $56 billion
- Firms do not have incentive to protect stakeholder value out of their boundaries
- "Regulation forces companies to take security more seriously." - Bruce Schneier (2008)
  o PCI-DSS for the payment card industry

Introduction - But do security standards really help?
- The number of breached companies keeps increasing since 2005.
[Figure: The Number of Breached Companies (Business Company), 2004-2009, annotated with PCI DSS releases: Dec. 2004 PCI DSS released; Sep. 2006 Version 1.1 released; Oct. 2008 Version 1.2 released; Oct. 2010 Version 2.0 released]

Introduction - Relaxing of PCI-DSS standard
- Is it just a coincidence?
- On October 1, 2008, PCI-DSS version 1.2 was adopted
- A major change in this version is the relaxation of some standards
  o changed the frequency of rule set review from quarterly to at least every six months.
- Why relax the standards?
  o Has the number of security breaches decreased since the same year?

Introduction - Security configuration
- Security configurations are different
[Figure: security controls protecting Digital Assets under different configurations]

Introduction - What is breached is often not regulated
- What is breached is often not regulated
  o Heartland Payment Systems: data in transit is stolen
- Miller and Tucker (2010) state the focus on encryption as a solution may be misplaced, because so many instances of electronic data loss are due to negligence or internal fraud rather than direct instances of hacking.
- The evidence that attackers deliberately target unregulated security controls:
  o targeting data in transit (Heartland Payment Systems)
  o targeting the wireless network (TJX company)
- Why are some security controls not regulated by standards?
  o Some controls are difficult to measure or to use as court evidence
  o Some controls are measurable but cost-prohibitive
  o New security controls constantly emerge because of the fast-evolving nature of information security.
- In this paper we refer to such security controls as unverifiable controls

Introduction - Standard serves dual roles
- Standard compliance helps not only in fighting security attacks, but also in fights in courts (liability reduction)
- Heartland Payment Systems and TJX Company
  o Heartland and TJX were certified as being PCI compliant at the time of the breach and had received this certification several times
  o When they were breached, both companies used being PCI compliant as court evidence
  o QIRA (Qualified Incident Response Assessors) makes a decision to assess the merchant's PCI compliance for the lawsuit (Navetta, 2009)
  o The actual legal obligations in the event of a security breach include not only the contract itself but also the specific mandates of the payment card operating regulations
  o A report by QIRA coming down on the

Introduction - A research on security standardization that highlights unverifiable controls and liability reduction effect
- We consider a two security controls scenario where one is verifiable and the other is unverifiable
- We consider the liability reduction effect
- We seek to explain the counterintuitive data mentioned before
- We consider two security configurations: parallel configuration and serial configuration

Introduction - Research Questions
- How does a standard on a verifiable control affect firm effort on an unverifiable control?
- How does a standard on a verifiable control affect overall firm security?
- How do security configuration and liability reduction affect overall firm security?
- How does unobservability affect overall firm security?
- How does attack strategy affect firm effort and security standard?

Literature Review
- Empirical papers
  o Romanosky et al (2009): the adoption of data breach disclosure laws has marginal effect on the reduction in incidences of identity thefts.
- Economics Model
  o Bernheim and Whinston (1998): it is often optimal to specify an incomplete contract, when some aspects of performance are unverifiable.
  o Hendricks and McAfee (2006): consider a signaling model to analyze attacker-defender games.
- Related Research from Accounting
  o Dye (1993): the average quality of audits may decline as the auditing standard becomes tougher.
  o Schwarts (1998): the socially optimal commitment according to standards is achievable if the auditor's legal liability regime is strict liability and is independent of the actual investment.
- What is new?
  o This is the first paper to deal with security standard from a policy maker's perspective.
  o We consider a model in which multiple security controls exist and standards cannot be imposed on all of them.
  o We consider strategic attacks.

Model Setup
- We are interested in the scenario where, if the digital asset or service is compromised by attacks, damages go beyond the firm boundary.
- Players
  o One firm that is in charge of protecting a digital asset or service using two security controls
  o A representative attack that may assail the security controls in order to compromise the digital asset/service
  o One policy maker that aims to optimize social welfare
- Security Controls
  o In order to protect the digital asset, the firm needs to invest in two security controls, V (Verifiable) and N (Nonverifiable), with efforts $e_V$ and $e_N$.
- Breach probability functions
  o parallel configuration: $\pi(e_V, e_N) = 1 - e_V e_N$
  o serial configuration: $\pi(e_V, e_N) = (1 - e_V)(1 - e_N)$
  o weakest link (strategic attack): $\pi(e_V, e_N) = 1 - \min(e_V, e_N)$

Model Setup
- While the direct control of security investments is in the hands of the firm, the policy maker can indirectly affect firm investments through standards
- Social Welfare
  o $U_{SW} = V_{SW} - \pi(e_V, e_N) D_{SW} - C_V(e_V) - C_N(e_N)$
- Firm's Payoff
  o $U_F = V_F - \pi(e_V, e_N)(1 - k e_V) D_F - C_V(e_V) - C_N(e_N)$
- For the scope of this paper, we focus on security standards that have strict enforcement power, so that the affected firm has to unconditionally conform.

Model Setup - Timing of the Model

Model Analysis - The impact of standard
- Unverifiable control
  o The firm's effort on an unverifiable control can increase or decrease in security standard.
- Overall security
  o High security standard can help or hurt the firm's overall security.

Model Analysis - The impact of security configuration
- Parallel configuration
  o The firm's effort on an unverifiable control can decrease in high security standard.
  o Overall firm security can decrease in high security standard
- Serial configuration
  o The firm's effort on unverifiable control decreases in security standard.
  o Overall firm security can decrease in low security standard

Model Analysis - The impact of standard (Comparative Statics)
- High liability reduction
  o If the liability reduction effect is high enough, a higher security standard hurts the firm's security under parallel configuration.
  o If the liability reduction effect is high enough, a lower security standard can hurt the firm's security under serial configuration.
- Low liability reduction
  o If the liability reduction effect is low, the security standard improves the firm's security under parallel configuration.
  o If the liability reduction effect is low, the security standard improves the firm's security under serial configuration.

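As an added worked example (not from the slides), the comparative statics above can be reproduced numerically from the firm's payoff $U_F = V_F - \pi(e_V, e_N)(1 - k e_V) D_F - C_V(e_V) - C_N(e_N)$ of the model setup. Beyond the slides it assumes that the standard binds ($e_V = s$), a quadratic cost $C_N(e) = c_N e^2/2$, and the parameter values $D_F = 1$, $c_N = 2$; the breach functions are the parallel ($1 - e_V e_N$) and serial ($(1 - e_V)(1 - e_N)$) forms.

```python
# Added example: the firm's best response to a standard s on the verifiable
# control V, from U_F = V_F - pi(e_V, e_N)(1 - k e_V) D_F - C_V(e_V) - C_N(e_N).
# Assumptions not on the slides: the standard binds (e_V = s) and
# C_N(e) = c_N e^2 / 2; D_F = 1 and c_N = 2 are constructed values.

def breach_prob(config, e_v, e_n):
    """Breach probability pi(e_V, e_N) for the two configurations."""
    if config == "parallel":   # either control failing compromises the asset
        return 1.0 - e_v * e_n
    if config == "serial":     # both controls must fail
        return (1.0 - e_v) * (1.0 - e_n)
    raise ValueError(f"unknown configuration: {config}")

def best_effort_n(config, s, k, d_f=1.0, c_n=2.0, steps=1000):
    """e_N that maximises the firm's payoff given e_V = s.
    V_F and C_V(s) do not depend on e_N, so they are dropped; a grid
    search is used so that no closed form for C_N is needed."""
    best_e, best_u = 0.0, float("-inf")
    for i in range(steps + 1):
        e_n = i / steps
        # liability reduction: the damage borne by the firm shrinks by (1 - k s)
        u = -breach_prob(config, s, e_n) * (1.0 - k * s) * d_f - c_n * e_n ** 2 / 2
        if u > best_u:
            best_e, best_u = e_n, u
    return best_e

def firm_security(config, s, k, d_f=1.0, c_n=2.0):
    """Overall firm security 1 - pi at the firm's best response."""
    return 1.0 - breach_prob(config, s, best_effort_n(config, s, k, d_f, c_n))

if __name__ == "__main__":
    # Sweep the standard for a low (k = 0) and a high (k = 1) liability reduction effect.
    for config in ("parallel", "serial"):
        for k in (0.0, 1.0):
            row = [(s, best_effort_n(config, s, k), firm_security(config, s, k))
                   for s in (0.0, 0.2, 0.6, 0.9)]
            print(config, "k=%.0f" % k,
                  "  ".join("s=%.1f eN=%.3f sec=%.3f" % r for r in row))
```

With $k = 1$ the parallel rows show security falling as the standard rises from 0.6 to 0.9, and the serial rows show it falling as the standard rises from 0 to 0.2; with $k = 0$ both rise, matching the four cases on the slide.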
Model Analysis - The impact of Unobservability and Unverifiability
- Naive Standard - Unobservability
  o The policy maker does not recognize the existence of the unverifiable control N.
  o The naive standard over-estimates the marginal value of improving control V
  o The naive standard maker oversets the security standard.
- First Best Standard - Unverifiability
  o The policy maker believes that he can control both security controls.
  o The first best standard maker oversets the security standard under parallel configuration.
  o The first best standard maker may overset or underset the security standard under serial configuration.

Model Analysis - The impact of attack strategy
- Strategic attack
  o Strategic attacker's behavior
    - First identify (or infer in equilibrium) the weakest link
    - Then concentrate on the weakest link
  o Relevant only in parallel configuration

Model Analysis - The impact of attack strategy
- Lower effective standard (i.e. $s \le \hat{s}_W$)
  o Strategic attacks provide a supplementary incentive for the firm to secure up the unverifiable control
  o Strategic attacks can benefit the firm's security
- Higher effective standard (i.e. $s > \hat{s}_W$)
  o All attacks focus on the unverifiable control
  o Under a very high standard, since strategic attacks are all directed to the unverifiable control, the standard does not improve the overall security but rather decreases the effort on the unverifiable control. Therefore a standard harms security.

Conclusion
What we have found is as follows
- This paper is a first study, from a policy maker's perspective, on whether and how the existence of an unverifiable security control and strategic attack affect firm security.
- Under parallel configuration, increasing the security standard may harm firm security
- Under serial configuration, increasing the security standard helps firm security
- A boundedly rational policy maker will overestimate the optimal standard
- Strategic attacks may benefit firm security under a lower standard