
    Quantitative economics of security: software vulnerabilities and data breaches

    Includes bibliographical references. 2016 Summer.

    Security vulnerabilities can represent enormous risks to society and business organizations. A large percentage of vulnerabilities in software are discovered by individuals external to the developing organization. These vulnerabilities are often exchanged for monetary rewards or a negotiated selling price, giving rise to vulnerability markets. Some of these markets are regulated, while others are unregulated. Many buyers in the unregulated markets are individuals, groups, or government organizations who intend to use the vulnerabilities for potential attacks. Vulnerabilities traded through such markets can cause great economic, organizational, and national security risks. Vulnerability markets can reduce risks if the vulnerabilities are acquired and remedied by the software developers. Studying vulnerability markets and their related issues will provide insight into their underlying mechanisms, which can be used to assess the risks and to develop approaches for reducing and mitigating the potential risks, enhancing security against data breaches. Some aspects of vulnerability—discovery, dissemination, and disclosure—have received some recent attention. However, the role of interaction between vulnerability discoverers and vulnerability acquirers has not yet been adequately addressed. This dissertation suggests that a major fraction of discoverers, a majority in some cases, are unaffiliated with the software developers and thus are free to disseminate the vulnerabilities they discover in any way they like. As a result, multiple vulnerability markets have emerged. In recent vulnerability discovery literature, the vulnerability discoverers have remained anonymous. Although there has been an attempt to model the level of their efforts, information regarding their identities, modes of operation, and what they do with the discovered vulnerabilities has not been explored.
Reports of buying and selling vulnerabilities are now appearing in the press; however, the nature of the actual vulnerability markets needs to be analyzed. We have attempted to collect detailed information. We have identified the most prolific vulnerability discoverers of the past decade and examined their motivations and methods. A large percentage of these discoverers are located outside of the US. We have contacted several of the most prolific discoverers in order to collect firsthand information regarding their techniques, motivations, and involvement in the vulnerability markets. We examine why many of the discoverers appear to retire after a highly successful vulnerability-finding career. We found that the discoverers had enough experience and a good enough reputation to work officially, with a good salary, at some well-known software development companies. Many security breaches have been reported in the past few years, impacting both large and small organizations. Such breaches may occur through the exploitation of system vulnerabilities. There has been considerable disagreement about the overall cost and probability of such breaches. No significant formal studies have yet addressed this issue of risk assessment, though some proprietary approaches for evaluating partial data breach costs and probabilities have been implemented. These approaches have not been formally evaluated or compared and have not been systematically optimized. This study proposes a consolidated approach for identifying the key factors contributing to breach cost by minimizing redundancy among the factors. Existing approaches have been evaluated using data from some well-documented breaches. It is noted that the existing models yield widely different estimates. The reasons for this variation are examined and the need for better models is identified.
A complete computational model for estimating the costs and probabilities of data breaches for a given organization has been developed. We consider both fixed and variable costs and the economy of scale. Assessing the impact of data breaches will allow organizations to assess the risks due to potential breaches and to determine the optimal level of resources and effort needed to achieve target levels of security.

    HCAPP-SEC : selection and analysis of security assessment items based on heuristics and criteria

    Advisor: Mario Jino. Thesis (doctorate) - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação.

    Abstract (Portuguese): Nowadays, software plays an important role in most industries and areas of activity. Aspects related to information security are critical, with a strong impact on the quality of systems. How can one know whether a given security assessment was good or sufficient? By means of criteria and heuristics it is possible to determine the sufficiency of a security assessment and, consequently, to analyze its quality. Knowledge sources (norms, standards, sets of test cases) and their assessment items are essential instruments for assessing the security of systems. To create more effective security assessment designs, it is necessary to know the security properties and the assessment dimensions addressed by each item of a security knowledge source. In this thesis, an approach for selecting and analyzing security assessment items (HCApp-Sec) is proposed; its foundations come from assessment criteria and heuristics, and it aims to increase the coverage of assessment dimensions and security properties in assessment designs. The approach focuses on selecting assessment items in a systematic way. The security assessment process is systematized through a conceptual formalization of the security assessment area; an ontology (SecAOnto) is used to make the main concepts explicit. HCApp-Sec can be applied to any security knowledge source to select or analyze assessment items with respect to 11 security properties and 6 assessment dimensions. The approach is flexible and allows other dimensions and properties to be incorporated.
Our proposal aims to support: (i) the generation of high-coverage security assessment designs that include broader items with assured coverage of the main security characteristics and (ii) the evaluation of security knowledge sources with respect to their coverage of security aspects. In a case study, a mapping of security knowledge sources is presented. The proposal is then applied to a well-known security knowledge source (ISO/IEC 27001); its items are analyzed.

    Abstract: Nowadays, software plays an important role in most industries and application domains. The aspects related to information security are critical, with a strong impact on systems quality. How can one know whether a particular security assessment was good or sufficient? By means of criteria and heuristics it is possible to determine the sufficiency of the security assessment and consequently to analyze its quality. Knowledge sources (standards, patterns, sets of test cases) and their assessment items are essential instruments for the evaluation of systems security. To create security assessment designs with suitable assessment items, we need to know which security properties and assessment dimensions are covered by each knowledge source. We propose an approach for selecting and analyzing security assessment items (HCApp-Sec); its foundations come from assessment criteria and heuristics, and it aims to increase the coverage of assessment dimensions and security properties in assessment designs. Our proposal focuses on the selection of better assessment items in a systematic manner. We systematize the security assessment process by means of a conceptual formalization of the security assessment area; an ontology of security assessment makes the main concepts explicit. HCApp-Sec can be applied to any security knowledge source to select or analyze assessment items with respect to 11 security properties and 6 assessment dimensions.
The approach is flexible and allows other dimensions and properties to be incorporated. Our proposal is meant to support: (i) the generation of high-coverage assessment designs which include security assessment items with assured coverage of the main security characteristics and (ii) the evaluation of security standards with respect to their coverage of security aspects. We have applied our proposal to a well-known security knowledge source (ISO/IEC 27001); its assessment items were analyzed.

    Doutorado. Engenharia de Computação. Doutor em Engenharia Elétric