The Economics of Developing Security Embedded Software
Market models for software vulnerabilities have been disparaged in the past, citing how these do little to lower the risk of insecure software. In this paper we argue that the market models proposed are flawed, and not the concept of a market itself. A well-defined software risk derivative market would improve the information exchange for both the software user and vendor, removing the often touted imperfect information state that is said to bedevil the software industry. In this way, users could have a rational means of accurately judging software risks and costs, and as such the vendor could optimally apply their time between delivering features and averting risk in a manner demanded by the end user. It is of little value to increase the cost per unit of software by more than an equal compensating control in an attempt to create secure software. This paper argues that if the cost of an alternative control that can be added to a system is lower than the cost of improving the security of the software itself, then it is uneconomical to spend more time and hence money improving the security of the software. It is argued that a software derivative market will provide the mechanism needed to determine these costs.
A Strategic Analysis of Information Sharing Among Cyber Attackers
One firm invests in security to defend against cyber attacks by two hackers. Each hacker chooses an optimal attack, and they share information with each other about the firm's vulnerabilities. Each hacker prefers to receive information, but delivering gives competitive advantage to the other hacker. We find that each hacker's attack and information sharing are strategic complements while one hacker's attack and the other hacker's information sharing are strategic substitutes. The attack is inverse U-shaped in the firm's unit defense cost, and reaches zero, while the firm's defense and profit decrease, and the hackers' information sharing and profit increase. The firm's profit increases in the hackers' unit cost of attack, while the hackers' information sharing and profit decrease. Our analysis also reveals the interesting result that the cumulative attack level of the hackers is not affected by the effectiveness of information sharing between them and moreover, is also unaffected by the intensity of joint information sharing. We also find that as the effectiveness of information sharing between hackers increases relative to the investment in attack, the firm's investment in cyber security defense and profit are constant, the hackers' investments in attacks decrease, and information sharing levels and hacker profits increase. In contrast, as the intensity of joint information sharing increases, while the firm's investment in cyber security defense and profit remain constant, the hackers' investments in attacks increase, and the hackers' information sharing levels and profits decrease. Increasing the firm's asset causes all the variables to increase linearly, except information sharing which is constant. We extend our analysis to endogenize the firm's asset and this analysis largely confirms the preceding analysis with a fixed asset.
Information Systems Working Papers Series
Assessing the Value of Network Security Technologies
Proper configuration of security technologies is critical to balance the access and protection requirements of information. The common practice of using a layered security architecture that has multiple technologies amplifies the need for proper configuration because the configuration decision about one security technology has ramifications for the configuration decisions about others. We study the impact of configuration on the value obtained from a firewall and an Intrusion Detection System (IDS). We also study how a firewall and an IDS interact with each other in terms of value contribution. We show that the firm may be worse off when it deploys a technology if the technology (either the firewall or the IDS) is improperly configured. A more serious consequence for the firm is that even if each of these (improperly configured) technologies offers a positive value when deployed alone, deploying both may be detrimental to the firm. Configuring the IDS and the firewall optimally eliminates the conflict between them, resulting in a non-negative value to the firm. When optimally configured, we find that these technologies may complement or substitute each other. Further, we find that while the optimal configuration of an IDS is the same whether it is deployed alone or together with a firewall, the optimal configuration of a firewall has a lower detection rate (i.e., allows more access) when it is deployed with an IDS than when deployed alone. Our results highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration in order to benefit from these technologies.
The Chain-Link Fence Model: A Framework for Creating Security Procedures
A long-standing problem in information technology security is how to help reduce the security footprint. Many specific proposals exist to address specific problems in information technology security. Most information technology solutions need to be repeatable throughout the course of an information systems lifecycle. The Chain-Link Fence Model is a new model for creating and implementing information technology procedures. This model was validated by two different methods: the first being interviews with experts in the field of information technology, and the second being four distinct case studies demonstrating the creation and implementation of information technology procedures. (169 pages)