“It depends” is the most likely answer one is likely to get from asking a security professional the question “how can we best protect our intellectual property against loss or compromise?” Experts argue that the answer depends on what we are protecting, it’s value to us, to others, as well as the cost-to-effectiveness ratios of said solutions. While this is true, the issue runs much deeper than that, and this is something I refer to as the asymmetric economics of intellectual property protection. To understand this issue, we first need to develop a basic framework to help us think through the dynamics involved in security decisions, and quantify our risk. Cost of no security Let’s say I own a car and this car has no anti-theft mechanisms installed, and let’s assume that the vehicle is worth $15,000 if I were to sell it. That is the market value of this vehicle. Now, let’s assume someone is evaluating stealing my car. Would it be a worthwhile pursuit? To assess this, we need to view the issue from the attacker’s perspective because to an attacker, the theft of an asset has to yield some sort of positive return. Let’s assume the thief can obtain $3,000 for the stolen vehicle, and feels confident that he can steal the car with a 90% probability if he invests two hours to steal and sell the vehicle, plus $50 in tools. In addition, let’s say that, were he not stealing cars, this thief would be able to work at a legitimate place making $10/hr. In other words, going out to steal this vehicle costs the $10/hr * 2 hr = $20 in what economists call “opportunity cost”. The thief would earn: Revenue = Value of car in black market * % prob of success stealing the car Revenue = $3,000 * 90% = $2,700 The cost to the thief would be: Cost = Tools + Opportunity Cost = $50 + $10 * 2 = $70 The thief would expect to obtain an economic profit of: Profit = Revenue – Cost = $2,700 - $70 = $2,630 Now, let’s assume that this thief estimates there is a 3% probability of being captured by the police after stealing the car, in which case he would spend 2 years in prison, where he would forego his $10/hr job which he works 8 hours / day currently. Working-Hours in Prison = 365 days/yr * 2 yrs * 8 hrs/day = 5,840 hrs Opportunity cost fr. capture = $10 / hr * 5,840 hr = $58,400 Exp Cost of Capture = % of success * % of capture * Opportunity cost fr. capture = 90% * 3% * $58,400 = $1,053 Obviating time-value-of money type discounting for simplicity’s sake, the thief’s risk adjusted economic profits would therefore be: Risk adj profits = Exp Profit From Theft – Exp Cost of Capture = $2,630 - $1,577 = $1053 Next, let’s assume I am not worried because I live in a safe area, so I estimate the probability that this thief picks my car (as opposed to someone else’s) at 3%. My expected loss would be: Risk adj Loss = % prob of being chosen * % prob of success * value of car = 3% * 90% * $15,000 = $405 As you can see, after adjusting for risk, we the owner would expect a risk-adjusted loss of $405 and the thief a risk adjusted profit of $1053, so there is clearly an incentive for the thief to steal a car like mine, and there is an incentive for me to do something to protect it. However, please note the difference in value that I assign to the asset versus what the thief assigns to it: to the thief, this car is 2.5 times more valuable than it is to me. Cost of security First and most importantly, we have to understand that protection of an asset is not an end to itself. For instance, let’s assume the latest innovation in car security systems was the “Claw”, a $200 anti-theft mechanism. Nobody puts a Claw on their car just for the fun of it. Instead, people do it because if their car were to be stolen they would suffer some other negative consequence, such as having to buy a new car, having to deal with the inconvenience of not being able to go to work, etc. As obvious as it might seem, this is an important observation because it means that people are generally not willing to spend more on the security mechanism than the value they place on those undesirable outcomes, or ‘risks’. Thus, it would seem that the logical approach would be to not spend more than the price of the car multiplied by the probability that someone would try to steal it. In the example above, the car owner (I) determined that his expected loss would be $405, so that is the MAXIMUM he would likely spend on security. Installing the Claw might cost the owner $200 and it would act as a deterrent. For argument’s sake, let’s say this tool lowers the owner’s car’s odds of being chosen from 3% to 1%, and makes it more difficult to steal the car, increasing the cost of tools from $50 to $100, the complexity from 2 hours to 2.5 hours, and the risk of capture from 3% to 4.5%. Further, let’s assume it lowers the thief’s probability of success from 90% to 70%. Plugging these figures into out framework above, the Claw would lower my expected loss to from $405 to $105, and it would lower the thief’s risk adjusted expected payout from $1,053 to $135. Economically, it makes sense for me to use the Claw because I would receive a risk reduction worth $405 - $105 = $300, for a net risk adjusted benefit (or ‘surplus’) of $300 - $200 = $100, while simultaneously decreasing the thief’s payout from $1,053 to $135, effectively making the pursuit almost worthless for the thief as compared to stealing a car that does not have the Claw. An observation worth making here is that although the owner has assumed it would be absurd to consider spending more than the $405 of risk adjusted expected losses to secure his vehicle, in reality will likely spend less than the $405, because security measures never result in 100% secure approaches. Instead, they act as extra hurdles for the thief, making the theft more complicated, costly and risky, and as a result, there is always going to be a residual risk and therefore the buyer will not spend the full amount. Effect of Security Though car thieves are rarely this quantitative in approach, most understand empirically the market forces at play (“my friend x spent $y and made $z in just 3 hours”). In the example above, a simple measure (the ‘Claw’) reduced my risk adjusted expected loss from $405 to $105, “a $300 value for only $200!”, essentially leaving me with a net risk reduction of $300 - $200 = $100. However, it did so while reducing the thief’s risk adjusted expected payout to a level where the thief would only expect to earn $105, not a substantial economic benefit. In other words, security has the effect of reducing the gap between risk (for the owner) and reward (for the thief). Because of these economics, it should be evident why the thief is likely to pursue a vehicle without the Claw first, where the risk adjusted profits would be several times higher (in this example it’s 10x higher). This assumes, of course, that he or she is indifferent as to which car to steal! The Asymmetry Let’s consider for a moment the scenario where my car, Claw and all, was of specific interest because it had a bar code that was necessary to get through the security gates at the local Country Club, where residents are KNOWN to routinely leave their BMWs and Mercedes unlocked on their driveways. Although to me as the single car owner, the value of securing my vehicle might be only Claw-worthy, to a car thief that same vehicle can quite literally open the doors to the proverbial kingdom, allowing them access to an otherwise inaccessible area, where they could then obtain a larger payout. So, perhaps the added effort of breaking the Claw and stealing my car could be worth a criminal's while, after all. This means that, unbeknownst to me, my car is actually worth a lot more to the car thief. If this entrepreneurial thief saw the theft of my car (Claw and all) as an investment, he might receive a larger payout. Let’s illustrate this with an example. Let’s assume that there are 3 high end vehicles in the Country Club that are good candidates for stealing. For simplicity sake, let’s assume the calculation for each of these vehicles is the same as the “no security” scenario, except these cars are worth $25,000 each, would be worth $5,000 each in the black market, the thief might be able to steal with 90% success rate and only 1% chance of being arrested at the Country Club, once past the gates. And let’s say the thief can re-use the tools he used to steal my car, on these as well. Each car stolen at the Country Club would have a risk-adjusted expected value of $4,480. If the thief steals 3 of them, that would net him $11,863. The ‘investment’ necessary for this would be to steal my car (for ‘only $105’), for a grand total of almost $12,000. At this rate of return, an entrepreneurial thief could profitably invest in significantly more sophisticated thieving equipment which would allow him to steal vehicles with a higher probability of success and a lower risk of capture. Think covered car carrier, as opposed to electric screw driver. In this scenario, the Claw would be essentially useless because the thief could invest up to $12,000 in technology to bypass whatever I put in place, and still be economically profitable. And because at the upper limit, I would only spend $405 in security measures, I would likely lose my car with nearly 100% probability, as would several other Country Club members, as well. Because of this self-centered approach at risk assessment, (I) the car owner is unwilling to spend more than $405 in security, and has therefore created an increased risk not only for himself but for others as well, by way of network effects. The obvious alternative here is including into our risk assessment the risk associated with these network effects and adjusting my perspective on how much is appropriate to spend to secure the network (that is, my car and the Country Club cars) as a whole. Mathematically this is doable: plugging the numbers for all 4 cars into our model, results in a required security budget of $2,295. However, this is not trivial to carry out in practice. For starters, neither the car owner nor the Country Club residents are going to want to spend $2,295 for security that goes beyond what’s necessary to cover their own assets. As a reminder, this would be $405 for the car owner (minus the $200 already spent in the Claw), and $675 for each Country Club resident. Even in the case where we could agree to a common fund, this creates an incentive for some in the network to “defect” (i.e. “free ride”). The logic is that basically, if everyone else is secure, I don’t need to spend any extra money to secure myself. This phenomenon has been studied in great detail in public health, as it is similar to the issue with vaccinations, as well as in computational game theory, where it is known that there is no Nash equilibrium in certain situations, meaning that the “optimal” strategy for each player in the ecosystem is “it depends (on what the others are doing)”. In the instance above, the lack of a Nash equilibrium can be illustrated as follows: if the Country Club members decide to implement their own security measures, I would not need to spend anything extra beyond the Claw, arguably “free riding” on their expense. But if they do not spend money to secure themselves, I may need to spend more than what I spent on the Claw, and likely even more than my $405 limit in order to secure myself enough. By virtue of doing this, I am creating a situation where the Country Club members “free ride” on the extra security I buy. In an ideal world, people would coordinate their response, however what the research has found is that more often than not, these types of incentive systems lead to some subset of the ecosystem taking advantage of the rest. It is this dynamic nature of security spending, combined with the disconnect in the value WE place on our assets (and the security we chose to protect said assets as a result) vis-a-vis the value OTHERS place on the very same assets that makes security a complex challenge to solve. Now that we have explored the economics and challenges behind protecting a physical asset like a vehicle, let’s look at how this applies to information assets. Application to Information Assets The information security equivalent of the Country Club example above is not uncommon, in large part because the probability of hack detection is so low, and the chances of an attacker spending time in jail are slim to none, today. If you recall, deterrence was the main factor reducing the profitability of the criminal car theft enterprise in risk-adjusted terms. An attacker determined to break into my company’s network might be willing to utilize sophisticated techniques against my personal accounts, which I might not be sufficiently prepared to counteract. This might mean they would use sophisticated tools to break into my phone, social media account or my email account (the equivalents of my car), because this would give them easier access to my corporate network (the equivalent of the Country Club above). How do we accomplish this? First, we need to apply some basic security measures that will increase the complexity and hence the cost of a successful attack, reducing the expected profitability for the attacker. Generally speaking, everyone can benefit from anti-malware and systems patching that are automatically kept up to date. That’s because this is a sort of ‘Claw’ that everyone uses today: if you don’t have it, you will be the first victim. These are inexpensive solutions that raise the bar a certain minimum level by increasing the cost and complexity of running an attack campaign against you vis-à-vis those who don’t apply the same measures, but they are insufficient on their own. Properly configured and monitored packet filtering firewalls and routers, and/or personal firewalls are another must-have today, which fortunately are relatively inexpensive. Another relatively low cost item that goes a long way is conducting periodic employee education and awareness. These go a long way because technology can’t keep people from inadvertedly falling for a social engineering scam, or emailing passwords, etc., but they too are often insufficient for complete protection of intellectual property assets of any significant value. Strong employee on boarding and un boarding procedures are important as well, as are data protection and secure data destruction policies. From a technology perspective, strong identification, multi-factor authentication and access control are advisable for access to sensitive systems, networks and facilities. Strong cryptography with proper key management protocols, especially on removable media and communication channels can be of great help as well when securing intellectual property. For companies that have an online presence, integrating security architects into their software development lifecycle helps ensure solutions are more secure from the get go, reducing risk of compromise. Second, we need to be aware of the dynamics of the ecosystem. People and companies use the internet because there is an exchange of value in each and every interaction we have on it. As a result, there are network effects at play similar to those in the Country Club example. This means that the security posture of the players in that ecosystem is constantly shifting, and hence we could be exposed at times. This brings me to the last line of defense: security monitoring and incident response. These are crucial, and often overlooked by companies because of the costs involved in hiring specialized staff to carry out these time consuming and repetitive tasks: network and facilities access and data transfer logs must be kept and reviewed periodically by people familiar with business processes and IT security. Policies, processes and procedures must exist to review logs, identify issues promptly, contain incidents, taking systems offline if necessary to protect evidence, and investigate any incidents proactively. Conclusion As the examples above show, there are two main drivers to the complexity of security: 1) the difficulty of envisioning and quantifying the value that our assets might have to an opponent, 2) network effects present in security, the costs associated with securing the weak links in the chain, and the dynamic nature of the ecosystem. As discussed, these are aggravated by the low effectiveness in cyber law enforcement. Because of the asymmetry of asset values to players in the ecosystem, economics involved in securing a series of inter-related assets (such as the cars above, or computers in a network), downstream risks of a “small” compromise (say a social media account) are hard to gauge and hard to secure adequate funding for. For that reason, when evaluating our individual security postures, we have to apply security measures that are disproportionately simple and inexpensive for US to implement, and disproportionately expensive and complex for OTHERS to circumvent, such as the fictional anti-theft device above, the Claw. A properly applied, comprehensive risk-managed security strategy will help better assess the value of your assets to an opponent and would seek to apply a strategy that asymmetrically increases costs for said opponents. However, as shown in the Country Club example, this is not easily accomplished. Although in an ideal world, organizations would share the burden of securing against risk with other organizations, in reality the incentive systems at play create a dynamic under which the proper security posture changes constantly and significantly relative to the other players’ in the ecosystem. Because a single weak link in the chain can have catastrophic effects to the rest of the value chain, a pattern we see at play often during the early stages of Advanced Persistent Threat (APT) attacks, this is a concern for any organization that is serious about protecting their assets. New technologies such as Cienaga Systems’ DejaVu attempt to address this dynamic by optimizing for the constantly changing landscape of security, predicting changing ecosystem dynamics and assessing risk in a variety of scenarios. While the answer to how to secure an environment or information asset depends on a variety of factors and while there is no silver bullet to security, following best practices is a minimum requirement. Involving security experts to assess risk and engineer adequate controls that fit your business needs will go a long way to securing your environment. Finally, it is advisable to look for technology that will help you adapt your security posture to constantly changing ecosystem dynamics. Inigo Merino is the Founder and CEO of Cienaga Systems, the makers of DejaVu, the easiest way for organizations to deploy world-class security monitoring or enhance existing cyber
threat management capabilities.
Comments are closed.
|
About UsThrough the use of Genetically Engineered Cyber Security, Cienaga Systems technologies offer organizations the easiest way to monitor their networks and reduce cyber risk while increasing PCI, HIPAA and regulatory compliance. Archives
September 2017
Categories
All
|