

Invited talk at WISA2011 (August 22, 2011)

[Figure: three overlapping areas labelled Management, Crypto, and Network]

Passive and Active Measurements of Cybersecurity Risk Parameters
Kanta MATSUURA (IIS, The University of Tokyo)
Agenda
    Security management
      Traditional heuristics
      Recent trend of cybersecurity science
    Empirical study
      Quality of empirical data
      Passive measurements and finding proxies
      Example
    Theoretical study
      Active measurements: Design of observable stochastic
      processes associated with cybersecurity risks
Security Management
Traditional heuristics
    Security management is quality management of security
    properties such as CIA (confidentiality, integrity, and
    availability).
    Heuristics of a PDCA cycle.

    [Figure: Plan -> Do -> Check -> Act, looping back as "evolution"]
We need revolution, rather than evolution.
Human and social problems:
    Lack of science to explain the mechanisms behind the problems.
Problems of heuristic evaluation:
    Lack of reproducibility and impact. How general a claim can one
    make?
Recent trend: Promotion of cybersecurity science
    The US Cybersecurity Act of 2009.
    Research communities started well before (e.g. the First Workshop
    on the Economics of Information Security (WEIS) was in 2002).

    R. Anderson and T. Moore: The Economics of Information Security.
    Science (314) pp.610-613, 2006.
Lessons from the economics of information security
Some problems happen due to economically-sound behaviors.
(Example) Users get more benefits if a larger number of other users use
  the same software. This encourages an earlier release (of an immature
  version). Afterwards, software vendors release security patches one
  after another.
Others happen due to behaviors which are not economically sound.
(Example) Different features of investment-vulnerability curves
  imply over/under-investment.

  [Figure: two investment-vulnerability curves, optimal investment z*
  plotted against vulnerability v on [0, 1]]

  K. Matsuura: Productivity Space of Information Security in an
  Extension of the Gordon-Loeb's Investment Model, WEIS2008.

                    Prediction is difficult.
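The investment-vulnerability curves behind the second example, as an added illustration that is not code from the talk or from the WEIS2008 paper. It uses the two security breach probability functions of the Gordon-Loeb (2002) model, S_I(z,v) = v/(αz+1)^β and S_II(z,v) = v^(αz+1), where z is the security investment, v the vulnerability (probability of a breach with no investment) and L the loss caused by a breach, and maximises the expected net benefit [v − S(z,v)]L − z over z. The parameter values (L = 1000, α = β = 1) are assumptions. It goes slightly beyond the slide by tracing the whole z*(v) curve for both classes: class I rises monotonically in v, while class II rises and then falls back to zero for highly vulnerable systems, which is one of the "different features" that decides whether a fixed investment rule over- or under-invests.

```python
import math


def breach_prob_class_I(z, v, alpha=1.0, beta=1.0):
    """Gordon-Loeb class I breach function: S(z, v) = v / (alpha*z + 1)^beta."""
    return v / (alpha * z + 1.0) ** beta


def breach_prob_class_II(z, v, alpha=1.0):
    """Gordon-Loeb class II breach function: S(z, v) = v^(alpha*z + 1)."""
    return v ** (alpha * z + 1.0)


def expected_net_benefit(z, v, loss, S):
    """ENBIS(z) = [v - S(z, v)] * L - z: expected avoided loss minus the investment."""
    return (v - S(z, v)) * loss - z


def optimal_investment(v, loss, S, iters=200):
    """z* = argmax ENBIS(z) over [0, L], found by golden-section search.
    Both breach functions are decreasing and convex in z, so ENBIS is concave
    and unimodal; if no positive investment beats z = 0, the optimum is 0."""
    phi = (math.sqrt(5.0) - 1.0) / 2.0
    a, b = 0.0, loss                       # z* never exceeds L (assumed bracket)
    c, d = b - phi * (b - a), a + phi * (b - a)
    for _ in range(iters):
        if expected_net_benefit(c, v, loss, S) > expected_net_benefit(d, v, loss, S):
            b = d                          # maximum lies in [a, d]
        else:
            a = c                          # maximum lies in [c, b]
        c, d = b - phi * (b - a), a + phi * (b - a)
    z = 0.5 * (a + b)
    if expected_net_benefit(z, v, loss, S) <= expected_net_benefit(0.0, v, loss, S):
        return 0.0
    return z


def investment_curve(loss, S, vs):
    """The (v, z*) pairs that make up one investment-vulnerability curve."""
    return [(v, optimal_investment(v, loss, S)) for v in vs]


if __name__ == "__main__":
    L = 1000.0                             # assumed loss from a breach
    vs = [i / 20.0 for i in range(1, 20)]
    for name, S in (("class I", breach_prob_class_I), ("class II", breach_prob_class_II)):
        print(name)
        for v, z in investment_curve(L, S, vs):
            # z*/(vL) stays below 1/e for both classes (Gordon-Loeb's bound)
            print("  v=%.2f  z*=%8.3f  z*/(vL)=%.3f" % (v, z, z / (v * L)))
```

For class I the optimum has the closed form z* = sqrt(vL) − 1 (with α = β = 1), which the search reproduces; for class II the curve peaks at moderate v and returns to zero near v = 1, where extra investment barely lowers the breach probability, so a rule such as "spend a fixed fraction of vL" over-invests on the right of the peak and under-invests on the left.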
We really need measurements.

    [Figure: Plan -> Do -> Check -> Act cycle, now driven by Cybersecurity Science]

       Measurements of cybersecurity risk parameters
Passive measurements

                 Empirical Study
Quality of empirical data
    Questionnaire exclusively for your research
      (Pros) You can ask what you want to ask.
      (Cons) The resultant data quality is questionable.
        Respondents do not always answer with their best efforts.
        The response rate could be low.
    Existing official/general statistics (passive measurements
    from the viewpoint of your side)
      (Cons) You can not always find the survey items you want to place.
        You should find good proxies.
      (Pros) Some statistics are very reliable.
        Some surveys are well established (e.g. the statistics law helps in
        Japan), and some companies even have a section established to answer
        the surveys.
Topics of empirical studies: An example
 Interdependency of information security
    Security incidents and efforts of a party can influence other parties.
    If this happens without accompanying economic transactions, the
    externality can cause many problems (e.g. free-riding).
    Important factor of many theoretical models in security economics.
 Interdependency between different regions/sectors may imply
 risks in the real economy.

 B. Jenjarrussakul, H. Tanaka, K. Matsuura: Empirical Study on Interdependency of
 Information Security between Industrial Sectors and Regions. Seventh Annual
 Forum on Financial Information Systems and Cybersecurity: A Public Policy
 Perspective, 2011.
 H. Tanaka: Quantitative Analysis of Information Security Interdependency between
 Industrial Sectors. Proc. 3rd International Symposium on Empirical Software
 Engineering and Measurement, pp.574-583, 2009.
Datasets
METI: Ministry of Economy, Trade, and Industry
  • Inter-regional Input-Output table for 2005
      • Economic transaction value
  • 2006 Survey of Information Technology (about 3000 samples)
      • Information-security (IS) multiplier
RIETI: Research Institute of Economy, Trade, and Industry
  • Japan Industrial Productivity Database 2008
      • Information-technology (IT) dependency
Inter-regional Input-Output Table
  Economic transaction: purchase value by companies of sector j in region r
  (column index) from companies of sector i in region q (row index).
  Final demand: value which is used to determine input and output of the sector.
  Import: value of import in sector j in region q.
  Export: value of export in sector j in region q.

  [Table layout: rows are production by (region q, sector i) plus a value-added
  (tax) row; columns are purchases by (region r, sector j), then final demand,
  import (negative; r=q, i=j) and export (all regions, by row).]

      Row (q, i), column (r, j):   z_{q,i,r,j}
      Row (q, i), final demand:    f_{q,i,r}
      Row (q, i), import:          -m_{q,i}
      Row (q, i), export:          e_{q,i}
      Value added, column (r, j):  c_{r,j}

  Matrix size (9*12)^2 (9 regions and 12 industries in Japan)
Backward dependency (BD)
  Based on
  E. Dietzenbacher and J. A. van der Linden: Sectoral and Spatial
     Linkages in the EC Production Structure. Journal of Regional
     Science (37:2) pp.235-257, 1997.
  BD is computed as a normalized value of an output reduction
  supposing a particular column is a zero vector.

  [Table: the same input-output layout with the column of sector j in
  region r set to 0, from the purchase entries z_{q,i,r,j} down to the
  value added c_{r,j}.]

  (From an engineering point of view, this is a kind of
   sensitivity analysis.)
Output reduction (a sketch)
 Suppose we can define an activity level (output) of this
 economy both from the supply side and from the demand side.
 This provides an accounting equation where all the
 coefficients can be obtained from the input-output table.
 By solving the accounting equation, we can see the
 activity level of this economy and its building blocks.
 Output reduction in the context of backward dependency
 is a normalized reduction of this level when a particular
 sector in a particular region no longer works as a
 demand-side group.
Information security backward dependency (ISBD)
  Computed by supposing a particular column (r, j) is not 0
  but $(1 - s_i s_j)\, z_{q,i,r,j}$ ($i = 1, 2, \ldots, 12$; $q = 1, 2, \ldots, 9$),
  where the reduction is based on security risk levels:
(1) Level of IT dependency (of sector i)
    $IT_i / (IT_i + nIT_i)$, where $IT_i$ = IT capital stock of sector i and
    $nIT_i$ = non-IT capital stock of sector i
(2) IS multiplier
    (Average number of deployed IS countermeasures in all sectors)
    / (Average number of deployed IS countermeasures in sector i)
    (25 countermeasures in the survey)
(3) Security risk level (a proxy)
    $s_i = (1) \times (2)$
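The backward-dependency computation of slides 13-14 and its information-security variant of slide 15, on a constructed two-region, two-sector table, as an added example; it is not code from the talk or from the cited papers, and the numbers are made up. Three readings of the sketch on slide 14 are assumptions: the accounting equation is taken to be the Leontief balance x = Ax + f with a_ij = z_ij / x_j, the extraction follows the hypothetical-extraction idea (the column of the chosen region-sector in A is zeroed for BD, or scaled by (1 − s_i s_j) for ISBD, with final demand unchanged), and the output reduction is normalised by total output. The risk level s_i follows items (1)-(3) of slide 15.

```python
# Constructed toy inter-regional input-output table: 2 regions x 2 sectors.
# Index k = 2*q + i stands for region q, sector i (the real table has 9*12 per axis).
LABELS = ["(q=0,i=0)", "(q=0,i=1)", "(q=1,i=0)", "(q=1,i=1)"]
SECTOR = [0, 1, 0, 1]                      # sector i of each row/column index

# Z[row][col]: value purchased by column region-sector from row region-sector
# (z_{q,i,r,j} on slide 12). Constructed values, not the METI 2005 table.
Z = [
    [10.0, 20.0,  5.0,  3.0],
    [15.0, 10.0,  2.0,  6.0],
    [ 4.0,  3.0, 12.0, 18.0],
    [ 2.0,  5.0, 14.0,  9.0],
]
F = [70.0, 80.0, 60.0, 75.0]               # constructed final demand per row


def security_risk_level(it_stock, non_it_stock, avg_cm_all_sectors, avg_cm_sector):
    """s_i = (IT dependency) x (IS multiplier), items (1)-(3) of slide 15."""
    it_dependency = it_stock / (it_stock + non_it_stock)
    is_multiplier = avg_cm_all_sectors / avg_cm_sector
    return it_dependency * is_multiplier


def gross_output(Z, F):
    """Row balance of the table: output = intermediate sales + final demand."""
    return [sum(row) + f for row, f in zip(Z, F)]


def coefficients(Z, F):
    """Technical coefficients a_ij = z_ij / x_j (input i per unit output of j)."""
    x = gross_output(Z, F)
    n = len(Z)
    return [[Z[i][j] / x[j] for j in range(n)] for i in range(n)]


def solve_output(A, F, tol=1e-12, max_iter=10000):
    """Solve the accounting equation x = A x + F by fixed-point iteration
    (the Neumann series of the Leontief inverse); it converges because every
    column sum of A is below 1 for a table with positive value added."""
    n = len(A)
    x = list(F)
    for _ in range(max_iter):
        x_new = [F[i] + sum(A[i][j] * x[j] for j in range(n)) for i in range(n)]
        if max(abs(a - b) for a, b in zip(x, x_new)) < tol:
            return x_new
        x = x_new
    raise RuntimeError("Leontief iteration did not converge")


def output_reduction(A, F, A_modified):
    """Normalised drop of total output when A is replaced by A_modified."""
    base = sum(solve_output(A, F))
    return (base - sum(solve_output(A_modified, F))) / base


def backward_dependency(A, F, col):
    """BD on column `col`: that region-sector stops buying intermediate
    inputs, i.e. its column of A becomes a zero vector."""
    A2 = [row[:] for row in A]
    for i in range(len(A)):
        A2[i][col] = 0.0
    return output_reduction(A, F, A2)


def is_backward_dependency(A, F, col, s):
    """ISBD on column `col`: entries are scaled to (1 - s_i s_j) a_ij instead
    of zeroed, where s[k] is the security risk level of index k's sector."""
    A2 = [row[:] for row in A]
    for i in range(len(A)):
        A2[i][col] *= (1.0 - s[i] * s[col])
    return output_reduction(A, F, A2)


# Risk levels per sector from constructed capital stocks and countermeasure counts.
S_SECTOR = {
    0: security_risk_level(30.0, 70.0, avg_cm_all_sectors=10.0, avg_cm_sector=8.0),
    1: security_risk_level(15.0, 85.0, avg_cm_all_sectors=10.0, avg_cm_sector=12.5),
}
S = [S_SECTOR[SECTOR[k]] for k in range(len(Z))]

if __name__ == "__main__":
    A = coefficients(Z, F)
    for col, label in enumerate(LABELS):
        print(label, "BD=%.4f  ISBD=%.4f" % (backward_dependency(A, F, col),
                                             is_backward_dependency(A, F, col, S)))
```

Because 0 < (1 − s_i s_j) ≤ 1 and the Leontief inverse is monotone in A, ISBD always lies between zero and the plain BD of the same column; a sector with a larger IT dependency or fewer countermeasures than average (multiplier above 1) pushes its ISBD towards BD.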
Production value (region)
  Region name   Region ID   Output (billion US$)
  Kanto         C                     7,745.90
  Kinki         E                     2,882.30
  Chubu         D                     2,218.20
  Kyushu        H                     1,494.00
  Chugoku       F                     1,114.70
  Tohoku        B                     1,076.70
  Hokkaido      A                       648.90
  Shikoku       G                       482.00
  Okinawa       I                       110.70
Source: Inter-Regional Input-Output table for 2005
1 US$ = 81.59 JPY (yen)
Red = High production value = Large economic scale
Green = Low production value = Small economic scale
[Map of Japan with the nine regions labelled A (Hokkaido), B (Tohoku),
C (Kanto), D (Chubu), E (Kinki), F (Chugoku), G (Shikoku), H (Kyushu),
I (Okinawa), coloured by production value]
Production value (sector)
  Sector name                             Sector ID   Output (billion US$)
  Services                                12                  2,929.40
  Commerce and Logistics                  09                  1,816.30
  Machinery                               05                  1,607.60
  Financial, Insurance, and Real Estate   10                  1,331.40
  Other Manufacturing                     06                  1,165.50
  Construction                            07                    781.10
  ICT                                     11                    567.40
  Metal                                   04                    562.80
  Food and Beverage                       03                    443.80
  Utilities                               08                    330.90
  Agriculture                             01                    162.50
  Mining                                  02                     12.50
Level of IT dependency
  [Chart: IT dependency by sector]

Level of IS and risk
  [Chart: IS multiplier and security risk level by sector]
Results (regional perspective)
 Influenced (demand-side) regions
     Most: Shikoku, Okinawa
       A large number of supply-side region-sectors have ISBD larger than a
       threshold (0.01%).
       Small economic scale regions.
     Least: Kanto, Tohoku
       The largest economic scale region and Tohoku.
 Influential (supply-side) regions
     Most: Kanto, Kinki
       Large economic scale regions.
     Least: Okinawa, Shikoku, Hokkaido
       Small economic scale regions.
Tohoku as a supply-side region
• Firstly, it should be noted that Tohoku plays an important
  role in many supply chains, as noticed by industrial people
  after the quake on March 11, 2011. (In that sense, it is largely
  influential on the demand side when we consider normal
  economic dependency.)
• Tohoku is in the group of moderately influential regions
  (i.e. depended on by a medium number of demand-side groups).
• However, 69% of the depended-on supply-side sectors in
  Tohoku mainly influence demand-side sectors which are
  located in Tohoku itself.
• This means the influence is likely to be limited to its
  own region.
In empirical studies, deriving implications is important.

• When we rebuild Tohoku, we can pay attention to
  IS interdependency issues inside the region, rather
  than interdependency among different regions.

  • As a demand-side region, Tohoku is one of the least
    influenced regions (i.e. it depends on a small number of
    supply-side groups compared to other regions).
      • Similar to the Kanto region, which includes Tokyo.

  • As a supply-side region, Tohoku is not so influential.
      • Different from Kanto (the most influential region).
Active measurements

                    Theoretical Study

          K. Matsuura: A Derivative of Digital Objects and Estimation of Default
          Risks in Electronic Commerce. LNCS 2229, Springer, pp.90-94, 2001.
          K. Matsuura: Digital Security Tokens and Their Derivatives. Netnomics
          (5:2) pp.161-179, 2003.
Credit risks in cyberspace
    Protocols require frequent verifications ("verify, verify, verify, ...").
    Feasible, but could be heavy.
    Why?
      Digital certificates.
      Avoid copyright violation.
      Need freshness.
      Compatibility.
      Policy agreement.
      ...
    Real-time, distributed & trusted directories are too difficult.
    Probably OK ...
    Verification results can change.
Example
 The verification may output NG. It may output OK. Who
 knows in advance?
 Suppose a digital ticket signed by an issuer. When I purchased
 it, I verified the signature and the result was OK. However,
 when I attempt to use it at a service provider, the verification
 by the provider may output NG. Or I may even face
 congestion that keeps me from connecting with the provider,
 or a TTP needed for verification may be too busy (e.g. some
 implementations of ID-based crypto).
More credit risks in cyberspace
 With the help of cryptographic technologies which
 establish a secure channel, a lot of virtual currencies (in a
 broader sense) are already available (e.g. reward points,
 FFP mileage, and digital cash).
 Their values can change, at least in the context of their
 exchange rates. Policy changes regarding expiration,
 redemption, and so on, can happen as well.
 From the viewpoint of consumers, they cause credit risks
 in cyberspace.
Abstraction based on stochastic processes
 (observable but unpredictable)
 Y and H can be observed by everyone, whereas V is not necessarily
  observable by everyone; if the issuer can observe V, that's enough.
 Information related to availability and QoS is an example of V.

   Token: the monetary value in a transaction depends on ...
       Price process: Y(t)
       Implicit value process: V(t)
       Value process: H(t) = h(t, V(t)), where h is a
         value-interpretation function.

 Occurrences (= realized numerical values) of Y and H are written
 when issued.
Modeling the dynamics
       Compromise: Assumed to be a Poisson process with
       intensity $\lambda$. Revoked if compromised.
       The value dynamics:
       $$dH = (1 - \lambda\,dt)(\mu H\,dt + \sigma H\,dW) - H\lambda\,dt$$
       where $\mu$ and $\sigma$ are deterministic constants and $W$ is a
       Wiener process.

Geometric Brownian motion unless compromised ($\mu$: velocity; $\sigma$: volatility)
Wiener process
  $W(0) = 0$, $dt\,dW = 0$.
  If $r < s < t < u$, $W(u) - W(t)$ and $W(s) - W(r)$ are independent.
  For $s < t$, the stochastic variable $W(t) - W(s)$ has the
  Gaussian distribution $N[0, (t-s)^{1/2}]$.
  $W$ has continuous trajectories.
  Expanding the value dynamics,
  $$dH = \mu H\,dt + \sigma H\,dW - \lambda\mu H\,(dt)^2 - \lambda\sigma H\,dt\,dW - \lambda H\,dt,$$
  and paying attention to $(dt)^2 = 0$ and $dt\,dW = 0$, we have
  $$dH = \underbrace{(\mu - \lambda) H\,dt}_{\text{deterministic}} + \underbrace{\sigma H\,dW}_{\text{stochastic}}.$$
Design a new stochastic process to realize an active measurement
 European call option
     Right to buy a share of the token with a strike value K at the
     time of maturity Tm at a fixed price Y=1.
     Let $C(t) = c(t, H(t))$ be the price process, where $c(t, 0) = 0$.
     As a restriction, we do not allow anyone to divide a token
     into smaller pieces. Except for this restriction, we place ideal
     market assumptions, including the existence of a riskless
     asset whose interest rate is r.
 Financial derivatives (whose prices depend on risk parameters)
     -> Market observation -> Inverse estimation -> Risk parameters ($\lambda$ and $\sigma$)
Stochastic calculus
  If the system is free from the risk of compromise (i.e. $\lambda = 0$), we
  can derive a PDE (partial differential equation) which has a
  closed-form solution
  $$c(t,h) = \frac{K\, N[d_1(t,h)]}{h} - e^{-r(T_m - t)}\, N[d_2(t,h)] \qquad (1)$$
  where N is the cumulative distribution function for the standard
  normal distribution and
  $$d_1(t,h) = \frac{\ln(K/h) + (r + \sigma^2/2)(T_m - t)}{\sigma (T_m - t)^{1/2}}, \qquad
    d_2(t,h) = d_1(t,h) - \sigma (T_m - t)^{1/2}.$$
  If there is a risk of compromise, we can derive a PDE to be
  computationally solved with the help of the closed-form
  solution (1) for the special case above.
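The value process of slides 28-29 and the inverse estimation of slides 30-31, as one added example in Python; it is not code from the talk or from the cited papers. The simulation discretises the compromise-able token value with the exact log-normal step of geometric Brownian motion between compromises (drift μ between events; the compromise hazard λ is what produces the (μ − λ) drift of slide 29 in expectation) and treats a compromise as revocation to zero value, both of which are assumed readings of the model. The "active measurement" inverts the closed form (1), coded exactly as written on slide 31 for the λ = 0 case, to recover σ from an observed option price by bisection. The estimator of (λ, σ) directly from observed paths is a passive counterpart added for comparison, not a method on the slides; all parameter values, path counts and the seed are assumptions.

```python
import math
import random


def norm_cdf(x):
    """Standard normal cumulative distribution function N(x)."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def simulate_token_paths(h0, mu, sigma, lam, horizon, n_steps, n_paths, seed=1):
    """Sample paths of the token value H.  Between compromises H follows
    geometric Brownian motion with drift mu and volatility sigma (exact
    log-normal step); a compromise arrives as a Poisson event of intensity
    lam and revokes the token, so H is 0 for the rest of the path.
    Returns (paths, t_comp) with t_comp[p] the compromise time or None."""
    rng = random.Random(seed)
    dt = horizon / n_steps
    log_drift = (mu - 0.5 * sigma ** 2) * dt     # Ito correction for log H
    vol = sigma * math.sqrt(dt)
    p_comp = 1.0 - math.exp(-lam * dt)           # P(compromise within one step)
    paths, t_comp = [], []
    for _ in range(n_paths):
        h, path, tc = h0, [h0], None
        for k in range(1, n_steps + 1):
            if rng.random() < p_comp:            # revoked: value drops to 0
                tc = k * dt
                path.extend([0.0] * (n_steps - k + 1))
                break
            h *= math.exp(log_drift + vol * rng.gauss(0.0, 1.0))
            path.append(h)
        paths.append(path)
        t_comp.append(tc)
    return paths, t_comp


def estimate_from_paths(paths, t_comp, horizon):
    """Passive estimate of (lam, sigma) from observed paths, for comparison:
    lam_hat = compromises / total time at risk (Poisson rate with censoring),
    sigma_hat = sample std of log increments while alive, divided by sqrt(dt)."""
    n_steps = len(paths[0]) - 1
    dt = horizon / n_steps
    events, exposure, incs = 0, 0.0, []
    for path, tc in zip(paths, t_comp):
        if tc is None:
            exposure += horizon
            live_steps = n_steps
        else:
            events += 1
            exposure += tc
            live_steps = int(round(tc / dt)) - 1   # increments before revocation
        incs.extend(math.log(path[k + 1] / path[k]) for k in range(live_steps))
    mean = sum(incs) / len(incs)
    var = sum((x - mean) ** 2 for x in incs) / (len(incs) - 1)
    return events / exposure, math.sqrt(var / dt)


def call_price_no_compromise(t, h, K, Tm, r, sigma):
    """Closed form (1) of slide 31 for lam = 0, coded as written on the slide."""
    tau = Tm - t
    if tau <= 0.0 or h <= 0.0 or sigma <= 0.0:
        raise ValueError("need t < Tm, h > 0 and sigma > 0")
    sq = sigma * math.sqrt(tau)
    d1 = (math.log(K / h) + (r + 0.5 * sigma ** 2) * tau) / sq
    d2 = d1 - sq
    return K * norm_cdf(d1) / h - math.exp(-r * tau) * norm_cdf(d2)


def implied_volatility(price, t, h, K, Tm, r, lo=1e-4, hi=5.0):
    """Active measurement: recover sigma from an observed option price by
    inverting (1) with bisection.  (1) is strictly increasing in sigma (it
    is (1/h) times a Black-Scholes call with spot K and strike h, whose vega
    is positive), so the root is unique whenever the bracket contains it."""
    f = lambda s: call_price_no_compromise(t, h, K, Tm, r, s) - price
    if f(lo) > 0.0 or f(hi) < 0.0:
        raise ValueError("observed price is outside the range of formula (1)")
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if f(mid) < 0.0:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


if __name__ == "__main__":
    paths, t_comp = simulate_token_paths(1.0, 0.05, 0.2, 0.5, 1.0, 250, 2000, seed=7)
    print("passive estimate (lam, sigma):", estimate_from_paths(paths, t_comp, 1.0))
    quoted = call_price_no_compromise(0.0, 1.0, 1.0, 1.0, 0.02, 0.3)
    print("option price at sigma=0.3:", quoted)
    print("active estimate of sigma:", implied_volatility(quoted, 0.0, 1.0, 1.0, 1.0, 0.02))
```

The contrast is the point of the slide: the passive estimate needs many observed compromises before λ is pinned down, whereas a quoted derivative price embeds the market's view of σ (and, once the λ > 0 PDE is solved numerically, of λ) even if no compromise has happened yet.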
Further maturity
    More uncertain
    Relax both chance and risk
    [Chart: option price c against the current occurrence of the value process H]

Larger volatility
    More uncertain
    Relax both chance and risk
    [Chart: option price c against the current occurrence of the value process H]

Higher strike value
    Better position
    [Chart: option price c against the current occurrence of the value process H]
Some notes
   Even if the compromise is rare (and has never happened
   before), we can measure the market evaluation of the risk.
   Introducing derivatives can enhance information
   dissemination and collection. This is good, too.
   In cyberspace, simple derivatives are difficult to realize,
   whereas complicated ones (e.g. mileage which needs co-pay
   when redeemed) are easy.
   Other applications of financial theories:
       Privacy metrics (e.g. different rates in on-line social lending).
       Real options to decide when and how we update a system.
R. Boehme: Security Metrics and Security Investment Models. LNCS 6434,
Springer, pp.10-24, 2010.
Concluding Remarks and Some Notes
Emerging importance of cybersecurity science
 Security management is quality management of security
 properties.
 Measurement of risk parameters may provide a basic
 bridge between theory and practice.
 Many research topics can be found if we consider trust
 and credit before/after conventional management.
 Possible impacts on network/system security.
     Practical information sharing (e.g. among ISPs and security
     vendors) is one thing; a common dataset for research is another.
     Mechanism design for research-promotion infrastructure.
       Recent actions by SIG-CSEC of IPSJ.

Pros and cons of buying used fleet vehicles.pptxPros and cons of buying used fleet vehicles.pptx
Pros and cons of buying used fleet vehicles.pptxjennifermiller8137
 
Transportation Electrification Funding Strategy by Jeff Allen and Brandt Hert...
Transportation Electrification Funding Strategy by Jeff Allen and Brandt Hert...Transportation Electrification Funding Strategy by Jeff Allen and Brandt Hert...
Transportation Electrification Funding Strategy by Jeff Allen and Brandt Hert...Forth
 
原版定制copy澳洲查尔斯顿大学毕业证UC毕业证成绩单留信学历认证保障质量
原版定制copy澳洲查尔斯顿大学毕业证UC毕业证成绩单留信学历认证保障质量原版定制copy澳洲查尔斯顿大学毕业证UC毕业证成绩单留信学历认证保障质量
原版定制copy澳洲查尔斯顿大学毕业证UC毕业证成绩单留信学历认证保障质量sehgh15heh
 
办理阳光海岸大学毕业证成绩单原版一比一
办理阳光海岸大学毕业证成绩单原版一比一办理阳光海岸大学毕业证成绩单原版一比一
办理阳光海岸大学毕业证成绩单原版一比一F La
 
(办理原版一样)Flinders毕业证弗林德斯大学毕业证学位证留信学历认证成绩单补办
(办理原版一样)Flinders毕业证弗林德斯大学毕业证学位证留信学历认证成绩单补办(办理原版一样)Flinders毕业证弗林德斯大学毕业证学位证留信学历认证成绩单补办
(办理原版一样)Flinders毕业证弗林德斯大学毕业证学位证留信学历认证成绩单补办fqiuho152
 
907MTAMount Coventry University Bachelor's Diploma in Engineering
907MTAMount Coventry University Bachelor's Diploma in Engineering907MTAMount Coventry University Bachelor's Diploma in Engineering
907MTAMount Coventry University Bachelor's Diploma in EngineeringFi sss
 
英国Bradford学位证,布拉德福德大学毕业证书1:1制作
英国Bradford学位证,布拉德福德大学毕业证书1:1制作英国Bradford学位证,布拉德福德大学毕业证书1:1制作
英国Bradford学位证,布拉德福德大学毕业证书1:1制作yjvk25x9
 
办理(PITT毕业证书)美国匹兹堡大学毕业证成绩单原版一比一
办理(PITT毕业证书)美国匹兹堡大学毕业证成绩单原版一比一办理(PITT毕业证书)美国匹兹堡大学毕业证成绩单原版一比一
办理(PITT毕业证书)美国匹兹堡大学毕业证成绩单原版一比一F La
 
What Causes The key not detected Message In Mercedes Cars
What Causes The key not detected Message In Mercedes CarsWhat Causes The key not detected Message In Mercedes Cars
What Causes The key not detected Message In Mercedes CarsGermany's Best Inc
 
原版工艺美国普林斯顿大学毕业证Princeton毕业证成绩单修改留信学历认证
原版工艺美国普林斯顿大学毕业证Princeton毕业证成绩单修改留信学历认证原版工艺美国普林斯顿大学毕业证Princeton毕业证成绩单修改留信学历认证
原版工艺美国普林斯顿大学毕业证Princeton毕业证成绩单修改留信学历认证jjrehjwj11gg
 
Dubai Call Girls Services Call 09900000000
Dubai Call Girls Services Call 09900000000Dubai Call Girls Services Call 09900000000
Dubai Call Girls Services Call 09900000000Komal Khan
 
Mastering Mercedes Engine Care Top Tips for Rowlett, TX Residents
Mastering Mercedes Engine Care Top Tips for Rowlett, TX ResidentsMastering Mercedes Engine Care Top Tips for Rowlett, TX Residents
Mastering Mercedes Engine Care Top Tips for Rowlett, TX ResidentsRowlett Motorwerks
 

Último (20)

Program Design by Prateek Suri and Christian Williss
Program Design by Prateek Suri and Christian WillissProgram Design by Prateek Suri and Christian Williss
Program Design by Prateek Suri and Christian Williss
 
EPA Funding Opportunities for Equitable Electric Transportation by Mike Moltzen
EPA Funding Opportunities for Equitable Electric Transportationby Mike MoltzenEPA Funding Opportunities for Equitable Electric Transportationby Mike Moltzen
EPA Funding Opportunities for Equitable Electric Transportation by Mike Moltzen
 
Can't Roll Up Your Audi A4 Power Window Let's Uncover the Issue!
Can't Roll Up Your Audi A4 Power Window Let's Uncover the Issue!Can't Roll Up Your Audi A4 Power Window Let's Uncover the Issue!
Can't Roll Up Your Audi A4 Power Window Let's Uncover the Issue!
 
Building a Future Where Everyone Can Ride and Drive Electric by Bridget Gilmore
Building a Future Where Everyone Can Ride and Drive Electric by Bridget GilmoreBuilding a Future Where Everyone Can Ride and Drive Electric by Bridget Gilmore
Building a Future Where Everyone Can Ride and Drive Electric by Bridget Gilmore
 
(办理学位证)(Toledo毕业证)托莱多大学毕业证成绩单修改留信学历认证原版一模一样
(办理学位证)(Toledo毕业证)托莱多大学毕业证成绩单修改留信学历认证原版一模一样(办理学位证)(Toledo毕业证)托莱多大学毕业证成绩单修改留信学历认证原版一模一样
(办理学位证)(Toledo毕业证)托莱多大学毕业证成绩单修改留信学历认证原版一模一样
 
办理昆士兰科技大学毕业证QUT毕业证留信学历认证
办理昆士兰科技大学毕业证QUT毕业证留信学历认证办理昆士兰科技大学毕业证QUT毕业证留信学历认证
办理昆士兰科技大学毕业证QUT毕业证留信学历认证
 
Centering Equity Panel by Samantha Bingham
Centering Equity Panel by Samantha BinghamCentering Equity Panel by Samantha Bingham
Centering Equity Panel by Samantha Bingham
 
办理乔治布朗学院毕业证成绩单|购买加拿大文凭证书
办理乔治布朗学院毕业证成绩单|购买加拿大文凭证书办理乔治布朗学院毕业证成绩单|购买加拿大文凭证书
办理乔治布朗学院毕业证成绩单|购买加拿大文凭证书
 
Pros and cons of buying used fleet vehicles.pptx
Pros and cons of buying used fleet vehicles.pptxPros and cons of buying used fleet vehicles.pptx
Pros and cons of buying used fleet vehicles.pptx
 
Transportation Electrification Funding Strategy by Jeff Allen and Brandt Hert...
Transportation Electrification Funding Strategy by Jeff Allen and Brandt Hert...Transportation Electrification Funding Strategy by Jeff Allen and Brandt Hert...
Transportation Electrification Funding Strategy by Jeff Allen and Brandt Hert...
 
原版定制copy澳洲查尔斯顿大学毕业证UC毕业证成绩单留信学历认证保障质量
原版定制copy澳洲查尔斯顿大学毕业证UC毕业证成绩单留信学历认证保障质量原版定制copy澳洲查尔斯顿大学毕业证UC毕业证成绩单留信学历认证保障质量
原版定制copy澳洲查尔斯顿大学毕业证UC毕业证成绩单留信学历认证保障质量
 
办理阳光海岸大学毕业证成绩单原版一比一
办理阳光海岸大学毕业证成绩单原版一比一办理阳光海岸大学毕业证成绩单原版一比一
办理阳光海岸大学毕业证成绩单原版一比一
 
(办理原版一样)Flinders毕业证弗林德斯大学毕业证学位证留信学历认证成绩单补办
(办理原版一样)Flinders毕业证弗林德斯大学毕业证学位证留信学历认证成绩单补办(办理原版一样)Flinders毕业证弗林德斯大学毕业证学位证留信学历认证成绩单补办
(办理原版一样)Flinders毕业证弗林德斯大学毕业证学位证留信学历认证成绩单补办
 
907MTAMount Coventry University Bachelor's Diploma in Engineering
907MTAMount Coventry University Bachelor's Diploma in Engineering907MTAMount Coventry University Bachelor's Diploma in Engineering
907MTAMount Coventry University Bachelor's Diploma in Engineering
 
英国Bradford学位证,布拉德福德大学毕业证书1:1制作
英国Bradford学位证,布拉德福德大学毕业证书1:1制作英国Bradford学位证,布拉德福德大学毕业证书1:1制作
英国Bradford学位证,布拉德福德大学毕业证书1:1制作
 
办理(PITT毕业证书)美国匹兹堡大学毕业证成绩单原版一比一
办理(PITT毕业证书)美国匹兹堡大学毕业证成绩单原版一比一办理(PITT毕业证书)美国匹兹堡大学毕业证成绩单原版一比一
办理(PITT毕业证书)美国匹兹堡大学毕业证成绩单原版一比一
 
What Causes The key not detected Message In Mercedes Cars
What Causes The key not detected Message In Mercedes CarsWhat Causes The key not detected Message In Mercedes Cars
What Causes The key not detected Message In Mercedes Cars
 
原版工艺美国普林斯顿大学毕业证Princeton毕业证成绩单修改留信学历认证
原版工艺美国普林斯顿大学毕业证Princeton毕业证成绩单修改留信学历认证原版工艺美国普林斯顿大学毕业证Princeton毕业证成绩单修改留信学历认证
原版工艺美国普林斯顿大学毕业证Princeton毕业证成绩单修改留信学历认证
 
Dubai Call Girls Services Call 09900000000
Dubai Call Girls Services Call 09900000000Dubai Call Girls Services Call 09900000000
Dubai Call Girls Services Call 09900000000
 
Mastering Mercedes Engine Care Top Tips for Rowlett, TX Residents
Mastering Mercedes Engine Care Top Tips for Rowlett, TX ResidentsMastering Mercedes Engine Care Top Tips for Rowlett, TX Residents
Mastering Mercedes Engine Care Top Tips for Rowlett, TX Residents
 

Analysis of cybersecurity risk parameters from empirical data

  • 6. Lessons from the economics of information security. Some problems happen due to economically-sound behaviors. (Example) Users get more benefits if a larger number of other users use the same software. This enhances an earlier release (of an immature version). Afterwards, software vendors release security patches one after another. Others happen due to behaviors which are not economically sound. (Example) Different features of investment-vulnerability curves imply over/under-investment. [Figure: optimal investment z* plotted against vulnerability v on 0..1 for two different curve shapes.] K. Matsuura: Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model, WEIS2008. Prediction is difficult.
  • 7. We really need measurements. [Diagram: the PDCA cycle (Plan, Do, Check, Act) with cybersecurity science supplying measurements of cybersecurity risk parameters.]
  • 8. Passive measurements: Empirical Study
  • 9. Quality of empirical data. Questionnaire exclusively for your research: (Pros) You can ask what you want to ask. (Cons) The resultant data quality is questionable. They do not always answer with their best efforts. Response rate could be low. Existing official/general statistics (passive measurements from the viewpoint of your side): (Cons) You can not always find survey items you want to place. You should find good proxies. (Pros) Some statistics are very reliable. Some surveys are well established (e.g. the statistics law helps in Japan), and some companies even have a section established to answer to the surveys.
  • 10. Topics of empirical studies: An example. Interdependency of information security. Security incidents and efforts of a party can influence other parties. If this happens without accompanied economic transactions, the externality can cause many problems (e.g. free-riding). Important factor of many theoretical models in security economics. Interdependency between different regions/sectors may imply risks in the real economy. B. Jenjarrussakul, H. Tanaka, K. Matsuura: Empirical Study on Interdependency of Information Security between Industrial Sectors and Regions. Seventh Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, 2011. H. Tanaka: Quantitative Analysis of Information Security Interdependency between Industrial Sectors. Proc. 3rd International Symposium on Empirical Software Engineering and Measurement, pp.574-583, 2009.
  • 11. Datasets. METI (Ministry of Economy, Trade, and Industry): Inter-regional Input-Output table for 2005 (economic transaction value); 2006 Survey of Information Technology, about 3000 samples (information-security (IS) multiplier). RIETI (Research Institute of Economy, Trade, and Industry): Japan Industrial Productivity Database 2008 (information-technology (IT) dependency).
  • 12. Inter-regional Input-Output Table. Row index: companies of sector i in region q; column index: companies of sector j in region r (9 regions and 12 industries in Japan, so the transaction matrix has size (9*12)^2; r=q and i=j on the diagonal). Economic transaction value z_{q,i,r,j}: purchase value by companies of sector j in region r from companies of sector i in region q. Final demand f_{q,i,r} (all regions by row): value which is used to determine input and output of sector i in region q. Import -m_{q,i} (negative) and export e_{q,i}: values of import and export of sector i in region q. Value added c_{r,j} (including tax) forms the bottom row.
      Sales (row) \ Purchases (column)   ... Region r, Sector j ...   Final Demand   Import (Neg)   Export
      Region q, Sector i                  z_{q,i,r,j}                f_{q,i,r}      -m_{q,i}       e_{q,i}
      Value added (Tax)                   c_{r,j}
  • 13. Backward dependency (BD). Based on E. Dietzenbacher and J. A. van der Linden: Sectoral and Spatial Linkages in the EC Production Structure. Journal of Regional Science (37:2) pp.235-257, 1997. BD is computed as a normalized value of an output reduction supposing a particular column is a zero vector. (From an engineering point of view, this is a kind of sensitivity analysis.) [Table: the input-output table of slide 12 with the column of sector j in region r, including its value-added entry, replaced by zeros.]
  • 14. Output reduction (a sketch). Suppose we can define an activity level (output) of this economy both from the supply side and from the demand side. This provides an accounting equation where all the coefficients can be obtained from the input-output table. By solving the accounting equation, we can see the activity level of this economy and its building blocks. Output reduction in the context of backward dependency is a normalized reduction of this level when a particular sector in a particular region no longer works as a demand-side group.
  • 15. Information security backward dependency (ISBD). Computed by supposing a particular column (r, j) is not 0 but (1-s_i s_j) z_{q,i,r,j} (i=1, 2, ..., 12; q=1, 2, ..., 9), where the reduction is based on security risk levels: (1) Level of IT dependency (of sector i): IT_i / (IT_i + nIT_i), where IT_i = IT capital stock of sector i and nIT_i = non-IT capital stock of sector i. (2) IS multiplier: (average number of deployed IS countermeasures in all sectors) / (average number of deployed IS countermeasures in sector i); 25 countermeasures in the survey. (3) Security risk level (a proxy): s_i = (1) x (2).
  • 16. Production value (region). Source: Inter-Regional Input-Output table for 2005; 1 US$ = 81.59 JPY. On the map, red = high production value = large economic scale; green = low production value = small economic scale.
      Region    ID   Output (billion US$)
      Kanto     C    7,745.90
      Kinki     E    2,882.30
      Chubu     D    2,218.20
      Kyushu    H    1,494.00
      Chugoku   F    1,114.70
      Tohoku    B    1,076.70
      Hokkaido  A      648.90
      Shikoku   G      482.00
      Okinawa   I      110.70
  • 17. Production value (sector).
      Sector                                ID   Output (billion US$)
      Services                              12   2,929.40
      Commerce and Logistic                 09   1,816.30
      Machinery                             05   1,607.60
      Financial, Insurance, and Real Estate 10   1,331.40
      Other Manufacturing                   06   1,165.50
      Construction                          07     781.10
      ICT                                   11     567.40
      Metal                                 04     562.80
      Food and Beverage                     03     443.80
      Utilities                             08     330.90
      Agriculture                           01     162.50
      Mining                                02      12.50
  • 18. Level of IT dependency [figure]
  • 19. Level of IS and risk [figure]
  • 20. Results (regional perspective). Influenced (demand-side) regions. Most: Shikoku, Okinawa; a large number of supply-side region-sectors have ISBD larger than a threshold (0.01%); small economic scale regions. Least: Kanto, Tohoku; the largest economic scale region and Tohoku. Influential (supply-side) regions. Most: Kanto, Kinki; large economic scale regions. Least: Okinawa, Shikoku, Hokkaido; small economic scale regions.
  • 21. Tohoku as a supply-side region. • Firstly, it should be noted that Tohoku plays an important role in many supply chains, as noticed by industrial people after the quake on March 11, 2011. (In that sense, largely influential on the demand side when we consider normal economic dependency.) • Tohoku is in the group of moderately influential regions (i.e. depended on by a medium number of demand-side groups). • However, 69% of the dependent supply-side sectors in Tohoku mainly influence demand-side sectors which are located in Tohoku itself. • This means the influence is likely to be limited to its own region.
  • 22. In empirical studies, deriving implications is important. • When we rebuild Tohoku, we can pay attention to IS interdependency issues inside the region, rather than interdependency among different regions. • As a demand-side region, Tohoku is one of the least influenced regions (i.e. it depends on a small number of supply-side groups compared to other regions). • Similar to the Kanto region, which includes Tokyo. • As a supply-side region, Tohoku is not so influential. • Different from Kanto (the most influential region).
  • 23. Active measurements: Theoretical Study. K. Matsuura: A Derivative of Digital Objects and Estimation of Default Risks in Electronic Commerce. LNCS 2229, Springer, pp.90-94, 2001. K. Matsuura: Digital Security Tokens and Their Derivatives. Netnomics (5:2) pp.161-179, 2003.
  • 24. Credit risks in cyberspace. Protocols require frequent verifications. Why? Digital certificates; avoid copyright violation; compatibility; policy agreement; ... Feasible but could be heavy. Need freshness. Real-time, distributed and trusted directories are too difficult. Verify, verify, verify, ... Probably OK . . . Verification results can change.
  • 25. Example. The verification may output NG. It may output OK. Who knows in advance?? Suppose a digital ticket signed by an issuer. When I purchased it, I verified the signature and the result was OK. However, when I attempt to use it at a service provider, the verification by the provider may output NG. Or I may even face congestion that keeps me from connecting with the provider, or the TTP needed for verification may be too busy (e.g. some implementations of ID-based crypto).
  • 26. More credit risks in cyberspace. With the help of cryptographic technologies which establish a secure channel, a lot of virtual currencies (in a broader sense) are already available (e.g. reward points, FFP mileage, and digital cash). Their values can change, at least in the context of their exchange rates. Policy changes regarding expiration, redemption, and so on, can happen as well. From the viewpoint of consumers, they cause credit risks in cyberspace.
  • 27. Abstraction based on stochastic processes (observable but unpredictable). Price process Y(t): monetary value in a transaction. Implicit value process V(t): what the token depends on; information related to availability and QoS is an example of V. Value process H(t) = h(t, V(t)), where h is a value-interpretation function. Y and H can be observed by everyone whereas V is not necessarily observable by everyone; if the issuer can observe V, that's enough. Occurrences (= realized numerical values) of Y and H are written when issued.
  • 28. Modeling the dynamics. Compromise: assumed to be a Poisson process with intensity $\lambda$; the token is revoked if compromised. The value dynamics: $dH = (1-\lambda\,dt)(\mu H\,dt + \sigma H\,dW) - H\lambda\,dt$, where $\mu$ and $\sigma$ are deterministic constants and $W$ is a Wiener process. Geometric Brownian motion unless compromised ($\mu$: velocity; $\sigma$: volatility).
  • 29. Wiener process. $W(0) = 0$, $dt\,dW = 0$. If $r<s<t<u$, then $W(u)-W(t)$ and $W(s)-W(r)$ are independent. For $s<t$, the stochastic variable $W(t)-W(s)$ has Gaussian distribution $N[0,(t-s)^{1/2}]$. $W$ has continuous trajectories. Paying attention to $(dt)^2 = 0$, we have $dH = (\mu-\lambda)H\,dt + \sigma H\,dW$ (deterministic term plus stochastic term).
  • 30. Design a new stochastic process to realize an active measurement. European call option: the right to buy a share of the token with a strike value K at the time of a maturity $T_m$ at a fixed price Y=1. Let $C(t) = c(t, H(t))$ be the price process, where $c(t,0) = 0$. As a restriction, we do not allow anyone to divide a token into smaller pieces. Except for this restriction, we place ideal market assumptions, including the existence of a riskless asset whose interest rate is r. Financial derivatives (whose prices depend on risk parameters) -> market observation -> inverse estimation -> risk parameters ($\lambda$ and $\sigma$).
  • 31. Stochastic calculus. If the system is free from the risk of compromise (i.e. $\lambda = 0$), we can derive a PDE (partial differential equation) which has a closed-form solution
      $c(t,h) = K\,N[d_1(t,h)]/h - e^{-r(T_m-t)}\,N[d_2(t,h)]$ (1)
      where N is the cumulative distribution function for the standard normal distribution and
      $d_1(t,h) = \{\ln(K/h) + (r+\sigma^2/2)(T_m-t)\}/\{\sigma (T_m-t)^{1/2}\}$, $d_2(t,h) = d_1(t,h) - \sigma (T_m-t)^{1/2}$.
      If there is a risk of compromise, we can derive a PDE to be computationally solved with the help of the closed-form solution (1) for the special case above.
  • 32. Further maturity: more uncertain; relaxes both chance and risk. [Figure: option price against the current occurrence of the value process H.]
  • 33. Larger volatility: more uncertain; relaxes both chance and risk. [Figure]
  • 34. Higher strike value: better position. [Figure]
  • 35. Some notes. Even if the compromise is rare (and has never happened before), we can measure the market evaluation of the risk. Introducing derivatives can enhance information dissemination and collection. This is good, too. In cyberspace, simple derivatives are difficult to realize whereas complicated ones (e.g. mileage which needs co-pay when redeemed) are easy. Other applications of financial theories: privacy metrics (e.g. different rates in on-line social lending); real options to decide when and how we update a system. R. Boehme: Security Metrics and Security Investment Models. LNCS 6434, Springer, pp.10-24, 2010.
  • 36. Concluding Remarks and Some Notes
  • 37. Emerging importance of cybersecurity science. Security management is quality management of security properties. Measurement of risk parameters may provide a basic bridge between theory and practice. Many research topics can be found if we consider trust and credit before/after conventional management. Possible impacts on network/system security. Practical information sharing (e.g. among ISPs and security vendors) is one thing, a common dataset for research is another. Mechanism design for research-promotion infrastructure. Recent actions by SIG-CSEC of IPSJ.
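The backward-dependency procedure of slides 12 to 15 (input-output table, accounting equation, hypothetical extraction of a column, then ISBD with the column scaled by (1 - s_i s_j)), worked through on a small constructed table. This is an added example, not code from the talk or from the METI/RIETI datasets; the 2-region x 2-sector numbers, the risk-level inputs and the simplification that imports, exports and value added are ignored (row output = intermediate sales + final demand) are all assumptions made here.

```python
"""Backward dependency (BD) and information-security backward dependency (ISBD)
via hypothetical extraction on a small inter-regional input-output table.
Added example with constructed data; it is not the METI/RIETI dataset and
not the authors' code. Imports, exports and value added are ignored, so
row output = intermediate sales + final demand (an assumption)."""
from typing import List, Sequence

Matrix = List[List[float]]


def solve_linear(a: Matrix, b: Sequence[float]) -> List[float]:
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        p = m[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular accounting system; check the table")
        for r in range(n):
            if r != col:
                factor = m[r][col] / p
                for c in range(col, n + 1):
                    m[r][c] -= factor * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def total_output(z: Matrix, f: Sequence[float]) -> List[float]:
    """Activity level of each (region, sector) row: intermediate sales plus final demand."""
    return [sum(row) + f[i] for i, row in enumerate(z)]


def output_with_scaled_column(z: Matrix, f: Sequence[float], k: int,
                              row_scale: Sequence[float]) -> List[float]:
    """Solve the accounting equation (I - A') x' = f, where A is the
    technical-coefficient matrix a_ij = z_ij / x_j and A' equals A except that
    column k is multiplied row-by-row by row_scale (all 0 = the column is a
    zero vector, all 1 = the unchanged economy)."""
    x = total_output(z, f)
    n = len(z)
    system = []
    for i in range(n):
        row = []
        for j in range(n):
            a = z[i][j] / x[j]
            if j == k:
                a *= row_scale[i]
            row.append((1.0 if i == j else 0.0) - a)
        system.append(row)
    return solve_linear(system, f)


def output_reduction(z: Matrix, f: Sequence[float], k: int,
                     row_scale: Sequence[float]) -> float:
    """Normalized reduction of total activity when column k is scaled."""
    before = sum(total_output(z, f))
    after = sum(output_with_scaled_column(z, f, k, row_scale))
    return (before - after) / before


def backward_dependency(z: Matrix, f: Sequence[float], k: int) -> float:
    """BD of column k: the column is replaced by a zero vector (slide 13)."""
    return output_reduction(z, f, k, [0.0] * len(z))


def risk_level(it_stock: float, non_it_stock: float,
               avg_countermeasures_all: float, avg_countermeasures_sector: float) -> float:
    """Security risk level proxy s_i = (IT dependency) x (IS multiplier) (slide 15)."""
    it_dependency = it_stock / (it_stock + non_it_stock)
    is_multiplier = avg_countermeasures_all / avg_countermeasures_sector
    return it_dependency * is_multiplier


def isbd(z: Matrix, f: Sequence[float], n_sectors: int, k: int,
         s: Sequence[float]) -> float:
    """ISBD of column k = region*n_sectors + sector j: every entry z_{q,i,r,j}
    of that column becomes (1 - s_i s_j) z_{q,i,r,j}; s is indexed by sector."""
    j = k % n_sectors
    row_scale = [1.0 - s[i % n_sectors] * s[j] for i in range(len(z))]
    return output_reduction(z, f, k, row_scale)


def demo() -> dict:
    """Constructed 2-region x 2-sector table (made-up billion-unit values)."""
    regions, sectors = ["East", "West"], ["ICT", "Services"]
    z = [[10, 20, 5, 5],
         [15, 10, 5, 10],
         [5, 5, 10, 20],
         [5, 10, 15, 10]]
    f = [60, 60, 60, 60]
    # Constructed proxies: ICT is IT-heavy but well protected, Services less so.
    s = [risk_level(7, 3, 10, 12), risk_level(3, 7, 10, 8)]
    out = {}
    for k in range(4):
        name = f"{regions[k // 2]}/{sectors[k % 2]}"
        out[name] = (backward_dependency(z, f, k), isbd(z, f, 2, k, s))
    return out


if __name__ == "__main__":
    for name, (bd, dep) in demo().items():
        print(f"{name:14s} BD={bd:.4f} ISBD={dep:.4f}")
```

Because the Leontief inverse is entry-wise monotone in the coefficient matrix, ISBD never exceeds BD for the same column, and the ranking of region-sectors by ISBD (the "influenced" and "influential" lists of slide 20) comes from repeating the computation for every column and comparing against a threshold.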
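The value dynamics of slides 28 and 29 as a simulation: geometric Brownian motion in H with a Poisson compromise that revokes the token, checked against the drift (mu - lambda) of the reduced equation dH = (mu - lambda)H dt + sigma H dW. This is an added example, not code from the talk; the Euler-Maruyama time stepping, the step count, the seed and every parameter value are constructed here.

```python
"""Monte Carlo sketch of the token value dynamics of slides 28-29:
geometric Brownian motion (velocity mu, volatility sigma) that is revoked,
i.e. drops to 0, at a Poisson compromise with intensity lam. Added example,
not code from the talk; all parameter values are constructed."""
import math
import random
from typing import List, Optional, Tuple


def simulate_path(h0: float, mu: float, sigma: float, lam: float, horizon: float,
                  steps: int, rng: Optional[random.Random] = None) -> Tuple[List[float], Optional[float]]:
    """Euler-Maruyama discretisation of dH = mu H dt + sigma H dW with a
    compromise check in each interval. Returns the path and the compromise
    time (None if the token survived to the horizon)."""
    rng = rng or random.Random(0)
    dt = horizon / steps
    sqrt_dt = math.sqrt(dt)
    h = h0
    path = [h]
    for n in range(1, steps + 1):
        if rng.random() < lam * dt:          # Poisson event in (t, t+dt]: revoked
            path.extend([0.0] * (steps - n + 1))
            return path, n * dt
        dw = rng.gauss(0.0, sqrt_dt)         # Wiener increment W(t+dt)-W(t) ~ N[0, dt^{1/2}]
        h += mu * h * dt + sigma * h * dw
        path.append(h)
    return path, None


def mean_terminal_value(h0: float, mu: float, sigma: float, lam: float, horizon: float,
                        n_paths: int, steps: int = 100, seed: int = 2011) -> Tuple[float, float]:
    """Sample mean of H(horizon) over n_paths paths and the observed compromise rate."""
    rng = random.Random(seed)
    total, compromised = 0.0, 0
    for _ in range(n_paths):
        path, t_c = simulate_path(h0, mu, sigma, lam, horizon, steps, rng)
        total += path[-1]
        if t_c is not None:
            compromised += 1
    return total / n_paths, compromised / n_paths


def expected_terminal_value(h0: float, mu: float, lam: float, horizon: float) -> float:
    """E[H(T)] = h0 exp((mu - lam) T): the drift of dH = (mu - lam) H dt + sigma H dW."""
    return h0 * math.exp((mu - lam) * horizon)


def survival_probability(lam: float, horizon: float) -> float:
    """P(no compromise by T) = exp(-lam T) for a Poisson process of intensity lam."""
    return math.exp(-lam * horizon)


if __name__ == "__main__":
    mean, rate = mean_terminal_value(1.0, 0.05, 0.2, 0.1, 1.0, 8000)
    print(f"simulated mean H(1) = {mean:.4f}, closed form = {expected_terminal_value(1.0, 0.05, 0.1, 1.0):.4f}")
    print(f"compromise rate = {rate:.4f}, closed form = {1 - survival_probability(0.1, 1.0):.4f}")
```

The sigma-dependent part averages out, which is why the sample mean only reveals mu - lambda: an observer of H alone cannot separate the velocity from the compromise intensity, and that is the gap the derivative of slide 30 is designed to close.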
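The active measurement of slides 30 to 34 in code: formula (1) of slide 31 prices the European call on the token for the no-compromise case (lambda = 0), and the inverse estimation recovers sigma from an observed market price by bisection. The three sensitivity checks correspond to slides 32 to 34. This is an added example, not code from the talk; the bisection bracket, the tolerance and all numeric inputs are constructed here, and lambda is not estimated because the slide states that the compromise case needs a numerically solved PDE.

```python
"""Price of the European call on a digital token from formula (1) of slide 31
(the no-compromise case, lambda = 0) and the inverse estimation of the
volatility sigma from an observed market price (slide 30). Added example,
not code from the talk; all numbers are constructed."""
import math
from typing import Dict


def std_normal_cdf(x: float) -> float:
    """N(x), the cumulative distribution function of the standard normal."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def call_price(t: float, h: float, strike_k: float, r: float, sigma: float, maturity: float) -> float:
    """c(t,h) = K N[d1]/h - exp(-r(Tm-t)) N[d2] with
    d1 = {ln(K/h) + (r + sigma^2/2)(Tm-t)} / {sigma (Tm-t)^{1/2}},
    d2 = d1 - sigma (Tm-t)^{1/2}.  c(t,0) = 0 as required on slide 30."""
    if h <= 0.0:
        return 0.0
    tau = maturity - t
    if tau < 0.0:
        raise ValueError("maturity has passed")
    if tau == 0.0:                        # limit of (1) as Tm-t -> 0: the payoff
        return max(strike_k / h - 1.0, 0.0)
    vol_sqrt_tau = sigma * math.sqrt(tau)
    d1 = (math.log(strike_k / h) + (r + 0.5 * sigma * sigma) * tau) / vol_sqrt_tau
    d2 = d1 - vol_sqrt_tau
    return strike_k * std_normal_cdf(d1) / h - math.exp(-r * tau) * std_normal_cdf(d2)


def implied_sigma(observed_price: float, t: float, h: float, strike_k: float, r: float,
                  maturity: float, lo: float = 1e-4, hi: float = 5.0, tol: float = 1e-10) -> float:
    """Inverse estimation of sigma by bisection on [lo, hi]; valid because (1)
    is increasing in sigma, so one observed price pins down one sigma."""
    def price(s: float) -> float:
        return call_price(t, h, strike_k, r, s, maturity)
    if not price(lo) <= observed_price <= price(hi):
        raise ValueError("observed price is outside the range formula (1) can produce")
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if price(mid) < observed_price:
            lo = mid
        else:
            hi = mid
        if hi - lo < tol:
            break
    return 0.5 * (lo + hi)


def scenario_prices(h: float = 1.0, strike_k: float = 1.0, r: float = 0.02,
                    sigma: float = 0.2, maturity: float = 1.0) -> Dict[str, float]:
    """Prices under the variations of slides 32-34: further maturity,
    larger volatility, higher strike value (constructed base case)."""
    return {
        "base": call_price(0.0, h, strike_k, r, sigma, maturity),
        "further_maturity": call_price(0.0, h, strike_k, r, sigma, 2 * maturity),
        "larger_volatility": call_price(0.0, h, strike_k, r, 2 * sigma, maturity),
        "higher_strike": call_price(0.0, h, 1.2 * strike_k, r, sigma, maturity),
    }


if __name__ == "__main__":
    observed = call_price(0.0, 1.0, 1.0, 0.02, 0.3, 1.5)   # a "market" price generated here
    print(f"implied sigma = {implied_sigma(observed, 0.0, 1.0, 1.0, 0.02, 1.5):.6f}")
    for name, value in scenario_prices().items():
        print(f"{name:18s} {value:.5f}")
```

The bracket check before the bisection is the practical caveat: a quoted price below the sigma -> 0 limit or above the sigma -> infinity limit cannot come from (1), which in the measurement setting signals either a stale quote or a nonzero compromise intensity that the closed form does not model.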