This document discusses passive and active measurements for studying cybersecurity risk parameters.
Passive measurements involve analyzing existing empirical data sources to study interdependencies between information security in different sectors and regions without directly interacting with systems. Theoretical active measurements involve designing observable stochastic processes to model dynamics of security risks like default risks and value changes over time for digital objects based on factors like compromise rates. Empirical studies on inter-sector and inter-regional information security used datasets like economic transaction data and security survey responses to analyze how risks in one area could influence others.
Analysis of cybersecurity risk parameters from empirical data
1. My publication (2006-2011)
Invited talk at WISA2011 (August 22, 2011)
Management
Crypto
Network
Passive and Active Measurements of Cybersecurity Risk Parameters
Kanta MATSUURA (IIS, The University of Tokyo)
2. Agenda
Security management
Traditional heuristics
Recent trend of cybersecurity science
Empirical study
Quality of empirical data
Passive measurements and finding proxies
Example
Theoretical study
Active measurements: Design of observable stochastic processes associated with cybersecurity risks
4. Traditional heuristics
Security management is quality management of security
properties such as CIA (confidentiality, integrity, and
availability).
Heuristics of a PDCA cycle.
Plan Do Check Act
evolution
5. We need revolution, rather than evolution.
Human and social problems:
Lack of science to explain mechanisms behind the problems.
Problems of heuristic evaluation:
Lack of reproducibility and impact. How general are the claims one can make?
Recent trend: Promotion of cybersecurity science
The US Cybersecurity Act of 2009.
Research communities started well before (e.g. the First Workshop
on the Economics of Information Security (WEIS) was in 2002).
R. Anderson and T. Moore: The Economics of Information Security. Science (314) pp.610-613, 2006.
6. Lessons from the economics of information security
Some problems happen due to economically-sound behaviors.
(Example) Users get more benefits if a larger number of other users use the same software. This enhances an earlier release (of an immature version). Afterwards, software vendors release security patches one after another.
Others happen due to behaviors which are not economically sound.
(Example) Different features of investment-vulnerability curves imply over/under-investment.
[Figures: two plots of z* against v, with v running from 0 to 1.]
K. Matsuura: Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model, WEIS2008.
Prediction is difficult.
7. We really need measurements.
Plan Do Check Act
Cybersecurity Science
Measurements of cybersecurity risk parameters
9. Quality of empirical data
Questionnaire exclusively for your research
(Pros) You can ask what you want to ask.
(Cons) The resultant data quality is questionable.
They do not always answer with their best efforts.
Response rate could be low.
Existing official/general statistics (passive measurements from the viewpoint of your side)
(Cons) You cannot always find survey items you want to place.
You should find good proxies.
(Pros) Some statistics are very reliable.
Some surveys are well established (e.g. the statistics law helps in
Japan), and some companies even have a section established to answer
to the surveys.
10. Topics of empirical studies: An example
Interdependency of information security
Security incidents and efforts of a party can influence other parties.
If this happens without accompanied economic transactions, the externality can cause many problems (e.g. free-riding).
Important factor of many theoretical models in security economics.
Interdependency between different regions/sectors may imply risks in the real economy.
B. Jenjarrussakul, H. Tanaka, K. Matsuura: Empirical Study on Interdependency of Information Security between Industrial Sectors and Regions. Seventh Annual Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective, 2011.
H. Tanaka: Quantitative Analysis of Information Security Interdependency between Industrial Sectors. Proc. 3rd International Symposium on Empirical Software Engineering and Measurement, pp.574-583, 2009.
11. Datasets
METI (Ministry of Economy, Trade, and Industry):
• Inter-regional Input-Output table for 2005
• Economic transaction value
• 2006 Survey of Information Technology (about 3000 samples)
• Information-security (IS) multiplier
RIETI (Research Institute of Economy, Trade, and Industry):
• Japan Industrial Productivity Database 2008
• Information-technology (IT) dependency
12. Inter-regional Input-Output Table
Economic Transaction: Purchase value by companies of sector j in region r (column index) from companies of sector i in region q (row index).
Final Demand: Value which is used to determine input and output of the sector.
Import: Value of import in sector j in region q.
Export: Value of export in sector j in region q.

| Purchase \ Production | … Region r, Sector j … | Final Demand | Import (Neg) (r=q, i=j) | Export (All regions by row) |
|---|---|---|---|---|
| … | … | … | … | … |
| Region q, Sector i | z_{q,i,r,j} | f_{q,i,r} | -m_{q,i} | e_{q,i} |
| … | … | … | … | … |
| (Tax) | … | | | |
| Value added | c_{r,j} | | | |

Matrix size (9*12)^2 (9 regions and 12 industries in Japan)
13. Backward dependency (BD)
Based on
E. Dietzenbacher and Jan A. van der Linden: Sectoral and Spatial Linkages in the EC Production Structure. Journal of Regional Science (37:2) pp.235-257, 1997,
BD is computed as a normalized value of an output reduction supposing a particular column is a zero vector.
(From an engineering point of view, this is a kind of sensitivity analysis.)
[Figure: the inter-regional input-output table with every entry z_{q,i,r,j} of the column for sector j in region r, and its value added c_{r,j}, set to 0.]
14. Output reduction (a sketch)
Suppose we can define an activity level (output) of this
economy both from the supply side and from the demand
side.
This provides an accounting equation where all the
coefficients can be obtained from the input-output table.
By solving the accounting equation, we can see the
activity level of this economy and its building blocks.
Output reduction in the context of backward dependency is a normalized reduction of this level when a particular sector in a particular region no longer works as a demand-side group.
15. Information security backward dependency (ISBD)
Computed by supposing a particular column (r, j) is not 0 but (1 − s_i s_j) z_{q,i,r,j} (i=1, 2, . . . , 12; q=1, 2, . . . , 9)
where the reduction is based on security risk levels:
(1) Level of IT dependency (of sector i)
IT_i / (IT_i + nIT_i) where IT_i = IT capital stock of sector i, nIT_i = non-IT capital stock of sector i
(2) IS Multiplier
(Average number of deployed IS countermeasures in all sectors) / (Average number of deployed IS countermeasures in sector i)
(25 countermeasures in the survey)
(3) Security risk level (a proxy)
s_i = (1) × (2)
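The BD and ISBD computations of slides 13 to 15, worked through on a toy table. This is an added example, not code from the talk or the cited papers: the 2-region, 2-sector figures are constructed, and the Leontief form of the accounting equation and the normalization by total baseline output are assumptions, since the slides only sketch them.

```python
# Constructed toy economy: 2 regions x 2 sectors = 4 region-sector groups.
GROUPS = [("R1", "ICT"), ("R1", "Services"), ("R2", "ICT"), ("R2", "Services")]
# Z[a][b]: purchases by group b (column, demand side) from group a (row, supply side).
Z = [[10.0, 20.0, 5.0, 5.0],
     [15.0, 10.0, 5.0, 10.0],
     [5.0, 5.0, 8.0, 12.0],
     [5.0, 10.0, 10.0, 6.0]]
F = [60.0, 60.0, 40.0, 50.0]  # final demand per group
# Per sector: (IT capital stock, non-IT capital stock, avg. deployed IS countermeasures).
SECTOR = {"ICT": (30.0, 70.0, 15.0), "Services": (10.0, 90.0, 9.0)}
AVG_ALL = 12.0  # average number of deployed countermeasures over all sectors

def risk_level(sector):
    """s_i = IT dependency x IS multiplier, as defined on the slide."""
    it, non_it, measures = SECTOR[sector]
    return it / (it + non_it) * (AVG_ALL / measures)

def solve(m, rhs):
    """Solve m x = rhs by Gauss-Jordan elimination with partial pivoting."""
    n = len(rhs)
    aug = [row[:] + [rhs[k]] for k, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda k: abs(aug[k][c]))
        aug[c], aug[p] = aug[p], aug[c]
        for k in range(n):
            if k != c:
                factor = aug[k][c] / aug[c][c]
                aug[k] = [u - factor * v for u, v in zip(aug[k], aug[c])]
    return [aug[k][n] / aug[k][k] for k in range(n)]

def dependency(col, scale):
    """Normalized drop in total output when column `col` of Z is scaled by scale(row)."""
    n = len(F)
    x = [sum(Z[a]) + F[a] for a in range(n)]  # baseline output of each group
    # Assumed accounting equation (Leontief): x = A x + F, A[a][b] = Z[a][b] / x[b].
    m = [[(a == b) - Z[a][b] * (scale(a) if b == col else 1.0) / x[b]
          for b in range(n)] for a in range(n)]
    return (sum(x) - sum(solve(m, F))) / sum(x)

def bd(col):
    """Backward dependency: the whole column becomes a zero vector."""
    return dependency(col, lambda row: 0.0)

def isbd(col):
    """ISBD: entry from row group i is kept at (1 - s_i * s_j) of its value."""
    s_j = risk_level(GROUPS[col][1])
    return dependency(col, lambda row: 1.0 - risk_level(GROUPS[row][1]) * s_j)
```

Because each factor (1 − s_i s_j) lies between 0 and 1, the ISBD of a column is always smaller than its BD, which is why the talk compares ISBD against a small threshold.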
16. Production value (region)

| Region name | Region ID | Output (billion US$) |
|---|---|---|
| Kanto | C | 7,745.90 |
| Kinki | E | 2,882.30 |
| Chubu | D | 2,218.20 |
| Kyushu | H | 1,494.00 |
| Chugoku | F | 1,114.70 |
| Tohoku | B | 1,076.70 |
| Hokkaido | A | 648.90 |
| Shikoku | G | 482.00 |
| Okinawa | I | 110.70 |

Source: Inter-Regional Input-Output table for 2005
1 US$ = 81.59 JPY (yen)
[Map of Japan showing regions A to I.]
Red = High production value = Large economic scale
Green = Low production value = Small economic scale
17. Production value (sector)

| Sector name | Sector ID | Output (billion US$) |
|---|---|---|
| Services | 12 | 2,929.40 |
| Commerce and Logistic | 09 | 1,816.30 |
| Machinery | 05 | 1,607.60 |
| Financial, Insurance, and Real Estate | 10 | 1,331.40 |
| Other Manufacturing | 06 | 1,165.50 |
| Construction | 07 | 781.10 |
| ICT | 11 | 567.40 |
| Metal | 04 | 562.80 |
| Food and Beverage | 03 | 443.80 |
| Utilities | 08 | 330.90 |
| Agriculture | 01 | 162.50 |
| Mining | 02 | 12.50 |
20. Results (regional perspective)
Influenced (demand-side) regions
Most: Shikoku, Okinawa
A large number of supply-side region-sectors have ISBD larger than a threshold (0.01%).
Small economic scale regions.
Least: Kanto, Tohoku
The largest economic scale region and Tohoku.
Influential (supply-side) regions
Most: Kanto, Kinki
Large economic scale regions.
Least: Okinawa, Shikoku, Hokkaido
Small economic scale regions.
21. Tohoku as a supply-side region
• Firstly, it should be noted that Tohoku plays an important role in many supply chains, as noticed by industrial people after the quake on March 11, 2011. (In that sense, largely influential on demand side when we consider normal economic dependency.)
• Tohoku is in a group of moderately influential regions (i.e. depended on by a medium number of demand-side groups).
• However, 69% of the dependent supply-side sectors in Tohoku mainly influence demand-side sectors which are located in Tohoku itself.
• This means the influence is likely to be limited to its own region.
22. In empirical studies, deriving implications is important.
• When we rebuild Tohoku, we can pay attention to IS interdependency issues inside the region, rather than interdependency among different regions.
• As a demand-side region, Tohoku is one of the least influenced regions (i.e. depends on a small number of supply-side groups compared to other regions).
  • Similar to Kanto region, which includes Tokyo.
• As a supply-side region, Tohoku is not so influential.
  • Different from Kanto (the most influential region).
23. Active measurements
Theoretical Study
K. Matsuura: A Derivative of Digital Objects and Estimation of Default Risks in Electronic Commerce. LNCS 2229, Springer, pp.90-94, 2001.
K. Matsuura: Digital Security Tokens and Their Derivatives. Netnomics (5:2) pp.161-179, 2003.
24. Credit risks in cyberspace
Protocols require frequent verifications. Feasible but could be heavy.
Verify, verify, verify, ...
Why?
Digital certificates.
Avoid copyright violation.
Need freshness.
Compatibility.
Policy agreement.
・・・
Real-time, distributed & trusted directories are too difficult.
Probably OK . . . Verification results can change.
25. Example
The verification may output NG. It may output OK. Who knows in advance??
Suppose a digital ticket signed by an issuer. When I purchased it, I verified the signature and the result was OK. However, when I attempt to use it at a service provider, the verification by the provider may output NG. Or I may even face a congestion that keeps me from connection with the provider, or TTP needed for verification may be too busy (e.g. some implementations of ID-based crypto).
26. More credit risks in cyberspace
With the help of cryptographic technologies which establish a secure channel, a lot of virtual currencies (in a broader sense) are already available (e.g. reward points, FFP mileage, and digital cash).
Their values can change, at least in the context of their exchange rates. Policy changes regarding expiration, redemption, and so on, can happen as well.
From the viewpoint of consumers, they cause credit risks in cyberspace.
27. Abstraction based on stochastic processes
(observable but unpredictable)
Y and H can be observed by everyone whereas V is not necessarily observable by everyone; if the issuer can observe V, that's enough.
Information related to availability and QoS is an example of V.
Price process: Y(t)
Implicit value process: V(t)
Value process: H(t) = h(t, V(t)), where h is a value-interpretation function.
Occurrences (= realized numerical values) of Y and H are written when issued.
[Figure labels: "Token depends on. . ." and "Monetary value in a transaction".]
28. Modeling the dynamics
Compromise: Assumed to be a Poisson process with intensity λ. Revoked if compromised.
The value dynamics:
$$dH = (1-\lambda\,dt)(\mu H\,dt + \sigma H\,dW) - H\lambda\,dt$$
where μ and σ are deterministic constants and W is a Wiener process.
Geometric Brownian motion unless compromised (μ: velocity; σ: volatility)
29. Wiener process
W(0) = 0, dt dW = 0.
If r<s<t<u, then W(u)−W(t) and W(s)−W(r) are independent.
For s<t, the stochastic variable W(t)−W(s) has the Gaussian distribution $N[0,(t-s)^{1/2}]$.
W has continuous trajectories.
Paying attention to $(dt)^2=0$, we have
$$dH = (\mu-\lambda)H\,dt + \sigma H\,dW$$
(The first term is deterministic; the second is stochastic.)
30. Design a new stochastic process to realize an active measurement
European call option
Right to buy a share of the token with a strike value K at the time of a maturity Tm at a fixed price Y=1.
Let C(t)=c(t, H(t)) be the price process where c(t,0)=0.
As a restriction, we do not allow anyone to divide a token into smaller pieces. Except this restriction, we place ideal market assumptions including the existence of a riskless asset whose interest rate is r.
[Figure labels: Financial derivatives (whose prices depend on risk parameters); Market observation; Inverse estimation; Risk parameters (λ and σ).]
31. Stochastic calculus
If the system is free from the risk of compromise (i.e. λ=0), we can derive a PDE (partial differential equation) which has a closed-form solution
$$c(t,h) = \frac{K\,N[d_1(t,h)]}{h} - e^{-r(T_m-t)}\,N[d_2(t,h)] \qquad (1)$$
where N is the cumulative distribution function for the standard normal distribution and
$$d_1(t,h) = \frac{\ln(K/h) + (r+\sigma^2/2)(T_m-t)}{\sigma\,(T_m-t)^{1/2}}$$
$$d_2(t,h) = d_1(t,h) - \sigma\,(T_m-t)^{1/2}.$$
If there is a risk of compromise, we can derive a PDE to be computationally solved with the help of the closed-form solution (1) for the special case above.
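The inverse-estimation step of slide 30, carried out for the compromise-free special case (λ=0) where formula (1) applies directly. This is an added example, not code from the talk or the cited papers: the quoted prices are constructed, the function names are hypothetical, and estimating λ would additionally need the numerically solved PDE that the slides do not give.

```python
import math

def norm_cdf(x):
    """Cumulative distribution function N of the standard normal distribution."""
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))

def call_price(h, K, r, sigma, tau):
    """Formula (1) for lambda = 0, with tau = Tm - t and current value h > 0."""
    d1 = (math.log(K / h) + (r + sigma ** 2 / 2.0) * tau) / (sigma * math.sqrt(tau))
    d2 = d1 - sigma * math.sqrt(tau)
    return K * norm_cdf(d1) / h - math.exp(-r * tau) * norm_cdf(d2)

def implied_sigma(observed, h, K, r, tau, lo=1e-4, hi=5.0, tol=1e-10):
    """Inverse estimation: the sigma at which formula (1) reproduces `observed`.

    Formula (1) has the Black-Scholes call form with spot K/h and strike 1,
    so it increases with sigma and bisection on [lo, hi] converges.
    """
    if not call_price(h, K, r, lo, tau) <= observed <= call_price(h, K, r, hi, tau):
        raise ValueError("observed price is outside the range formula (1) can produce")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if call_price(h, K, r, mid, tau) < observed:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

def estimate_sigma(quotes, K, r):
    """Average the implied sigma over several (h, tau, price) market observations."""
    values = [implied_sigma(price, h, K, r, tau) for h, tau, price in quotes]
    return sum(values) / len(values)

# Constructed observations (h, Tm - t, quoted option price), generated with sigma = 0.35.
K, R = 1.0, 0.02
QUOTES = [(h, tau, call_price(h, K, R, 0.35, tau))
          for h, tau in [(0.9, 0.5), (1.0, 0.5), (1.1, 0.25)]]

if __name__ == "__main__":
    print(round(estimate_sigma(QUOTES, K, R), 6))
```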
32. Further maturity
More uncertain
Relax both chance and risk
(Figure axis: current occurrence of the value process H)
35. Some notes
Even if the compromise is rare (and has never happened
before), we can measure the market evaluation of the risk.
Introducing derivatives can enhance information
dissemination and collection. This is good, too.
In cyberspace, simple derivatives are difficult to realize
whereas complicated ones (e.g. mileage which needs co-pay
when redeemed) are easy.
Other applications of financial theories:
Privacy metrics (e.g. different rates in on-line social lending).
Real options to decide when and how we update a system.
R. Boehme: Security Metrics and Security Investment Models. LNCS 6434, Springer, pp.10-24, 2010.
37. Emerging importance of cybersecurity science
Security management is quality management of security
properties.
Measurement of risk parameters may provide a basic
bridge between theory and practice.
Many research topics can be found if we consider trust
and credit before/after conventional management.
Possible impacts on network/system security.
Practical information sharing (e.g. among ISP and security
vendors) is one thing, common dataset for research is another.
Mechanism design for research-promotion infrastructure.
Recent actions by SIG-CSEC of IPSJ.