
Conclusions and Future Research Directions

Different information center architectures have different information security investment distributions. To find, for each information center architecture, the most appropriate combination within the information security investment distribution, the one expected to bring the enterprise the minimum loss, this study proposes a three-stage model and algorithm: (1) represent the structure of the information center, (2) compute the progressive insecurity probability of each resource, (3) compute the optimal investment benefit. This study also considers several architectures, including single-layer and two-layer information center architectures. Whatever the architecture, the algorithm proposed here can be used to compute the information security investment distribution for that architecture so as to achieve the optimal investment benefit.

This study then carried out information security investment simulation experiments and analysis and obtained important results. In the single-layer information center architecture, the higher the probability that a filter is successfully attacked, the higher the probability that the resource is compromised. In the two-layer information center architecture, likewise, the higher the probability that a filter is successfully attacked, the higher the probability that the resources at both layers are compromised; however, a crossover in the progressive insecurity probabilities was found, that is, the insecurity probability of the first-layer resource and that of the second-layer resource cross each other, showing that the second-layer resource is neither absolutely secure nor absolutely insecure. This result exhibits the same phenomenon as the study by Moskowitz and Kang [21].

The value of the resource itself is also discussed in this study: the higher the value of a resource, the more funding must be invested to protect it. If the probability of a successful attack is high and the value of the resource is also high, the potential loss will be high. To reduce the potential loss, the enterprise must raise the protective capability of its filters. This study discussed two different architectures, the single-layer and the two-layer information center architecture. For the single-layer architecture we verified that our model exhibits the same phenomenon as the model proposed by Gordon and Loeb [11], and we therefore went on to discuss the two-layer architecture. For that architecture we discussed investment in filters: over-investing raises costs and becomes a burden on the enterprise, while under-investing fails to raise the filters' defensive capability. From the experimental analysis of total investment, expected loss before investment, expected loss after investment, total net investment benefit and so on, we learned that the setting α=β=1 has a significant influence: with these simulation values a small investment yields a very large profit, yet the optimal investment benefit can still be computed. We also learned from the experimental analysis that the higher the initial insecurity probability, the larger the return on investment, and that for different threat probabilities we can find the optimal investment amount and the maximum net return on investment. This study can therefore provide the relevant information: for any given filter, how much to invest can be read from the investment distribution computed by the results of this study, supporting enterprise decision-making.

Whatever the information security situation an enterprise is in, the computational model proposed in this study can help it choose an appropriate investment approach that adequately reduces losses; for example, in the two-layer architecture the investment amount and the total expected net benefit can be derived from the configured insecurity probabilities of the filters. The model can therefore serve as a reference for designing or improving investment in an information center architecture.

At present this study has only performed simulated computations in a laboratory environment; although the investment distribution can be computed, many limitations remain, and some practical problems must be solved before the computational model of this study can be applied in an enterprise. Follow-up research directions for this study include:
(1) For the intrusion probability distribution, this study uses the two classes of security threat probability functions proposed by Gordon and Loeb [11], Type I and Type II, both of which are simulated functions. Future research could use actual data, computing the intrusion function from real intrusion records so that it matches real conditions and yields more accurate expected losses and investment distributions; so far only a few studies [24] have explored this topic.
(2) The architectures explored in this study are the single-layer and the two-layer architecture, whereas the actual topologies of enterprises may be far more diverse. To apply the model to an enterprise, the enterprise's actual architecture must be used so that correct results can be computed.
(3) This study assumes that the filters are mutually independent and does not consider dependencies, whereas real deployments have dependencies to some degree. Future research could investigate the dependency aspect so as to match real conditions.
(4) Although this study considers multiple filters and multiple resources, it does not consider multiple attackers intruding simultaneously. With multiple attackers the topology and the computational model would change; research on multiple attackers exists [17], but it differs from the three-stage computational method proposed here.
These tasks await continued future research.
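As an added worked example (not code from the thesis; the page does not reproduce its three-stage algorithm), the following Python script computes the Gordon-Loeb quantities that the experimental analysis above and future-research item (1) refer to: the Type I and Type II breach-probability functions, the expected loss before and after investment, the total investment and the net benefit, together with the closed-form optimal investment and a brute-force check of it. The breach functions and their optima follow Gordon and Loeb [11]; the per-filter independence used in allocate_across_filters (mirroring the independence assumption stated in item (3)), the function names and the constructed sample filter values are assumptions made here. With α=β=1, v=0.5 and L=1000 it reproduces the observation above: the expected loss before investment is 500, the optimal investment is only about 21.4, and the net benefit is about 456.

```python
"""Gordon-Loeb building block for per-filter security investment.

Assumed (from Gordon and Loeb 2002, not from the thesis itself):
    Type I : S(z, v) = v / (alpha*z + 1)**beta
    Type II: S(z, v) = v**(alpha*z + 1)
v is the filter's initial insecurity probability, z the investment,
L the loss if the protected resource is breached, and the expected
net benefit of investing z is ENBIS(z) = (v - S(z, v)) * L - z.
"""
import math

REPORT_KEYS = ("total_investment", "expected_loss_before",
               "expected_loss_after", "net_benefit")


def breach_prob_type1(z, v, alpha=1.0, beta=1.0):
    """Type I breach function: investment lowers v like a power law."""
    return v / (alpha * z + 1.0) ** beta


def breach_prob_type2(z, v, alpha=1.0):
    """Type II breach function: investment lowers v exponentially."""
    return v ** (alpha * z + 1.0)


def enbis(z, v, loss, breach_fn):
    """Expected net benefit: loss avoided by investing z, minus z itself."""
    return (v - breach_fn(z, v)) * loss - z


def optimal_investment_type1(v, loss, alpha=1.0, beta=1.0):
    """First-order condition of ENBIS for Type I.

    With alpha = beta = 1 this is sqrt(v*L) - 1; a negative value means
    no investment pays off, so the optimum is clamped at zero.
    """
    z = ((v * alpha * beta * loss) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def optimal_investment_type2(v, loss, alpha=1.0):
    """First-order condition of ENBIS for Type II (needs 0 < v < 1)."""
    if not 0.0 < v < 1.0:
        raise ValueError("v must be strictly between 0 and 1")
    ln_v = math.log(v)                      # negative, so the ratio below is positive
    z = math.log(-1.0 / (alpha * v * loss * ln_v)) / (alpha * ln_v)
    return max(z, 0.0)


def grid_search_optimum(v, loss, breach_fn, steps=20000):
    """Brute-force check of the closed forms by scanning z in [0, v*L].

    Investing more than the expected loss v*L can never pay off, so the
    scan stops there.  Returns (best_z, best_enbis).
    """
    z_max = v * loss
    best_z, best_val = 0.0, enbis(0.0, v, loss, breach_fn)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = enbis(z, v, loss, breach_fn)
        if val > best_val:
            best_z, best_val = z, val
    return best_z, best_val


def investment_report(v, loss, kind="type1", alpha=1.0, beta=1.0):
    """The four figures the experiments compare, for a single filter."""
    if kind == "type1":
        z = optimal_investment_type1(v, loss, alpha, beta)
        after = breach_prob_type1(z, v, alpha, beta)
    elif kind == "type2":
        z = optimal_investment_type2(v, loss, alpha)
        after = breach_prob_type2(z, v, alpha)
    else:
        raise ValueError("kind must be 'type1' or 'type2'")
    return {"total_investment": z,
            "expected_loss_before": v * loss,
            "expected_loss_after": after * loss,
            "net_benefit": (v - after) * loss - z}


def allocate_across_filters(filters, kind="type1"):
    """Investment distribution over several (name, v, loss) filters.

    Assumption: filters are independent, so each is optimised on its own
    and the enterprise-wide totals are plain sums.
    """
    reports = {name: investment_report(v, loss, kind) for name, v, loss in filters}
    totals = {key: sum(r[key] for r in reports.values()) for key in REPORT_KEYS}
    return reports, totals


if __name__ == "__main__":
    # Constructed sample: three filters with different initial insecurity
    # probabilities and different values of the resource they protect.
    sample = [("edge-filter", 0.5, 1000.0),
              ("app-filter", 0.3, 5000.0),
              ("db-filter", 0.8, 200.0)]
    for kind in ("type1", "type2"):
        per_filter, totals = allocate_across_filters(sample, kind)
        print(kind, {k: round(x, 2) for k, x in totals.items()})
        for name, rep in per_filter.items():
            print("   ", name, {k: round(x, 2) for k, x in rep.items()})
```

The closed forms only hold for these two specific function shapes; grid_search_optimum is the check to keep when a real intrusion function estimated from data (item (1)) replaces them, since it needs nothing but the ability to evaluate the breach probability at a given investment.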

… Vulnerability Analysis”, Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS’02), 217-224, 2002.

[5] Bell, D., LaPadula, L., “Secure Computer Systems: Unified Exposition and Multics Interpretation”, Technical Report, MTR-2997, MITRE, Bedford, Mass, 1975.

[6] Bier, V.M., Abhichandani, V., “Optimal Allocation of Resources for Defense of Simple Series and Parallel Systems from Determined Adversaries”, In Risk-Based Decision Making in Water Resources X, 59-76, Reston, VA: American Society of Civil Engineers, 2003.

[7] Bodin L.D., Gordon L.A., Loeb M.P., “Evaluating Information Security Investments Using the Analytic Hierarchy Process”, Communications of the ACM, February 2005, Volume 48, No. 2, pp. 79-83.

[8] Cavusoglu H., Mishra B., Raghunathan S., “A Model for Evaluating IT Security Investments”, Communications of the ACM, July 2004, Volume 47, No. 7, pp. 87-92.

[9] Chen, Y., Boehm, B., Sheppard, L., “Measuring Security Investment Benefit for Off the Shelf Software Systems - A Stakeholder Value Driven Approach”, The Sixth Workshop on the Economics of Information Security, Carnegie Mellon University, USA, June 2007.

[10] Goguen, J.A., Meseguer, J., “Security Policies and Security Models”, Proc. of the 1982 IEEE Symposium on Security and Privacy, 11-20, Oakland, CA, April 1982.

[11] Gordon, L.A., Loeb, M.P., “The Economics of Information Security Investment”, ACM Transactions on Information and Systems Security, 5(4), 438-457, 2002.

[12] Gordon, L.A., Loeb, M.P., Lucyshyn, W., “An Economics Perspective on the Sharing of Information Related to Security Breaches: Concepts and Empirical Evidence”, Proceedings of the First WEIS, UC Berkeley, 16-17, 2002.

[13] Gordon, L.A., Loeb M.P., Lucyshyn, W., “Information Security Expenditures and Real Options: A wait-and-see Approach”, Computer Security Journal, Volume Number 2, 1-6, 2003.

[14] Grossklags, J., Christin, N., Chuang, J., “Security investment (failures) in five economic environments: A comparison of homogeneous and heterogeneous user agents”, The Seventh Workshop on the Economics of Information Security, Dartmouth, USA, June 2008.

[15] Hausken, K., “Returns to Information Security Investment: The Effect of Alternative Breach Functions on Optimal Investment and Sensitivity to Vulnerability”, Information Systems Frontiers, Vol. 5, No. 8, 2006.

[16] Hoo, K.J. S., “How much is enough? A Risk-Management Approach to Computer Security”, Ph.D. thesis, Stanford University, 2000.

[17] Huang, C.D., Hu, Q., Behara, R.S., “Economics of Information Security Investment in the Case of Simultaneous Attacks”, The Fifth Workshop on the Economics of Information Security, University of Cambridge, England, June 2006.

[18] Hulthen, Rolf, “Communicating the Economic Value of Security Investments; Value at Security Risk”, The Seventh Workshop on the Economics of Information Security, Dartmouth, USA, June 2008.

[19] Kumar, V., Telang, R., Mukhopadhyay, T., “Optimally securing interconnected information systems and assets”, The Sixth Workshop on the Economics of Information Security, Carnegie Mellon University, USA, June 2007.


[20] Matsuura, K., “Productivity Space of Information Security in an Extension of the Gordon-Loeb’s Investment Model”, The Seventh Workshop on the Economics of Information Security, Dartmouth, USA, June 2008.

[21] Moskowitz, I.S., Kang, M.H., “An Insecurity Flow Model”, In New Security Paradigms Workshop, Langdale, Cumbria, UK, 1997.

[22] Ortalo, R., Dewarte, Y., Kaaniche, M., “Experimenting with Quantitative Evaluation Tools for Monitoring Operational Security”, IEEE Transactions on Software Engineering, 25(5):633-650, September/October 1999.

[23] Phillips, C., Swiler, L.P., “A Graph-Based System for Network-Vulnerability Analysis”, In New Security Paradigms Workshop, 71-79, 1998.

[24] Ryan, J.C.H., Ryan, D.J., “Expected Benefits of Information Security Investments”, Computers and Security, 25, 579-588, 2006.

[25] Schechter, S.E., “Computer Security Strength and Risk: A Quantitative Approach”, Ph.D. thesis, Harvard University DEAS, 2004.

[26] Sheyner, O., Wing, J., “Tools for Generating and Analyzing Attack Graphs”, Proceedings of Formal Methods for Components and Objects, Lecture Notes in Computer Science, 2005.

[27] Sowa, S., Tsinas, L., Gabriel, R., “BORIS – Business ORiented management of Information Security”, The Seventh Workshop on the Economics of Information Security, Dartmouth, USA, June 2008.

[28] Sutherland, D., “A Model of Information”, Proc. of the 9th National Computer Security Conference, NSA/NIST, Gaithersburg, MD, September 1986.

[29] Wang, S.L., Chen, J.D., Hong, T.P., Stirpe, P.A., “Probabilistic Analysis of Information Center Insecurity”, The Twenty Second International Conference on Industrial, Engineering & Other Applications of Applied Intelligent Systems, Tainan, Taiwan, June 2009.

[30] Wang, S.L., Stirpe, P.A., Hong, T.P., “Modeling Optimal Security Investment of Information Centers”, The PAKDD 2008 Workshop on Data Mining for Decision Making and Risk Management, May, 2008, Osaka, Japan, 293-304.

[31] Willemson, J., “On the Gordon & Loeb Model for Information Security Investment”, The Fifth Workshop on the Economics of Information Security, University of Cambridge, England, June 2006.
