Computer Security – Survey and Optimal Investment
Outline
• Computer Crime and Security Survey
– Respondents
– Key findings
• How much should be spent to improve computer security?
Security Survey (1)
• Respondents
– CSI/FBI 2005
– 700 computer security practitioners in US corporations, government agencies, financial institutions, medical institutions and
Security Survey (9)
How much should be spent? (1)
• The Model (Gordon & Loeb 2002)
– Invest $z to reduce L
[Figure: information system facing threats and attacks; vulnerability v, loss L; breach function s(z), s(0) = v]
How much should be spent? (2)
• The Model
[Figure: firewall (IPTable) between the threat and the system]
– v : probability a threat is realized
– z : dollars invested in security
– v * L : loss due to a realized threat
– EBIS(z) = [v – s(z,v)] * L
How much should be spent? (3)
How much should be spent? (4)
• For low- or high-vulnerability systems, no optimal investment
• For midrange vulnerability, about 37% of expected loss
• Different breach functions may give different optimal investments
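The three results above can be reproduced numerically from the model on the preceding slides. The following Python is an added example, not part of the slide deck or of Gordon & Loeb's paper: it codes the benefit EBIS(z) = [v – s(z,v)] * L in the slides' notation, the net benefit ENBIS(z) = EBIS(z) – z that the model maximizes, and the two breach-function families Gordon & Loeb analyze (class I, s = v/(αz+1)^β, and class II, s = v^(αz+1)); it then searches for the optimal z. The loss L = $1M and the productivity parameter α = 1e-5 are constructed values chosen only to make the corner and interior cases visible.

```python
import math

# Gordon & Loeb (2002) security-investment model, in the slides' notation:
#   v        probability a threat is realized (vulnerability)
#   L        loss if the threat is realized
#   z        dollars invested in security
#   s(z, v)  breach probability after investing z, with s(0, v) = v
#   EBIS(z) = [v - s(z, v)] * L      (gross expected benefit)
#   ENBIS(z) = EBIS(z) - z           (net benefit, the quantity maximized)


def ebis(z, v, L, s):
    """Expected benefit of investing z in security."""
    return (v - s(z, v)) * L


def enbis(z, v, L, s):
    """Expected net benefit: gross benefit minus the investment itself."""
    return ebis(z, v, L, s) - z


def class1(alpha, beta):
    """Gordon-Loeb class I breach function: s(z, v) = v / (alpha*z + 1)**beta."""
    return lambda z, v: v / (alpha * z + 1) ** beta


def class2(alpha):
    """Gordon-Loeb class II breach function: s(z, v) = v**(alpha*z + 1)."""
    return lambda z, v: v ** (alpha * z + 1)


def optimal_investment(v, L, s, iters=200):
    """Maximize ENBIS over z in [0, v*L] by ternary search.

    Both breach-function classes make ENBIS strictly concave in z, so ternary
    search converges to the maximum. Spending more than the expected loss v*L
    can never pay, which bounds the interval. Returns 0.0 when spending nothing
    is at least as good as any positive z (a corner solution: no investment).
    """
    lo, hi = 0.0, v * L
    for _ in range(iters):
        m1 = lo + (hi - lo) / 3
        m2 = hi - (hi - lo) / 3
        if enbis(m1, v, L, s) < enbis(m2, v, L, s):
            lo = m1
        else:
            hi = m2
    z = (lo + hi) / 2
    if enbis(z, v, L, s) <= enbis(0.0, v, L, s):
        return 0.0
    return z


def class2_optimum_closed_form(v, L, alpha):
    """Interior optimum for class II from the first-order condition
    -alpha * ln(v) * v**(alpha*z + 1) * L = 1, clipped to 0 when no positive
    solution exists (the low- and high-vulnerability corner cases)."""
    z = (math.log(-1.0 / (alpha * L * math.log(v))) / math.log(v) - 1.0) / alpha
    return max(z, 0.0)


def fraction_of_expected_loss(v, L, s):
    """Optimal spend as a share of the expected loss v*L.
    Gordon & Loeb show this share never exceeds 1/e (about 37%)."""
    return optimal_investment(v, L, s) / (v * L)


if __name__ == "__main__":
    L = 1_000_000.0      # constructed: $1M loss if the threat is realized
    alpha = 1e-5         # constructed: productivity of each security dollar
    for v in (0.01, 0.5, 0.99):
        z2 = optimal_investment(v, L, class2(alpha))
        z1 = optimal_investment(v, L, class1(alpha, 1.0))
        print(f"v={v:.2f}  class II z*={z2:>10,.0f} ({z2 / (v * L):.1%} of vL)"
              f"   class I z*={z1:>10,.0f} ({z1 / (v * L):.1%} of vL)")
```

With these constructed parameters the class II function gives no investment at v = 0.01 and at v = 0.99 but about $179k (36% of the $500k expected loss) at v = 0.5, which is the low/high-vulnerability corner result and the midrange 37% figure from the slide. The class I function, by contrast, still invests at v = 0.99, which is what the last bullet means by different breach functions yielding different optimal investments.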