Computer Security – Survey and Optimal Investment

(1)

1

Computer Security –

Survey and Optimal Investment

(2)

2

Outline

• Computer Crime and Security Survey

– Respondents – Key findings

• How much should be spent to improve

computer security?

(3)

3

Security Survey

₁

• Respondents

– CSI/FBI 2005

– 700 computer security practitioners in US

corporations, government agencies, financial institutions, medical institutions and

(4)

4

(5)

5

(6)

6

(7)

7

(8)

8

(9)

9

(10)

10

(11)

11

Security Survey

₉

(12)

12

(13)

13

(14)

14

(15)

15

(16)

16

(17)

17

(18)

18

How much should be spent?

₁

• The Model (Gordon & Loeb 2002)

– Invest $z to reduce L Information System Loss Threats Vulnerability: v Attacks L Breach function: s(z), s(0)=v

(19)

19

How much should be spent?

₂

• The Model

Firewall IPTable

Threat

v : probability a threat is realized

EBIS(z) = [v – s(z,v)] * L z : dollar invested in security

v * L, loss due to realized threat

(20)

20

How much should be spent?

₃

(21)

21

How much should be spent?

₄

• For low or high vulnerability systems, no optimal investment

• For midrange vulnerability, about 37% of expected loss

• Different breach function may have different optimal investment