How Much Should You Invest In Software Security?
Kelce S. Wilson, PhD, MBA, JD
Technical Director, Standards and Licensing
Research In Motion
May 24, 2011
Introduction
Introduction
• New economic theory for optimizing budgets
  • Efficient use of resources
  • Manage risks intelligently
You can fall asleep now, because BUDGETING = BORING!
• New theory can justify spending nothing, nada, $0
  • But only when it makes sense and is truly defensible
WAIT! What was that? How can I get away without having to spend a single penny on hacking prevention? Maybe it’s time to wake up and find out.
Introduction
• PVT tool sets an anti-hacking budget for you
  • Uses values assigned to options available in the market
• No more:
  • Just using leftover scraps, after meeting other reqs
  • Using arbitrary gut-feelings that can change daily
  • Throwing darts at numbers on the wall
• Analyze multiple funding factors
  • Changes in attack and defense effectiveness
  • Over-funding (unlikely) vs Under-funding (probably you)
Introduction
• Extends to larger “insurance” budgeting question:
  Given that you have a resource valued at $X, how much should you spend ($Y) to reduce risk, by an amount Z%, to the loss of that resource’s value?
• Examples:
  • Purchasing insurance for a car that might be stolen
  • Warranty valuation for potentially expensive repairs
  • Patent budgeting for inventions that might be copied
    • Earlier publication of the underlying concept in a legal, patent-related journal: les Nouvelles, March 2010
  • Protection budgeting for computing resources that might be hacked
    • Hey! This is you!
Generating a Protection Valuation Tool (PVT)
PVT Introduction
• Protection Valuation Tool (PVT)
  • Graphic-based tool
  • Look for intersection of lines
  • Similar to Supply & Demand graph
• 2 independent curves
  • Value curve
  • Effectiveness curve
• Generate each one independently, without any regard to the other curve
• Budgets are defined by intersections
  • That is, IF an intersection point even exists at all
[Figure: PVT graph. Top axis: Risk Reduction Target, %. Bottom axis: Actual Risk Reduction, %. Vertical axes: Protection Cost, $ and Protection Value, $. Legend: Effectiveness, High Value, Moderate Value, Low Value, Nat’l Security.]
PVT vs Supply/Demand Graph
[Figure: PVT graph (axes: Risk Reduction Target, %; Actual Risk Reduction, %; Protection Cost, $; Protection Value, $; legend: Effectiveness, High Value, Moderate Value, Low Value, Nat’l Security) shown alongside a supply and demand graph.]
Source: http://randomactsofeconomics.blogspot.com/2008/08/supply-and-demand-basics.html
PVT vs Supply/Demand Graph
Curves
• Supply and Demand Graph: Supply has a positive slope, and is monotonically non-decreasing. Demand has a negative slope, and is monotonically non-increasing.
• Protection Valuation Tool (“PVT”): Value has a positive slope, and is monotonically non-decreasing. Effectiveness has a positive slope, and is monotonically non-decreasing.
Intersection Points
• Supply and Demand Graph: One point is certain to exist. Only one point exists in a typical market.
• Protection Valuation Tool (“PVT”): One trivial point will exist at zero. No non-zero points are certain to exist. Multiple non-zero points may exist.
Primary Use
• Supply and Demand Graph: To explain a market price. The intersection point is the market price.
• Protection Valuation Tool (“PVT”): To set an optimum budget. Each non-zero intersection point is a local optimum budgeting point.
Secondary Uses
• Supply and Demand Graph: To predict price dependence on variations in supply and demand.
• Protection Valuation Tool (“PVT”):
  1. To identify the impact of funding variations on risk reduction.
  2. To identify adjustments for changes in protection cost and effectiveness.
  3. To explain a sensible lack of funding.
PVT Introduction
• Underlying Theory:
  • If an intersection point between a first set of 2 curves can be used to explain a price, then perhaps an intersection point between a second set of 2 curves can be used to set a price
  • But only if the curves in each set are similarly related
• Leverage Supply & Demand graph theory, but adapt it
  • Use “what it is” theory to define a “what it should be” tool
• Challenge:
  • No clear equivalents for Supply and Demand curves
PVT Process
4 Steps:
1. Construct at least one Value Curve
2. Construct at least one Effectiveness Curve
3. Overlay the Curves
4. Use the PVT for multiple tasks:
  • Set a protection budget
  • Analyze a possible “no market” condition
  • Analyze over-funding scenarios
  • Analyze under-funding scenarios
  • Predict impacts of changing protection effectiveness
  • Predict impacts of changing attack technology
Constructing a Value Curve
• A Value Curve traces the set of points representing the actual value achieved by reducing the risk of loss by various target percentages.
• The value assigned to a reduction target is not the cost that the owner expects to pay to achieve that target, but instead what the owner would be willing to pay.
• This amount is the owner’s perceived value, based on expected increases in profits, damage avoidance and other benefits.
[Figure: Value Curves labelled High Value, Moderate Value and Low Value. Horizontal axis: Risk Reduction Target, %. Vertical axis: Protection Value, $. Arrows labelled Value Increase and Value Decrease.]
Comments on the Value Curve
• Starts at $0 for 0% risk reduction. There is no value, if there is no benefit for effort expended.
• Limited maximum value for the theoretical, but impossible, case of 100% risk reduction
• Likely tapers off to nearly flat, as risk reduction approaches 100%
• Monotonically non-decreasing, although it may not be monotonically increasing
• Higher value and greater criticality raise the protection value for a given risk reduction target
Constructing an Effectiveness Curve
• An Effectiveness Curve traces actual costs that are necessary to obtain threat reductions at various levels
• Must be at the same scope as a corresponding Value Curve
• Risk reduction for an Effectiveness Curve is the actual risk reduction, whereas for a Value Curve, the risk reduction is a target amount
• Actual risk reduction values can be determined empirically, using historical data for similar activities
  • Example: Red Team results
[Figure: Effectiveness Curves ranging from Ineffective to Highly Effective. Horizontal axis: Actual Risk Reduction, %. Vertical axis: Protection Cost, $. Arrows labelled Attack Methods Improve and Protection Methods Improve.]
Constructing an Effectiveness Curve
Create this one first:
[Figure: two panels of curves ranging from Ineffective to Highly Effective. One panel has Actual Risk Reduction, % on the vertical axis and Protection Cost, $ on the horizontal axis; the other has Protection Cost, $ on the vertical axis and Actual Risk Reduction, % on the horizontal axis, with arrows labelled Attack Methods Improve and Protection Methods Improve.]
Then rotate it
Comments on Effectiveness Curve
• Starts at $0 for 0% reduction. There is no benefit, if there is no effort expended.
• Never reaches 100% risk reduction
• Cost rapidly escalates as reduction approaches 100%
• Monotonically non-decreasing, although it may not be monotonically increasing
• Changes in technology affect shape and maximum cost endpoint
  • Attack Improvements
  • Defensive Improvements
Overlaying the Curves
• 2 different curves, 2 sets of axes
  • Parallel axes have same units, but different meanings
• At intersection points:
  • Cost = Value
  • Target = Actual
• Intersection points define a unique relationship between a Value Curve and an Effectiveness Curve:
  • What the owner wanted is available at only those intersection points
  • Just operate at an amount for which you get what you really wanted
[Figure: overlaid Value and Effectiveness curves. Top axis: Risk Reduction Target, %. Bottom axis: Actual Risk Reduction, %. Vertical axes: Protection Cost, $ and Protection Value, $. Annotations: Optimum Budget Operating Points (Cost = Value, Target = Actual); Region of Triviality.]
Watch out for Region of Triviality
• Several intersection points near the ($0, 0%) point are likely to exist
• Ignore all intersection points below some threshold of significance
• Probably best to use highest intersection point at a meaningful level of protection effectiveness
[Figure: overlaid curves. Top axis: Risk Reduction Target, %. Bottom axis: Actual Risk Reduction, %. Vertical axes: Protection Cost, $ and Protection Value, $. Annotations: Optimum Budget Operating Points (Cost = Value, Target = Actual); Region of Triviality.]
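An added example, not part of the original slides: one way to carry out the overlay step of the PVT process, finding every Cost = Value intersection of a sampled Value Curve and Effectiveness Curve and discarding those in the Region of Triviality. The piecewise-linear representation, the function names, the 25% significance threshold and every dollar figure are assumptions constructed for illustration.

```python
# Added example. Every number below is constructed for illustration.
# Curves are piecewise-linear lists of (risk_reduction_pct, dollars), sorted by pct.

def interp(curve, x):
    """Dollar amount on a curve at x percent risk reduction."""
    for (x0, y0), (x1, y1) in zip(curve, curve[1:]):
        if x0 <= x <= x1:
            return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
    raise ValueError("x is outside the sampled range of the curve")

def intersections(value_curve, cost_curve):
    """Points where Cost = Value and Target = Actual, in ascending pct order."""
    hi = min(value_curve[-1][0], cost_curve[-1][0])  # cost curve stops short of 100%
    xs = sorted({x for x, _ in value_curve + cost_curve if x <= hi})
    gap = lambda x: interp(value_curve, x) - interp(cost_curve, x)
    points = []
    for a, b in zip(xs, xs[1:]):
        da, db = gap(a), gap(b)
        if da == 0:                      # curves touch exactly at a sample point
            points.append((a, interp(cost_curve, a)))
        elif da * db < 0:                # sign change: solve the linear segment
            x = a + (b - a) * da / (da - db)
            points.append((x, interp(cost_curve, x)))
    if gap(xs[-1]) == 0:                 # curves touch at the last common sample
        points.append((xs[-1], interp(cost_curve, xs[-1])))
    return points

def recommend_budget(value_curve, cost_curve, min_reduction_pct):
    """Highest intersection outside the Region of Triviality, or None if there is none."""
    usable = [p for p in intersections(value_curve, cost_curve)
              if p[0] >= min_reduction_pct]
    return usable[-1] if usable else None

# Constructed curves: what the owner would pay, and two protection options.
VALUE = [(0, 0), (2, 500), (5, 5000), (25, 40000), (50, 70000),
         (75, 90000), (100, 100000)]
EFFECTIVE = [(0, 0), (2, 1500), (5, 3000), (25, 10000), (50, 30000),
             (75, 60000), (95, 188000)]
INEFFECTIVE = [(0, 0), (25, 60000), (50, 150000), (75, 400000), (95, 2000000)]

if __name__ == "__main__":
    print(intersections(VALUE, EFFECTIVE))           # trivial, near-trivial, optimum
    print(recommend_budget(VALUE, EFFECTIVE, 25))    # operating point to fund
    print(recommend_budget(VALUE, INEFFECTIVE, 25))  # only the trivial point exists
```

With the ineffective option the only intersection is the trivial one at ($0, 0%), which is the case where the tool supports spending nothing.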
Using a PVT