Risk Models and Controlled Mitigation of IT Security R. Ann Miura-Ko Stanford University February...
-
Upload
sonya-cruse -
Category
Documents
-
view
216 -
download
2
Transcript of Risk Models and Controlled Mitigation of IT Security R. Ann Miura-Ko Stanford University February...
Risk Models and Controlled Mitigation of IT Security
R. Ann Miura-Ko
Stanford UniversityFebruary 27, 2009
MaliciousAttackers
Denial of Service
Denial of Service
Viruses and Worms
Viruses and Worms
Data sniffing / spoofing
Data sniffing / spoofing
Unauthorized Access
Unauthorized Access
Malware / Trojans
Malware / Trojans
Port scanningPort scanning
Defenders
Attackers and DefendersPolicies
Firewalls
Intrusion Detection
Anti-Virus Software
Authentication / Authorization
Encryption
Backup / Redundancy
Thesis Overview• Mathematical modeling of IT Risk encompasses a large and
relatively uncharted territory
• Modeled selected anchor points within the space focused on different levels of decision making:
Inter-Organization and Industry level Investments
Enterprise level resource allocation
Physical layer control
How do organizations invest their limited resources given
the relationships they have with one another?
Given an IT budget, how should a manager spend those
resources over time?
How do you design the physical infrastructure to meet reliability
and security requirements?
Motivating Example: Web Authentication•Same / similar
username and password for multiple sites
•Security not equally important to all sites
Shared risk for all
Literature Background
• Interdependent Security▫ IT Security Leads to Externalities: Camp
(2004)
▫Tipping Point for Investments: Kunreuther and Heal (2003)
▫Free Riding: Varian (2004)
•Network Game Theory▫Network Games: Galeotti et al. (2006)
▫Linear Influence Network Games: Balleste and Calvo-Armengol (2007)
Model Fundamentals
•Companies make investments in security
•Companies have complex interdependencies▫Complementarities and competition▫Leads to positive and negative interactions
Who invests and how much? Can we improve this equilibrium?
What does the model say about policy?
Network Model• Network = Directed Graph
▫ Nodes = Decision making agents
▫ Links = influence / interaction▫ Weights = degree of influence
-.1
-.1 -.1
-.1
-.1
-.1 -.1
-.1
-.1
-.1
.2
.2
.2
.2
.2
.1
.1
.1
.1
.1
-.1
-.1 -.1
-.1
-.1
-.1 -.1
-.1
-.1
-.1
.1 .2
.2 .1
.1 .2
.2 .1
.2
.1
Incentive Model•Each agent, i, selects
investment, xi
•Security of i determined by total effective investment:
•Benefit received by agent i:
•Cost of investment:•Net benefit:
How will agents react?• Single stage game of complete information• All agents maximize their utility function:
• bi is where the marginal cost = marginal benefit for agent i
Vi
xi
slope = ci
bi
• If neighbor’s contribution > bi, xi=0
• If neighbor’s contribution < bi, xi = difference
What is an equilibrium?
•Nash Equilibrium▫Stable point (vector of investments) at
which no agent has incentive to change their current strategy
▫This happens when:
▫Leverage Linear Complementarity literature
Existence and Uniqueness •Proposition 1: If W is strictly diagonally
dominant, , then there exists a unique Nash Equilibrium for the proposed game
•Proof: Follows from standard LCP results which states that any P matrix (one with positive principal minors) will have a unique solution to the optimization problem. We simply show that a W matrix is a P matrix.
Convergence• Proposition 2: If W is strictly diagonally
dominant, , then asynchronous best response dynamics converges to the unique Nash Equilibrium from any starting point x(0)>0. The best response dynamics are described by:
• Proof: Follows from standard LCP results which provides a synchronous algorithm. Using the Asynchronous Convergence Theorem (Bertsekas), we can establish that the ABRD also converges
Contribution of player i if all players are isolated
Contribution of player i in networked environment
Investment made by i with no neighbors
Impact of neighbors’ investments
Free Riding•One measure of contribution relative to what
they need, free riding index:
•Another measure of relative contribution allows for network effects to be taken into account, fair share index:
Web Authentication Example•Utility function:
-.1
-.1 -.1
-.1
-.1
-.1 -.1
-.1
-.1
-.1
.1 .2
.2 .1
.1 .2
.2 .1
.2
.1
-.1
-.1 -.1
-.1
-.1
-.1 -.1
-.1
-.1
-.1
.2
.2
.2
.2
.2
.1
.1
.1
.1
.1
Improving the Equilibrium
•Theorem 1: Suppose xi > 0 and xj> 0 for some i≠j. Then, there exists continuous trajectories, W(t) = (wkl(t)) and x∗(t) = (xk(t)) with t∈ [0, T ] such that: 1. x∗(0) = x∗ , W(0) = W 2. x∗(t) is the (unique) equilibrium under W(t) ∀
t 3. xi(t) and xj(t) are strictly decreasing in t
4. xk(t) is constant for all k∉{i, j} and all t
5. W(t) is component-wise differentiable and increasing in t (weakly, in magnitude)
Improving the Equilibrium
•Proof sketch of Theorem 1:▫Observe: if the effective
investments over the purple links are not changed, the investments in Group B will not change
5
6
3
2
4
1
Group A
Group B
▫Pick 2 nodes: i,j
▫For k∉{i.j}
Improvements to Equilibrium
•A linear increase in the strength of the links results in a nonlinear decrease in investments between nodes 1 and 2
Qualitative Implications
•For web authentication:▫Should high risk organizations subsidize the
IT budgets of low risk organizations (e.g. Citibank works with non-profits to aid their authentication efforts)?
▫Should government label websites by risk factor so users know which sites they can safely group together with a single password?