CSE 127: Lecture 1

The topics covered in this lecture are risk management, expectation values, risk mitigation strategies. under construction

Risk Management

In computer security we often do not (or cannot) minimize the security risks. Instead, we try to manage it.

To see what this means, let us look at a strawman example. Al Qaeda's 9/11 terrorist acts are horrible and we wish to prevent anything similar from ocurring in the future. One strategy for doing so might be to eliminate air travel altogether: permanently close all the (non-military) airports, declare all airlines out-of-business, etc. The cost of doing so to the country is, of course, unacceptable.

The high level goal of all security measures is to reduce risk to a manageable level, or to mitigate risk. In order to figure out what is managable, we have to have an estimate of the cost of having a security vulnerability, which involves identifying the assets to be protected and their values as well as the likelihood that a security vulnerability will lead to their compromise.

Some of the probability estimates can be obtained from statistics gathered by law enforcement or organizations like CERT, but it is wise to be wary: it is likely to suffer from under-reporting from organizations like banks, where negative publicity can damage the business -- in the case of banks, causing fearful depositors to move their business elsewhere.

Expectation Values

The notion of expectation values come from probability. Suppose you have some random event, say in a game of chance, where some value is associated with each possible outcome. For example, suppose we played a gambling game with payoffs given by this table:

Payoff for a hypothetical single die dice game
Number of spots Value
1 $1
2 -$2
3 $3
4 -$4
5 $5
6 -$6

i.e., if the die came up 3, you win $3, but if it came up 6, you lose $6.

The general formula for computing the sum is

sumx in Events Pr(x) * Value(x)
If the die is fair, you would expect to lose money in the long run if you played many games. The expectation value is essentially the average rate at which you'd win. In this case, you "win":
sumx in Events Pr(x) * Value(x) = sumx in Events (1/6) * Value(x)
= 1/6 * sumx in Events Value(x)
= 1/6 * ($1 + -$2 + $3 + -$4 + $5 + -$6)
= 1/6 * (-$3)
= -$0.50
i.e., you'd lose, on average, 50 cents per game.

Risk Mitigation

Knowing how much you are going to lose as an expectation value gives you guidance as to how you should protect your assets. Clearly, if you were paid $1.00 to play the dice game, you'd probably go ahead. Or, if you were forced to make a choice between paying $0.25 to avoid playing the game or to play it, you'd probably rather lose the $0.25 than lose the expected $0.50. In this latter case, your strategy is to choose the outcome that costs least -- and an expected loss of $0.50 is worse than a definite loss of $0.25. (Unless you derive entertainment from the game / taking risks, which is a completely different topic.)

Having a handle on the expected (annual) loss allows us to determine how best to protect our assets. If a company is expected to lose $50,000 in information assets, time and effort to rebuild affected systems, etc, due to computer viruses, and the company can license some anti-virus software that is expected to be 50% effective for $10,000 per year, then it would be worth it: at 50% effectiveness the loss reduction should be approximately $25,000 per year, and that will pay for the $10,000 licensing cost.

Alternatively, the company can transfer the risk. One way to do this is to buy insurance. This is what we do whey be buy automobile insurance, whether it is collision-only or comprehensive. We trade off an estimated huge loss for a definite much smaller loss (the insurance premium payment is not probabilistic in nature!), and this ``peace of mind'' enables us to weather catastrophes that could otherwise bankrupt us by sharing the risk with all the other insurers. Note, of course, that the insurance companies make money: so the annual expected loss is going to be less than the cost of the premium. This simply means that money is not the best measure of cost -- the ``value'' of money is a complex function, and in economics people speak of the ``utility'' of money as the abstract value quantity being optimized.

As a side note, the utility of money is often used to explain why people are generally risk adverse. Many people would pay $1 for a lottery ticket with very low odds of winning, say 10-7 of winning $1,000,000. The expected winnings is $0.10, so the net value of the game is -$0.90. However, those same people would not be willing to take a $1 in exchange for the same odds of having to pay out $1,000,000, even though the definite gain of $1 with the expected loss of $0.10 means they come out ahead, on average.

Coming back to computer security, having a good understanding of the value of the assets and the ``risk exposure'' that you have is very important. Obviously there are many oversimplifications involved, since we are dealing with inexact information and lots of estimates are involved and so the numbers are going to be inexact.

[ search CSE | CSE | bsy's home page | links | webster | MRQE | google | yahoo | citeseer | pgp certserver | openpgp certserver ]
picture of bsy

bsy+cse127.w03@cs.ucsd.edu, last updated Thu Jan 9 16:12:11 PST 2003. Copyright 2003 Bennet Yee.
email bsy.

Don't make me hand over my privacy keys!