To see what this means, let us look at a strawman example. Al Qaeda's 9/11 terrorist acts are horrible and we wish to prevent anything similar from ocurring in the future. One strategy for doing so might be to eliminate air travel altogether: permanently close all the (non-military) airports, declare all airlines out-of-business, etc. The cost of doing so to the country is, of course, unacceptable.
The high level goal of all security measures is to reduce risk to a manageable level, or to mitigate risk. In order to figure out what is managable, we have to have an estimate of the cost of having a security vulnerability, which involves identifying the assets to be protected and their values as well as the likelihood that a security vulnerability will lead to their compromise.
Some of the probability estimates can be obtained from statistics gathered by law enforcement or organizations like CERT, but it is wise to be wary: it is likely to suffer from under-reporting from organizations like banks, where negative publicity can damage the business -- in the case of banks, causing fearful depositors to move their business elsewhere.
Number of spots | Value |
---|---|
1 | $1 |
2 | -$2 |
3 | $3 |
4 | -$4 |
5 | $5 |
6 | -$6 |
i.e., if the die came up 3, you win $3, but if it came up 6, you lose $6.
The general formula for computing the sum is
sumx in Events Pr(x) * Value(x) | = sumx in Events (1/6) * Value(x) | |
= 1/6 * sumx in Events Value(x) | ||
= 1/6 * ($1 + -$2 + $3 + -$4 + $5 + -$6) | ||
= 1/6 * (-$3) | ||
= -$0.50 |
Having a handle on the expected (annual) loss allows us to determine how best to protect our assets. If a company is expected to lose $50,000 in information assets, time and effort to rebuild affected systems, etc, due to computer viruses, and the company can license some anti-virus software that is expected to be 50% effective for $10,000 per year, then it would be worth it: at 50% effectiveness the loss reduction should be approximately $25,000 per year, and that will pay for the $10,000 licensing cost.
Alternatively, the company can transfer the risk. One way to do this is to buy insurance. This is what we do whey be buy automobile insurance, whether it is collision-only or comprehensive. We trade off an estimated huge loss for a definite much smaller loss (the insurance premium payment is not probabilistic in nature!), and this ``peace of mind'' enables us to weather catastrophes that could otherwise bankrupt us by sharing the risk with all the other insurers. Note, of course, that the insurance companies make money: so the annual expected loss is going to be less than the cost of the premium. This simply means that money is not the best measure of cost -- the ``value'' of money is a complex function, and in economics people speak of the ``utility'' of money as the abstract value quantity being optimized.
As a side note, the utility of money is often used to explain why people are generally risk adverse. Many people would pay $1 for a lottery ticket with very low odds of winning, say 10-7 of winning $1,000,000. The expected winnings is $0.10, so the net value of the game is -$0.90. However, those same people would not be willing to take a $1 in exchange for the same odds of having to pay out $1,000,000, even though the definite gain of $1 with the expected loss of $0.10 means they come out ahead, on average.
Coming back to computer security, having a good understanding of the value of the assets and the ``risk exposure'' that you have is very important. Obviously there are many oversimplifications involved, since we are dealing with inexact information and lots of estimates are involved and so the numbers are going to be inexact.
bsy+cse127.w03@cs.ucsd.edu, last updated
email bsy.