Learning from Early Attempts to Measure Information Security Performance

The rapid evolution of threat ecosystems and the shifting focus of adversarial actions complicate efforts to assure security of an organization's computer networks. Efforts to build a rigorous science of security, one consisting of sound and reproducible empirical evaluations, start with measures of these threats, their impacts, and the factors that influence both attackers and victims. In this study, we present a careful examination of the issue of account compromise at two large academic institutions. In particular, we evaluate different hypotheses that capture common perceptions about factors influencing victims (e.g., demographics, location, behavior) and about the effectiveness of mitigation efforts (e.g., policy, education). While we present specific and sometimes surprising results of this analysis at our institutions, our goal is to highlight the need for similar in-depth studies elsewhere.
