Correlated Failures, Diversification, and Information Security Risk Management

The increasing dependence on information networks for business operations has focused managerial attention on managing the risks posed by failure of these networks. In this paper, we develop models to assess the risk that attacks exploiting software vulnerabilities pose to the availability of an information network. Software vulnerabilities arise from the software installed on the nodes of the network. When the same software stack is installed on multiple nodes, the software vulnerabilities are shared among them. These shared vulnerabilities can result in correlated failure of multiple nodes, which leads to longer repair times and greater loss of availability for the network as a whole. Considering positive network effects (e.g., compatibility) alone, without taking the risk of correlated failure and the resulting downtime into account, would lead to overinvestment in homogeneous software deployment. Exploiting characteristics unique to information networks, we present a queuing model that allows us to quantify the downtime loss faced by a firm as a function of (1) investment in security technologies to avert attacks, (2) software diversification to limit the risk of correlated failure under attack, and (3) investment in IT resources to repair failures due to attacks. The novelty of this method is that we endogenize the failure distribution and the node correlation distribution, and show how the diversification strategy and other security measures and investments affect these two distributions, which in turn determine the security loss faced by the firm. We analyze and discuss the effectiveness of a diversification strategy under different operating conditions and in the presence of changing vulnerabilities. We also take into account the benefits and costs of a diversification strategy. Our analysis provides conditions under which a diversification strategy is advantageous.
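The mechanism the abstract describes (shared vulnerabilities turn one attack into a batch of simultaneous node failures that then compete for the same repair capacity) can be made concrete with a small queuing model. The code below is an added illustration and is not the paper's model: it assumes N identical nodes split evenly across m software stacks, Poisson attacks of rate alpha per stack that take down every node on the attacked stack at once, and a single FIFO repair team with exponential repair times of mean 1/mu (an M^X/M/1 queue with deterministic batch size N/m). The three levers in the abstract map onto its parameters: security investment lowers alpha, diversification raises m, repair investment raises mu. The cost comparison in `diversification_pays` and all numeric parameters are constructed for the example.

```python
"""Toy model of correlated node failures feeding a single repair queue.

Added illustration, not the paper's model (see lead-in for assumptions).
"""
import random


def batch_size(n_nodes: int, m_stacks: int) -> int:
    """Nodes sharing one stack = size of one correlated failure (N/m)."""
    if n_nodes % m_stacks:
        raise ValueError("m_stacks must divide n_nodes in this toy model")
    return n_nodes // m_stacks


def utilisation(n_nodes: int, alpha: float, mu: float) -> float:
    """Repair-server load: node-failure rate alpha*N over repair rate mu.
    It does not depend on m: diversification changes how failures arrive
    (in batches of N/m), not how many nodes fail per hour on average."""
    return alpha * n_nodes / mu


def mean_node_downtime(n_nodes, m_stacks, alpha, mu):
    """Expected downtime of one failed node (hours) in the M^X/M/1 queue
    with deterministic batch size k = N/m:
        W_q = (rho + (k-1)/2) / (mu * (1 - rho)),   W = W_q + 1/mu.
    The (k-1)/2 term is the wait behind nodes that failed in the same
    attack: this is the correlated-failure penalty."""
    rho = utilisation(n_nodes, alpha, mu)
    if rho >= 1:
        raise ValueError("repair capacity is insufficient; queue is unstable")
    k = batch_size(n_nodes, m_stacks)
    w_q = (rho + (k - 1) / 2) / (mu * (1 - rho))
    return w_q + 1 / mu


def downtime_loss_rate(n_nodes, m_stacks, alpha, mu):
    """Expected node-hours of downtime per hour (Little's law: lambda * W)."""
    return alpha * n_nodes * mean_node_downtime(n_nodes, m_stacks, alpha, mu)


def simulate_mean_downtime(n_nodes, m_stacks, alpha, mu,
                           n_attacks=50_000, seed=1):
    """Discrete-event check of the closed form with constructed random
    attacks: FIFO single-server repair, returns sample mean node downtime."""
    rng = random.Random(seed)
    k = batch_size(n_nodes, m_stacks)
    t = 0.0
    server_free_at = 0.0
    total_down = 0.0
    for _ in range(n_attacks):
        t += rng.expovariate(m_stacks * alpha)   # next attack on any stack
        for _ in range(k):                       # every node on that stack fails
            start = max(t, server_free_at)
            server_free_at = start + rng.expovariate(mu)
            total_down += server_free_at - t
    return total_down / (n_attacks * k)


def diversification_pays(n_nodes, m_stacks, alpha, mu,
                         value_per_node_hour, cost_per_extra_stack):
    """Hypothetical cost test (assumed linear diversification cost):
    moving from one stack to m stacks is worthwhile when the hourly
    downtime saving exceeds the hourly cost of the m-1 extra stacks."""
    saved = (downtime_loss_rate(n_nodes, 1, alpha, mu)
             - downtime_loss_rate(n_nodes, m_stacks, alpha, mu))
    return saved * value_per_node_hour > cost_per_extra_stack * (m_stacks - 1)


if __name__ == "__main__":
    # Constructed parameters: 12 nodes, one attack per 100 h per stack,
    # 2 h mean repair.  Load is 0.24 for every m; downtime is not.
    N, ALPHA, MU = 12, 0.01, 0.5
    for m in (1, 2, 3, 4, 6, 12):
        print(f"m={m:2d} batch={batch_size(N, m):2d} "
              f"W={mean_node_downtime(N, m, ALPHA, MU):6.2f} h "
              f"loss={downtime_loss_rate(N, m, ALPHA, MU):5.2f} node-h/h "
              f"sim={simulate_mean_downtime(N, m, ALPHA, MU, 20_000):6.2f} h")
```

With the constructed parameters the homogeneous deployment (m=1) loses about 2.05 node-hours per hour against 0.32 for full diversification (m=12), even though both see exactly 0.12 node failures per hour; the whole difference comes from the batch term. Whether the saving is worth the compatibility cost of extra stacks depends on the cost parameters, which is the trade-off the abstract refers to.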
