Contagion in cyber security attacks

Systems security is essential for the efficient operation of all organizations. Indeed, most large firms employ a designated ‘Chief Information Security Officer’ to coordinate the operational aspects of the organization’s information security. Part of this role is planning investment responses to information security threats against the firm’s corporate network infrastructure. To this end, we develop and estimate a vector equation system of threats to 10 important IP services, using industry-standard SANS data on threats to various components of a firm’s information system over the period January 2003 – February 2011. Our results reveal strong evidence of contagion between such attacks, with attacks on ssh and Secure Web Server indicating increased attack activity on other ports. Security managers who ignore such contagious inter-relationships may underestimate the underlying risk to their systems’ defence of security attributes, such as sensitivity and criticality, and thus delay appropriate information security investments.
