An Empirical Analysis of Cyber Security Incidents at a Large Organization

Every day, security engineers cope with a flow of cyber security incidents. While most incidents trigger routine reactions, others require orders of magnitude more effort to investigate and resolve. How security operation teams in organizations should tune their response to tame extreme events remains unclear. Analyzing the statistical properties of sixty thousand security events collected over six years at a large organization, we find that the distribution of costs induced by security incidents is in general highly skewed, following a power law tail distribution. However, this distribution of incident severity becomes less skewed over time, suggesting that the organization under scrutiny has managed to reduce the impact of large events. We illustrate this result with a case study focused on the empirical effects of full disk encryption on the severity of incidents involving lost or stolen devices.
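The abstract's central statistical claim, as an added example that is not from the paper: a maximum-likelihood (Hill) estimate of the power-law tail index of incident costs above a threshold, applied to two constructed samples standing in for an earlier and a later period. The cost figures, the threshold `x_min`, and the function names are assumptions made here, not values from the paper's dataset.

```python
"""Estimating the power-law tail index of incident costs (added example).

Constructed data only: the two samples below are drawn from Pareto tails
with known exponents so that the estimator can be checked against them.
They are not the paper's sixty thousand events.
"""
import math
import random
from typing import Dict, List, Sequence


def estimate_tail_index(costs: Sequence[float], x_min: float) -> float:
    """Maximum-likelihood (Hill) estimate of the tail index alpha.

    Assumes the survival function above x_min behaves like
    P(X > x) ~ (x / x_min) ** (-alpha); the density exponent is alpha + 1.
    Only observations at or above x_min enter the fit.
    """
    tail = [c for c in costs if c >= x_min]
    if len(tail) < 2:
        raise ValueError("need at least two observations at or above x_min")
    log_ratio_sum = sum(math.log(c / x_min) for c in tail)
    if log_ratio_sum == 0.0:
        raise ValueError("all tail observations equal x_min; alpha is undefined")
    return len(tail) / log_ratio_sum


def tail_index_stderr(alpha: float, n_tail: int) -> float:
    """Asymptotic standard error of the estimate: alpha / sqrt(n_tail)."""
    return alpha / math.sqrt(n_tail)


def skew_indicators(costs: Sequence[float], x_min: float) -> Dict[str, float]:
    """Summarise how heavy the tail is, in terms a risk owner can act on.

    alpha <= 1: the mean cost diverges (no meaningful "average incident").
    alpha <= 2: the variance diverges (a single event can dominate a year).
    """
    tail = [c for c in costs if c >= x_min]
    alpha = estimate_tail_index(costs, x_min)
    return {
        "n_tail": len(tail),
        "alpha": alpha,
        "stderr": tail_index_stderr(alpha, len(tail)),
        "finite_mean": alpha > 1.0,
        "finite_variance": alpha > 2.0,
    }


def constructed_costs(alpha: float, n: int, x_min: float, seed: int) -> List[float]:
    """Constructed sample of incident costs with a Pareto(alpha) tail.

    random.paretovariate(alpha) draws X >= 1 with P(X > x) = x ** (-alpha);
    scaling by x_min moves the tail's lower bound to x_min (e.g. a cost floor).
    """
    rng = random.Random(seed)
    return [x_min * rng.paretovariate(alpha) for _ in range(n)]


def compare_periods(early: Sequence[float], late: Sequence[float],
                    x_min: float) -> Dict[str, object]:
    """Fit both periods with the same threshold and report whether the tail
    got lighter (a larger alpha means a less skewed severity distribution)."""
    a_early = estimate_tail_index(early, x_min)
    a_late = estimate_tail_index(late, x_min)
    return {"early": a_early, "late": a_late, "less_skewed_later": a_late > a_early}


if __name__ == "__main__":
    X_MIN = 1000.0  # assumed cost floor for the tail fit, in arbitrary units
    early = constructed_costs(alpha=1.5, n=2000, x_min=X_MIN, seed=1)
    late = constructed_costs(alpha=2.5, n=2000, x_min=X_MIN, seed=2)
    for name, sample in (("early", early), ("late", late)):
        print(name, skew_indicators(sample, X_MIN))
    print(compare_periods(early, late, X_MIN))
```

The delicate step in practice is choosing `x_min`: the fit is only valid where the power law actually holds, and the usual approach (Clauset, Shalizi and Newman) picks the threshold that minimises the distance between the fitted and empirical tail. Here it is fixed for clarity. A rising `alpha` between periods is what "less skewed over time" looks like in this framework, and whether `alpha` sits above 1 or above 2 tells a security operations team whether average-cost budgeting is even meaningful.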
