Negligence and sanctions in information security investments in a cloud environment

The Learned Hand rule, which compares the cost of security investments against the expected loss from data breaches, can be used as a simple tool to determine whether the company holding the data has been negligent. On the other hand, companies may have several incentives to distribute their data over a cloud. In order to analyze the conflict between the sanctioning behavior and the search for economic profit, we employ the well-known Gordon-Loeb models, as well as the more recent Huang-Behara models, for the relationship between security investments and the probability of monetary loss due to malicious attacks. In this paper we determine the optimal amount of investment when data are distributed over a cloud and Hand's rule is applied. We find that the net benefit of investing in security shrinks as the number of repositories making up the cloud grows, until investing becomes unprofitable. An implication of our study is that, unless the cloud provider can guarantee a higher security investment productivity, the cloud solution provides a lower net benefit than the centralized one. By applying Hand's rule, we show that the company is held negligent for not investing only when it uses a centralized storage infrastructure or a cloud made of a limited number of repositories: Hand's rule sanctions the lack of security investments by cloud providers with a limited number of repositories.
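The following worked example is added here and is not code from the paper; it illustrates the reasoning in the abstract with the standard Gordon-Loeb class-I breach probability function S(z, v) = v / (αz + 1)^β and its expected net benefit ENBIS(z) = (v − S(z, v))·L − z. How the paper models a cloud of n repositories is not stated in the abstract, so the example assumes that data, the potential loss L and the investment z are split evenly over n independently attacked repositories, and it reads Hand's rule as "not investing is negligent when the optimal investment costs less than the expected loss it averts". All parameter values are constructed; the parameters alpha and beta are the Gordon-Loeb productivity constants.

```python
"""Added example (not from the paper): Gordon-Loeb class-I model with Hand's rule,
comparing a centralised store against a cloud of n repositories."""


def breach_probability(z, v, alpha=1.0, beta=1.0):
    """Gordon-Loeb class-I security breach probability function S(z, v).

    z: money invested in security, v: vulnerability (breach probability with no
    investment, 0 <= v <= 1). With z = 0 the function returns v itself.
    """
    return v / (alpha * z + 1.0) ** beta


def net_benefit(z, v, L, n=1, alpha=1.0, beta=1.0):
    """Expected net benefit of investing z when the data sit in n repositories.

    Assumption (not the paper's model): each repository holds a share L/n of the
    potential loss, receives a share z/n of the investment and is attacked
    independently, so the expected loss is n * S(z/n, v) * L/n = S(z/n, v) * L.
    With n = 1 this is exactly the Gordon-Loeb ENBIS(z) = (v - S(z, v)) * L - z.
    """
    per_repo_investment = z / n
    averted_loss = (v - breach_probability(per_repo_investment, v, alpha, beta)) * L
    return averted_loss - z


def optimal_investment(v, L, n=1, alpha=1.0, beta=1.0):
    """Closed-form maximiser z* of net_benefit (derivative of ENBIS set to zero).

    Per repository, (alpha*y + 1)^(beta+1) = v*beta*alpha*L/n, so the optimal
    total investment is n*y. When v*beta*alpha*L/n <= 1 the first unit invested
    already costs more than it averts, and z* is clipped to 0 (do not invest).
    """
    k = v * beta * alpha * L / n
    y = (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(0.0, n * y)


def negligent_if_not_investing(v, L, n=1, alpha=1.0, beta=1.0):
    """Hand's rule as read here (assumption, a simplified version of the test):
    the data holder is negligent for not investing when the optimal investment
    z* is positive and costs less than the expected loss it averts, i.e. when
    ENBIS(z*) > 0."""
    z = optimal_investment(v, L, n, alpha, beta)
    return z > 0.0 and net_benefit(z, v, L, n, alpha, beta) > 0.0


def benefit_by_repositories(v, L, sizes, alpha=1.0, beta=1.0):
    """Return {n: (z*, ENBIS(z*), negligent?)} for each cloud size n in sizes."""
    table = {}
    for n in sizes:
        z = optimal_investment(v, L, n, alpha, beta)
        table[n] = (z, net_benefit(z, v, L, n, alpha, beta),
                    negligent_if_not_investing(v, L, n, alpha, beta))
    return table


if __name__ == "__main__":
    # Constructed parameters: 50% breach probability without investment,
    # potential loss of 1000 money units, unit productivity constants.
    V, LOSS = 0.5, 1000.0
    for n, (z, enbis, negligent) in benefit_by_repositories(V, LOSS, [1, 2, 10, 100, 500, 1000]).items():
        print(f"n={n:5d}  z*={z:8.2f}  ENBIS(z*)={enbis:8.2f}  negligent if not investing: {negligent}")
```

Running the script shows the net benefit of the optimal investment falling as n grows and reaching zero once n ≥ vβαL (500 repositories with these parameters), at which point the rule no longer sanctions a provider that does not invest.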
