DOI: 10.1007/978-3-031-43033-6_23
Article

Determining an Economic Value of High Assurance for Commodity Software Security

Published: 21 October 2023

Abstract

Security measures that attempt to prevent breaches of commodity software have not used high assurance methods and tools. Instead, rational defenders have risked incurring losses caused by breaches because the cost of recovery from a breach multiplied by the probability of that breach was lower than the cost of prevention by high assurance, e.g., by formal methods. This practice may change soon since breach-recovery costs have increased substantially while formal methods costs have decreased dramatically over the past decade.
We introduce the notion of selective high assurance and show that it is economically justified, as producers can easily recoup its cost even in very small commodity markets, and necessary for rational defenders to decrease their breach recovery costs below a chosen limit. However, these decreases depend on defenders’ risk aversion, which is difficult to assess since risk preferences cannot be anticipated. A challenge is to determine a lower bound on the economic value of selective high assurance independent of the defenders’ risk preferences; i.e., a value that depends only on the commodity software itself and the attacks it withstands. We propose an approach to determine such a value and illustrate it for SCION, a networking software system with provable security properties.



Published In

Security Protocols XXVIII: 28th International Workshop, Cambridge, UK, March 27–28, 2023, Revised Selected Papers
Mar 2023
278 pages
ISBN: 978-3-031-43032-9
DOI: 10.1007/978-3-031-43033-6
Editors: Frank Stajano, Vashek Matyáš, Bruce Christianson, Jonathan Anderson

Publisher

Springer-Verlag

Berlin, Heidelberg
