Linking the Economics of Cyber Security and Corporate Reputation - PowerPoint PPT Presentation

Provided by: dimacsR (29 slides)
1
Linking the Economics of Cyber Security and
Corporate Reputation
Reverse Engineering of Rationale for Decisions
  • Barry Horowitz
  • University of Virginia
  • January 19th, 2007

2
Outline
  • Reverse Engineering Concept
  • Breach Disclosure Laws
  • Impetus for Research
  • Methodology
  • Results
  • Conclusions

3
Reverse Engineering
Actual Decisions → Implied Values of the Decision Makers → Multi-Objective Analytical Model for Decision Support
Uses of Reverse Engineering Results:
  • Provide decision-makers an opportunity to reconsider
  • Evaluate the values of others (competitors, adversaries, constituents)
4
Economics of Cyber Security
  • New Technologies → New Risks
  • Evolution of various cyber attacks
  • Short-term Disruptions
    • Denial of Service Attacks
    • Viruses
    • Worms
  • Long-term Disruptions
    • Loss of Reputation
    • Loss of Intellectual Property
    • Legal Liability
    • Substantial Internet Infrastructure Outages

5
Breach Disclosure Laws
  • Growth of the e-commerce sector and companies'
    growing dependence on the internet and digitized
    data have drawn attention to cyber security
  • A newspaper article publicizing a cyber security
    breach can:
    • Damage reputation
    • Damage consumer confidence
    • Damage supply chain relations
    • Lower revenues
  • Companies invest to minimize the probability of
    being highlighted in a news article by:
    • Increasing cyber investment
    • Keeping cyber breaches and their corresponding
      impacts secret
  • Prior to 2003 - no laws enacted requiring
    security breach reporting

6
Breach Disclosure Laws
  • Recent events have led to a movement at the state
    and national level towards mandating that companies
    report cyber breaches
  • California Security Breach Notification Law
    (July, 2003): first state to enact legislation
    that requires any company operating within the
    state to report any compromise of private
    information to the affected parties
  • ChoicePoint Security Breach (February, 2005): the
    company announced that it had unwittingly sold
    the personal information of at least 145,000
    Americans to identity thieves in 2004

7
Federal Legislation
  • No direct mention of breach notification
    requirements, but gives authority to create them
  • Gramm-Leach-Bliley Act
    • Requires financial institutions to protect the
      security and confidentiality of their customers'
      nonpublic personal information
  • Health Insurance Portability and Accountability
    Act (HIPAA)
    • Requires health plans and health care providers to
      take appropriate safeguards to ensure the
      integrity and confidentiality of health
      information
  • Sarbanes-Oxley Act (SOX)
    • Authorizes the SEC to prescribe regulations
      requiring companies to report on the assessment
      of the security of information technology

8
State Legislation
  • 34 states currently have legislation enacted
  • California enacted legislation in 2003; other
    states followed starting in 2005
    • 2003: 1
    • 2004: 0
    • 2005: 11
    • 2006: 17
    • 2007: 5 (as of 1/07)
  • Laws require responsible parties to report the
    breach to the affected party and, in some cases, to
    • identify the likelihood of harm
    • offer assistance in limiting potential harm
  • Out of the 34 states that have enacted
    legislation:
    • 27 state laws apply to businesses within the
      state
    • 14 state laws apply to state agencies
    • 1 state law applies to insurers

10
By-Products of Legislation
  • A by-product of the change in breach reporting is
    visibility to the press
  • Given that the press has an interest in reporting
    cyber breaches, this gives visibility to the
    public
  • Thus, a company's reputation now can be impacted
    in a manner that it hasn't been in the past

11
Research Questions
  • Question raised: How will companies invest in
    cyber security given its impact on their
    reputation and the corresponding impacts on their
    revenues and profits?
  • We would like to understand:
    • How reporting laws could affect companies'
      actions with regard to cyber security investments
    • The differences between various industries
      regarding how they relate cyber security
      investments and protecting their reputation
  • Example: A bank would be more concerned with
    protecting its reputation and bolstering customer
    confidence through heightened cyber security than
    a manufacturing company.

13
Methodology - Model
14
Methodology - Assumptions
  • β: current observed annual probability of a
    security breach being publicized, with no
    differentiation among companies in the same
    sector
  • The added cyber security investment is made in
    the hope that the probability of a publicized
    cyber attack will be reduced to zero (a = 0)
  • The value of K2 is the same from one company to
    another
  • Treat this in a manner similar to insurance:
    • Rates are risk-based
    • Rates are the same from buyer to buyer when the
      risks are the same
  • Investment decisions are made on expected value
    analyses that compare costs with the potential
    consequences of successful attacks

15
Methodology - Variables
  • β = (Companies (>5000 employees) with a publicized
    cyber breach) / (Companies (>5000 employees) in the
    industry)
    • Companies with a publicized cyber breach
      determined from online databases of published
      newspaper articles
    • Companies in the industry determined from Census
      Bureau data
  • C = (% Revenue spent on IT) × (% IT spent on cyber
    security)
    • Percentages determined from Forrester Group
      reports
  • PM
    • Financial data taken from Yahoo Finance and
      Morningstar.com

16
Methodology - Variables
  • K1
    • Representation of how concerned a company is
      about its reputation with respect to its cyber
      security spending
    • The K1 ratio quantitatively shows how much one
      industry believes cyber security has an impact on
      its reputation compared to another
  • K2
    • Assumed equal from company to company: K2 ratio
      = 1
  • V
    • Likely correlated with the K1 ratio
    • If companies have different revenues at risk and
      one has a sense of it, it can be plugged into the
      equation

17
Methodology
  • Three industries compared:
    • Finance
      • Bank, Insurance, and Credit Sectors
    • Retail
    • Manufacturing
  • Three sets of results:
    • Reputation-based financial loss due to a news
      article, independent of the details of the breach
    • When the breach impacts customers for the company's
      products
    • When the breach impacts company employees and supply
      chain partners
  • βs calculated for the period between October 1, 2005
    and September 30, 2006
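The reverse-engineering step behind the assumptions and variables above can be made concrete with a small script. This is an added example written for this page, not the deck's model: the slide-13 model is a figure that did not survive the transcript, so the decision rule used here (invest C when C ≤ β·L, which makes the implied loss per publicized breach L = C/β) is an assumption built from the stated slide-14 assumptions (expected-value decisions, spending aimed at driving the publicized-breach probability to a = 0, equal K2). The cross-sector ratio it produces has the same shape as the deck's K1 comparison but is not the deck's K1 formula. The company counts and IT/security percentages are constructed; the counts are chosen only so that the rounded βs match the slide-22 values.

```python
"""Reverse engineering implied reputation losses from observed cyber spending.

Added example for this page, not the deck's own model: the slide-13 model is a
figure that did not survive the transcript. The decision rule below is an
assumption built from the slide-14 assumptions (expected-value decisions,
spending meant to drive the publicized-breach probability to a = 0, equal K2).
Every count and percentage is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Sector:
    name: str
    companies: int               # companies (>5000 employees) in the sector
    publicized_breaches: int     # of those, companies with a publicized breach in the window
    it_share_of_revenue: float   # "% revenue spent on IT", as a fraction
    security_share_of_it: float  # "% IT spent on cyber security", as a fraction


def beta(sector: Sector) -> float:
    """Slide-15 definition: companies with a publicized breach / companies in the sector."""
    if sector.companies <= 0:
        raise ValueError(f"{sector.name}: sector has no companies")
    return sector.publicized_breaches / sector.companies


def cyber_spend(sector: Sector) -> float:
    """Slide-15 C: (% revenue on IT) x (% IT on cyber security), as a fraction of revenue."""
    return sector.it_share_of_revenue * sector.security_share_of_it


def should_invest(sector: Sector, loss_per_breach: float) -> bool:
    """Forward direction (assumed rule, insurance-style): pay C if it is no more than
    the expected reputation loss it removes, beta * loss_per_breach, where
    loss_per_breach is the loss from one publicized breach as a fraction of revenue."""
    return cyber_spend(sector) <= beta(sector) * loss_per_breach


def implied_loss(sector: Sector) -> float:
    """Reverse direction: the smallest loss_per_breach at which the observed
    spending satisfies should_invest, i.e. C / beta."""
    b = beta(sector)
    if b == 0:
        raise ValueError(f"{sector.name}: no publicized breaches, implied loss is unbounded")
    return cyber_spend(sector) / b


def implied_loss_ratio(a: Sector, b: Sector) -> float:
    """How many times larger a loss per breach sector a's spending implies than sector b's.
    Same shape as the deck's cross-sector K1 comparison, but not its K1 formula."""
    return implied_loss(a) / implied_loss(b)


# Constructed sample. Counts are chosen so the rounded betas equal the
# "unbiased reader" betas on slide 22 (.0648, .0111, .0110); the IT and
# security percentages are invented and are not the Forrester figures.
SECTORS = {
    "finance": Sector("finance", companies=108, publicized_breaches=7,
                      it_share_of_revenue=0.10, security_share_of_it=0.21),
    "retail": Sector("retail", companies=900, publicized_breaches=10,
                     it_share_of_revenue=0.03, security_share_of_it=0.05),
    "manufacturing": Sector("manufacturing", companies=1000, publicized_breaches=11,
                            it_share_of_revenue=0.035, security_share_of_it=0.06),
}


def summary() -> dict[str, dict[str, float]]:
    """beta, C and implied loss per breach (all as fractions) for each sector."""
    return {
        name: {"beta": beta(s), "C": cyber_spend(s), "implied_loss": implied_loss(s)}
        for name, s in SECTORS.items()
    }


if __name__ == "__main__":
    for name, row in summary().items():
        print(f"{name:14s} beta={row['beta']:.4f}  C={row['C']:.4f}  "
              f"implied loss per breach={row['implied_loss']:.3f} of annual revenue")
    fin, ret = SECTORS["finance"], SECTORS["retail"]
    print(f"finance/retail implied-loss ratio: {implied_loss_ratio(fin, ret):.2f}")
```

The point of the script is the direction of inference: the forward rule says what a firm should spend given a loss estimate, and the reverse step treats the observed spend as revealed preference and solves for the loss estimate that would justify it. A sector with no publicized breaches in the window has β = 0, so its spending constrains nothing, which is why the script refuses to report an implied loss for it rather than returning a division by zero.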

19
Results: βs
20
Results: K1 Ratios

21
Results: V Ratio (Ind Var)
22
Results - Interpretations
  • Unbiased Reader
  • β
    • Finance: .0648
    • Retail: .0111
    • Manufacturing: .0110
  • K1 ratios
    • Finance allocates 6.72 and 3.37 times more than
      retail and manufacturing, respectively
    • Manufacturing allocates twice as much as retail

23
Results - Interpretations
  • Customers
  • No data for manufacturing: combined
    manufacturing and retail for analysis
  • β
    • Finance: .0605
    • Retail: .0093
    • Retail + Manufacturing: .0043
  • K1 ratios
    • Finance allocates 7.52 times more than retail
    • Finance allocates 11.01 times more than retail
      and manufacturing combined
  • Financial institutions are most concerned with
    their reputation with customers
  • Retailers are more concerned with customer reputation
    than manufacturers
    • Retailers work more directly with customers and
      depend more on customer trust

24
Results - Interpretations
  • Supply Chain
  • β
    • Finance: .0086
    • Retail: .0019
    • Manufacturing: .0110
  • K1 ratios
    • Manufacturing allocates 11.95 and 2 times more
      than retail and finance, respectively
    • Finance allocates 5.37 times more than retail
  • Manufacturers are willing to invest more to
    protect their reputation with partner companies
    and employees
    • They depend greatly on supply chain partners
    • Customers of manufacturers are often other
      companies

26
Conclusion - Results
  • This is one analysis, but others could be
    conducted
    • Example: different results are likely from an
      analysis of the reputation effects of policies
      concerning intellectual property protection
  • Results support the claims that:
    • A financial institution has greater concern about
      protecting against reputation-based financial
      loss due to publicized security breaches than a
      retailer or manufacturer
    • Companies closer to end customers care more about
      negative publicity than suppliers to those
      companies
  • Policy makers should take into account the
    likelihood that different sectors will have
    different responses to certain policies

27
Future Work: Bringing in Time as a Variable
  • Reputation-based financial effects seen as a
    function of time:
    • the actual attacks
    • the reporting of those attacks by law
    • the reporting of those attacks by the media
  • Policy makers must be wary of companies covering
    up security breaches: evaluating the alternatives
    of avoiding reporting and adding security
    • Assume companies cannot control the media
    • They can only reduce effects by:
      • Decreasing the probability of an attack
      • Decreasing the probability of an attack becoming
        visible to the public
    • Reducing visibility < reducing the probability of
      an attack?
  • Evaluating the behavior of the press as reported
    cases increase over time

28
Addressing Lack of Data
  • We try to understand decision-making even though
    we lack fundamental data on:
    • Specific cyber security investments
    • Cyber attacks
    • Cyber attack financial effects
  • Using reverse engineering, we make inferences
    from the limited available financial data, news
    articles, and prior research and data collection
    efforts
  • We hope our study encourages future research
    efforts related to reverse engineering of
    decisions, and that more innovative ideas emerge
    that can work around data limitations