Your SlideShare is downloading. ×
Invited%20 talk%201 matsuura_wisa2011_0821
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Invited%20 talk%201 matsuura_wisa2011_0821


Published on



Published in: Automotive, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. My publication (2006-2011) Invited talk at WISA2011 (August 22, 2011)Management Crypto Network Passive a d Active Measurements o ass e and ct e easu e e ts of Cybersecurity Risk Parameters Kanta MATSUURA (IIS, The University of Tokyo)
  • 2. Agnda Security management Traditional heuristics Recent trend of cybersecurity science Empirical study Quality of empirical data Passive measurements and finding proxies Example Theoretical study Active measurements: Design of observable stochastic processes associated with cybersecurity risks2
  • 3. Security Management3
  • 4. Traditional heuristics Security management is quality management of security properties such as CIA (confidentiality, integrity, and availability). Heuristics of a PDCA cycle. Plan Do Check Act evolution4
  • 5. We need revolution, rather thanevolution.evolutionHuman and social problems: Lack of science to explain mechanisms behind the problems.Problems of heuristic evaluation: Lack of reproducibility and impact. How general claims one can make?Recent trend: Promotion of cybersecurity science The US Cybesecurity Act of 2009. Research communities started well before (e.g. the First Workshop on the Economics of Information Security (WEIS) was in 2002). R. Anderson and T. Moore: The Economics of Information Security. Science (314) pp.610-613, 2006. 20065
  • 6. Lessons from the economics of information securitySome problems happen due to economically-sound behaviors.(Example) Users get more benefits if a larger number of other users use the same software. This enhances an earlier release (of an immature version). Afterwards, version) Afterwards software vendors release security patches one after another. z*Others happen due to behaviors which arenot economically sound. 0 1 v(Example) Different features of investment vulnerability curves: investment-vulnerability imply over/under-investment. z* K. K Matsuura: Productivity Space of Information Security in an Extension of the Gordon-Loebs Investment Model, WEIS2008. 0 1 v Prediction is difficult 6
  • 7. We really need measurements measurements. Plan Do Check Act Cybersecurity S i C b i Science Measurements of cybersecurity risk parameters7
  • 8. Passive measurements Empirical Study8
  • 9. Quality of empirical data Questionnaire exclusively for your research (Pros) You can ask what you want to ask. (Cons) The resultant data quality is questionable. They do not always answer with their best efforts. Response rate could be low. Existing ffi i l/ E i i official/general statistics ( l i i (passive measurements i from the viewpoint of your side) (Cons) You (C ) Y can not always fi d survey items you want to place. t l find it tt l You should find good proxies. (Pros) Some statistics are very reliable reliable. Some surveys are well established (e.g. the statistics law helps in Japan), and some companies even have a section established to answer to the surveys.9
  • 10. Topics of empirical studies: An example Interdependency of information security Security incidents and efforts of a party can influence other parties. If this happens without accompanied economic transactions, the externality can cause many problems (e.g. free-riding). t lit bl ( f idi ) Important factor of many theoretical models in security economics. Interdependency between different regions/sectors may imply I t d d b t diff t i / t i l risks in the real economy.B. Jenjarrussakul, H. Tanaka, K.B Jenjarrussakul H Tanaka K Matsuura: Empirical Study on Interdependency ofInformation Security between Industrial Sectors and Regions. Seventh AnnualForum on Financial Information Systems and Cybersecurity: A Public PolicyPerspective, 2011.Perspective 2011H. Tanaka: Quantitative Analysis of Information Security Interdependency betweenIndustrial Sectors. Proc. 3rd International Symposium on Empirical SoftwareEngineering and Measurement pp 574-583 2009 Measurement, pp.574 583, 2009. 10
  • 11. DatasetsMETI: Ministry of economy, RIETI: Research Institute of Trade, and Industry Economy, Trade, and Industry• Inter-regional Input-Output table for 2005 • Japan Industrial Productivity • Economic transaction Database 2008 value • Information-technology• 2006 Survey of Information (IT) dependency Technology (about 3000 samples) • Information-security (IS) multiplier11
  • 12. Inter-regional Input-Output Inter regional Input Output TableEconomic Transaction Final Demand ImportPurchase value byy Value which is used Value of Companies of sector j in region r to determine input import in sector j (column index) and output of the in region q.from sector Companies of sector i in region q p g (row index) Export Value of Purchase … Region r … Import Export (Neg) (All export in Final r=q regions sector j Production … … Sector j … … i=j by row) Demand in region q. … … … … Region q Sector i zq,i,r,j fq,i,r -mq,i eq,i … … … … Value dd d V l added … … Matrix size (9*12)2 (Tax) … Value added cr,j (9 regions and 12 i d t i i J i d industries in Japan) ) 12
  • 13. Backward dependency (BD) Based on E. Dietzenbacher and Jan A. van der Linder: Sectoral and Spatial Linkages in the EC Production Structure. Journal of Regional Science (37 2) pp.235-257, 1997, S i (37:2) 235 257 1997 BD is computed as Pur- chase … Region r … Import Export a normalized value of (Neg) r=q (All regions Produc- Final an output reduction … … Sector j … … i=j by row) tion Demand supposing a particular … … 0 … 0 column is a zero vector. … 0 Region q Sector i zq,i,r,j 0 fq,i,r -mq,i eq,i … 0(From an engineering point … 0 … of view, this is a kind of … 0 … 0 sensitivity analysis.) y y ) … … 0 Value added cr,j 0 13
  • 14. Output reduction (a sketch) Suppose we can define an activity level (output) of this economy both from the supply side and from the demand side. This provides an accounting equation where all the coefficients can be obtained from the input-output table. By solving the accounting equation, we can see the activity level of this economy and its building blocks. Output reduction in the context of backward dependency is a normalized reduction of this level when a particular sector in a particular region does no longer work as a demand-side group.14
  • 15. Information security backwarddependency (ISBD) Computed by supposing a particular column (r, j) is not 0 but (1-sisj)zq,i,r,j (i=1, 2, . . . , 12; q=1, 2, . . . , 9) where the reduction is based on security risk levels:(1) Level of IT dependency (of sector i) ITi / (ITi + nITi) where ITi = IT capital stock of sector i nITi = non-IT capital stock of sector i(2) IS Multiplier Average number of deployed IS countermeasures in all sectors Average number of deployed IS countermeasures in sector i (25 countermeasures i th survey) t in the )(3) Security risk level (a proxy) si = (1) x (2) 15
  • 16. Production value (region) Region g Region g Output p name ID (billion US$) Hokkaido AKanto C 7,745.90Kinki E 2,882.30 2 882 30 TohokuChubu D 2,218.20 ChubuKyushu H 1,494.00 BChugoku F 1,114.70 Kinki KantoTohoku B 1,076.70 C Chugoku DHokkaido A 648.90 Okinawa F EShikoku G 482.00Okinawa I 110.70 110 70 H GSource: Inter-Regional Input-Output table for 2005 Shikoku I1 US(¥$) = 81.59 JYP(¥Yen)Red = High p g production value = Large economic scale g KyushuGreen = Low production value = Small economic scale16
  • 17. Production value (sector) Sector Sector Output name ID (billion US$) Services 12 2,929.40 Commerce and Logistic 09 1,816.30 Machinery 05 1,607.60 Financial, Insurance, 10 1,331.40 and Real Estate Other M Oth Manufacturing f t i 06 1,165.50 1 165 50 Construction 07 781.10 ICT 11 567.40 Metal 04 562.80 Food and Beverage 03 443.80 Utilities 08 330.90 Argriculture 01 162.50 Mining Mi i 02 12.50 12 017
  • 18. Level of IT dependency18
  • 19. Level of IS and risk19
  • 20. Results (regional perspective) Influenced (demand-side) regions Most : Shikoku, Okinawa A large number of supply-side region-sectors have ISBD larger than a threshold (0 01%) thresh ld (0.01%). Small economic scale regions Least : Kanto, Tohoku The largest economic scale region and Tohoku. Influential (supply-side) regions (supply side) Most : Kanto, Kinki Large economic scale regions g g Least : Okinawa, Shikoku, Hokkaido Small economic scale regions.20
  • 21. Tohoku as a supply side region supply-side• Firstly, it should be noted that Tohoku plays an importantrole i many supply chains as noticed b i d t i l people l in l h i ti d by industrial lafter the quake on March 11, 2011. (In that sense, largelyinfluential on demand side when we consider normaleconomic dependency.)• Tohoku is in a group of the moderate influential region g g(i.e. depended by a medium number of demand-sidegroups).•HHowever, 69% of th d f the dependent supply-side sectors i d t l id t inTohoku mainly influence demand-side sectors which arelocated in Tohoku itself itself.• This means the influence is likely to be limited in itsown region. 21
  • 22. In empirical studies, derivingimplications is important important.• Wh When we rebuild T h k we can pay attention t b ild Tohoku, tt ti toIS interdependency issues inside the region, ratherthan interdependency among diffth i t d d different regions. t i • As a demand side region Tohoku is in one of the least demand-side region, influenced regions (i.e. depends on a small number of supply-side groups compared to other regions). pp y g p p g ) •Similar to Kanto region which includes Tokyo. • As a supply-side region, Tohoku is not so influential. • Different from Kanto (the most influential region). 22
  • 23. Active measurements Theoretical Study K. K Matsuura: A Derivative of Digital Objects and Estimation of Default Risks in Electronic Commerce. LNCS 2229, Springer, pp.90-94, 2001. K. Matsuura: Digital Security Tokens and Their Derivatives. Netnomics (5:2) pp.161 179, 2003 pp 161-179 2003.23
  • 24. Credit risks in cyberspace Protocols require frequent q q Why? y verifications. Feasible but Digital certificates. could be heavy. Avoid copyright violation. py g Need freshness. Verify, verify, Compatibility. p y verify, ... if Policy agreement. ・ ・ ・ Real-time, distributed & trusted , directories are too difficult.Probably OK . . . Verification results can change.g 24
  • 25. Example The verification may output NG. It may output OK. Who knows in advance?? Suppose a digital ticket signed by an issuer. When I purchased it, it I verified th signature and th result was OK H ifi d the i t d the lt OK. However, when I attempt to use it at a service provider, the verification by the provider may output NG Or I may even face a NG. congestion that keeps me from connection with the provider, or TTP needed for verification may be too busy (e.g. some implementations of ID-based crypto).25
  • 26. More credit risks in cyberspace With the help of cryptographic technologies which establish a secure channel, a lot of virtual currencies (in a broader sense) are already available (e.g. reward points, FFP mileage, and di i l cash). il d digital h) Their values can change, at least in the context of their exchange rates. P l h Policy changes regarding expiration, h d redemption, and so on, can happen as well. From the viewpoint of consumers, they cause credit risks F h f h d k in cyberspace.26
  • 27. Abstraction based on stochastic processes (observable but unpredictable) Y and H can be observed by everyone whereas V is not necessarily observable b everyone; if th i b bl by the issuer can observe V th t’ enough. b V, that’s h Information related to availability and QoS is an example of V. Price process: Y(t) Implicit value process: V(t) Monetary value in a Value process: H(t) = h(t, V(t)) transaction where h is a value value- Token depends on. . . interpretation function.Occurrences (= realized numerical (values) of Y and H are writtenwhen issued. 27
  • 28. Modeling the dynamics Compromise: Assumed to be a Poisson p p process with intensity λ. Revoked if compromised The value dynamics: dH = (1−λdt)(μHdt+σHdW)−Hλdt where μ and σ are deterministic constants and W is a Wiener process.Geometric Brownian motion unless compromised (μ: velocity; σ: volatility) 28
  • 29. Wiener process W(0) = 0, dt dW= 0. If r<s<t< then W( ) W(t) and W(s) W(r) are r<s<t<u, W(u)−W(t) W(s)−W(r) independent. For F s<t, the stochastic variable W(t)−W(s) h the h h bl W( ) W( ) has h Gaussian distribution N[0,(t−s)1/2]. W has continuous trajectories. Paying attention to (dt)2=0, we have y g ( ) dH = (μ−λ)Hdt + σHdW deterministic stochastic29
  • 30. Design a new stochastic process torealize an active measurement European call option Right to buy a share of the token with a strike value K at the time of a maturity Tm at a fixed price Y=1. Let C(t)=c(t, H(t)) be the price process where c(t 0)=0 C(t)=c(t c(t,0)=0. As a restriction, we do not allow anyone to divide a token into smaller pieces. Except this restriction, we p p p , place ideal market assumptions including the existence of a riskless asset whose interest rate is r. Financial derivatives (whose prices depend on risk parameters) Inverse estimation Risk parameters (λ and σ) ( ) Market b M k t observation ti30
  • 31. Stochastic calculus If the system is free from the risk of compromise (i.e. λ=o), we can derive a PDE (partial differential equation) which has a ( ff ) closed-form solutionc(t,h)=KN[d1(t h)]/h −r(T−t)N[d2(t h)] (t h) KN[d (t,h)]/h−e r(T t) (t,h)] (1)where N is the cumulative distribution function for the standard normal distribution andd1(t,h)={ln(K/h)+(r+σ2/2)(Tm−t)}/{σ(Tm−t)1/2}d2(t h)=d1(t h) (Tm−t)1/2. (t,h)=d (t,h)−σ(T t) If there is a risk of compromise, we can derive a PDE to be computationally solved with the help of the closed form closed-form solution (1) for the special case above.31
  • 32. Further maturity More uncertain Relax both chance and risk32 (Current occurrence of the value process H)
  • 33. Larger volatility More uncertain Relax both chance and risk33
  • 34. Higher strike value Better position34
  • 35. Some notes Even if the compromise is rare (and has never happened before), we can measure the market evaluation of the risk. Introducing derivatives can enhance information dissemination and collection. This is good, too. In cyberspace, simple derivatives are difficult to realize whereas complicated ones (e.g. mileage which needs co-pay when redeemed) are easy. Other applications of financial theories: Privacy metrics (e.g. different rates in on-line social lending). Real options to decide when and how we update a system.R. Boehme: Security Metrics and Security Investment Models. LNCS 6434,Springer, pp.10-24, 2010.Springer pp 10-24 2010 35
  • 36. Concluding Remarks and Some Notes36
  • 37. Emerging importance of cybersecurityscience Security management is quality management of security properties. Measurement of risk parameters may provide a basic bridge between theory and practice. Many research topics can be found if we consider trust and credit before/after conventional management. Possible impacts on network/system security. Practical information sharing (e.g. among ISP and security vendors) is one thing, common dataset for research is another. Mechanism design for research-promotion infrastructure. Recent actions by SIG-CSEC of IPSJ.37