A New Approach for Information Security Risk Assessment: Value at Risk

Yasin Ozcelik and Jackie Rees
{ozcelik, jrees} Purdue University, Krannert Graduate School of Management, West Lafayette, IN 47907
May 2005

Abstract
Most of the tools that are used for Information Security (ISEC) risk assessment are qualitative and are not grounded in theory. This paper presents and applies a well-known financial risk theory, Value at Risk (VaR), to the ISEC risk assessment. VaR in its most succinct form is defined as a figure that relates the amount of potential loss in a given portfolio to its probability, and describes the quantile of the projected distribution of losses over a given time period. From the ISEC perspective, VaR summarizes the worst loss due to a security breach over a target horizon, with a given level of confidence. Using this quantitative measure of risk, the best possible balance between risk and cost of providing security to mitigate the risk can be achieved.

I. Introduction
The proliferation of the Internet and the increased dependence of business on information systems have forced companies to take the necessary actions to secure their systems against possible attacks. Ignoring these attacks and the resulting security breaches may cause huge financial losses (Finne 1997; Bhimani 1996). Information systems have long been at risk from malicious actions, inadvertent user error, natural disasters and other unforeseen adverse events. In recent years, systems have become more susceptible to these threats due to the increasing interconnectivity of personal and corporate computers. The financial impacts of these threats are increasing at an alarming rate: in 1999, for example, it is estimated that $7.6 billion was lost in business productivity to Melissa, the Worm and other viruses (Briney 1999).
Previous approaches to IS security have generally concentrated on the technical aspects of security (Oppliger 1997, Bhimani 1996), security infrastructure models (Sherwood 2000), and corporate security policies (Finne 1998). There has been little research that seeks the optimal level of information security and corresponding level of investment. Traditional investment decisions are made using cost-benefit analysis. Applying cost-benefit analysis to choosing the optimal level of security may be tenuous because of the difficulty in quantifying the risk and the benefits associated with increased security. Therefore, a new methodology that overcomes these uncertainties and provides dependable results related to investment on IS security is needed. This research paper proposes a new quantitative approach for IS risk assessment, based on the Value at Risk (VaR) concept used in Finance for years. The paper is organized as follows: Section II highlights the significance of the problem. Section III introduces our proposed VaR framework for risk assessment, and Section IV presents the conclusions and limitations of this study, and directions for future research.

II. Significance of the Problem

The aim of Risk Management is to identify, measure, and control uncertain events in order to minimize loss and optimize the return on the money invested for security purposes (Caelli et al. 1989). There have been some studies (PFIRES 2000, GAO 1999) that attempt to provide a framework for Risk Management within an ISEC context. The GAO Report on ISEC Risk Assessment (1999) defines four stages of Risk Management: Risk Assessment, Implementing Policies, Promoting Awareness, and Monitoring and Evaluation. Although each element of the risk management cycle is important and they complement each other, the risk assessment stage generally provides the foundation for the other elements of the cycle. Risk assessment also provides decision makers with the information needed to understand the factors that can negatively influence operations and outcomes, and to make informed judgments concerning the extent of actions needed to reduce risk.

There are some challenges associated with assessing information security risk. First, data are limited on risk factors such as the likelihood of a sophisticated hacker attack and the costs of damage, loss, or disruption caused by events that exploit security weaknesses. Second, it is often not possible to quantify, or even precisely estimate, the indirect costs of a security breach, such as loss of productivity or loss of consumer confidence. Lastly, even if precise information is available, it would soon be out of date due to fast-paced changes in technology and factors such as improvements in the tools available to would-be intruders (GAO 1999).

Given these challenges, it is worth looking at the tools currently used for risk assessment by industry and examining whether they are actually grounded in theory. The GAO report (1999) presents an industry-level survey of the risk assessment tools used by companies known for their superior information security programs. The survey reveals that the tools used by these companies include tables, questionnaires, interviews, scenarios, risk assessment matrices, lists of known threats and controls, company policies, software applications, and expert systems. As this review of current practice shows, most of these tools, with the possible exception of expert systems and software applications, are relatively simple, qualitative in nature, subjective, and not grounded in theory. There is thus a need for a new quantitative methodology for ISEC risk assessment that uses concepts from the well-established Financial Risk Theory literature. One particular tool, Value at Risk (VaR), may prove to be a useful methodology to apply in the ISEC risk management cycle.

III. The VaR Framework

VaR gives a dollar estimate of the maximum potential loss of a portfolio to be expected over a given period and with a given probability. It has gained rapid acceptance as a valuable approach to risk management in the financial arena (Beder 1995). VaR has primarily been applied to market risk, though applications have recently been expanded to incorporate firm-level risk. VaR holds the promise of combining all quantifiable risks across the business lines of an institution, yielding one firm-wide measure of risk (Simons 1996). There are three approaches to calculating VaR in the Finance literature:

1. Analytic variance-covariance approach: In this approach, VaR is expressed as a multiple of the standard deviation of the portfolio's return. The methodology depends on the user estimating certain parameters, and the assumption is made that risk factors (market prices and rates) are log-normally distributed. The main advantage of this approach is its speed of calculation. However, any departure from a normal distribution poses a problem.

2. Historical simulation: The historical simulation approach derives the distribution of returns of the given portfolio from historical data on risk factors, from which VaR can be read off. Historical simulation makes no assumptions about the distribution and, as volatilities and correlations can be found from the historical data, there is no need to estimate them.

3. Monte Carlo analysis: The Monte Carlo approach entails simulating possible portfolio outcomes from random market moves whose parameters are taken from historical data. The distribution of these simulated portfolio returns reveals the VaR. Like the historical simulation approach, Monte Carlo analysis expresses the returns as a histogram. This approach can provide a much greater range of outcomes than historical simulation, and it is much more flexible than the other approaches: any distribution may be simulated, as long as the necessary parameters of the assumed distribution can be estimated.

Because IS security risk generally depends on a company's past security experience, and it is possible to obtain historical security data, the use of the Monte Carlo approach in our VaR framework seems appealing. We will adopt a VaR framework to measure security risk and find the maximum possible loss due to a security breach over a certain period of time with a given level of confidence. Once risk is quantified, choosing the optimal security portfolio is a standard cost-benefit analysis. Markowitz's well-known stock portfolio theory shows that by diversifying investments in stock portfolios, one can decrease the total risk of the portfolio. The interesting question is whether we can apply the same principle to a portfolio of security initiatives and decrease the total risk of that portfolio by diversification. However, given that Markowitz's portfolio theory requires the existence of an efficient market and the construction of a well-diversified market portfolio, we need a clear justification of whether Markowitz's theory and the VaR framework can really be applied to an ISEC Risk Assessment methodology. The strong form of the Efficient Market Hypothesis states that any information that might lead to stock returns above the market level has already been reflected in prices, and hence markets are totally unpredictable. This implies that using historical stock data to predict future stock returns offers no better odds than simply picking stocks at random. Nevertheless, it has been a tradition in the Finance literature to forecast future stock returns approximately by using historical data and assuming that one can create a well-diversified market portfolio that includes all possible investment instruments in the market, including all stocks, bonds, mutual funds, real estate, etc.

We can follow the same procedure and use historical security data to forecast future risk probability distributions, by assuming that one can create a well-diversified portfolio of all security measures for a company and that all future risk factors are totally unpredictable. The latter seems to be a legitimate assumption in the ISEC environment, given the highly random nature of information security risk factors and the fast-paced improvements in the tools available to possible intruders today (GAO 1999). The incorporation of the VaR framework into the Information Security Risk Assessment methodology appears below and is explained in detail in the following paragraphs:

Figure 1: VaR Framework for Information Security Risk Assessment (cycle: Identify Threats, Estimate Likelihood, Estimate VaR, Risk Mitigation)

1. Threat Identification: The first stage of risk assessment is to identify the threats or potential risks faced by a firm, such as malicious acts, denial of service, unauthorized access to private information, deletion or alteration of sensitive company information, viruses, worms, password cracking, hacking, fraud, natural disasters, sabotage, and user errors. Every organization may be at risk from some or all of these types of risk. Threat identification can be carried out by surveying information security managers within or outside the firm, or by employing consultants.

2. Likelihood Estimation of Threats: A number of surveys have reported the frequency of security breaches (Briney 1999, Ernst and Young 1999, Power 1999, Briney 2000). Briney (2000) finds that the percentages of respondents experiencing the major types of security breach are viruses (80%), employee abuse (58%), unauthorized access by outsiders (42%) and theft/destruction of data (24%). While such industry figures may be useful, the probabilities may differ for a particular firm, given that most security breaches go unreported, especially in particular industries. Estimates of the frequency of unauthorized external access to an organization's systems can be obtained from the access logs. Other estimates of the likelihood of threats can be obtained from historical security data. Information Security officers within a firm are ideal candidates to interview for dependable threat likelihood figures. As a result, based on industry surveys, log data, historical security data, and interviews with key security personnel, it is possible to estimate the probability distributions of the threats a company may face. Possible risk scenarios can then be developed from the probability distributions of the individual risks. Moreover, some of the possible risk scenarios can be eliminated with the help of good judgment.

3. Estimate VaR: Now that the different risks have been identified, their likelihood (the probability distribution of risks) estimated and possible risk scenarios developed, the next step is to calculate the Value at Risk of the firm. Suppose that we decide to estimate the VaR for a firm that has operated in the market for several years with $100 million worth of current assets and has always been subject to security breaches. Suppose also that we want to estimate the VaR for the firm over a period of one month at the 95th percentile confidence level. In other words, we want to find, with 95% confidence, the maximum amount in dollar terms that the firm may lose over one month as a result of a security breach. To do that, we first calculate the variability of the risk factors as estimated from the distribution of the different risk scenarios. We then find the worst-case loss in each risk scenario for the given time horizon. A probability distribution for the worst-case loss can be estimated from this. Distribution approximation techniques can be used, or assumptions can be made about the normality, symmetry, and skewness of the distribution. The last step involves using the estimated probability distribution for the worst-case loss and determining the VaR by identifying the portion of the loss distribution that corresponds to the 95% confidence level (see Figure 2 below).

Figure 2: An example of a VaR calculation for a firm

Suppose that the worst-case loss corresponding to the 95% confidence level is one percent of current assets. Then the VaR of the firm is found from:

VaR = $100 million × 0.01 = $1 million

That means that, over a period of one month, the worst loss the firm may realize due to a security breach would be less than $1 million 95% of the time.

4. Risk Mitigation: After the VaR has been estimated and the maximum loss due to a security breach calculated by the procedure specified above, the next step is to choose security measures for risk mitigation. A company with a smaller VaR would have to make a smaller investment in security measures than a company with a larger VaR. The process of calculating the VaR for the firm is then repeated assuming that the new security measures are in place. The threats the firm faces and their corresponding likelihoods are also going to change with the new security measures, and this affects the VaR calculations. After various iterations, the right tradeoff between an acceptable VaR and the cost of providing security can be achieved.
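The following added example (not from the paper) carries steps 2 to 4 through in code and also contrasts two of the three calculation approaches from the start of this section: historical simulation as the empirical quantile of observed monthly losses, and Monte Carlo as the same quantile over simulated months. The threat catalogue, the Poisson incident rates, the log-normal loss-per-incident parameters, the 24 observed monthly losses and the control factors are all constructed figures, not data from the paper or any survey.

```python
import math
import random
from dataclasses import dataclass

# Constructed threat catalogue (hypothetical figures): monthly_rate is the
# expected incidents per month (Poisson mean); median_loss and sigma give a
# log-normal loss per incident in dollars.
@dataclass(frozen=True)
class Threat:
    name: str
    monthly_rate: float
    median_loss: float
    sigma: float

THREATS = [
    Threat("virus/worm outbreak", 2.0, 20_000, 1.0),
    Threat("employee abuse", 0.5, 50_000, 1.2),
    Threat("unauthorized external access", 0.3, 150_000, 1.5),
    Threat("theft/destruction of data", 0.1, 500_000, 1.0),
]

# Constructed 24 months of observed total security losses (dollars).
OBSERVED_MONTHLY_LOSSES = [12e3, 0, 85e3, 30e3, 0, 410e3, 22e3, 5e3, 0, 140e3,
                           60e3, 9e3, 0, 275e3, 18e3, 3e3, 95e3, 0, 51e3, 7e3,
                           620e3, 0, 33e3, 16e3]

def empirical_var(losses, confidence=0.95):
    """VaR as the loss quantile of a sample of one-month losses. Applied to
    observed data this is historical simulation; to simulated data, Monte Carlo."""
    ordered = sorted(losses)
    return ordered[min(int(confidence * len(ordered)), len(ordered) - 1)]

def poisson(rng, lam):
    """Incident count for one month (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_monthly_loss(rng, threats):
    """One risk scenario: total loss over one month across all threats."""
    return sum(rng.lognormvariate(math.log(t.median_loss), t.sigma)
               for t in threats for _ in range(poisson(rng, t.monthly_rate)))

def monte_carlo_var(threats, confidence=0.95, trials=20_000, seed=1):
    """Step 3: simulate many months and read off the loss quantile."""
    rng = random.Random(seed)
    return empirical_var((simulate_monthly_loss(rng, threats)
                          for _ in range(trials)), confidence)

def apply_controls(threats, rate_factor, loss_factor):
    """Step 4: re-estimate likelihood and severity with new controls in place."""
    return [Threat(t.name, t.monthly_rate * rate_factor,
                   t.median_loss * loss_factor, t.sigma) for t in threats]

if __name__ == "__main__":
    base = monte_carlo_var(THREATS)
    mitigated = monte_carlo_var(apply_controls(THREATS, 0.5, 0.5))
    print(f"historical-simulation 1-month 95% VaR: ${empirical_var(OBSERVED_MONTHLY_LOSSES):,.0f}")
    print(f"Monte Carlo VaR, baseline:  ${base:,.0f} ({base / 100_000_000:.2%} of $100M assets)")
    print(f"Monte Carlo VaR, mitigated: ${mitigated:,.0f}")
```

Repeating the mitigated run with different control factors is the iteration the paper describes: the factors are adjusted until the VaR falls to the level the firm has decided is acceptable, and the cost of those controls is then weighed against the reduction.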

IV. Conclusions, Limitations and Future Research

Most of the tools that are used for ISEC risk assessment are qualitative in nature and are not grounded in theory. Value at Risk (VaR) is a well-established quantitative method for managing portfolio risk and is well grounded in theory from the Finance literature. It can be used effectively by ISEC experts, as it provides a quantitative and dependable measure of information security risk. Using our proposed framework, which incorporates the VaR measure into the Information Security Risk Assessment methodology, the optimal balance between risk and the cost of providing security to mitigate that risk can be achieved. Each firm will have a figure in mind for how much risk is acceptable. When the total VaR of a company exceeds this figure, the firm will know that it is time to invest in more security to bring the amount of risk back down to the acceptable level.

Although appealing, the VaR framework presented here has several disadvantages. First, applying Markowitz's portfolio theory to the ISEC environment requires that one can create a well-diversified portfolio of all the security measures a company may adopt, and that future security risk factors are totally unpredictable. This may reduce the dependability of the results our framework generates. Secondly, VaR calculations depend heavily on identifying threats and estimating their likelihood. Some degree of subjectivity is involved in these calculations when the estimates are based on the knowledge of individual security personnel rather than on security surveys and historical data. On the other hand, using industry-level security surveys may give undependable results for a specific firm, because such surveys can only estimate the likelihood of threats across an industry rather than for an individual firm. An organization's risk scenarios and variables may differ, or these variables may vary across industries. Lastly, VaR can only provide the worst-case loss due to a security breach rather than an average loss value, which is generally more desirable to ISEC managers.

There are several directions for future research in this area. We have presented the application of the VaR methodology to ISEC Risk Assessment very broadly; incorporating further statistical tools and estimation techniques can improve our framework. Extensive testing of the framework on real company data may prove its usefulness. Moreover, applying our procedure to several industries or representative firms may yield standard industry-wide or firm-level VaR figures that can be used as benchmarks by ISEC risk managers.

V. References
Beder, T.S. (1995) VAR: Seductive but Dangerous, Financial Analysts Journal, 51 (5), pp. 12-25.
Bhimani, A. (1996) Securing the Commercial Internet, Communications of the ACM, 39 (6), pp. 29-35.
Briney, A. (1999) Got Security? Information Security, available at
Briney, A. (2000) Security Focused, Information Security, available at
Caelli, W., Longley, D. and Shain, M. (1989) Information Security for Managers, Stockton Press.
Ernst and Young (1999) 6th Annual Information Security Survey, available at$file/FF0156.pdf
Finne, T. (1997) A Conceptual Framework for Information Security Management, Computers and Security, 16 (6), pp. 469-479.
Finne, T. (1998) Information Security Implemented in: the Theory on Stock Market Efficiency, Markowitz Portfolio Theory and Porter's Value Chain, Computers and Security, 17 (4), pp. 303-307.
GAO Report (1999) Information Security Risk Assessment: Practices of Leading Organizations, Report No. AIMD-99-139.
PFIRES (2000) Policy Framework for Interpreting Risk in eCommerce Security, Accenture and CERIAS, Purdue University.
Power, R. (1999) 1999 CSI/FBI Computer Crime and Security Survey, Computer Security Institute, 5 (1).
Oppliger, R. (1997) Internet Security: Firewalls and Beyond, Communications of the ACM, 40 (5), pp. 92-103.
Sherwood, J. (2000) Opening up the Enterprise, Computers and Security, 19 (8), pp. 710-719.
Simons, K. (1996) Value at Risk: New Approaches to Risk Management, New England Economic Review, Sept/Oct, pp. 3-14.