This article was downloaded by: [TOBB Ekonomi Ve Teknoloji] On: 20 December 2014, At: 19:02 Publisher: Routledge Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK Journal of Global Information Technology Management Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/ugit20 Who Can We Trust?: The Economic Impact of Insider Threats Jian Hua a & Sanjay Bapna b a University of the District of Columbia b Morgan State University Published online: 07 Jul 2014. To cite this article: Jian Hua & Sanjay Bapna (2013) Who Can We Trust?: The Economic Impact of Insider Threats, Journal of Global Information Technology Management, 16:4, 47-67, DOI: 10.1080/1097198X.2013.10845648 To link to this article: http://dx.doi.org/10.1080/1097198X.2013.10845648 PLEASE SCROLL DOWN FOR ARTICLE Taylor & Francis makes every effort to ensure the accuracy of all the information (the “Content”) contained in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and should be independently verified with primary sources of information. Taylor and Francis shall not be liable for any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of the Content. This article may be used for research, teaching, and private study purposes. 
Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://www.tandfonline.com/ page/terms-and-conditions

Who Can We Trust?: The Economic Impact of Insider Threats


Jian Hua, University of the District of Columbia, [email protected]
Sanjay Bapna, Morgan State University, [email protected]

ABSTRACT

Information Systems (IS) security has become a critical issue in the IT world. Among all threats against IS security, the insider threat is the greatest. This paper proposes a game theoretical model to study the economic impact of insider threats on IS security investments. We identify three factors influencing the optimal IS security investment: breach function sensitivity, deterrence level, and advantage rate. Our simulation results show that the optimal investment required to protect an information systems infrastructure from insiders is several orders of magnitude higher than that required to protect against external hackers.

KEYWORDS

Insider Threat, Information Security, Deterrence, Investment, Game Theory

INTRODUCTION

Modern economies are heavily dependent upon information systems (IS) for survival. However, regardless of the enormous business benefits derived from information systems, increased reliance on them leads to increased vulnerabilities and risks. IS security has thus become a critical issue in the IT world (Sonnenreich, Albanese, & Stout, 2006). Among all threats against IS security, the insider threat is the greatest (Warkentin & Willison, 2009).

In the IS security field, the term "insider" means a person who is authorized to access specific files, software or hardware belonging to an organization. An insider could be a current or former employee, a contractor, or a temporary user. What happens if an insider is a hacker? According to the results of the Computer Security Institute's CSI Computer Crime and Security Survey 2009, 43.2% of respondents reported insider abuse.

47 JGITM, Vol. 16, No. 4, October 2013

Insiders can be categorized into two groups: malicious insiders and non-malicious insiders. Which group causes more losses has not yet been determined and is not the focus of this research. Through employee training, we could minimize the threats from non-malicious insiders. However, the threats from non-malicious insiders can be exploited by hackers, and that is an area we examine in this paper. Employee training does not work for malicious insiders, because their intention is to steal, modify, or destroy valuable data and files. In this paper, we treat a malicious insider as an internal hacker, who has more advantages than an external hacker. Unless otherwise stated, "insider" in this paper means a malicious insider, i.e., an internal hacker.

The quality of IS security is highly related to the investment in IS security (Bojanc & Jerman-Blazic, 2008). An appropriate level of IS security investment can enhance the capability of organizations and governments to reduce the threats from insiders (Bodin & Gordon, 2005). The aim of this paper is to use game theory to model insider threat risks in IT-based information systems. We propose a static game model which can then be used to compare the optimal investments against insiders and against external hackers. This paper attempts to find an appropriate approach to studying the economic impact of insider threats on IS security investments.

The rest of the paper is organized as follows. In the next section, we review the literature on related IS security research and discuss key cases that deal with insiders. This provides the background for proposing a game theoretical model for IS security investments. The game theoretical model is described in the Methodology section. In the section after that, the results of the simulations are analyzed. Finally, we discuss the implications of our work in the Conclusion section.

LITERATURE REVIEW

Studying the influence of insider threats on IS security investments is multidisciplinary and requires the study of IS security research, deterrence, and cases of insider threats. Research on IS security provides an understanding of the methods, threats, risks, and behavioral aspects of cyber crime. Because the goal of this paper is to model insider threats, we focus our attention primarily on those areas of research that enable us to do so.

Insider Threat Cases

Many malicious insiders have been found, prosecuted and sentenced. After reviewing the cyber crime cases of the last five years published by the United States Department of Justice (cybercrime.gov), we present six representative insider threat cases.

• Samarth Agrawal, a trader at Societe Generale, printed parts of the high frequency trading system code used by Societe Generale. He took the printed code to his apartment and subsequently showed it to obtain a job offer from Tower Capital Research LLC (Tower), a proprietary trading group and hedge fund, to develop a high frequency trading system. His new compensation package included a total of $575,000 up front plus 20% of the profits generated by the duplicated trading system that he intended to build. He was sentenced by Manhattan federal court to 36 months in prison for theft of trade secrets and interstate transportation of stolen property on February 28, 2011.

• Rajendrasinh Babubhai Makwana, a network contractor, worked at Fannie Mae's Urbana, Maryland facility from 2006 to October 24, 2008. He inserted a malicious script into a routine program on the day he was fired. The script was designed to propagate throughout Fannie Mae's network of computers and destroy all data, including financial, securities and mortgage information, and was set to trigger on January 31, 2009. Makwana was sentenced to 41 months in prison, followed by three years of supervised release, on December 17, 2010.

• Andrew Michael Shelnutt was an employee of CariNet, Inc., a company which provides a large computer server hosting service in San Diego, California. He repeatedly changed CariNet's network configuration and deleted the computer logs that could show his unauthorized activity. The losses to CariNet are estimated to be more than $5,000.

• Bradley John Dierking, an employee of Geary Interactive, a local online and digital advertising agency, intruded into Geary Interactive's computer network a month after being fired in April 2007 and defaced the online reservation page of Miraval Resort, a significant customer of Geary Interactive. In addition, Dierking changed all of the administrative passwords to some of Geary Interactive's databases.

• Jeffery Howard Gibson, a computer programmer at St. Cloud Hospital, installed a logic bomb in the computer-based training program that he had developed for hospital employees. After he quit his job at the hospital in June 2006, he activated the logic bomb.

• Yung-Hsun Lin, a computer systems administrator at Medco Health Solutions, Inc., wrote code to wipe out servers on Medco's computer network during his employment at Medco. One database on the affected servers held critical information about patient-specific drug interactions. Although his attack failed, because of the potential severity of the crime Yung-Hsun Lin faced a maximum statutory penalty of 10 years in prison and a $250,000 fine.

Risk Models of IS Security Investment

Bojanc and Jerman-Blazic (2008) presented an approach towards assessing the required information and communication technology (ICT) security investment and data protection through the identification of assets and vulnerabilities. They introduced three methods to quantify the costs and benefits of security investments: return on investment (ROI), net present value (NPV), and internal rate of return (IRR). Huang, Hu, and Behara (2008) adopted expected utility theory to determine the optimal security investment level and showed how an organization could manage its investment in information security based on the different characteristics of threat environments and system configurations. Wang, Chaudhury, and Rao (2008) introduced the value-at-risk approach to measure the daily risk of an organizational information system. Using extreme value theory, they found the probability distribution of daily losses and time trends in the extreme behavior of daily risks.

Anderson (2001) first identified various distorted incentives in information security that make risk management in this domain difficult. He hypothesized that when a firm protects its computer systems to make it harder for a hacker to crack them, hackers may shift their effort to other companies, which increases the likelihood of a successful attack on other companies' resources.

The Breach Functions of IS Security

Gordon & Loeb (2002) believed that previous studies of the economic aspects of information security provided little generic guidance on how to derive the proper investment in IS security. Hence, they built a model that considered how the vulnerability of information and the potential loss from that vulnerability affect the optimal funding to secure the information. They made three assumptions: (1) if the information set is completely invulnerable, it remains perfectly protected for any amount of information security investment, including a zero investment; (2) if there is no investment in information security, the probability of a security breach equals the information set's inherent vulnerability, $v$; and (3) as the investment in security increases, the information is made more secure, but at a decreasing rate.

They proposed two classes of security breach probability functions. The first class is

$S^{I}(z, v) = \dfrac{v}{(\alpha z + 1)^{\beta}},$

where $z$ is the investment and $v$ is the vulnerability. Their second class is not considered in this paper. The parameters $\alpha$ and $\beta$ are measures of the productivity of information security; the probability of a breach decreases as either parameter increases. Hausken (2006) proposed a logistic breach function (his third class of breach functions),

$S^{III}(z, v) = \dfrac{vT}{1 + \rho\,(e^{z} - 1)},$

to address some of the drawbacks of Gordon and Loeb's classes. Hausken's other classes of breach functions are not considered in this paper. The parameters $\rho$ and $T$ measure the productivity of information security. By varying the parameters of the functions, it is possible to model the sensitivity of breaching information systems to investment levels. A sensitive breach function is one where a moderate increase in the amount of investment decreases the breach probability considerably. In other words, a sensitive breach function has a steeper slope at a given investment level than an insensitive breach function.


The Game Theoretical Model of IS Security

Using game theory, Schechter & Smith (2003) developed a model for companies to gauge their attractiveness to thieves and determine the proper level of security required for packaged systems. Under varying conditions of attack, their research revealed that a company would benefit substantially by increasing the probability of detection and/or the probability of repelling the attack, and by increasing the likelihood of hacker convictions.

Cavusoglu, Raghunathan, & Yue (2008) claimed that the traditional decision-theoretic risk management techniques used to determine IS security investments were incomplete, because they did not recognize that hackers alter their strategies in response to the firm's security investment strategy. They compared game theory and decision theory approaches with respect to investment levels, vulnerability, and payoffs from investment, and concluded that game theory is appropriate for modeling IS security investment.

Kantzavelou & Katsikas (2010) gave special attention to insiders when the insiders interact with an intrusion detection system. A game theoretical model was used to capture these interactions, and the game was solved using Quantal Response Equilibrium analysis. They claimed that they can determine how an insider will move and that their suggestions can improve IDS performance. Tang, Zhao, & Zhou (2011) proposed an algorithm for insider threat situation awareness. They used a dynamic Bayesian network structure and exact inference to acquire and fuse different types of insider information for behavior analysis. These two papers are discussed in greater detail in the Methodology section.

Overill (2008) explained three approaches to preventing and detecting insider intrusion that had not previously been reviewed in any great detail: simulation and modeling, scenario gaming and game theory, and artificial learning technologies. He claimed that insider intrusions can be viewed as a game between many stakeholders, where each stakeholder possesses at least one intrusive strategy along with one or more defensive strategies.

The Deterrence Function in IS Security

Deterrence theory has been widely employed in economics and criminology to study the behavior of criminals and antisocial individuals (Becker, 1968; Pearson & Weiner, 1985). In criminology, deterrence theory asserts that the probability of criminal behavior varies with the expected punishment, which consists of the perceived probability of being caught and the punishment level (Pearson & Weiner, 1985).


In criminology, deterrence theory focuses on the effects of punishment. In economics, deterrence theory focuses on the reward of legal behavior and the punishment of illegal behavior (Becker, 1968), and asserts that individuals make rational decisions to maximize their benefits and minimize their costs. A person decides to undertake a criminal activity when the expected payoff from the activity exceeds the expected cost, including the potential punishment (Straub & Welke, 1998). Deterrence theory has the underlying assumption that human behavior pursues pleasure and avoids pain. To deter potential criminals from unlawful behavior, it is necessary to impose countermeasures that increase the cost and/or reduce the benefits associated with it (Becker, 1968). Workman & Gathegi (2007) studied the effects of attitudes towards the law and of social influence, and concluded that punishment was more effective in deterring people who tried to avoid punishment or negative consequences, while ethics education was more effective in deterring people who had a strong social consciousness.

Oksanen & Valimaki (2007) conducted research on copyright violations and found that the strategy of minimizing risk was not only theoretically practiced but also extensively used. They found that the classic deterrence model should incorporate both the reputational cost and the reputational benefit of violations (Sunstein, 2003). The reputational cost is the unofficial sanction applied by the individual's peers; the reputational benefit comes from the support of the individual's community or peers (Rebellon & Manasse, 2004). The reputational benefit may play a significant role in individual decision-making.

Straub & Welke (1998) considered deterrence theory as a theoretical basis for security countermeasures to reduce IS risks and posited that managers and administrative policies were the key to successfully deterring, preventing, detecting, and pursuing remedies to cyber terrorism.

Determining the proper punishment is an important issue in the legal field. Legal systems in most societies specify punishments that increase with the level of social harm caused by the criminal activity (Rasmusen, 1995).

METHODOLOGY

Game theory is a branch of applied mathematics widely applied in economics, accounting, finance, biology, and political science. It attempts to model interactions among rational players and mathematically predict their choices of actions. Game theory has numerous applications, ranging from solving problems involving offense and defense (Lye & Wing, 2005; Sallhammar, Helvik, & Knapskog, 2007) to the design of optimal penalties to deter crime, which can be viewed as a rational choice decision (Saha & Poole, 2000; Chu, Hu, & Huang, 2000). Sandler & Arce (2003) listed six strengths of game theory in analyzing the behavior of a hacker and a target.

Insider threats are an interactive process, which enables game theoretic approaches to be applied to such problems (Kantzavelou & Katsikas, 2010; Liu, Wang, & Camp, 2008; Overill, 2008). Because insider threats are a significant source of security incidents, some researchers have proposed game theoretical approaches to study insider problems (Tang, Zhao, & Zhou, 2011; Liu, Wang, & Camp, 2008). However, the focus of such research is on understanding action sets rather than on using game theory to determine investment levels.

Liu, Wang, and Camp (2008) model and analyze insider threats using game theory. They propose a two-player zero-sum mixed strategy game to study the equilibrium behavior. In a zero-sum game, the reward to the insider is an identical loss to the defender. That assumption is not valid, since the gain to an insider may be a complex function of the loss to the organization. Moreover, their focus was on the security action set of the defender (revoke the insider's privileges or not), not on the defender's investments.

Kantzavelou and Katsikas (2010) model the evolution of an insider and an intrusion detection system over time using a two-player game with preference-based payoff functions. They assume that insiders may not be rational and therefore use quantal response equilibrium (QRE), which models irrationality by incorporating a random perturbation term in the payoff. Their goal is not so much to understand the equilibrium behavior as to understand the evolution of action sets over time.

Tang, Zhao and Zhou (2011) borrow the methodology developed by Kantzavelou and Katsikas (2010) to propose a two-player mixed strategy game, again with preference-based payoff functions, with the goal of understanding the evolution of the players' actions over time. Dynamic Bayesian networks are used to compute the posterior payoffs after each action. Their simulation experiments show that, as the actions evolve over time, the players' actions become rational.

In most applications of game theory, all players are assumed to be rational, with a desire to maximize their rewards. Each player also assumes that the other players will act rationally. A common assumption that enables us to solve a given game is that a player knows that all other players are rational. This assumption guarantees that each player makes a correct prediction of the other players' choices and hence is able to make the best choice for himself or herself.

In game theory, pure strategies specify the nonrandom action selection of players. In this case, a player always selects one action from his or her action set, without any uncertainty. In contrast, mixed strategies specify the set of actions from which a random selection will be made. For example, if an insider has the action set {Breach, Do Not Breach}, a mixed strategy of (30%, 70%) selects the action "Breach" with probability 30 percent and the action "Do Not Breach" with probability 70 percent.

Model Development

In this paper, we propose a one-stage non-cooperative static 2 x 2 general-sum game between an insider and a target, with the objective of determining the rewards to the organization and to the insider at varying investment levels by the organization. The normal form of the insider threat game is presented in Table 1. The target is an information system of an organization. This game model can be applied to hidden insider attacks. Since the game is general-sum, the rewards to the insider and to the organization differ. Since the game is non-cooperative, the players are prohibited from colluding, which models the behavior of insiders and organizations. It is assumed that all malicious insiders can be represented as one entity (as has been assumed in the previous works mentioned above). Table 1 presents the rewards to the two players. The breaching actions of a malicious insider are using authorized information, or obtaining unauthorized information, for personal gain or to cause monetary damage to the organization. In this game model, the organization faces two choices: either invest more money to improve the security of the IS infrastructure, or keep the current investment level. For the insider, the two possible actions are either to bring about conditions that result in breaching the system, or to leave the system in a safeguarded state.

Organizations face the challenge of improving IS security while minimizing IS security expenses. Increasing investment in IS security may not be justified by the marginal benefits of the investment. Two similar companies may spend an equal amount on securing their information systems, yet the level of security achieved may be quite different: IS security does not depend on the investment amount alone. In this paper, we argue that, in addition to the investment amount, three variables, namely the advantage rate, the breach function sensitivity, and the deterrence level, affect the optimal investment for IS security. The advantage rate reflects whether an attacker has ample knowledge and resources to plan an attack with a great degree of sophistication. Breach function sensitivity represents the quality of IS security administration and configuration.


Table 1. A General-Sum Insider Threat Game (each cell lists the reward to the insider, then the reward to the target)

                                 Player 2: Target Organization
                                 Invest More in IS Security                         Do Not Invest More in IS Security
Player 1: Insider
  Breach                         $\mu P_1 M + \lambda z_1 - Q_1,\; -(P_1 M + z_1)$   $\mu P_0 M + \lambda z_0 - Q_0,\; -(P_0 M + z_0)$
  Do Not Breach                  $\lambda z_1,\; -z_1$                               $\lambda z_0,\; -z_0$

In Table 1, a negative sign indicates that a player loses money. $P_1$ and $P_0$ denote the future and current probability of an information systems breach, respectively; $z_1$ and $z_0$ denote the target's future and current investment in IS security. $M$ denotes the maximum instant loss in the event of an information systems breach; it includes any loss from the incursion but excludes the cost of security. Subscript 0 denotes the current state and subscript 1 the future state, with $z_1 > z_0$ and $P_1 < P_0$.

• $-(P_1 M + z_1)$ is the reward to the target for the strategy pair {Breach, Invest More in IS Security}. If the insider chooses "Breach" and the target chooses "Invest More in IS Security", the target loses $P_1 M + z_1$.

• $-(P_0 M + z_0)$ is the reward to the target for the strategy pair {Breach, Do Not Invest More in IS Security}. If the insider chooses "Breach" and the target chooses "Do Not Invest More in IS Security", the breach leads to a total loss of $P_0 M + z_0$ for the target.

• $-z_1$ is the reward to the target for the strategy pair {Do Not Breach, Invest More in IS Security}. When the insider chooses "Do Not Breach" and the target chooses "Invest More in IS Security", the target only loses the new investment $z_1$.

• $-z_0$ is the reward to the target for the strategy pair {Do Not Breach, Do Not Invest More in IS Security}. If the insider chooses "Do Not Breach" and the target chooses "Do Not Invest More in IS Security", the target only loses its current investment $z_0$.

The reward to the insider is more complex. In Table 1, $\mu$ and $\lambda$ are parameters that convert the target's losses into the insider's gains. For example, if the maximum loss $M$ is 100 million dollars and the reward to the insider is 48 million dollars, the conversion is $\mu = 48/100 = 0.48$. The value range of $\mu$ and $\lambda$ is $[0, 1]$. $\lambda$ is the advantage rate: it reflects the degree to which an insider expends energy or has enough knowledge to get to the target information quickly, and the resulting reward can be expressed in terms of the total investment in information security. Benefits accrue to employees of an organization that invests in security (e.g., no bad publicity and the resulting benefits), and hence even by not breaching, the non-malicious employees get a reward based on the advantage rate. If $\lambda = 0.01$, less reward accrues to both malicious and non-malicious insiders; this represents an insider obtaining a potential reward that is 1% of the investment in security.

Before insiders take action, they evaluate their potential costs, punishment and reputational losses. We call this process deterrence. The function $P = P(z)$ denotes the breach function (see the section on breach functions above), which is independent of the game theory formulation. The function $\alpha = \alpha(z)$ represents the probability that the insider chooses the "Breach" action according to the game theory formulation. The function $Q(z)$ denotes the deterrence function, including the potential punishment and costs. Given that the insiders' skills are fixed, it is assumed that

$\dfrac{\partial Q}{\partial z} \ge 0,$

i.e., if the target increases its investment in IS security, the deterrence of the insider increases (or at least does not fall).

We have only one assumption concerning $\alpha = \alpha(z)$: $\alpha(z = 0) = 1$. That is, if the information system of a target is not protected by any IS security protection, the probability that the system is breached is 100%. This assumption allows for the possibility that an insider may breach the system, thus guaranteeing a lower bound on the investment that an organization makes in information systems security.

• $\mu P_1 M + A z_1 - Q_1$ denotes the reward to the insider if the insider chooses the action "Breach" and the target chooses the action "Invest More in IS Security". $P_1(z_1)$ denotes the new probability of information systems breaches with the new investment $z_1$. $Q_1(z_1)$ denotes the new deterrence, which includes his/her concerns about the potential punishment and costs of the new investment $z_1$. The deterrence function can be a linear function of the variable $z$, or a constant value.

56 JGITM, Vol. 16, No.4, October 2013


Page 12: Who Can We Trust?: The Economic Impact of Insider Threats


• $\mu P_0 M + A z_0 - Q_0$ is the reward to the insider if the insider chooses the action "Breach" and the target chooses the action "Do Not Invest More in IS Security". $Q_0(z_0)$ denotes the deterrence which includes his/her concerns about the potential punishment and costs of the current investment $z_0$.

• $A z_1$ is the reward to the insider if the insider chooses the action "Do Not Breach" and the target chooses the action "Invest More in IS Security".

• $A z_0$ is the reward to the insider when the insider chooses the action "Do Not Breach" and the target chooses the action "Do Not Invest More in IS Security".

When $\mu P M + A z - Q = A z$, we have $z = z^*$, which represents a breakpoint. The break-even point occurs when $\mu P M + A z - Q = A z$. The investment at the break-even point is represented as $z^*$. When the investment $z$ is higher or lower than $z^*$, the two players' strategies will change.

We assign the variable $\alpha = \alpha(z)$ to represent the probability that the insider chooses the action "Breach", and the variable $\beta$ to represent the probability that the target chooses the action "Invest More in IS Security". We use $H$ to denote the total reward to the insider and $L$ to denote the total reward to the target. We consider some boundary conditions, given next.

When $z_0 < z^*$ and $z_1 < z^*$, $\mu P_1 M + A z_1 - Q_1 > A z_1$, and the game reduces to a pure-strategy game. The profile of best responses in the static game is: when the target chooses the action "Invest More in IS Security", the insider will choose the action "Breach"; when the target chooses the action "Do Not Invest More in IS Security", the insider will still choose the action "Breach". The value of $\alpha$ is 100% until $z$ increases to the breakpoint $z^*$.

When $z_0 < z^*$ and $z_1 > z^*$, $\mu P_1 M + A z_1 - Q_1 < A z_1$, and the game becomes a mixed-strategy game. When the target chooses the action "Invest More in IS Security", the insider will choose the action "Do Not Breach". When the target chooses the action "Do Not Invest More in IS Security", the insider will choose the action "Breach". When the insider chooses the action "Breach", the target will choose the action "Invest More in IS Security", because $-(P_1 M + z_1) > -(P_0 M + z_0)$. When the insider chooses the action "Do Not Breach", the target will choose the action "Do Not Invest More in IS Security", because $-z_1 < -z_0$. Considering this information, we find that there is no pure-strategy Nash equilibrium. However, there is a mixed-strategy Nash equilibrium for the insider and the target.

The insider's mixed strategy $(\alpha, 1 - \alpha)$ indicates that the insider chooses the action "Breach" and the action "Do Not Breach" with a probability of $\alpha$ and $1 - \alpha$ respectively. When the target chooses the action "Invest More in IS Security", the reward to the target is $-(P_1 M + z_1)\alpha - z_1(1 - \alpha)$. When the target chooses the action "Do Not Invest More in IS Security", the reward to the target is $-(P_0 M + z_0)\alpha - z_0(1 - \alpha)$. Since a player chooses a mixed strategy when he/she is indifferent between alternative strategy choices because each yields the same payoff, we equate the two rewards of the target to obtain

$$-(P_1 M + z_1)\alpha - z_1(1 - \alpha) = -(P_0 M + z_0)\alpha - z_0(1 - \alpha).$$

Rearranging yields

$$\alpha = \frac{z_1 - z_0}{M(P_0 - P_1)}.$$

When the insider chooses the above mixed strategy $(\alpha, 1 - \alpha)$, the target is indifferent between the rewards of its two actions. Regardless of the target's strategy, the total reward to the target won't change, because the insider chooses the Nash equilibrium.

The target's mixed strategy $(\beta, 1 - \beta)$ indicates that the target chooses the action "Invest More in IS Security" and the action "Do Not Invest More in IS Security" with a probability of $\beta$ and $1 - \beta$ respectively. When the insider chooses the action "Breach", the reward to the insider is $\beta(\mu P_1 M + A z_1 - Q_1) + (1 - \beta)(\mu P_0 M + A z_0 - Q_0)$. When the insider chooses the action "Do Not Breach", the reward to the insider is $\beta(A z_1) + (1 - \beta)(A z_0)$. We equate the two rewards to get

$$\beta(\mu P_1 M + A z_1 - Q_1) + (1 - \beta)(\mu P_0 M + A z_0 - Q_0) = \beta(A z_1) + (1 - \beta)(A z_0).$$

From the above equation, we get

$$H = \frac{(\mu P_0 M - Q_0) A z_1 - A z_0 (\mu P_1 M - Q_1)}{(\mu P_0 M - Q_0) - (\mu P_1 M - Q_1)}.$$
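The two indifference conditions above, carried through in the paper's own symbols as an added derivation (not part of the original article); it also yields the target's mixing probability $\beta$, which the page states only implicitly through $H$.

Target indifference (the insider mixes with $\alpha$):

$$-(P_1 M + z_1)\alpha - z_1(1 - \alpha) = -(P_0 M + z_0)\alpha - z_0(1 - \alpha)
\;\Rightarrow\; (P_0 - P_1) M \alpha = z_1 - z_0
\;\Rightarrow\; \alpha = \frac{z_1 - z_0}{M(P_0 - P_1)}.$$

Insider indifference (the target mixes with $\beta$); the $A z$ terms appear on both sides and cancel:

$$\beta(\mu P_1 M + A z_1 - Q_1) + (1 - \beta)(\mu P_0 M + A z_0 - Q_0) = \beta A z_1 + (1 - \beta) A z_0$$

$$\Rightarrow\; \beta(\mu P_1 M - Q_1) + (1 - \beta)(\mu P_0 M - Q_0) = 0
\;\Rightarrow\; \beta = \frac{\mu P_0 M - Q_0}{(\mu P_0 M - Q_0) - (\mu P_1 M - Q_1)}.$$

Substituting $\beta$ into the "Do Not Breach" side, with $1 - \beta = \dfrac{-(\mu P_1 M - Q_1)}{(\mu P_0 M - Q_0) - (\mu P_1 M - Q_1)}$, gives the insider's expected reward

$$H = \beta A z_1 + (1 - \beta) A z_0 = \frac{(\mu P_0 M - Q_0) A z_1 - A z_0 (\mu P_1 M - Q_1)}{(\mu P_0 M - Q_0) - (\mu P_1 M - Q_1)}.$$

In this case $z_0 < z^* < z_1$, so $\mu P_0 M - Q_0 > 0$ and $\mu P_1 M - Q_1 < 0$; the denominator therefore exceeds the numerator and $0 < \beta < 1$, as a probability must.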

When $z_0 \ge z^*$ and $z_1 > z^*$, $\mu P_1 M + A z_1 - Q_1 < A z_1$ and $\mu P_0 M + A z_0 - Q_0 < A z_0$. The function $PM + z$ has its minimum value at $z = z^{\#}$. When the target chooses the action "Invest More in IS Security", the insider will choose the action "Do Not Breach". When the target chooses the action "Do Not Invest More in IS Security", the insider will choose the action "Do Not Breach". When the probability that the insider chooses the action "Do Not Breach" is 100%, the target will choose the action "Do Not Invest More in IS Security" with 100%. There is no reason for the target to increase the investment in IS security. The values of $\alpha$ and $\beta$ both equal 0. The expected reward to the insider, $H$, is $A z_0$. The expected reward to the target, $L$, is $-z_0$.

When we assume $z_1 - z_0 = \varepsilon$ and $\varepsilon \to 0$, we can get a dynamic game model. $-z^*$ is the minimum loss of the target.

With changes to the advantage value (A value), the general sum static game model canrepresent different IS security games in which attackers have different advantages. Inthe following section, we present one particular application of our general sum staticgame model: an insider game.

In this paper, five propositions are proposed:

1. There is an optimal IS security investment to minimize the target's loss.

2. There is an optimal IS security investment to minimize the reward to the insider.

3. Given identical deterrence functions, a sensitive breach function can lead to a lower optimal IS security investment than a less sensitive breach function.

4. Given identical breach functions, a high level deterrence function leads to a lower optimal IS security investment than a low level deterrence function.

5. If everything else is equal, a higher advantage rate can lead to a higher optimal IS security investment.

SIMULATION RESULTS AND DISCUSSIONS

Simulations were conducted in MatLab to prove the above propositions. Two Gordon and Loeb breach functions, $P = \frac{1}{0.5z + 1}$ and $P = \frac{1}{(5z + 1)^2}$, as well as two Hausken breach functions, $P = \frac{1}{1 + 0.1(e^{5z} - 1)}$ and $P = \frac{1}{1 + 0.0001(e^{z} - 1)}$, were used in the simulation. The two deterrence functions, $Q = z$ and $Q = 4z + 4$, were used in the simulation. A total of 8 cases were analyzed and are presented. They are

1. Less sensitive breach function and low level deterrence (Gordon and Loeb breach function)

2. Less sensitive breach function and high level deterrence (Gordon and Loeb breach function)

3. More sensitive breach function and low level deterrence (Gordon and Loeb breach function)

4. More sensitive breach function and high level deterrence (Gordon and Loeb breach function)

5. Less sensitive breach function and low level deterrence (Hausken breach function)

6. Less sensitive breach function and high level deterrence (Hausken breach function)

7. More sensitive breach function and low level deterrence (Hausken breach function)

8. More sensitive breach function and high level deterrence (Hausken breach function)

Table 2 presents the implications of the parameter values. Two levels were used for each parameter: high and low. For each case, we change the advantage rate from 0.05 to 1 in 0.05 increments. A low advantage rate ($A$) is reflective of insiders who are equivalent to external hackers without any useful inside information: they are fishing in the dark for information, and their fingerprints within the network can be traced easily to shut them down quickly and effectively. In contrast, a high advantage rate reflects insiders who have ample knowledge of critical and sensitive information or who may have been authorized to access critical information and systems.

Table 2. The Implication of the Parameter Values

Parameter Values | Implications
High Advantage rate (A = 0.9) | Insiders with long term objectives
Low Advantage rate (A = 0.1) | External hackers
High Level Deterrence (Q = 4z) | High costs to insider to breach Information Systems
Low Level Deterrence (Q = z) | Low costs to insider to breach Information Systems

Table 3. Breach Functions

Function | Gordon and Loeb's | Hausken's
Sensitive Breach Function (information systems with good administration and configuration) | $P = \frac{1}{(5z + 1)^2}$ | $P = \frac{1}{1 + 0.1(e^{5z} - 1)}$
Insensitive Breach Function (information systems with poor administration and configuration) | $P = \frac{1}{0.5z + 1}$ | $P = \frac{1}{1 + 0.0001(e^{z} - 1)}$
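An added example, not the authors' MatLab code, that implements the Table 1 payoffs, the break-even investment $z^*$ and the three equilibrium regimes described above using the breach and deterrence functions of Tables 2 and 3; $M$, $\mu$, $A$, $z_0$ and $z_1$ are sample values constructed for illustration, and the block goes one step beyond the text by checking the mixed-equilibrium condition $-(P_1 M + z_1) > -(P_0 M + z_0)$ before using it.

```python
"""Static insider game from the paper: Table 1 payoffs, break-even point and equilibrium.

Added example, not the authors' MatLab code. Assumed: the Table 1 payoffs quoted in the
text, the simulation's breach and deterrence functions, and sample values for M, mu, A,
z0 and z1 constructed for illustration.
"""
import math


def gordon_loeb(a, b):
    """Gordon and Loeb breach function P(z) = 1 / (a*z + 1)^b."""
    return lambda z: 1.0 / (a * z + 1.0) ** b


def hausken(k, c):
    """Hausken breach function P(z) = 1 / (1 + k*(e^(c*z) - 1))."""
    return lambda z: 1.0 / (1.0 + k * (math.exp(c * z) - 1.0))


# The four breach functions and two deterrence functions used in the simulation.
BREACH = {
    "GL insensitive": gordon_loeb(0.5, 1),       # P = 1/(0.5z + 1)
    "GL sensitive": gordon_loeb(5, 2),           # P = 1/(5z + 1)^2
    "Hausken insensitive": hausken(0.0001, 1),   # P = 1/(1 + 0.0001(e^z - 1))
    "Hausken sensitive": hausken(0.1, 5),        # P = 1/(1 + 0.1(e^(5z) - 1))
}
DETERRENCE = {
    "low": lambda z: z,                # Q = z
    "high": lambda z: 4.0 * z + 4.0,   # Q = 4z + 4
}


def breach_gain(P, Q, mu, M, z):
    """Insider's Breach payoff minus Do Not Breach payoff at z: the A*z terms of
    Table 1 cancel, leaving mu*P(z)*M - Q(z); its sign decides the insider's action."""
    return mu * P(z) * M - Q(z)


def break_even(P, Q, mu, M, z_max=1e6, tol=1e-9):
    """Solve mu*P(z)*M - Q(z) = 0 for the break-even investment z* by bisection.
    P is non-increasing and Q non-decreasing, so the gain is monotone in z."""
    if breach_gain(P, Q, mu, M, 0.0) <= 0:
        return 0.0  # deterrence already outweighs the reward at zero investment
    lo, hi = 0.0, 1.0
    while breach_gain(P, Q, mu, M, hi) > 0:  # grow the bracket until the sign flips
        hi *= 2.0
        if hi > z_max:
            raise ValueError("no break-even point below z_max")
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if breach_gain(P, Q, mu, M, mid) > 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def solve_game(P, Q, mu, A, M, z0, z1):
    """Equilibrium of the 2x2 game for current investment z0 and raised investment z1.
    alpha: probability the insider breaches; beta: probability the target invests more;
    H: expected reward to the insider; L: expected reward (minus loss) to the target."""
    P0, P1, Q0, Q1 = P(z0), P(z1), Q(z0), Q(z1)
    g0 = breach_gain(P, Q, mu, M, z0)
    g1 = breach_gain(P, Q, mu, M, z1)
    if g0 > 0 and g1 > 0:
        # Both investments sit left of z*: the insider breaches for sure (alpha = 1)
        # and the target picks whichever Table 1 breach payoff is the smaller loss.
        beta = 1.0 if -(P1 * M + z1) > -(P0 * M + z0) else 0.0
        H = (mu * P1 * M + A * z1 - Q1) if beta else (mu * P0 * M + A * z0 - Q0)
        L = max(-(P1 * M + z1), -(P0 * M + z0))
        return {"regime": "pure breach", "alpha": 1.0, "beta": beta, "H": H, "L": L}
    if g0 <= 0 and g1 <= 0:
        # Both sit at or right of z*: nobody breaches and the target does not invest more.
        return {"regime": "pure no-breach", "alpha": 0.0, "beta": 0.0, "H": A * z0, "L": -z0}
    # z0 < z* < z1: mixed-strategy Nash equilibrium. The text's condition
    # -(P1 M + z1) > -(P0 M + z0) is what makes the target's indifference alpha a
    # probability; without it the target never prefers investing.
    if M * (P0 - P1) <= z1 - z0:
        raise ValueError("target never prefers investing; no mixed equilibrium")
    alpha = (z1 - z0) / (M * (P0 - P1))  # target indifferent between its two actions
    beta = g0 / (g0 - g1)                 # insider indifferent between Breach / Do Not Breach
    H = beta * A * z1 + (1.0 - beta) * A * z0
    L = -(P1 * M + z1) * alpha - z1 * (1.0 - alpha)
    return {"regime": "mixed", "alpha": alpha, "beta": beta, "H": H, "L": L}


if __name__ == "__main__":
    # Break-even investment for the eight simulated cases at sample mu = 0.48, M = 100.
    for bname, P in BREACH.items():
        for dname, Q in DETERRENCE.items():
            print(f"{bname:20s} {dname:4s} deterrence: z* = {break_even(P, Q, 0.48, 100.0):.3f}")
    print(solve_game(BREACH["GL insensitive"], DETERRENCE["low"], 0.48, 0.9, 100.0, 5.0, 12.0))
```

With the sample values, the insensitive Gordon and Loeb function with low deterrence breaks even near $z^* \approx 8.85$, while the sensitive function with high deterrence breaks even below $z = 1$, which is the ordering Propositions 3 and 4 describe.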


[Figure 1: plot residue removed. Horizontal axis: Advantage Rate (0.05 to 0.95); vertical axis: optimal IS security investment (0 to 14). Four series: less sensitive breach function and low level deterrence; less sensitive breach function and high level deterrence; more sensitive breach function and low level deterrence; more sensitive breach function and high level deterrence.]

Figure 1. Optimal Investment Variance with Advantage Rate (Gordon and Loeb Breach Function)

[Figure 2: plot residue removed. Horizontal axis: Advantage Rate (0.05 to 0.95); vertical axis: optimal IS security investment (0 to 12). The same four series as in Figure 1.]

Figure 2. Optimal Investment Variance with Advantage Rate (Hausken Breach Function)


The simulation results are presented in Figures 1 and 2. In both figures, the horizontal axis is the advantage rate and the vertical axis is the optimal IS security investment. There are four lines in each figure. Because Figures 1 and 2 are similar, we only explain Figure 1 in the following sentences. The red line represents the condition that the breach function is less sensitive and the deterrence level is low. The green line represents the condition that the breach function is less sensitive and the deterrence level is high. The purple line represents the condition that the breach function is more sensitive and the deterrence level is low. The blue line represents the condition that the breach function is more sensitive and the deterrence level is high.

On the condition that the breach function is more sensitive and the deterrence level is high, changing the advantage rate won't change the optimal IS security investment much. The reason is clear. If an organization administers its IS security tightly and the deterrence to insiders is very high, even an insider is not willing to, or is unable to, commit cyber crime.

In contrast, on the condition that the breach function is less sensitive and the deterrence level is low, changing the advantage rate will change the optimal IS security investment sharply. If an organization administers its IS security very poorly and the deterrence to insiders is low, an insider is willing to, or able to, commit cyber crime.

Both Figure 1 and Figure 2 show that: (i) given identical deterrence functions, a sensitive breach function can lead to a lower optimal IS security investment than a less sensitive breach function; (ii) given identical breach functions, a high level deterrence function leads to a lower optimal IS security investment than a low level deterrence function; (iii) everything else being equal, a higher advantage rate can lead to a higher optimal IS security investment.

A sensitive breach function reflects organizational policies and technical solutions that have a large marginal improvement in security with increasing investments. A less sensitive breach function, by contrast, is relatively insensitive in decreasing security risks with increasing levels of investment. Based on all the cases that have been discussed in Section 2.1, insider threats can be modeled using a low sensitivity breach function, since insiders have numerous means available to them to thwart an organization's policies. As an example, in the first case described, Samarth Agarwal printed lines of code and shared them with a hedge fund. Organizational policies would have to require that all printing of lines of code be disallowed for this not to have occurred. This type of policy has additional loss-of-productivity costs associated with it, and organizations may not strictly adhere to such policies. Due to the successful prosecution of several insider cases, precedent does exist for deterrence; however, based on the existing literature, it is unclear whether the existing deterrence level is enough. For instance, there is a paucity of literature that considers insider breaches that have not been identified and hence not brought to justice.


The advantage rate is important in determining the optimal investment. In this paper, we use a high advantage rate to represent insiders with long term objectives, and a low advantage rate to represent external hackers. According to the simulation results, we found that insiders with long term objectives can cause more of a loss to target organizations. The reason is clear. Insiders with long term objectives have very clear goals and may spend more than two years of effort (Mitnick & Simon, 2005) in their attempt to commit cyber crime against their target organizations.

Intentional attacks are dangerous. If these attacks are launched by insiders, the threat will be the greatest. As insiders, they know the internal IS security protection better than external hackers do. If insiders are current employees or contractors, firewall protections will be useless against them, because they are already inside the organization's information systems. If insiders are former employees or contractors, they can still utilize their previous knowledge to bypass common firewall protections, or to locate information that has value to the organization being breached.

Compared with external hackers, insiders are more dangerous. Insiders have much longer to commit cyber crime than external hackers. External hackers prefer instant payoffs and act like shoplifters. They are opportunistic and cannot spend a long time intruding into a single dedicated organization. Compared to insiders, external hackers will cause less damage. Less security investment, therefore, can deter them. For an organization, it is impossible to choose its adversaries. The organizational characteristics determine its adversaries. If the organization holds information in its information systems that is much more valuable to insiders, its IS security level should be higher than the IS security level of organizations whose information systems are less valuable.

The values of the parameters in the breach functions have a direct impact on the sensitivity of both breach functions. The vulnerabilities of an information system come from two categories: technical vulnerability and administrative vulnerability. Organizations have to decrease both vulnerabilities to increase the sensitivity of the breach function. Decreasing only one type of vulnerability will not achieve a satisfactory result. Technical vulnerability includes the improper configuration of software and hardware. A lack of advanced or up-to-date security software and hardware will increase the breach probability. Also, the lack of experienced security professionals and inappropriate implementations will increase the breach probability. Investing money in software and hardware alone will not increase the sensitivity of an organization's breach function. Thus, any changes to the hardware, software, security policies, or the external environment will change the parameter values. Our focus was not on finding specific parameter values, which change continuously, but on the bigger picture of the study of the sensitivity of investments in security.


Insider threats are not an individual country's issue; they are a global issue. They are not just a matter of appropriate technology application; they involve social, psychological, financial, administrative, and legal issues. Solutions to insider threats must incorporate technology, people and policies. Of these three dimensions, the people dimension results in the greatest vulnerability to information systems. Moreover, people are unreliable. No matter where a company is located and which industry the company is in, its information system holds some intangible and valuable secrets. These systems are the target of insiders and outsiders. The results of our simulation prove that a high level of deterrence results in a decrease in the optimal level of IS security investment. The level of deterrence is country specific (Fajnzylber, Lederman, & Loayza, 2002) and therefore the optimal IS security investment is expected to be different for different countries.

Publicizing and reporting of insider crimes may also be country specific. The U.S. government allows citizens and organizations to report computer crimes to several agencies: the Federal Bureau of Investigation (FBI), the United States Secret Service, the United States Immigration and Customs Enforcement (ICE), the United States Postal Inspection Service, and the Bureau of Alcohol, Tobacco and Firearms (ATF). Such publicizing and reporting capabilities may not exist in other nations. Any kind of information breach in a large American company can attract the whole world's eyeballs. Although we may not hear as much about information breaches in other countries, they exist nonetheless. Newspapers and other media have already reported that more and more hacking activities are carried out by Chinese hackers. This could mean that Chinese companies face even worse insider threats than American companies. Cultural reasons might account for why those inside breaches were not released to the public, perhaps because Chinese companies care more about reputation than about the loss. The inter-country comparison of insider threats is an interesting area of potential research.

This research result can be generalized to most industries and countries, provided they have modern information system infrastructure such as networks, computers and databases. The methods to minimize insider threats are the same for all countries. While we believe that insider threats exist across cultures and legal systems, the optimal investment levels may be different across different countries, as suggested by our research.

CONCLUSIONS

Our contribution is that we prove that an optimal investment exists for the insider threat game. The correctness of the model is validated by showing that sensitive breach functions lead to a lower optimal investment, that high level deterrence leads to a lower optimal investment, and that a low advantage rate leads to a lower optimal investment. The simulation results of our game model prove that the attacker's advantage rate, breach function sensitivity and the deterrence level have an effect on the optimal investment.

Our paper shows that organizations need to invest orders of magnitude more to protect their information from insiders than from external hackers. The protection may be in the form of proactive employee training, but all the same, the organization will need to incur costs for it.

This research can also be generalized to other practical fields such as financial fraud prevention. If we view inside employees as potential cyber criminals, this game model tells us that building a strong internal control system is as important as increasing the deterrence level. Internal fraud from employees who can have a long-range goal for fraudulent activity could be more dangerous than actions originating from other employees.

The current model is a static model, assuming that the parameters do not change. In areal-world setting, the parameters are constantly changing. However, while this is adrawback of the model, the results of the model comparing the impact of insiders tonon-insiders still hold.

REFERENCES

Anderson, R. "Why information security is hard: An economic perspective." Proceedings of the 17th Annual Computer Security Applications Conference, 2001, pp. 358-365.

Becker, G. S. "Crime and punishment: An economic approach." Journal of Political Economy (76:2), 2001, pp. 167-217.

Bodin, L. D., & Gordon, L. A. "Evaluating information security investments using the analytic hierarchy process." Communications of the ACM (48:2), 2005, pp. 79-83.

Bojanc, R., & Jerman-Blazic, B. "An economic modelling approach to information security risk management." International Journal of Information Management (28:5), 2008, pp. 413-422.

Cavusoglu, H., Raghunathan, S., & Yue, W. T. "Decision-theoretic and game-theoretic approaches to IT security investment." Journal of Management Information Systems (25:2), 2008, pp. 281-304.

Chu, C. C., Hu, S., & Huang, T. "Punishing repeat offenders more severely." International Review of Law and Economics (20:1), 2000, pp. 127-140.

Fajnzylber, P., Lederman, D., & Loayza, N. "What causes violent crime?" European Economic Review (46:7), 2002, pp. 1323-1357.

Gordon, L. A., & Loeb, M. P. "The economics of information security investment." ACM Transactions on Information and System Security (5:4), 2002, pp. 438-457.


Hausken, K. "Returns to information security investment: The effect of alternative information security breach functions on optimal investment and sensitivity to vulnerability." Information Systems Frontiers (8:5), 2006, pp. 339-349.

Huang, C. D., Hu, Q., & Behara, R. S. "An economic analysis of the optimal information security investment in the case of a risk-averse." International Journal of Production Economics (114:2), 2008, pp. 793-804.

Kantzavelou, I., & Katsikas, S. "A game-based intrusion detection mechanism to confront internal attackers." Computers & Security (29:8), 2010, pp. 859-874.

Liu, D., Wang, X., & Camp, J. "Game-theoretic modeling and analysis of insider threats." International Journal of Critical Infrastructure Protection (1), 2008, pp. 75-80.

Liu, W., Tanaka, H., & Matsuura, K. "Empirical analysis methodology for information-security investment and its application to reliable survey of Japanese firms." Information and Media Technologies (3:2), 2008, pp. 464-478.

Lye, K., & Wing, J. "Game strategies in network security." International Journal of Information Security (4:1-2), 2005, pp. 71-86.

Mitnick, K., & Simon, W. L. The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers. Indianapolis, IN: Wiley Publishing, Inc., 2005.

Oksanen, V., & Valimaki, M. "Theory of deterrence and individual behavior. Can lawsuits control file sharing on the Internet?" Review of Law & Economics (3:3), 2007, pp. 693-714.

Overill, R. E. "ISMS insider intrusion prevention and detection." Information Security Technical Report (13:4), pp. 216-219.

Pearson, F. S., & Weiner, N. A. "Toward an integration of criminological theories." Journal of Criminal Law and Criminology (76:1), pp. 116-150.

Rasmusen, E. "How optimal penalties change with the amount of harm." International Review of Law and Economics (15:1), 1995, pp. 101-108.

Rebellon, C., & Manasse, M. "Do "bad boys" really get the girls? Delinquency as a cause and consequence of dating behavior among adolescents." Justice Quarterly (21:2), 2004, pp. 355-389.

Saha, A., & Poole, G. "The economics of crime and punishment: An analysis of optimal penalty." Economics Letters (68:2), 2000, pp. 191-196.

Sallhammar, K., Helvik, B., & Knapskog, S. "A framework for predicting security and dependability measures in real-time." International Journal of Computer Science and Network Security (7:3), 2007, pp. 169-183.

Sandler, T., & Arce, D. "Terrorism and game theory." Simulation and Gaming (34:3), 2003, pp. 319-337.

Schechter, S. E., & Smith, M. D. "How much security is enough to stop a thief? The economics of outsider theft via computer systems and networks." Proceedings of the 7th Financial Cryptography Conference (pp. 122-137). Guadeloupe: International Financial Cryptography Association, 2003.


Sonnenreich, W., Albanese, J., & Stout, B. "Return on security investment." Journal of Research and Practice in Information Technology (38:1), 2006, pp. 55-66.

Straub, D. W., & Welke, R. J. "Coping with systems risk: Security planning models for management decision making." MIS Quarterly (22:4), 1998, pp. 441-469.

Sunstein, C. Why Societies Need Dissent. Cambridge, MA: Harvard University Press, 2003.

Tang, K., Zhao, M., & Zhou, M. "Cyber insider threats situation awareness using game theory and information fusion-based user behavior predicting algorithm." Journal of Information & Computational Science (8:3), 2011, pp. 529-545.

Wang, J., Chaudhury, A., & Rao, H. R. "A value-at-risk approach to information security investment." Information Systems Research (19:1), 2008, pp. 106-120.

Warkentin, M., & Willison, R. "Behavioral and policy issues in information systems security: The insider threat." European Journal of Information Systems (18), 2009, pp. 101-105.

Workman, M., & Gathegi, J. "Punishment and ethics deterrents: A study of insider security contravention." Journal of the American Society for Information Science and Technology (58:2), 2007, pp. 212-222.

Jian Hua is an associate professor of Management Information Systems at the University of the District of Columbia, USA. He received his PhD in Business Administration from Morgan State University. He received his bachelor's degree in Engineering from Southeast University, China. He has been awarded the best research paper at the national conferences of the Decision Sciences Institute in 2009 and 2011. His research papers have been published in the Journal of Strategic Information Systems and several other journals.

Sanjay Bapna is a Professor of Information Science and Systems at Morgan State University. His background is in the fields of cyber-security, business intelligence, econometrics, data mining, and evaluations. Dr. Bapna has been awarded the best paper at the National Decision Sciences Institute Conference in 2009 and 2011 as well as the best paper from the International Association of Computer Information Systems. He has published extensively in quality journals including Decision Sciences and Decision Support Systems.
