How Bad is it? – A Branching Activity Model to Estimate the Impact of Information Security Breaches

Russell Cameron Thomas, Marcin Antkiewicz, Patrick Florer, Suzanne Widup, Matthew Woodyard
2013 Social Science Research Network  
This paper proposes an analysis framework and model for estimating the impact of information security breach episodes. Previous methods either lack empirical grounding or are not sufficiently rigorous, general or flexible. There has also been no consistent model that serves theoretical and empirical research, and also professional practice. The proposed framework adopts an ex ante decision frame consistent with rational economic decision-making, and measures breach consequences via the ...ed costs of recovery and restoration by all affected stakeholders. The proposed branching activity model is an event tree whose structure and branching conditions can be estimated using probabilistic inference from evidence, 'Indicators of Impact'. This approach can facilitate reliable model estimation when evidence is imperfect, incomplete, ambiguous, or contradictory. The proposed method should be especially useful for modeling consequences that extend beyond the breached organization, including cascading consequences in critical infrastructures. Monte Carlo methods can be used to estimate the distribution of aggregate measures of impact such as total cost. Non-economic aggregate measures of impact can also be estimated.

... ordinal scales, e.g. "High", "Medium", and "Low". Probabilistic risk analysis involves quantitative estimation of breach impact on a ratio scale, usually as a dollar cost. Whether the estimates are expressed as ordinal or ratio scale values, impact estimation plays a central role in formal risk assessment and risk management. Even in informal settings, perception and communication about risk often involves some estimate or mental model of the severity of breach episodes. If the impacts of breach episodes fit Gaussian distributions, then it would be progressively easier to estimate them with experience and information pooling, and the consequences of estimation errors would be moderate and manageable. However, information security breach impacts, especially in interdependent settings like critical infrastructures, appear to follow 'heavy-tailed' distributions due to cascading consequences (Woolf et al. 2004, Buldyrev et al. 2010
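The abstract describes three ingredients: an event tree of recovery activities with probabilistic branches, inference of branching conditions from Indicators of Impact, and Monte Carlo estimation of aggregate measures such as total cost. The following Python sketch is an added illustration of how those ingredients fit together; it is not the authors' model or code. The tree shape, the stakeholder names, every cost and every branch probability are constructed placeholders, and the indicator update uses a plain Bayes rule with assumed indicator likelihoods as one simple form of the probabilistic inference the abstract refers to. Because follow-on activities trigger independently and can chain across stakeholders, the simulated total cost is right-skewed, which is the heavy-tail behaviour the text attributes to cascading consequences.

```python
import random
import statistics
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Activity:
    """One recovery/restoration activity borne by a stakeholder (a tree node)."""
    name: str
    stakeholder: str
    cost: float
    # Follow-on activities this one may trigger, each with its own branching
    # probability. Triggers are independent, so cascades can compound.
    follow_ons: List[Tuple[float, "Activity"]] = field(default_factory=list)


def expected_cost(node: Activity) -> float:
    """Exact expected cost by recursion: own cost + sum_i p_i * E[child_i]."""
    return node.cost + sum(p * expected_cost(child) for p, child in node.follow_ons)


def sample_episode(root: Activity, rng: random.Random) -> Dict[str, float]:
    """One Monte Carlo realisation: walk the tree, triggering each follow-on
    with its branch probability, and return the cost borne by each stakeholder."""
    per_stakeholder: Dict[str, float] = {}
    stack = [root]
    while stack:
        act = stack.pop()
        per_stakeholder[act.stakeholder] = per_stakeholder.get(act.stakeholder, 0.0) + act.cost
        for p, child in act.follow_ons:
            if rng.random() < p:
                stack.append(child)
    return per_stakeholder


def simulate(root: Activity, n: int, seed: int = 7) -> List[Dict[str, float]]:
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    return [sample_episode(root, rng) for _ in range(n)]


def summarize(episodes: List[Dict[str, float]]) -> Dict[str, float]:
    """Aggregate measures of impact over the sampled episodes (economic and not)."""
    totals = sorted(sum(e.values()) for e in episodes)
    n = len(totals)
    return {
        "mean": statistics.fmean(totals),
        "median": totals[n // 2],
        "p95": totals[int(0.95 * n)],
        "max": totals[-1],
        # non-economic measure: share of episodes whose cost spread beyond the breached org
        "share_with_external_cost": sum(1 for e in episodes if len(e) > 1) / n,
    }


def update_branch_probability(prior: float, p_ind_if_branch: float,
                              p_ind_if_no_branch: float, observed: bool = True) -> float:
    """Bayes update of one branching condition from a single Indicator of Impact:
    an observable whose likelihood differs depending on whether the branch occurs.
    (Assumed form of inference; the paper's own estimation method may differ.)"""
    if observed:
        num = prior * p_ind_if_branch
        den = num + (1.0 - prior) * p_ind_if_no_branch
    else:
        num = prior * (1.0 - p_ind_if_branch)
        den = num + (1.0 - prior) * (1.0 - p_ind_if_no_branch)
    return num / den


def build_example_tree() -> Activity:
    """Constructed, hypothetical episode; none of these values come from the paper."""
    regional = Activity("regional_service_disruption", "public", 20_000_000.0)
    downstream = Activity("downstream_customer_outage", "customers", 2_000_000.0, [(0.3, regional)])
    supplier = Activity("supplier_outage", "supplier", 400_000.0, [(0.5, downstream)])
    fine = Activity("regulatory_fine", "breached_org", 1_000_000.0)
    investigation = Activity("regulatory_investigation", "breached_org", 150_000.0, [(0.4, fine)])
    monitoring = Activity("credit_monitoring", "breached_org", 300_000.0)
    notify = Activity("customer_notification", "breached_org", 50_000.0, [(0.7, monitoring)])
    return Activity("incident_response", "breached_org", 200_000.0,
                    [(0.6, notify), (0.3, investigation), (0.1, supplier)])


if __name__ == "__main__":
    tree = build_example_tree()
    print(f"analytic expected total cost: {expected_cost(tree):,.0f}")
    print("Monte Carlo summary:", summarize(simulate(tree, 20_000)))
    print("branch probability after observing an indicator:",
          update_branch_probability(0.2, 0.9, 0.1))
```

For the constructed tree the analytic expectation is 961,000, while the sampled median sits far below the mean and the maximum reaches the 20M regional branch: the mean alone hides the tail that matters for a risk decision, which is why the abstract asks for the whole distribution rather than a point estimate. `update_branch_probability` shows where Indicators of Impact enter: an indicator that is nine times more likely when a branch occurs moves a 0.2 prior to roughly 0.69, and the re-estimated tree can then be re-simulated.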
doi:10.2139/ssrn.2233075 fatcat:ecnk3vh6j5gubg6twhhimwsmzu