Correlated failures, diversification, and information security risk management

Pei-yu Chen, Gaurav Kataria, Ramayya Krishnan

Research output: Contribution to journal › Article

49 Citations (Scopus)

Abstract

The increasing dependence on information networks for business operations has focused managerial attention on managing the risks posed by failure of these networks. In this paper, we develop models to assess the risk of failure on the availability of an information network due to attacks that exploit software vulnerabilities. Software vulnerabilities arise from the software installed on the nodes of the network. When the same software stack is installed on multiple nodes of the network, software vulnerabilities are shared among them. These shared vulnerabilities can result in correlated failure of multiple nodes, resulting in longer repair times and greater loss of availability of the network. Considering positive network effects (e.g., compatibility) alone, without taking the risks of correlated failure and the resulting downtime into account, would lead to overinvestment in homogeneous software deployment. Exploiting characteristics unique to information networks, we present a queuing model that allows us to quantify the downtime loss faced by a firm as a function of (1) investment in security technologies to avert attacks, (2) software diversification to limit the risk of correlated failure under attacks, and (3) investment in IT resources to repair failures due to attacks. The novelty of this method is that we endogenize the failure distribution and the node correlation distribution, and show how the diversification strategy and other security measures/investments may impact these two distributions, which in turn determine the security loss faced by the firm. We analyze and discuss the effectiveness of the diversification strategy under different operating conditions and in the presence of changing vulnerabilities. We also take into account the benefits and costs of a diversification strategy. Our analysis provides conditions under which a diversification strategy is advantageous.

Original language: English (US)
Pages (from-to): 397-422
Number of pages: 26
Journal: MIS Quarterly: Management Information Systems
Volume: 35
Issue number: 2
State: Published - Jun 2011
Externally published: Yes


Keywords

  • Correlated failures
  • Diversification
  • Downtime loss
  • Network effects
  • Risk management
  • Security
  • Software allocation

ASJC Scopus subject areas

  • Computer Science Applications
  • Information Systems
  • Information Systems and Management
  • Management Information Systems

Cite this

Correlated failures, diversification, and information security risk management. / Chen, Pei-yu; Kataria, Gaurav; Krishnan, Ramayya.

In: MIS Quarterly: Management Information Systems, Vol. 35, No. 2, 06.2011, p. 397-422.


@article{7b0890d605d9433498c4c5eea73cd249,
title = "Correlated failures, diversification, and information security risk management",
abstract = "The increasing dependence on information networks for business operations has focused managerial attention on managing the risks posed by failure of these networks. In this paper, we develop models to assess the risk of failure on the availability of an information network due to attacks that exploit software vulnerabilities. Software vulnerabilities arise from the software installed on the nodes of the network. When the same software stack is installed on multiple nodes of the network, software vulnerabilities are shared among them. These shared vulnerabilities can result in correlated failure of multiple nodes, resulting in longer repair times and greater loss of availability of the network. Considering positive network effects (e.g., compatibility) alone, without taking the risks of correlated failure and the resulting downtime into account, would lead to overinvestment in homogeneous software deployment. Exploiting characteristics unique to information networks, we present a queuing model that allows us to quantify the downtime loss faced by a firm as a function of (1) investment in security technologies to avert attacks, (2) software diversification to limit the risk of correlated failure under attacks, and (3) investment in IT resources to repair failures due to attacks. The novelty of this method is that we endogenize the failure distribution and the node correlation distribution, and show how the diversification strategy and other security measures/investments may impact these two distributions, which in turn determine the security loss faced by the firm. We analyze and discuss the effectiveness of the diversification strategy under different operating conditions and in the presence of changing vulnerabilities. We also take into account the benefits and costs of a diversification strategy. Our analysis provides conditions under which a diversification strategy is advantageous.",
keywords = "Correlated failures, Diversification, Downtime loss, Network effects, Risk management, Security, Software allocation",
author = "Pei-yu Chen and Gaurav Kataria and Ramayya Krishnan",
year = "2011",
month = "6",
language = "English (US)",
volume = "35",
pages = "397--422",
journal = "MIS Quarterly: Management Information Systems",
issn = "0276-7783",
publisher = "Management Information Systems Research Center",
number = "2",

}
