Legal, Regulatory & Public Policy Constraints on Risk Analysis
John W. Bagby
Prof. of IST
IIP
Roles of Law/Reg/Policy in Risk Analysis & Risk Management
- Law Resolves Disputes, Shifts Risk of Loss
  - Risk Analysis Failure Shifts Liability Risks to Creator
  - Actual Injuries Trigger Disputes over Risk Duties
- Law Defines Risks & Duties of Care
  - Crimes, Torts, Contracts, Standards, Determination of Injury
  - Law Dis-Incentivizes Risky Deeds (DD&tDDC)
- Law Defines Risk Management Duties
- Law Compensates Injuries Derived from
  - Law Defines/Constrains Damage Computation
- Law Encourages Risk Mgt
  - Law Defines Risk Mgt Professionalism
  - Law Enforces Risk Shifting Contracts
  - Law Requires Risk Analysis & Impacts Methods
  - But Law may Disincentivize Introspection w/o Self-Eval Privilege
- Law Regulates Risk Management Industry
  - Law Enforces Risk Mgt Profession's Arrangements
Risk Analysis is Sectoral
- Risk Analysis Differs by Domain
  - Just like U.S. Privacy Law
- Major Differences: Physical vs. Intangible Security
  - Most domains blend tangible w/ information
- Many Key Domains Track Critical Infrastructures as defined in USA Patriot's CIPA §1016(e): "…systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."
  - telecommunications; electrical power systems; gas & oil storage & transportation; banking & finance; transportation; water supply systems; emergency services (e.g., medical, police, fire, & rescue), govt. continuity & CyberSpace
  - Calls for National Effort to Enhance Modeling & Analytical Capacities: appropriate mechanisms to ensure the stability [of] complex & interdependent systems, [incl] continuous viability & adequate protection of critical infrastructures
What is Shared Among these Vastly Different Sectors?
SRA's Profoundly Different Sectors: Terrorism, Piracy; Litigation; Legislation; Financial (Default, Systematic, Recordkeeping, Fraud, Derivatives); Environmental, Ecological, Toxic/Hazardous Substances, Pollution, Contaminants, Microbial; NanoParticles; Safety; Political; Design; Manufacturing; Intelligence; Medicine; Nuclear Power; Construction; Food Safety; Drinking Water; Foreign Trade; Energy Availability/Sustainability; Climate, Natural Disasters & Response; Infringements; Public Health & Lifestyle; Crime; Malpractice, Fiduciary Breach; Property, Casualty; Data Availability/Integrity; Cyber Attack; Aerospace; Chemicals; Government/Regulation; Defense
Law Permits/Regulates Risk Analytics
- Quantitative; Statistical; Actuarial; Mortality & Morbidity
- Admissibility of Forensic Quality Expertise
- Decision Analysis; Failure Analysis
- Qualitative; Heuristic; Visualization; Interdependence Risk Assessment
- Education; Demographics; Risk Recognition; Emotion
FIPP Std: Integrity &/or Security
- Collector/Archiver/Custodians
  - Reasonable steps to assure accuracy of PII
  - Administrative & technical security measures
- Standards:
  - Prevent unauthorized access
  - Prevent unauthorized disclosure
  - Prevent destruction
  - Prevent misuse
- Relationship to SOX Internal Control & Data Security
Financial Info Security Risks: FTC
- FTC "Safeguards Rule" Imposes Standards for Safeguarding Customer Information
  - Regulated financial institutions must develop, implement & maintain reasonable administrative, technical & physical safeguards to protect the security, confidentiality & integrity of customer information
  - Flexible: need be appropriate to institution's size & complexity
- Risk Analysis Required
  - Designate Data Security Employee(s)
  - Perform Risk Assessment; at least, evaluate risks in:
    - Employee training & management
    - Information systems, including, inter alia, network & software design; information processing, storage, transmission & disposal
    - Detecting, preventing & responding to attacks, intrusions or system failures
Financial Info Security Risks: SEC
- Financial Institutions w/in SEC Juris. Must:
  - Adopt written policies & procedures, reasonably designed to …
    - Insure security & confidentiality of customer records
    - Protect against anticipated threats or hazards
    - Protect against unauthorized access or use that could result in substantial harm or inconvenience
  - Disposal Rule: must properly dispose of PII using reasonable measures to protect against unauthorized access to or use of PII
Controls over Internal Risks
- COSO's Definition of Internal Control: "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" in these categories:
  - effectiveness and efficiency of operations;
  - reliability of financial reporting; and
  - compliance with applicable laws and regulations.
- Components of Internal Control are:
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information & Communication
  - Monitoring
GLB Safeguards Rule
- Financial institutions must design, implement and maintain safeguards
  - Purpose: to protect private info
- Must implement written information security program appropriate to company's size & complexity, nature & scope of activities, & sensitivity of customer data
- Security program must also:
  - assign one or more employees to oversee program;
  - conduct risk assessment;
  - put safeguards in place to control risks identified in assessment, then regularly test & monitor them;
  - require service providers, by written contract, to protect customers' personal information; &
  - periodically update security program
What Are OffShore Outsourcing Risks?
- Cost Focus Myopia
- Unwarranted due diligence suspension
- Cultural Ignorance
- Identifying Scalability Challenges
- Remedies for Service Failure
- Retrieving Hosted Assets
- IP…Ip…ip
- Transitioning to Substitute Service Provider
- Designing Service Level Metrics, negotiating SLC
- Incompatible Functions (security)
- Lou Dobbs engenders grassroots political pressure to advance reactionary policies: Protectionism, Xenophobia, Nationalism
Admitting then Analyzing Outsourcing Risks
- Not Outsourcing Risks Internal Failure
- Interdependency Reduces (Some) Risks of Conflict
- Outsourcing Sacrifices Monitoring, Risking Injury from Diminished Control
- Slipshod Rush to Outsource for $avings
- Cross-Cultural Ignorance Obscures Outsourcing Vulnerabilities
- SAS 70 Requires Outsourcing Risk Analysis/Mgt
- SLC Negotiation Opportunities to Reduce Risk
NIST Risk Mgt Method
- Asset Valuation
  - Information, software, personnel, hardware, & physical assets
  - Intrinsic value & the near-term impacts & long-term consequences of its compromise
- Consequence Assessment
  - Degree of harm or consequence that could occur
- Threat Identification
  - Typical threats are error, fraud, disgruntled employees, fires, water damage, hackers, viruses
- Vulnerability Analysis
  - Analyzed in terms of missing safeguards
- Safeguard Analysis
  - Any action that reduces an entity's vulnerability to a threat
  - Includes the examination of existing security measures & the identification of new safeguards
- Risk Management Requires Risk Analysis
  - "The Process of Identifying, Controlling and Minimizing the Impact of Uncertain Events" (NIST, 1995 @59)

NIST Risk Mgt Method
[Figure: NIST Risk Mgt Method flow. Source: NIST Handbook]
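The five steps on the slide above (asset valuation, consequence assessment, threat identification, vulnerability analysis "in terms of missing safeguards", and safeguard analysis) can be run as a small scoring exercise. The following is an added worked example, not code from the slide deck or from the NIST Handbook: the assets, threats, safeguards and the 1..5 scoring bands are constructed assumptions, and the additive likelihood-reduction model is a simplification chosen for illustration. It produces a ranked risk register and then ranks the safeguards that are not yet in place by how much total residual risk each would remove, which is the "identification of new safeguards" step done numerically.

```python
# Added worked example of the NIST-style risk analysis steps on the slide above.
# Not from the slide deck or from NIST: the assets, threats, safeguards and the
# 1..5 scoring bands are constructed assumptions for illustration.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # 1 (low) .. 5 (critical): intrinsic value plus consequence of compromise


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # 1 (rare) .. 5 (expected), before any safeguard is applied
    targets: frozenset  # names of the assets this threat can reach


@dataclass(frozen=True)
class Safeguard:
    name: str
    mitigates: str   # name of the threat it counters
    reduction: int   # likelihood bands it removes when in place
    in_place: bool   # False = a "missing safeguard" candidate


# Constructed sample inventory (assumption, not real data).
ASSETS = (
    Asset("customer_records", 5),
    Asset("web_server", 4),
    Asset("hr_laptops", 3),
)
THREATS = (
    Threat("hacker", 4, frozenset({"customer_records", "web_server"})),
    Threat("disgruntled employee", 3, frozenset({"customer_records", "hr_laptops"})),
    Threat("fire", 1, frozenset({"web_server", "hr_laptops"})),
    Threat("virus", 4, frozenset({"web_server", "hr_laptops"})),
)
SAFEGUARDS = (
    Safeguard("perimeter firewall + patching", "hacker", 2, True),
    Safeguard("MFA + least privilege", "hacker", 1, False),
    Safeguard("access logging + separation of duties", "disgruntled employee", 2, False),
    Safeguard("fire suppression", "fire", 1, True),
    Safeguard("endpoint anti-malware", "virus", 2, True),
)


def residual_likelihood(threat, safeguards):
    """Likelihood left after the safeguards actually in place; never below band 1."""
    applied = sum(s.reduction for s in safeguards
                  if s.in_place and s.mitigates == threat.name)
    return max(1, threat.likelihood - applied)


def risk_register(assets, threats, safeguards):
    """One row per (asset, threat): score = asset value x residual likelihood, highest first."""
    value_of = {a.name: a.value for a in assets}
    rows = []
    for t in threats:
        lk = residual_likelihood(t, safeguards)
        for name in sorted(t.targets):
            rows.append((name, t.name, value_of[name] * lk))
    return sorted(rows, key=lambda row: -row[2])


def total_risk(assets, threats, safeguards):
    """Sum of all register scores: the portfolio-level residual risk."""
    return sum(score for _, _, score in risk_register(assets, threats, safeguards))


def missing_safeguards(assets, threats, safeguards):
    """Vulnerability analysis in terms of missing safeguards: rank each safeguard
    not yet in place by the total risk it would remove if adopted."""
    baseline = total_risk(assets, threats, safeguards)
    ranked = []
    for s in safeguards:
        if s.in_place:
            continue
        trial = tuple(replace(x, in_place=True) if x is s else x for x in safeguards)
        ranked.append((s.name, baseline - total_risk(assets, threats, trial)))
    return sorted(ranked, key=lambda row: -row[1])


if __name__ == "__main__":
    for asset, threat, score in risk_register(ASSETS, THREATS, SAFEGUARDS):
        print(f"{score:3d}  {asset:17s} <- {threat}")
    print("total residual risk:", total_risk(ASSETS, THREATS, SAFEGUARDS))
    for name, saved in missing_safeguards(ASSETS, THREATS, SAFEGUARDS):
        print(f"adopting {name!r} would remove {saved} points")
```

With the constructed inventory the highest-scoring row is the insider threat against customer records (no safeguard in place), and the ranking of missing safeguards shows that access logging with separation of duties removes more residual risk than adding MFA to an already firewalled perimeter. The point of the exercise is the ordering, not the absolute numbers: the scoring bands are a convention the organization has to fix before the comparison means anything.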
Law & Economics of Risk Analysis
- The Micro-Economics Fundamentals define the Incentives to Invest & Innovate in Risk Reduction
  - Lack of incentive directly risks market loss
  - Security features are integral to products & services
- Liability for product or service failure
  - Defective design
  - Defects in manufacturing
  - Defective Packaging or Transit
  - Failure to warn
  - Malpractice
- Insufficient incentives for optimal security
Externalities
- Role of Externalities
  - Negative Externalities: not all costs are borne by the actor; at least some fall on others
  - Positive Externalities: not all benefits are enjoyed by the actor; at least some accrue to others
  - Free Riders almost always emerge when Externalities are Present
- Classic case I: Pollution Control Requirements
  - Polluters save on controls, society suffers (e.g., health, quality of life)
  - Environmentalism costs polluters but society benefits
  - Incentives: under-invest, hide activities, argue/lobby that costs are speculative, illusory or non-existent
  - Moral Hazard: person or organization does not bear the full adverse consequences of its actions
- Classic Case II: Workplace Safety Regulation
  - Safety under-investment costs borne by workers
- Classic Case III: Privacy
  - Security under-investment costs borne by individuals
Free Riders & Public Goods
- Free Riders illustrate market failure
  - Cause negative externalities or benefit from positive externalities
  - Do not internalize their costs or benefits
  - Essentially ride free (enjoy) others' investments & expenses
- Public Goods
  - Non-rival, under-produced by competitive markets
  - Producers risk free riders who they cannot effectively exclude from positive externalities
  - Producers under-invest w/o clear business model & return
  - EX: defense, law enforcement, justice system, property rights, public transport centers (wharves, airports, roads), fireworks, lighthouses, environmental quality, some information goods (e.g., software development, authorship, invention), public educ.
- How can you argue that Security is a public good?
- What public responses might improve security? CyberCrime Enforcement
Asymmetric Information Theory
- Transactors have unequal bargaining pwr
- Akerlof, George, The Market for Lemons: Quality Uncertainty & the Market Mechanism (1970)
- Two transacting parties do not have the same relevant information
- Classic Examples:
  - buyers know less than sellers about product quality
  - lenders know less about borrower's propensity to default
- Seller's incentive to pass off low quality goods as higher quality, hide defects
- Security performance generally unknown to customers
- Security Breach Notification laws: classic legislation correcting market failure (asymmetric info)
Adverse Selection
- Asymmetries Induce Adverse Selection
- Asymmetries lead to bad results when
  - Buyers purchase "bad" products or pay too much
  - Sellers select bad buyers or charge too little
- As adverse selection experience grows:
  - Buyers retreat, seek intermediaries (assistance, repairs), suffer higher opportunity costs
  - Sellers lose money, use intermediaries, even fail
- Sub-Optimal Signals
  - More bad sellers/buyers, fewer good products
  - Custodians & 3d P service providers untrustworthy
Moral Hazard
- Moral Hazard is a form of externality: Person or organization fails to bear full costs of actions, causing adverse selection
- EX: Smokers/parachutists/drunks hide their habit or activities when buying health/life ins
- EX: US vs. UK in re ATM & credit card fraud
  - US banks liable for card fraud, UK banks not
  - US banks invest more heavily to avoid losses
  - UK banks lazy & careless, suffer avalanche of fraud
  - Individuals s/could do more self-protection
Least Cost Provider
- Liability generally most justifiable for:
  - Party with greatest responsibility to analyze risk & safeguard safety, quality & security
  - Party w/ lowest cost of services
  - Party financially able to burden risk
- Economics urges Public Policy to incentivize least cost provider
- Who is info security's least cost provider? Individuals, ISP, s/w licensor, h/w supplier
Risk Analysis & Management Aspects of Standardization
- Standardization promises superior process design & best practice integration
  - Domain experts develop rather than meddlers
- Standards Reduce Risks of Variety
  - Incompatibility, Incompetence
- Conformity Assessment Analyzes Non-Compliance Risk, Provides Feedback
  - Incentivizes Compliance & Improvement
- However, Standardization Risks Stagnancy & Communicates Widespread Vulnerability
Standards ARE Important!
- Standards Impact Nearly All Fields
  - SDA Participants, Affected Parties, Int'l Orgs, Gov't Agencies, SROs, NGOs
- eCommerce & Internet largely dependent on Stds
  - EX: html, http, 802.11, x.25 packet switching …
- Stds Embody Considerable Innovation
  - SDA have Innovation Life Cycle Independent of Products/Services Compliant w/ Std
  - Std Innovation Occurs in Various Venues: inside innovating firms, inherent in many products, inside technical domain groups (trade assoc., professional societies, indus. consortia)
Why are Standards Important?
- Stds Increasingly an Emerging Source of Policy
  - Lessig's Code cited for IT trend: Public policy embedded in s/w, f/w, h/w & ICT stds
- Do SDA Approximate Traditional Policymaking?
  - Do SDA decrease public's consideration/deliberation?
  - Are SDA transparent?
  - Are stds' downstream impacts so embodied w/in code or technical compatibility details that they are obscured from public review?
- SDA Participants Use Non-Gov't Venues
  - Forum Shopping may be Widespread
  - Classic "Race to the Bottom"
Why are Standards Important?
- Stds are emerging from obscurity
  - More widely understood to impact most economic activity
  - Increasingly viewed less as technically objective matters; more as arbitrary choices from among near infinite alternatives
  - Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms who participate most effectively
Why Standards May Impact CyberSecurity Methods
- Stds Create CyberSpace: html, ftp, http, 802.11
- General Advantages of Standardization
  - Facilitates comparison, interoperability, competition
  - Attracts investment in compatible technologies, products & services
- General Disadvantages of Standardization
  - Lock in old/obsolete technology
  - Resists favorable evolution or adaptation
  - Favors particular groups & disfavors particular groups
  - Voluntary Consensus is really a Sub-optimal Compromise that Dictates too much Design