Friday, August 22, 2008

New School: How much should I spend to mitigate phishing?

I just finished reading The New School of Information Security by Adam Shostack and Andrew Stewart. I plan on writing a formal book review now that I've made it through the book, but I also wanted to get these thoughts down before they leave my head. In this entry I'm going to attempt to use New School thinking to analyze an event that happened just this week at my organization.

All summer long we've had phishing emails sent to our campus and they have pretty much bounced off our users with little effect. However, as the school year starts up, we have more people on campus, and a phishing message that was sent out this week was able to gather some credentials, and those credentials were used to send out spam from our servers.

I responded to the event in a very non-New-School way. I did what my gut said I should do and I stepped up user education efforts. Of course we blocked the affected account, and made some people reset their passwords, but I also had about 300 fliers printed up and distributed around campus reminding people that we don't ask for passwords over email. I've also initiated plans to make some updates to our web pages and automated emails that come out from our department.

Looking back on the whole thing (about two days later) I started trying to take a New School approach to the problem. One of the major ideas expressed in the book that I really agree with is that we need to be more open about events like this and share that information readily instead of keeping it to myself. So I typed up a detailed report and sent it off to my security contacts at other schools in the state.

But now I'd like to address how much money we should spend on mitigating phishing attacks in the future. This is where the objective data we don't have would come in. I don't know how many phishing emails have been sent to universities in the state in the last year. I don't know how many people have responded to the phishing emails, and I don't know how much cost this has imposed on our universities. So I'm not going to be able to answer the question. However, we can look at how the New School would suggest that we answer the question once enough data is present.

This week my school has received about 400 phishing email messages, which resulted in about an hour of work for IT staff, plus the time of the people who had to reset their passwords. I capitalize an hour of employee time at $50/hour, so each one of those phishing messages cost us about 12.5 cents ($50 / 400 messages). However, as I mentioned above, all summer long we were receiving these messages and only had one event. I think there is merit behind the idea that a university is more vulnerable when class is in session than when it is on break. During the summer break I estimate that we had about 2000 phish messages sent to our campus, and that resulted in another $50 worth of loss. So during the breaks a phish message costs us 2.5 cents. With that data we can come up with a Weighted Single Loss Expectancy: (.25)(2.5) + (.75)(12.5) = 10 cents. We can assume that throughout the year, each phish message that we get is going to cost us 10 cents. Therefore, if we receive 10,000 phish messages each year, our Annual Loss Expectancy is $1000.

So far this isn't very New School. This is right out of the CISSP Common Body of Knowledge. Here is where things diverge a little bit. One of the things mentioned in the book is a paper by Lawrence Gordon and Martin Loeb that describes how much we should be spending on Information Security. Their paper finds that we should spend somewhere between 25 and 37% of the expected loss on mitigation. So we should spend somewhere between $250 and $370 each year to reduce phishing. This runs counter to the conventional wisdom that says we should spend some amount of money less than $1000 to reduce phishing. One of the principles of Economics is that rational people think at the margin, and Gordon and Loeb point out that after 37% you have hit diminishing returns. In other words, an extra dollar spent on mitigation reduces loss by some number less than one dollar. In fact, if the resource being protected is not very vulnerable, then 37% is far too high. So we could say that it is worth $250/year to reduce phishing.

Now let's bring in my favorite finance concept, Net Present Value. Let's say that I put together a five year project to reduce phishing on campus. I want to spend $50 every year printing fliers. I also want to invest $500 of developer time right now into making changes to our web pages and automated email messages. Is that a good project? The PV of $250 paid each year for five years (5% discount rate) is $1,082.37. So if the PV of my project is less than that, then we're good. $550 in year one, plus $50 each in years 2 through 5 at 5% is $692.66. So it looks like my project is a good idea financially...Maybe.
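The arithmetic in the two paragraphs above (weighted SLE, ALE, the Gordon-Loeb 25-37% band, and the two present values) carried through in code. This is an added example, not something from the post or the book; the inputs are the post's own figures, and the end-of-year discounting convention is an assumption that happens to reproduce the post's $1,082.37 and $692.66.

```python
from typing import Dict, Iterable, List, Tuple

# Inputs constructed from the post's figures (example code, not the author's).
HOURLY_RATE = 50.0             # dollars per hour of IT staff time
IN_SESSION = (400, 1.0)        # (phish messages in one week of classes, staff hours spent)
ON_BREAK = (2000, 1.0)         # (phish messages over the summer break, staff hours spent)
SESSION_FRACTION = 0.75        # share of the year the campus is in session (assumed, as in the post)
PHISH_PER_YEAR = 10_000        # assumed annual rate of occurrence
GORDON_LOEB = (0.25, 0.37)     # spend 25% to 37% of expected loss, per the post's reading of the paper
DISCOUNT_RATE = 0.05


def cost_per_message(messages: int, hours: float, rate: float = HOURLY_RATE) -> float:
    """Single Loss Expectancy per phishing message, in dollars (only staff time is capitalized)."""
    return hours * rate / messages


def weighted_sle(scenarios: Iterable[Tuple[float, float]]) -> float:
    """Probability-weighted SLE over mutually exclusive scenarios: sum of p_i * cost_i."""
    scenarios = list(scenarios)
    if abs(sum(p for p, _ in scenarios) - 1.0) > 1e-9:
        raise ValueError("scenario weights must sum to 1")
    return sum(p * cost for p, cost in scenarios)


def present_value(cash_flows: List[float], rate: float) -> float:
    """PV of a series of cash flows, the first arriving at the end of year 1 (assumed convention)."""
    return sum(cf / (1 + rate) ** year for year, cf in enumerate(cash_flows, start=1))


def phishing_case() -> Dict[str, float]:
    sle_session = cost_per_message(*IN_SESSION)          # 0.125 -> 12.5 cents
    sle_break = cost_per_message(*ON_BREAK)              # 0.025 -> 2.5 cents
    sle = weighted_sle([(1 - SESSION_FRACTION, sle_break), (SESSION_FRACTION, sle_session)])
    ale = sle * PHISH_PER_YEAR                           # Annual Loss Expectancy
    spend_lo, spend_hi = (ale * f for f in GORDON_LOEB)  # Gordon-Loeb spending band
    # Spending the low end every year for five years versus the proposed project's cash flows.
    budget_pv = present_value([spend_lo] * 5, DISCOUNT_RATE)
    project_pv = present_value([500 + 50, 50, 50, 50, 50], DISCOUNT_RATE)
    return {
        "sle": sle, "ale": ale, "spend_lo": spend_lo, "spend_hi": spend_hi,
        "budget_pv": budget_pv, "project_pv": project_pv,
        "project_within_budget": project_pv <= budget_pv,
    }


if __name__ == "__main__":
    for key, value in phishing_case().items():
        print(f"{key:>22}: {value}")
```

Changing SESSION_FRACTION or the hours figure shows how sensitive the spending band is to the guesses the post admits it is making.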

There are a couple of things that we don't know. Sure we know how much I should spend, but we don't know what I should spend it on. My user education plan might be 10% effective compared to some unknown solution that is 80% effective. Obviously we would put money into the more effective form of mitigation. Another problem to consider (and this is one for the economists) is that the loss expectancy was based on what happened at my university. Well we have a spam firewall and we've already put money into user education, and some of the money spent on that is preventing phishing attacks from working. That money should come out of the $250 a year that we spend...unless an economist would consider that to be sunk cost. I'm not sure. Here is what we would need to answer the question of how much to spend on mitigating phishing positively...
  1. How many phishing emails were sent to undergraduate Universities in Minnesota in the last year?
  2. Is an undergraduate University in Minnesota statistically less vulnerable to phishing when it is on break, or is the difference simply because there are fewer people on campus? It is important to note the qualifiers here. A graduate university may have a more educated population that is less resistant to phishing. Also, the population in Minnesota may be more trusting of email than the population in New York.
  3. What are the actual losses suffered by these universities because of phishing?

I'm sure there are other variables to consider, but just these three above can give you a good idea of how far we are from where the authors would like us to be. It would take tremendous information sharing to find out the answer to numbers 1 & 3. It would take years of study to answer question 2. I have to tell you, I get so bogged down in the numbers and variables that I'm not even positive that my analysis above is any good. I'm sure that an expert in economics or finance might read this and say "what a dumbass!" I'm just hoping to be 85% right. I have a lot of learning yet to do.
