Working Paper
How Much Is Enough? A Risk-Management Approach to Computer Security
Kevin J. Soo Hoo
Consortium for Research on Information Security and Policy (CRISP)
CRISP is a research collaboration of the Center for International Security and Cooperation, the Institute for International Studies, and the School of Engineering, Stanford University.
June 2000
The opinions expressed here are those of the author and do not necessarily represent the positions of the Center, its supporters, or Stanford University.
© Copyright by Kevin J. Soo Hoo 2000
All Rights Reserved
 
Preface
The research for this working paper was sponsored in part by the Consortium for Research on Information Security and Policy (CRISP).

CRISP was created at Stanford University to develop a better analytical and policy understanding of national and international security problems relating to information technology. CRISP studies explore the technological, legal, organizational, and policy dimensions of these problems. The consortium includes university researchers from the Center for International Security and Cooperation and from two departments in the School of Engineering: the Department of Computer Science and the Department of Management Science and Engineering. CRISP works with companies involved in various areas of information technology, with network users and providers, and with parts of the federal government.

The specific projects undertaken by CRISP draw on the interests and knowledge of this community. The three main areas of work are a university/industry/government forum, technology and policy research, and international participation. CRISP’s main function is to provide a forum to continue and expand the dialogue among the main stakeholders in U.S. national information infrastructures (i.e., the infrastructure owners, the network technology industry, the major users, the federal government, and the research community). CRISP members will continue to assist in the process of developing common views among these interested organizations through analysis of the surrounding issues.

In the technology and policy area CRISP defines and conducts research projects on subjects that are important to understanding the vulnerability of information infrastructures, the barriers to solutions, and possible remedies. These projects investigate and analyze technical constraints on infrastructure protection and possible technological developments, international policy considerations in protecting infrastructure, and the effect of existing and proposed laws and regulations on the goal of securing infrastructure.

Information infrastructure security is a manifestly international problem since usage, and hence dependence, are becoming global. Cyber attacks can move easily across borders, and adequate remedies will require a high degree of interstate cooperation. CRISP will, through conferences and other forms of exchange, undertake to build an international constituency to address the problems of securing information infrastructures on a global basis.

As a product of the technology and policy research area, this paper examines the resource allocation dilemma facing every organization that uses information technology: How much security is enough? The answer is found by investigating the applicability and utility of risk-management tools and techniques to computer-security risks. The paper begins with a short history of computer security risk management, highlighting the challenges and successes that marked each generation of risk-management tools. Next, it gives a brief discussion of the state of publicly available computer security data with recommendations for how that state might be improved. Finally, the paper offers a demonstration of a decision-analysis-based approach for managing computer security risks that directly addresses many of the issues that stymied previous computer security risk-management efforts.

Because much of the information infrastructure is privately owned and operated, efforts to improve general infrastructure security must be mindful of the resource allocation predicament confronting individual firms and organizations. By understanding the economic pressures and incentives under which these actors formulate their individual security policies, public policymakers will be better able to formulate national initiatives that supplement and enhance existing private security efforts.

This working paper is a published version of Kevin J. Soo Hoo’s doctoral dissertation for the Department of Management Science and Engineering at Stanford University. For more information about CRISP and its activities, see its web page under research at http://cisac.stanford.edu.

Michael M. May, Senior Fellow
Institute for International Studies

Seymour E. Goodman, Director
Consortium for Research on Information Security and Policy
