Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Wednesday, May 26, 2010

Want Better Security? Reward Your Provider

Managed security contracts that reward providers for notifying their clients of breaches provide better security, according to a mathematical analysis conducted by three researchers at the University of Texas at Dallas and the Middle East Technical University.  The research, which will be presented at the Workshop on the Economics of Information Security (WEIS) 2010 next month, analyzed a common type of contract used today in which a provider assesses a fee for its managed security service, but refunds part of the fee—as a penalty—if there is a breach.  Using game-theory analysis, the researchers established that this commonly used contract model provides no incentive for the provider to notify its client of a breach.  Two other contract models, however, are more likely to provide incentives for better security, the researchers say.

Without a reward, “You are not providing any incentive for the managed security service provider to detect breaches,” says Asunur Cezar, the paper’s lead author and an instructor at the Middle East Technical University in Ankara, Turkey.  “It may be penalized after some investigation, but that does not necessarily act as an incentive.”

The research also found that, when penalties are limited in some way, the second variant—using one MSSP for monitoring and another for detection—provides better security.  The researchers pointed to court cases that limit penalties against service providers, concluding that such real-world limits mean having one provider essentially audit the other leads to the best performance.

The results of the study could be interesting academically, but they might not translate well to real-world MSSP contracts, says John Pescatore, vice president of analyst firm Gartner.  In the real world, service firms are providing a specific function, not blanket protection, so it is usually difficult to penalize the companies for a breach.  “The contract is to manage your firewalls or manage your firewalls, intrusion detection system, and antiviral—they are not saying, ‘Sign up with us, and we will protect you against all breaches,’” Pescatore says.

Posted on 05/26