
Determining an Economic Value of High Assurance for Commodity Software Security

Conference paper

Security Protocols XXVIII (Security Protocols 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14186)

Abstract

Security measures that attempt to prevent breaches of commodity software have not used high assurance methods and tools. Instead, rational defenders have risked incurring losses caused by breaches because the cost of recovery from a breach multiplied by the probability of that breach was lower than the cost of prevention by high assurance, e.g., by formal methods. This practice may change soon since breach-recovery costs have increased substantially while formal methods costs have decreased dramatically over the past decade.

We introduce the notion of selective high assurance and show that it is economically justified, as producers can easily recoup its cost even in very small commodity markets, and necessary for rational defenders to decrease their breach recovery costs below a chosen limit. However, these decreases depend on defenders’ risk aversion, which is difficult to assess since risk preferences cannot be anticipated. A challenge is to determine a lower bound on the economic value of selective high assurance independent of the defenders’ risk preferences; i.e., a value that depends only on the commodity software itself and the attacks it withstands. We propose an approach to determine such a value and illustrate it for SCION, a networking software system with provable security properties.


Notes

  1. CAGR stands for compound annual growth rate.

  2. Recent cost estimates range between 0.8% [2] and slightly over 1% [3] of global GDP.

  3. SLoC stands for Source Lines of Code.

  4. It is possible to select \(C_b(\text{verification}) > C_b(\text{recovery})\), e.g., using an average per-breach cost, and still satisfy the required condition for some defenders.

  5. A decade ago, the average recovery cost of a US company was already $8.9M [14].

  6. If \(C_b(\text{verification}) < C_b(\text{recovery})\), then \(\epsilon > 1/(mn) > C_b(\text{verification})/(C_b(\text{recovery}) \cdot mn)\).

  7. This scaling accounts for the lowest recovery_cost(breach) = $2.9M, which assumes that advanced AI methods and tools detect and recover from breaches. This is lower than the recovery cost per breach of $3.28M in mature zero-trust architectures [13].

  8. The 2017 NotPetya malware attack, which was attributed to Russia’s military intelligence agency in the conflict with Ukraine, was found not to be an “act of war” when deployed against the Merck pharmaceutical company, causing a $1.4B liability for Merck’s insurers [26].

  9. This difference reflects the behavioral-economics [16] separation between increased beliefs of trustworthiness (e.g., obtained by assurance of security properties) and decreased betrayal aversion (e.g., obtained by attack-deterrence measures) [17].

  10. The earliest high-assurance method and automated tool for analyzing penetration-resistance properties were used on C language programs of the Trusted Xenix (https://en.wikipedia.org/wiki/Xenix) kernel and system processes [29, 30].

  11. The US vulnerability database (see https://nvd.nist.gov/general/nvd-dashboard and https://cve.mitre.org/cve/identifiers/) currently contains over 200,000 CVEs.
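To make the break-even reasoning of the abstract and of note 6 concrete, here is an added example (not code from the paper) that uses the page's symbols \(C_b(\text{verification})\), \(C_b(\text{recovery})\), \(m\), \(n\) and \(\epsilon\). It assumes, as our reading of note 6, that the producer's verification cost is spread over m·n defenders who each avoid a fraction ε of their recovery cost; apart from the $2.9M recovery cost taken from note 7, every dollar figure, probability and growth rate is a constructed assumption.

```python
"""Break-even model for selective high assurance (added example).

Symbols follow the paper: C_b(verification) is the producer's cost of
verifying a component against breach class b, C_b(recovery) is a
defender's cost of recovering from such a breach, and the verification
cost is assumed to be recouped from m*n defenders who each avoid a
fraction eps of their recovery cost (assumption, not stated on the page).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BreachEconomics:
    c_verification: float  # C_b(verification), USD
    c_recovery: float      # C_b(recovery), USD per breach
    m: int                 # e.g. number of markets (assumed meaning)
    n: int                 # e.g. defenders per market (assumed meaning)

    def eps_lower_bound(self) -> float:
        """Smallest eps at which m*n defenders, each avoiding eps of
        C_b(recovery), pay back C_b(verification) in full."""
        return self.c_verification / (self.c_recovery * self.m * self.n)

    def one_over_mn_suffices(self) -> bool:
        """Note 6: when C_b(verification) < C_b(recovery), eps > 1/(mn)
        already exceeds the bound above, so the cost is recouped."""
        return (self.c_verification < self.c_recovery
                and 1 / (self.m * self.n) > self.eps_lower_bound())


def years_until_prevention_pays(p_breach: float, c_recovery: float,
                                c_prevention: float, recovery_cagr: float,
                                prevention_cagr: float,
                                horizon: int = 50) -> Optional[int]:
    """Abstract: a rational defender prevents only when
    p * C(recovery) exceeds C(prevention). Growing recovery costs and
    shrinking formal-methods costs (a negative prevention_cagr) flip the
    comparison; return the first year t (0 = now) where that happens, or
    None if it does not happen within the horizon."""
    for t in range(horizon + 1):
        expected_loss = p_breach * c_recovery * (1 + recovery_cagr) ** t
        prevention = c_prevention * (1 + prevention_cagr) ** t
        if expected_loss > prevention:
            return t
    return None


if __name__ == "__main__":
    # Constructed inputs: $2.9M recovery cost from note 7, the rest assumed.
    econ = BreachEconomics(2_000_000, 2_900_000, m=10, n=5)
    print(econ.eps_lower_bound(), econ.one_over_mn_suffices())
    print(years_until_prevention_pays(0.3, 2_900_000, 2_000_000, 0.10, -0.15))
```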

References

  1. Common Criteria. Evaluation Assurance Levels (EALs). https://en.wikipedia.org/wiki/Evaluation_Assurance_Level

  2. Finances Online. 119 Impressive Cybersecurity Statistics: 2021/2022 Data & Market Analysis, Cybermarket Statistics. https://financesonline.com/cybersecurity-statistics/

  3. Smith, Z.M., Lostri, E., Lewis, J.A.: The Hidden Costs of Cybercrime. McAfee Report for Center for Strategic and International Studies (2020). https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf

  4. Klein, G., et al.: Comprehensive formal verification of an OS microkernel. ACM Trans. Comput. Syst. 32(1), 1–70 (2014)

  5. Hawblitzel, C., et al.: Ironclad apps: end-to-end security via automated full-system verification. In: Proceedings of USENIX OSDI, pp. 165–181 (2014)

  6. Protzenko, J., et al.: EverCrypt: a fast, verified, cross-platform cryptographic provider. In: Proceedings of the IEEE Symposium on Security and Privacy (2020)

  7. Yu, M., Gligor, V., Jia, L.: An I/O separation model for formal verification of kernel implementations. In: Proceedings of the IEEE Symposium on Security and Privacy (2021)

  8. Gligor, V.: Security limitations of virtualization and how to overcome them (transcript of discussion). In: Christianson, B., Malcolm, J. (eds.) Security Protocols 2010. LNCS, vol. 7061, pp. 252–265. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45921-8_35

  9. Lampson, B.W.: Software components: only the giants survive. In: Spark-Jones, K., Herbert, A. (eds.) Computer Systems: Theory, Technology, and Applications, Chapter 20, vol. 9, pp. 137–146. Springer, New York (2004). https://doi.org/10.1007/0-387-21821-1_21

  10. Lampson, B.W.: Computer security in the real world. In: Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC 2000), IEEE Computer, vol. 37, pp. 37–46 (2004). https://www.acsac.org/2000/papers/lampson.pdf

  11. Lampson, B.W.: Usable security: how to get it. Commun. ACM 52(11), 25–27 (2009)

  12. Finances Online. 119 Impressive Cybersecurity Statistics: 2021/2022 Data & Market Analysis, Cybermarket Statistics. https://financesonline.com/cybersecurity-statistics/

  13. IBM Corporation and Ponemon Institute. Cost of a Data Breach Report 2021–2022. https://www.ibm.com/security/data-breach

  14. HP Enterprise Security and Ponemon Institute. 2012 Cost of Cyber Crime Study: United States. https://www.ponemon.org/local/upload/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf

  15. Gligor, V.: Dancing with the adversary: a tale of wimps and giants (transcript of discussion). In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds.) Security Protocols 2014. LNCS, vol. 8809, pp. 116–129. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12400-1_12

  16. Fehr, E.: The economics and biology of trust. J. Eur. Econ. Assoc. 7 (2009)

  17. Gligor, V., Wing, J.M.: Towards a theory of trust in networks of humans and computers. In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 223–242. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25867-1_22

  18. VentureBeat Staff. Report: US businesses experience 42 cyberattacks per year (2022). https://venturebeat.com/security/report-u-s-businesses-experience-42-cyberattacks-per-year/

  19. National Security Agency. Embracing a Zero Trust Security Model (2021). https://media.defense.gov/2021/Feb/25/2002588479/1/1/0CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF

  20. Future Market Insights. Cybersecurity Insurance Market Snapshot (2022–2032). https://www.futuremarketinsights.com/reports/cybersecurity-insurance-market

  21. Mak, A.: Cyber Insurance Cost by Industry. AdvisorSmith (2021). https://advisorsmith.com/business-insurance/cyber-liability-insurance/cost-by-industry/

  22. NAIC Staff. Report on the Cyber Insurance Market, Memorandum (2022). https://content.naic.org/sites/default/files/cmte-c-cyber-supplement-report-2022-for-data-year-2021.pdf

  23. Rezilion and Ponemon Institute. The State of Vulnerability Management in DevSecOps (2022). https://www.rezilion.com/wp-content/uploads/2022/09/Ponemon-Rezilion-Report-Final.pdf

  24. Keary, T.: Vulnerability management: Most orgs have a backlog of 100K vulnerabilities. In: VentureBeat (2022). https://venturebeat.com/security/vulnerability-management-most-orgs-have-a-backlog-of-100k-vulnerabilities

  25. Torres, R.: Enterprise App Sprawl with most apps outside IT control. In: CIO Dive (2021). https://www.ciodive.com/news/app-sprawl-saas-data-shadow-it-productiv/606872/

  26. Vittorio, A.: Merck’s $1.4 Billion Insurance Win Splits Cyber From “Act of War”. In: Bloomberg Law (2022). https://news.bloomberglaw.com/privacy-and-data-security/mercks-1-4-billion-insurance-win-splits-cyber-from-act-of-war

  27. Yehezkel, S.: The cost of cybersecurity insurance is soaring, and state-backed attacks will be harder to cover. It’s time for companies to take threats more seriously. In: Fortune (2023). https://fortune.com/2023/02/15/cost-cybersecurity-insurance-soaring-state-backed-attacks-cover-shmulik-yehezkel/

  28. Joyce, R.: Disrupting Nation State Hackers. Invited Keynote at USENIX Enigma Conference (2016). https://www.youtube.com/watch?v=bDJb8WOJYdA

  29. Gupta, S., Gligor, V.D.: Towards a theory of penetration-resistant computer systems. J. Comput. Secur. 1(2), 133–158 (1992) (also in Proceedings of 4th IEEE Computer Security Foundations Workshop, Franconia, New Hampshire, pp. 62–78 (1991)). https://content.iospress.com/articles/journal-of-computer-security/jcs1-2-02

  30. Gupta, S., Gligor, V.D.: Experience with a penetration analysis method and tool. In: Proceedings of the 15th National Computer Security Conference, Baltimore, pp. 165–183 (1992). https://csrc.nist.rip/publications/history/nissc/1992-15th-NCSC-proceedings-vol-1.pdf

  31. Cook, B.: Formal reasoning about the security of Amazon web services. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 38–47. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96145-3_3

  32. Backes, J., et al.: One-click formal methods. IEEE Software 36(6), 61–65 (2019). https://doi.org/10.1109/MS.2019.2930609

  33. Chuat, L., et al.: The Complete Guide to SCION: From Design Principles to Formal Verification. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-05288-0

  34. Gligor, V.D.: Zero Trust in Zero Trust? CMU CyLab Technical Report 22–002 December 17 (2022). https://www.cylab.cmu.edu/_files/pdfs/tech_reports/CMUCyLab22002.pdf

  35. Bradley, T.: Shifting cybersecurity to a prevention-first mindset. In: Forbes (2023). https://www.forbes.com/sites/tonybradley/2023/03/26/shifting-cybersecurity-to-a-prevention-first-mindset/?sh=209bbc4359cc

Acknowledgment

Mads Dam, Kevin Foltz, Rick Kuhn, Bryan Parno, and Frank Stajano provided helpful comments on earlier drafts of this paper. We gratefully acknowledge support for this project from the Werner Siemens Stiftung (WSS) Centre for Cyber Trust at ETH Zurich and CyLab at Carnegie Mellon University.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Gligor, V., Perrig, A., Basin, D. (2023). Determining an Economic Value of High Assurance for Commodity Software Security. In: Stajano, F., Matyáš, V., Christianson, B., Anderson, J. (eds) Security Protocols XXVIII. Security Protocols 2023. Lecture Notes in Computer Science, vol 14186. Springer, Cham. https://doi.org/10.1007/978-3-031-43033-6_23

  • DOI: https://doi.org/10.1007/978-3-031-43033-6_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-43032-9

  • Online ISBN: 978-3-031-43033-6
