Research on Security and Identity Management (by Marco Casassa Mont) : Economics of Identity Management

The Economics of Identity and Access Management (IAM)

marcocasassamont — Fri, 20 Mar 2009 17:33:00 GMT

What are the Economics of Identity and Access Management (IAM)? This is a key area that needs to be explored, to really understand, from an economic perspective, the actual value that IAM provides to organizations based on its impact on aspects of relevance to decision makers (such as loss prevention and risk mitigation) and the threat landscape.

A few core aspects need to be researched:

1) What are the key "aspects/metrics" that characterize the impact of IAM investments on an enterprise, for example in terms of preventing/reducing losses? In a first analysis important "macro" aspects include: security breaches (B), productivity loss (P), compliance violations (C) and costs (K)...

2) How do these aspects/metrics relate to the basic IAM "levers" that decision makers (e.g. CIO/CISO/Risk Managers) can act on i.e. configuration, enforcement and audit reporting tools (compliance checking tools)? We need to capture the relevant causal dependencies, for example: what are the consequences and the impact of investing more on audit/compliance checking, rather than in configuration or enforcement? What are the consequences of acting on enforcement in terms of productivity and costs?

3) Which utility functions, U(B,P,C,K) can effectively model the impact of IAM (e.g. in terms of losses) on security breaches, productivity loss, compliance violations and costs by factoring in the investments in the "configuration, enforcement and audit" levers?

4) How to effectively use systems modeling to estimate these utility functions, by animating the causal dependencies and inter-relationships among these "levers" and their impact on metrics, inclusive of assumptions on the threat landscape?

So far I found very little literature and related work in this space - I would be keen to get any reference or link, if available.

I am going to pursue research in this space, in the context of the Identity Analytics activity (HP Labs Security Analytics project, Systems Security Lab), as I believe this (as for the Economics of Privacy and the Economics of Information Security) can:

- provide a more rational way to describe and analyse the impact and value that IAM actually offers to organizations;

- provide key decision makers with a decision support tool that operates at their level of abstraction.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

Economics of Identity Management & Risk-driven Identity Management

marcocasassamont — Tue, 06 Jan 2009 22:25:00 GMT

Kim Cameron's post called "The economics of vulnerabilities ...", highlights a few key points made in Gunnar Peterson's notes about the importance - when making security decisions - of keeping into account the (1) assets at stake in an organization and (2) their value.

Specifically, I found the following point very interesting:

"... If you are like most business you will find that you spend most on Network, then Host, then Applications, then Data. Congratulations, Information Security, you are diametrically opposed to the business!".

I tend to agree that quite often decisions and investments made in the security space are not really driven by risk management and/or "value-at-risk" criteria.

This is also true in the Identity Management (IdM) space. Quite often the starting point, when making investment decisions in this field, is purely on IdM functionalities and the "general" added-value that they could provide to a business: it would help coupling this with the analysis of the actual business assets at stake, to be protected (business processes and services, information, etc.), their values, the involved threats and related risks.

As previously mentioned in my blog, I believe that we should start discussing about the "Economics of Identity Management", in the wider context of "Economics of Information Security" ...

In the medium/long run, what are the consequences (in terms of costs, risk exposure, usability, agility, reputation loss, etc.) of decisions made in the space of identity management, given the context and the involved assets? What are the feasible trade-offs and available options? Which key factors are truly relevant and need to be kept into account to make informed decisions?

So far, I have found no major discussions about the "Economics of Identity Management" and the above points. I am very keen in getting your input, observations and links.

In the context of the Identity Analytics R&D project, I am indeed interested in researching and exploring this area.

--- Posted by Marco Casassa Mont (here and here) ---

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

On Identity Analytics: New HP Labs Technical Report

marcocasassamont — Wed, 09 Jul 2008 09:35:00 GMT

This community might be interested to a new HPL Technical Report, just released, titled "On Identity Analytics: Setting the Context" (authors: Marco Casassa Mont, Adrian Baldwin, Simon Shiu).

This report reflects R&D work we are doing at HP Labs, Systems Security Lab. I am very keen in getting your views and input. The abstract of this technical report follows:

"This paper aims at setting the context for "Identity Analytics" within enterprises and paving the path towards new R&D opportunities. In our vision, Identity Analytics is about explaining and predicting the impact of identity and identity management (along with other related aspects, such as users' behaviours) on key factors of relevance to decision makers (e.g. CIOs, CISOs), in complex enterprise scenarios - based on their initial assumptions and investment decisions.

Ultimately the goal is to provide rigorous techniques to help decision makers gain a better understanding of the investment trade-offs within the identity space (e.g. investing in technologies vs. changing processes vs. investing in users' education, etc.). This means providing "decision support" and "what-if analysis" capabilities to decision makers enabling them to explore these investment trade-offs, formulate new policies and/or justify existing ones. Our vision of "Identity Analytics" is introduced and discussed, along with the methodology that we intend to adopt.

There are many research opportunities and challenges in this space: we believe that a scientific approach is required, involving the usage of modelling and simulation techniques, coupled with the understanding of involved technologies and processes, human behaviours and economic aspects. To ground some of the concepts discussed in this paper, we provide an illustration of Identity Analytics focusing on emerging "web 2.0 enterprise collaborative data sharing", where unstructured information is created, stored and shared by people in collaborative contexts, within and across organisations. We demonstrate how trade-offs can be explored using the modelling approach hence allowing decision makers to explore the different impacts of policy choices."

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---

WEIS 2008 and “Economics of Identity Management”

marcocasassamont — Tue, 10 Jun 2008 21:47:00 GMT

R&D papers and work presented at the Workshops on Economics of Information Security (WEIS) discuss and explore how economic theory and economic analysis can be successfully applied to information security, instead of focusing just on the traditional technology-driven approaches.

What are the “Economics of Identity Management”? Something I believe it would be worth exploring too, with a scientific approach.

The 7^th workshop on Economics of Information Security - WEIS 2008 is going to take place in Hanover, HN, June 25-28, 2008:

“Information security requires not only technology, but a clear understanding of risks, decision-making behaviors and metrics for evaluating business and policy options. How much should we spend on security? What incentives really drive privacy decisions? What are the trade-offs that individuals, firms, and governments face when allocating resources to protect data assets? Are there good ways to distribute risks and align goals when securing information systems?

The 2008 Workshop on the Economics of Information Security, the seventh workshop, will build on a strong and growing interdisciplinary tradition, bringing together information technology academics and practitioners with social scientists and business and legal scholars to better understand security and privacy threats. Until recently, research in security and dependability focused almost exclusively on technical factors, rather than incentives. However, we know that economic, behavioral, and legal factors often contribute as much as technology to the dependability of information and information systems. The application of economic analysis to these problems has proven to be an exciting and fruitful area of research.”

Most of the above points also apply to the “Identity Management” field. An opportunity to contribute.

--- NOTE: use this mirror blog if you prefer posting on an external blog site ---