transactions, banks in these locations have an incentive to minimise the loss to the
consumer. Perversely, this can incentivise the consumer against adequately securing
their system. If the consumer expects to lose a maximum of $L_{iy}$ (which is set at $50 for
credit card transaction fraud in Australia) for any given incident $i$, where the total
expected damage is defined as:

$$D_y = \sum_{i=1}^{n} L_{iy}, \qquad D_x = \sum_{i=1}^{n} L_{ix} \tag{2}$$
The expected annual number of incidents per consumer $n$ can be calculated as the
total number of incidents that have occurred divided by the total number of consumers
of a class (i.e. the total pool of credit card users):

$$E(n) = \frac{\#\,\text{incidents}}{\#\,\text{consumers}} \tag{3}$$
Setting $C_{Ty}$ as the total cost to the consumer of implementing controls, if the
expected total loss to the consumer $D_y < C_{Ty}$, it is doubtful that the consumer will pay
for additional protection. For instance, if a high-end HIDS and anti-malware product
costs $C_{Ty} = \$225$, and the consumer experiences $n = 4$ incidents in a usual year, the
expected damage is

$$D_y = \sum_{i=1}^{n} L_{iy} = 4 \times \$50 = \$200.$$

As $D_y < C_{Ty}$, it is not in the interest of the consumer to adequately protect their
system. The user of a system that requires more security than the mean level of control
provided by a vendor can implement increased security controls on their system, but this
would either require that the consumer experience other measurable losses or that
$D_y > C_{Ty}$ for this consumer.
Here we see that the anti-fraud efforts by banks and credit card companies create a
negative incentive for consumers. The loss to the vendor $L_{ix}$ currently averages $237
[1] for each lost set of credentials. The result is that it is in the interest of the financial
company to provide the consumer with a compensating control. Holding the consumer
liable if they had failed to use the enhanced security controls would result in
$D_y > C_{Ty}$ and hence an incentive for the consumer to protect their system.
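The incentive comparison above, worked through as an added example that is not from the paper: a small Python model evaluates equations (2) and (3) with the figures quoted in the text ($50 cap, $237 vendor loss, $225 control cost, n = 4) under both liability regimes. The assumption that a consumer who is held liable bears the vendor's average $237 loss per incident is mine, not the paper's.

```python
from dataclasses import dataclass
from typing import List, Optional


def expected_incidents(incidents: int, consumers: int) -> float:
    """E(n) from eq. (3): incidents observed in a class / size of that class."""
    if consumers <= 0:
        raise ValueError("consumer pool must be positive")
    return incidents / consumers


def expected_damage(per_incident_losses: List[float]) -> float:
    """D_y (or D_x) from eq. (2): the sum of per-incident losses L_iy (or L_ix)."""
    return sum(per_incident_losses)


@dataclass(frozen=True)
class LiabilityRegime:
    name: str
    consumer_cap: Optional[float]  # max loss per incident the consumer bears; None = uncapped
    vendor_loss: float             # L_ix: the vendor's average loss per lost set of credentials

    def consumer_loss_per_incident(self) -> float:
        # Assumption (not stated in the paper): a consumer who is held liable
        # bears the whole per-incident loss, i.e. L_iy rises to L_ix.
        if self.consumer_cap is None:
            return self.vendor_loss
        return min(self.consumer_cap, self.vendor_loss)


def consumer_has_incentive(regime: LiabilityRegime, n: int, control_cost: float):
    """Return (D_y > C_Ty, D_y): the consumer only rationally buys controls when
    the expected loss D_y exceeds the control cost C_Ty."""
    d_y = expected_damage([regime.consumer_loss_per_incident()] * n)
    return d_y > control_cost, d_y


# Figures quoted in the text: $50 cap, $237 vendor loss, $225 HIDS/anti-malware cost, n = 4
CAPPED = LiabilityRegime("capped at $50", consumer_cap=50.0, vendor_loss=237.0)
LIABLE = LiabilityRegime("liable if controls unused", consumer_cap=None, vendor_loss=237.0)
CONTROL_COST = 225.0

if __name__ == "__main__":
    for regime in (CAPPED, LIABLE):
        invests, d_y = consumer_has_incentive(regime, n=4, control_cost=CONTROL_COST)
        print(f"{regime.name}: D_y = ${d_y:.0f}, C_Ty = ${CONTROL_COST:.0f} -> "
              f"{'invests' if invests else 'does not invest'}")
    # vendor side of eq. (2) for the same four incidents
    print(f"vendor D_x = ${expected_damage([237.0] * 4):.0f}")
```

Under the $50 cap the consumer's expected loss stays below the control cost, so the model reports no incentive; shifting liability flips the comparison.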
Capital invested by the consumer in securing their system has a greater marginal effect
than that of the producer in the case of an organisation such as Microsoft. A consumer
can purchase HIDS and host firewall software for less than it would cost Microsoft to
perfect their software through formal verification and hence remove more bugs.
The expected damage is $E(\text{Damage})_i = P(x_{ai}) \cdot D_{Tot}$, that is, the expected damage is equal to
the probability of a breach times the amount of damage suffered in a breach. This can be
expressed as a function for each user or as a total cost function for all users,
. Here we can clearly see that the total amount of damage is a function of not only the
producer, but also the consumer. The optimal solution is to find a point that minimises
the total costs. This is the expected damage as a loss function plus the costs of preventing
a compromise or other loss. The damage can also be expressed as a function of both the
producer and consumer (user) costs,

$$E(\text{Damage})_i = P(x_{ai}) \cdot D_{Tot}$$