Article: How Bad is it? – A Branching Activity Model to Estimate the Impact of Information Security Breaches

Russell Cameron Thomas
George Mason University – Department of Computational Social Science

Marcin Antkiewicz
Qualys, Inc.

Patrick Florer
Risk Centric Security, Inc.

Suzanne Widup
Verizon Communications Inc., Verizon RISK Team

Matthew Woodyard
Zions Bancorporation

March 11, 2013


This paper proposes an analysis framework and model for estimating the impact of information security breach episodes. Previous methods either lack empirical grounding or are not sufficiently rigorous, general or flexible. There has also been no consistent model that serves theoretical and empirical research, and also professional practice. The proposed framework adopts an ex ante decision frame consistent with rational economic decision-making, and measures breach consequences via the anticipated costs of recovery and restoration by all affected stakeholders. The proposed branching activity model is an event tree whose structure and branching conditions can be estimated using probabilistic inference from evidence – ‘Indicators of Impact.’ This approach can facilitate reliable model estimation when evidence is imperfect, incomplete, ambiguous, or contradictory. The proposed method should be especially useful for modeling consequences that extend beyond the breached organization, including cascading consequences in critical infrastructures. Monte Carlo methods can be used to estimate the distribution aggregate measures of impact such as total cost. Non-economic aggregate measures of impact can also be estimated. The feasibility of the proposed framework and model is demonstrated through case studies of several publicly disclosed breach episodes.

You can download the full article from SSRN.

Via The New School of Information Security

About the author: Dissent

Comments are closed.