Abstract
Systems security is essential for the efficient operation of all organizations. Indeed, most large firms employ a designated ‘Chief Information Security Officer’ to coordinate the operational aspects of the organization’s information security. Part of this role is planning investment responses to information security threats against the firm’s corporate network infrastructure. To this end, we develop and estimate a vector equation system of threats to 10 important IP services, using industry-standard SANS data on threats to various components of a firm’s information system over the period January 2003 – February 2011. Our results reveal strong evidence of contagion between such attacks: attacks on ssh and Secure Web Server signal increased attack activity on other ports. Security managers who ignore such contagious inter-relationships may underestimate the underlying risk to the security attributes of their systems, such as sensitivity and criticality, and thus delay appropriate information security investments.
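The contagion the abstract describes is the cross-excitation term of a mutually exciting point process (Hawkes, 1971): an attack on one port raises, for a while, the arrival rate of attacks on another. The following is an added illustration and is not code from the paper; it does not reproduce the authors' estimator for Equations (17)–(19). It simulates two attack streams with an exponential Hawkes kernel and then applies a simple empirical contagion check. The stream labels "ssh" and "https", the baseline rates, the kernel decay, the cross-excitation value and the one-unit window are all assumed for the demonstration.

```python
import bisect
import math
import random


def simulate_hawkes(mu, alpha, beta, horizon, seed=0):
    """Simulate a multivariate Hawkes process with exponential kernels by
    Ogata's thinning algorithm.

    Intensity of stream i at time t:
        lambda_i(t) = mu[i] + sum_j alpha[i][j] * sum_{t_k in stream j, t_k < t} exp(-beta (t - t_k))
    alpha[i][j] is the jump in stream i's intensity caused by one event in
    stream j, so the off-diagonal entries are the cross-excitation (contagion)
    terms. All alpha entries must be non-negative for the thinning bound used here.
    Returns one sorted list of event times per stream.
    """
    rng = random.Random(seed)
    d = len(mu)
    events = [[] for _ in range(d)]
    excitation = [0.0] * d  # the decaying sum above, per stream, at the current time
    t = 0.0
    while True:
        # Between events every intensity only decays, so the current total bounds it.
        lam_star = sum(mu) + sum(excitation)
        t_candidate = t + rng.expovariate(lam_star)
        if t_candidate > horizon:
            break
        decay = math.exp(-beta * (t_candidate - t))
        excitation = [e * decay for e in excitation]
        t = t_candidate
        lam_now = [mu[i] + excitation[i] for i in range(d)]
        # Thinning: accept the candidate into stream i with probability lam_now[i] / lam_star.
        u = rng.random() * lam_star
        cumulative = 0.0
        for i in range(d):
            cumulative += lam_now[i]
            if u < cumulative:
                events[i].append(t)
                for k in range(d):  # an event in stream i excites every stream k
                    excitation[k] += alpha[k][i]
                break
    return events


def excitation_ratio(source, target, window, horizon):
    """Empirical contagion check: mean number of target events within `window`
    after each source event, divided by the count the target's average rate
    alone would give. About 1 means source events say nothing about the
    target; clearly above 1 means the target bursts after source events."""
    usable = [s for s in source if s + window <= horizon]  # drop windows cut by the horizon
    if not usable:
        raise ValueError("no source event with a complete window before the horizon")
    followed = 0
    for s in usable:
        lo = bisect.bisect_right(target, s)           # first target event strictly after s
        hi = bisect.bisect_right(target, s + window)  # target events up to s + window
        followed += hi - lo
    observed = followed / len(usable)
    expected = len(target) / horizon * window
    return observed / expected


def contagion_demo(seed=7):
    """Two attack streams (labelled 'ssh' and 'https' for illustration) under
    assumed parameters: once with ssh -> https cross-excitation, once without."""
    horizon = 4000.0
    mu = [0.4, 0.4]   # baseline attack rates (assumed, arbitrary time unit)
    beta = 1.0        # decay rate of the excitation kernel (assumed)
    # alpha[i][j]: jump in stream i after an event in stream j. The spectral
    # radius of alpha / beta is 0.3 < 1, so both systems are stationary.
    with_contagion = [[0.3, 0.0],
                      [0.5, 0.3]]   # alpha[1][0] = 0.5: an ssh attack excites the https stream
    without_contagion = [[0.3, 0.0],
                         [0.0, 0.3]]
    ssh, https = simulate_hawkes(mu, with_contagion, beta, horizon, seed)
    ssh0, https0 = simulate_hawkes(mu, without_contagion, beta, horizon, seed)
    return {
        "ratio_with_contagion": excitation_ratio(ssh, https, 1.0, horizon),
        "ratio_without_contagion": excitation_ratio(ssh0, https0, 1.0, horizon),
    }


if __name__ == "__main__":
    for name, value in contagion_demo().items():
        print(f"{name}: {value:.2f}")
```

The ratio is a diagnostic, not an estimator: it only tells a security manager whether a port's attack stream clusters after another port's attacks, which is exactly the relationship that a per-port risk model treating the streams as independent would miss. With the assumed parameters the contagious system gives a ratio well above 1 and the independent system a ratio near 1.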
![Figure 1](http://media.springernature.com/m312/springer-static/image/art%3A10.1057%2Fjors.2016.37/MediaObjects/41274_2016_178_Fig1_HTML.gif)
![Figure 2](http://media.springernature.com/m312/springer-static/image/art%3A10.1057%2Fjors.2016.37/MediaObjects/41274_2016_178_Fig2_HTML.gif)
![Figure 3](http://media.springernature.com/m312/springer-static/image/art%3A10.1057%2Fjors.2016.37/MediaObjects/41274_2016_178_Fig3_HTML.gif)
![Figure 4](http://media.springernature.com/m312/springer-static/image/art%3A10.1057%2Fjors.2016.37/MediaObjects/41274_2016_178_Fig4_HTML.gif)
![Figure 5](http://media.springernature.com/m312/springer-static/image/art%3A10.1057%2Fjors.2016.37/MediaObjects/41274_2016_178_Fig5_HTML.gif)
Notes
Port scanning is a technique whereby an attacker probes the network ports of a host, the entry points to its services, to learn which ones accept connections. Early port scanning simply looked for open ports through which to reach part of the network; modern scanners also identify the software and version listening behind each open port, so that out-of-date services with known weaknesses can be singled out for exploitation.
In general, G(τ) need not be positive semi-definite, because of possible asymmetric responses in the intensity process. When G(τ) is positive semi-definite, its eigenvectors are the weights of a set of orthogonal processes that are interpretable as principal components.
The data, routines, and all the pivotal statistics for the parameter estimates are available from the authors’ webpage.
References
Aït-Sahalia Y, Cacho-Diaz J and Laeven RJ (2015). Modeling financial contagion using mutually exciting jump processes. Journal of Financial Economics 117 (3): 585–606.
Bachrach Y, Draief M and Goyal S (2011). Security games with contagion. Manuscript, 2011: http://www.econ.cam.ac.uk/faculty/goyal/wp11/securitygames17.pdf.
Barndorff-Nielsen OE, Hansen PR, Lunde A and Shephard N (2011). Multivariate realised kernels: Consistent positive semi-definite estimators of the covariation of equity prices with noise and non-synchronous trading. Journal of Econometrics 162 (2): 149–169.
Billingsley P (1995). Probability and Measure. John Wiley & Sons: New Jersey, USA.
Böhme R and Kataria G (2006a). A closer look at attack clustering. In: Schecter S (ed). Proceedings of the I3P Workshop on the Economics of Securing the Information Infrastructure, Washington DC, http://wesii.econinfosec.org/workshop/; http://wesii.econinfosec.org/draft.php?paper_id=35.
Böhme R and Kataria G (2006b). Models and measures for correlation in cyber-insurance. In: Anderson R (ed). Proceedings of the Fifth Workshop on the Economics of Information Security (WEIS 2006), Robinson College, University of Cambridge, http://weis2006.econinfosec.org; http://weis2006.econinfosec.org/docs/16.pdf.
Böhme R and Schwartz G (2010). Modeling cyber-insurance: Towards a unifying framework. In: Moore T (ed). Proceedings of the Ninth Workshop on the Economics of Information Security (WEIS 2010), Harvard, http://weis2010.econinfosec.org; http://weis2010.econinfosec.org/papers/session5/weis2010_boehme.pdf.
Grossklags J, Christin N and Chuang J (2008). Security investment (failures) in five economic environments: A comparison of homogeneous and heterogeneous user agents. In: Proceedings (online) of the Seventh Workshop on the Economics of Information Security (WEIS), Hanover, NH.
Hawkes A (1970). Bunching in a semi-Markov process. Journal of Applied Probability 7: 175–182.
Hawkes A (1971a). Point spectra of some mutually exciting point processes. Journal of the Royal Statistical Society, Series B 33: 438–443.
Hawkes A (1971b). Spectra of some self-exciting and mutually exciting point processes. Biometrika 58: 83–90.
Hull JC (2006). Options, Futures and Other Derivatives. Prentice-Hall: London.
Ioannidis C, Pym D and Williams J (2009). Investments and trade-offs in the economics of information security. In: Dingledine R and Golle P (eds). Proceedings of Financial Cryptography and Data Security '09, Volume 5628 of LNCS, pp 148–166. Springer: Berlin, Heidelberg, New York.
Ioannidis C, Pym D and Williams J (2012a). Fixed costs, investment rigidities, and risk aversion in information security: A utility-theoretic approach. In: Schneier B (ed). Economics of Security and Privacy III. Springer, pp 171–192.
Ioannidis C, Pym D and Williams J (2012b). Information security trade-offs and optimal patching policies. European Journal of Operational Research 216 (2): 434–444.
Lelarge M (2009). Economics of malware: Epidemic risks model, network externalities and incentives. In: 47th Annual Allerton Conference on Communication, Control, and Computing (Allerton 2009), pp 1353–1360. IEEE.
Lelarge M and Bolot J (2008). Network externalities and the deployment of security features and protocols in the internet. ACM SIGMETRICS Performance Evaluation Review 36 (1): 37–48.
Paruchuri P, Pearce J, Tambe M, Ordóñez F and Kraus S (2007). An efficient heuristic approach for security against multiple adversaries. In: Proceedings of the 6th International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS 2007). ACM.
Protter P (2004). Stochastic Integration and Differential Equations. 2nd edn, Springer: Berlin, Heidelberg, New York.
University of Georgia, Office of Information Security (2012). Information classification standard, http://infosec.uga.edu/policies/classification.php.
Acknowledgements
We are grateful to Yacine Aït-Sahalia and Jean Jacod for the Matlab code used in the estimation procedure for the system described by Equations (17)–(19); the full derivation of the estimator is provided on pages 45–47 of Aït-Sahalia et al (2010). The data and code used in this paper are available from the authors’ websites.
Cite this article
Baldwin, A., Gheyas, I., Ioannidis, C. et al. Contagion in cyber security attacks. J Oper Res Soc 68, 780–791 (2017). https://doi.org/10.1057/jors.2016.37
DOI: https://doi.org/10.1057/jors.2016.37