Abstract
This paper discusses risk modeling and risk management in information and communications technology (ICT) systems whose attack impact distribution is heavy tailed (e.g., a power law distribution), so that the average risk is unbounded. Systems with these properties include the billing infrastructures used to charge customers for the services they access. Attacks against billing infrastructures can be classified as peripheral attacks and backbone attacks. A peripheral attack tampers with user bills; a backbone attack seeks to seize control of the billing infrastructure itself. The probability distribution of the overall impact of an attack on a billing infrastructure is also heavy tailed. This implies that the probability of a massive impact cannot be ignored and that the average impact may be unbounded: an expected-loss calculation then justifies any finite expenditure, so even the most expensive countermeasures would appear cost effective and a cost-benefit analysis can no longer rank them. Consequently, the only strategy for managing risk is to increase the resilience of the infrastructure by employing redundant components.
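The following is an added illustration of the abstract's central point and is not code from the paper. It models attack impact as a Pareto tail P(X > x) = (x_min/x)^alpha, which is one concrete power law; the tail indices 0.8 (infinite mean) and 2.5 (finite mean), the attack rate, and the annualized-loss test used as a stand-in for cost-benefit analysis are all constructed assumptions. It shows the analytic condition under which the mean diverges, how the sample mean fails to settle for the heavy case, how a small fraction of events carries most of the loss, and how the loss-versus-cost test accepts any finite countermeasure once the mean is infinite.

```python
"""Added example: why a heavy-tailed impact distribution breaks expected-loss
risk management. Not code from the paper; the Pareto model, tail indices and
annualized-loss test are assumptions made for illustration."""
import math
import random


def pareto_samples(alpha, x_min, n, seed=1):
    """Draw n attack impacts from a Pareto tail P(X > x) = (x_min / x) ** alpha.

    Inverse-CDF sampling: X = x_min / U ** (1 / alpha) with U uniform on (0, 1].
    alpha is the tail index; alpha <= 1 means the mean impact diverges.
    """
    rng = random.Random(seed)
    return [x_min / (1.0 - rng.random()) ** (1.0 / alpha) for _ in range(n)]


def analytic_mean(alpha, x_min):
    """E[X] = integral from x_min of x * alpha * x_min**alpha * x**(-alpha - 1) dx.

    The integrand decays like x**(-alpha), which is integrable at infinity only
    when alpha > 1; for alpha <= 1 the mean is infinite.
    """
    if alpha <= 1:
        return math.inf
    return alpha * x_min / (alpha - 1)


def running_means(xs, checkpoints):
    """Sample mean after the first k events, for each k in checkpoints."""
    out, total = {}, 0.0
    for i, x in enumerate(xs, 1):
        total += x
        if i in checkpoints:
            out[i] = total / i
    return out


def top_share(xs, fraction):
    """Share of total impact contributed by the largest `fraction` of events."""
    k = max(1, int(len(xs) * fraction))
    ordered = sorted(xs, reverse=True)
    return sum(ordered[:k]) / sum(ordered)


def countermeasure_cost_effective(cost, alpha, x_min, attacks_per_year):
    """Classic annualized-loss test: adopt if expected yearly loss exceeds cost.

    With an infinite mean every finite cost passes, which is the degeneracy the
    abstract points out. Assumed model: Pareto impacts, fixed attack count.
    """
    expected_yearly_loss = attacks_per_year * analytic_mean(alpha, x_min)
    return expected_yearly_loss > cost


if __name__ == "__main__":
    checkpoints = {10**3, 10**4, 10**5}
    # Constructed tail indices: 0.8 has an infinite mean, 2.5 a finite one.
    for alpha in (0.8, 2.5):
        xs = pareto_samples(alpha, x_min=1.0, n=10**5)
        print(f"alpha={alpha}: analytic mean={analytic_mean(alpha, 1.0)}")
        print("  running sample means:", running_means(xs, checkpoints))
        print("  share of total loss from top 1% of attacks:",
              round(top_share(xs, 0.01), 3))
        print("  1e9 countermeasure passes loss-vs-cost test?",
              countermeasure_cost_effective(1e9, alpha, 1.0, attacks_per_year=12))
```

For alpha = 2.5 the running means converge towards the analytic value 5/3 and the top 1% of events carries only a few percent of the loss; for alpha = 0.8 the running means keep jumping whenever a new extreme event arrives, the top 1% dominates the total, and the loss-versus-cost test returns True for any cost whatsoever, which is exactly why the paper turns to resilience through redundancy instead of cost-benefit selection of countermeasures.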
Copyright information
© 2009 IFIP International Federation for Information Processing
Cite this paper
Baiardi, F., Telmon, C., Sgandurra, D. (2009). Modeling and Managing Risk in Billing Infrastructures. In: Palmer, C., Shenoi, S. (eds) Critical Infrastructure Protection III. ICCIP 2009. IFIP Advances in Information and Communication Technology, vol 311. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04798-5_4
DOI: https://doi.org/10.1007/978-3-642-04798-5_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04797-8
Online ISBN: 978-3-642-04798-5
eBook Packages: Computer Science (R0)