Version 1.0 (22 5) © Kanta Matsuura Laboratory 2010, all rights reserved.
I 1 IT VMM (Value Measuring Methodology)[1],[2] (JCMVP: Japan Cryptographic Module Validation Program)[3] 2006 6 IPA 2007 4 JCMVP 4 [4] [5], [6] * 1 2 1. 2. *1 (NEDO) 3
3. 4. 2. JCMVP 4 PDCA 3 10 ffl ffl ffl Gordon-Loeb [7] [8] : t: (0» t» 1) L = t L v: (0» v» 1) z 0 Gordon-Loeb S(z; v) S(z; v) (SBP: security breach probability) ENBIS(Expected Net Benefits from an investment in Information Security) SBP S(z; v) =v ffz+1 4
[9], [10] ff ffl t T (z; t) =t fiz+1 fi ff ENBIS ENBIS(z) =vt S(z; v)t (z; t) z! max : (1) z Λ = ln Φ 1= vt ln(v ff fi t ) Ψ ln(v ff t fi ) = ln 1 vlfff(ln v)+fi(ln t)g ff(ln v)+ fi(ln t) (2) F (v) v ln v + fi ln t ff v + 1 ffl 0 (3) F (v) < 0 (2) ff fi 1 1 Case I Case II-A-1 *2 z Λ v 0 1 Case II-B-2-a 2 V 1, V 2 (v» V 1 ) (v V 2 ) z Λ =0 *2 Case I [8] 5
[Figure 1: productivity space; horizontal axis: vulnerability reduction productivity (marks 0, 1/L, e/L); vertical axis: threat reduction productivity (mark 1/(L*ln(t))); regions: Case I, Case II-A-1, Case II-A-2, Case II-B-1, Case II-B-2-a, Case II-B-2-b] (V_1 < v < V_2) (2) z* 2 2 [8] *3 αv ln v βv ln t ffl 1 Case II-A-2 Case II-B-1 Case II-B-2-b V_1 v z* 0 (2) z* 3 ffl *3 v* z t
Gordon-Loeb SBP [Figure 2: optimum investment versus vulnerability; horizontal axis: vulnerability (marks 0, V1, V2, 1); vertical axis: optimum investment (marks 0, alpha*v*ln(v), beta*v*ln(t), 1/L)] (α = 0.00001, β = 0.000001, t = 0.5, = 800000). (2) vl x = vl(α ln v + β ln t) z*/(vl) = (1/x) ln(1/x) (4) (4) x = e 1/e 1/e 37% 37% Gordon-Loeb
[Figure 3: optimum investment versus vulnerability; horizontal axis: vulnerability (marks 0, V1, V3, 1); vertical axis: optimum investment (marks 0, alpha*v*ln(v), beta*v*ln(t), 1/L)] (α = 0.00001, β = 0.00001, t = 0.5, = 800000). II 4 *4 i Lvi IT 4 • 1. 2. *4
ffl 1. 2. 3. 4. ffl 1. 2. 3. 4. ffl 1. 2. 3. 4. 5 5.1 : 1. 2. 9
5.2 JCMVP ffl 1.0 1.1 1.2 1.3 ffl 2.0 2.1 2.2 ffl 3.0 3.1 3.2 5.3 *5 Risk Factor ffl *6 4 *7 *5 *6 *7 JCMVP JIS X 19790 4 10
• RiskFactor = (p_0, p_1, p_2, p_3, p_4) p_0 p_i i 1 ≤ i ≤ 4 p_0 + p_1 + p_2 + p_3 + p_4 = 100% (0, 0, 100%, 0, 0) 2 (30%, 60%, 10%, 0, 0) 1 2 • 0 p_1 = 0 RiskFactor JCMVP JIS X 19790 • • 6 6.1 1 2 6.2 5 5
Table 1 (Lv1):
         2010  2011  2012  Total
  1.0       6     1     1      8
  1.1       2     -     -      2
  1.2       3     -     -      3
  1.3       1     1     1      3
  2.0       4     3     2      9
  2.1       1     1     1      3
  2.2       3     2     1      6
  3.0       1     2     3      6
  3.1       -     1     2      3
  3.2       1     1     1      3
  Total    11     6     6     23

Table 2 (Lv2):
         2010  2011  2012  Total
  1.0      14     3     3     20
  1.1       6     -     -      6
  1.2       5     -     -      5
  1.3       3     3     3      9
  2.0       5     4     2     11
  2.1       2     2     1      5
  2.2       3     2     1      6
  3.0       2     2     3      7
  3.1       -     1     2      3
  3.2       2     1     1      4
  Total    21     9     8     38

(Cells marked "-" are empty in the source; the column placement of the 1.1, 1.2 and 3.1 counts is inferred from the 1.0 and 3.0 subtotals, and the "Total" labels are supplied here.)
0 100 %
Lvi JCMVP Lvi i 0% i+1 100% *8 *9 • 2009 [11] 1 2 50% 3 4 75% 1 2 25%+ 3 4 37.5%+ 8% 8%+ x%+ x% x%+ y x < y x y x 0% 0% IT *8 60% 30% *9
0% (30%, 60%, 10%, 0%, 0%) 3 7 Lv2 Lv4 0% Lv1 10% 19.9%+ 19.9 > 10 1 Lv1 3 7 Lv1 Lv2 (10%, 0%, 80%, 10%, 0%) 8 12 Lv3 Lv4 0% Lv2 10% Lv1 90% 24.55%+ 24.55 < 90

(In Tables 3 to 12 the source gives only the numbers; the column headings i, p_i, rate and p_i x rate are supplied here, the last column being the product of the two before it.)

Table 3 (Lv4):
  i       p_i    rate   p_i x rate
  0       30%      0%      0%
  1       60%      0%      0%
  2       10%      0%      0%
  3        0%      0%      0%
  4        0%      0%      0%
  Total  100%     N/A      0%

6.3

Table 4 (Lv3):
  i       p_i    rate   p_i x rate
  0       30%      0%      0%
  1       60%      0%      0%
  2       10%      0%      0%
  3        0%      0%      0%
  4        0%    100%      0%
  Total  100%     N/A      0%

Table 5 (Lv2):
  i       p_i    rate   p_i x rate
  0       30%      0%      0%
  1       60%      0%      0%
  2       10%      0%      0%
  3        0%    100%      0%
  4        0%    100%      0%
  Total  100%     N/A      0%

Table 6 (Lv1):
  i       p_i    rate   p_i x rate
  0       30%      0%      0%
  1       60%      0%      0%
  2       10%    100%     10%
  3        0%    100%      0%
  4        0%    100%      0%
  Total  100%     N/A     10%

Table 7:
  i       p_i    rate   p_i x rate
  0       30%     8%+    2.4%+
  1       60%    25%+     15%+
  2       10%    25%+    2.5%+
  3        0%  37.5%+      0%
  4        0%  37.5%+      0%
  Total  100%     N/A   19.9%+

Table 8 (Lv4):
  i       p_i    rate   p_i x rate
  0       10%      0%      0%
  1        0%      0%      0%
  2       80%      0%      0%
  3       10%      0%      0%
  4        0%      0%      0%
  Total  100%     N/A      0%

Table 9 (Lv3):
  i       p_i    rate   p_i x rate
  0       10%      0%      0%
  1        0%      0%      0%
  2       80%      0%      0%
  3       10%      0%      0%
  4        0%    100%      0%
  Total  100%     N/A      0%

Table 10 (Lv2):
  i       p_i    rate   p_i x rate
  0       10%      0%      0%
  1        0%      0%      0%
  2       80%      0%      0%
  3       10%    100%     10%
  4        0%    100%      0%
  Total  100%     N/A     10%

Table 11 (Lv1):
  i       p_i    rate   p_i x rate
  0       10%      0%      0%
  1        0%      0%      0%
  2       80%    100%     80%
  3       10%    100%     10%
  4        0%    100%      0%
  Total  100%     N/A     90%

Table 12:
  i       p_i    rate   p_i x rate
  0       10%     8%+    0.8%+
  1        0%    25%+      0%
  2       80%    25%+     20%+
  3       10%  37.5%+   3.75%+
  4        0%  37.5%+      0%
  Total  100%     N/A  24.55%+

Lv1 28 10 Lv2 40 50
6.4 7 7.1 37% 7.2 Z Z max R (R; Z) (R; Z max ) * 10 *10 18
7.3 Lv1 Lv2 4 5 6 4. PDCA [12] trust but verify approach 19
5. 6. 7.4 20
8 8.1 8.2 8.3 8.4 21
[1] CIO Council Best Practices Committee: "Value Measuring Methodology How-To-Guide". CIO Council, 2002.
[2] 15 IT 2004.
[3] http://www.ipa.go.jp/security/jcmvp/index.html
[4] 21, May 2010.
[5] JCMVP. 50, March 2010.
[6] P. Yang and K. Matsuura: "An Introduction of A Users' Guideline to Japan Cryptographic Module Validation Program". 5th ACM Symposium on Information, Computer and Communications Security (demo session), April 2010.
[7] L. A. Gordon and M. P. Loeb: "The economics of information security investment". ACM Trans. on Info. & Sys. Sec., Vol.5, No.4, pp.438-457, 2002.
[8] K. Matsuura: "Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model". In Johnson, M. Eric (ed.) Managing Information Risk and the Economics of Security, pp.99-119, Springer, 2009.
[9] H. Tanaka, K. Matsuura and O. Sudo: "Vulnerability and Information Security Investment: An Empirical Analysis of e-local Government in Japan". The Journal of Accounting and Public Policy, Vol.24, Issue.1, pp.37-59, 2005.
[10] W. Liu, H. Tanaka and K. Matsuura: "Empirical-Analysis Methodology for Information-Security Investment and Its Application to Reliable Survey of Japanese Firms". Vol.48, No.9, pp.3204-3218, 2007.
[11] Communications Security Establishment, Canada: "CMVP annual report". 2009.
[12] A. Paller and J. Streufert: "Developing Metrics for Cybersecurity Programs". Federal Office Systems Exposition 2010 Conference, March 2010.