
Third International Symposium on Empirical Software Engineering and Measurement

Quantitative Analysis of Information Security Interdependency Between Industrial Sectors


Hideyuki Tanaka The University of Tokyo tanaka@iii.u-tokyo.ac.jp

Abstract
This paper employs Input-Output analysis to quantitatively analyze cross-sectoral security interdependency in terms of economic activity. Previous studies using the Inoperability Input-Output Model (IIM) have demonstrated the impact of cross-sectoral security incidents from the viewpoint of interdependency. However, these studies have two primary limitations: (1) they do not consider each sector's features in terms of information technology (IT) and information security (IS), and (2) they focus on the damage caused by IS incidents to sectors and do not consider the level of security interdependency itself. The author proposes a practical methodology to measure sectoral IS interdependency by introducing forward linkage and backward linkage analyses into an IIM. The methodology assesses the dependency of each sector on IT and the level of IS measures. Furthermore, the paper applies the methodology to recent statistical economic data of Japanese industrial sectors and illustrates the implications of cross-sectoral security interdependency.

1. Introduction
Information technology (IT) in business has been commoditized as an infrastructure [5]. Sixty-three percent of Japanese firms have inter-firm digital networks [27] and 74% of the firms use electronic data interchange (EDI) [26]. Furthermore, through operations such as outsourcing, business processes have changed in such a way that they have transcended the traditional concept of company boundaries [37]. It is thus possible that the information security (IS) process of one firm could affect those of another firm via a connected network, particularly as IS has become increasingly interdependent. Although recent studies have described several models showing the interdependency of IS, as shown in subsection 2.2, there are currently few metrics available that can be used to gauge security interdependency using only business activity or macroeconomic data. The author has therefore attempted to quantitatively analyze security interdependency from a macroeconomic perspective. This manuscript is organized as follows: Section 2 reviews previous studies related to IS interdependency and inoperability analyses of interdependent infrastructure sectors. Section 3 describes the methodology employed in this study. Section 4 introduces a case study to show how the proposed methodology can be applied to the Japanese industrial sector and presents some results. Finally, Section 5 concludes the study by discussing certain limitations of the model and offers suggestions for further study.

2. Related literature
2.1. Interdependency of economic activity
Information technology has transformed business organizations and the way in which they conduct transactions, exchange goods and provide services [24] [32] [35]. Inter-organizational systems such as EDI enable firms and customers to disseminate information related to purchase orders, shipping notices, invoices, forecasts, and remittances among supply chain partners [14] [29]. Such structural changes have become increasingly widespread among industrial sectors, for example in the computer [6], automotive [21], retail and logistics [3] [8], and financial services [4] [9] [19] sectors. Given this increase in interdependency among firms and sectors brought about by an increased reliance on IT, the economic damage that would arise from an adverse IS incident could easily extend beyond the boundaries of a firm or even a sector.

978-1-4244-4841-8/09/$25.00 2009 IEEE

2.2. Interdependency of IS

Interdependency with respect to IS is one of the themes of economic externalities [1]. Varian describes three prototypical cases - total effort, weakest link, and best shot - to show that the level of effort invested by an entity will depend on any potential benefits and costs that the entity may incur, the level of effort invested by other entities, and the technology that translates the effort of the entity into outcomes [38]. Kunreuther and Heal apply Nash equilibria to assess interdependent security in situations where the investment of firms against risks depends on the actions of others [22]. Ogut et al. discuss interdependency in terms of insurance and show that the interdependence of security risk reduces the incentive for firms to invest in security technologies and buy insurance coverage [30]. Using a two-firm model, Hausken shows that security investments decrease as interdependence increases [20]. Zhao et al. propose a certification procedure for encouraging Internet service providers to employ collective pressure to improve Internet security, based on a theoretical argument related to interdependent security [39]. As shown above, most of the work in security economics deals with formal models, and very few quantitative empirical studies regarding the interdependency of IS have been undertaken to date. Haimes and Chittester show the impact of a cyber attack on the telecommunications and electric power infrastructures in a given scenario [15]. Andrijcic and Horowitz provide a framework for evaluating risks associated with cyber-based intellectual property theft from a macroeconomic point of view [2]. Santos et al. present a framework for linking the analysis of metrics associated with plant-level and sector-specific IS disruptions to macroeconomic modeling of interdependencies [34]. These studies all examine cross-sectoral ripple effects based on a Leontief input-output model [23].

2.3. Inoperability risk analyses of interdependent sector infrastructures

As IT has increased the interconnectedness and interdependencies of critical infrastructures, such as telecommunications, electrical power systems, banking and finance, and transportation, there is an emerging need to understand the complex and interconnected nature of sector infrastructures. In addition, the potential impacts on infrastructures of natural phenomena, such as hurricanes and earthquakes, and of anthropogenic disruptions, such as terrorism, need to be understood [18]. As a result of these concerns, inoperability risk analysis of interdependent infrastructure sectors has become an important issue. One of the methodologies employed to analyze interdependency among infrastructures within the context of inoperability risk is the Inoperability Input-Output Model (IIM), which was originally proposed by Haimes and Jiang [18] and is based on a Leontief input-output model. Haimes and Jiang [18] also consider the percentage of infrastructure inoperability as a risk metric. Although the original IIM was a physical-based model, subsequent IIM studies (e.g. [2] [16] [17] [33] [34]) used economic models to examine physical interactions due to a lack of data on physical interdependencies. These studies were conducted based on the assumption that the level of economic dependency is the same as the level of physical dependency, implying that companies with extensive economic interactions will have proportionally large physical interdependencies [16].

In addition, although the IIM has been employed in several IS studies [2] [15] [34], as a methodology for analyzing IS interdependency the IIM has two limitations. The first limitation is related to the IIM itself, because the IIM does not distinguish between the two cross-sector linkage measures based on Leontief input-output analyses: backward linkage (BL) and forward linkage (FL). BL is considered to reflect a sector's dependence on inputs from other sectors (demand-driven perspective). Conversely, FL is considered to reflect a sector's dependence on other sectors which, in turn, function as buyers of its output (supply-driven perspective); importantly, of these two perspectives, the IIM focuses only on BL. Interestingly, as the author demonstrates below, a given sector may have two different characteristics based on these two perspectives. The second limitation of the IIM is related to IT and IS. The aforementioned studies describe a scenario in which a cyber-attack is associated with a certain risk of inoperability in a critical infrastructure sector. However, these studies discuss only economic transactions [2] [34] or capital flows [15] among sectors and do not consider the level of IT dependency and the IS measures employed by each sector. This study therefore attempts to contribute to the study of IS metrics by proposing a practical methodology for measuring sectoral IS interdependency by implementing BL and FL analyses in the IIM. Furthermore, the methodology considers the dependency of each sector on IT and the level of IS measures within a sector.
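The following is an added illustration, not the paper's code or data: a constructed three-sector transaction table on which backward linkage (column sums of the Leontief inverse) and forward linkage (row sums of the Ghosh inverse) rank the same sector differently, which is the point made above, plus the inoperability vector that a demand-side perturbation produces. The sector names and flows are assumptions, and the IIM form q = (I - A*)^-1 c* with A* = diag(x)^-1 A diag(x) is taken from the Santos and Haimes demand-reduction model rather than from this page.

```python
# Added illustration (not the paper's code or data): backward/forward linkage indices from a
# Leontief input-output table, plus IIM inoperability propagation. Z and X are constructed
# sample values; Z[i][j] is the flow from sector i to sector j, X the total output per sector.
SECTORS = ["Telecom", "Finance", "Retail"]
Z = [[10.0, 40.0, 20.0],
     [5.0, 10.0, 10.0],
     [5.0, 5.0, 5.0]]
X = [100.0, 100.0, 100.0]

def inverse(m):
    """Gauss-Jordan inverse with partial pivoting; adequate for the small matrices used here."""
    n = len(m)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        aug[c], aug[p] = aug[p], aug[c]
        piv = aug[c][c]
        aug[c] = [v / piv for v in aug[c]]
        for r in range(n):
            if r != c:
                f = aug[r][c]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def identity_minus(coef, n):
    """Build (I - C) for a coefficient function coef(i, j)."""
    return [[(1.0 if i == j else 0.0) - coef(i, j) for j in range(n)] for i in range(n)]

def leontief_inverse(z, x):
    """(I - A)^-1 with a_ij = z_ij / x_j: output of i required per unit of final demand for j."""
    return inverse(identity_minus(lambda i, j: z[i][j] / x[j], len(x)))

def ghosh_inverse(z, x):
    """(I - B)^-1 with b_ij = z_ij / x_i: where a unit of i's output is absorbed downstream."""
    return inverse(identity_minus(lambda i, j: z[i][j] / x[i], len(x)))

def linkages(z, x):
    """Normalised BL (column sums of L) and FL (row sums of G); 1.0 marks an average sector."""
    n = len(x)
    L, G = leontief_inverse(z, x), ghosh_inverse(z, x)
    bl = [sum(L[i][j] for i in range(n)) for j in range(n)]   # demand-side pull on suppliers
    fl = [sum(G[i][j] for j in range(n)) for i in range(n)]   # supply-side push onto buyers
    return [v * n / sum(bl) for v in bl], [v * n / sum(fl) for v in fl]

def iim_inoperability(z, x, c_star):
    """Demand-reduction IIM in the Santos/Haimes form (assumed here, not given on the page):
    q = (I - A*)^-1 c*, A* = diag(x)^-1 A diag(x); q_i = share of sector i's output lost."""
    M = inverse(identity_minus(lambda i, j: (z[i][j] / x[j]) * x[j] / x[i], len(x)))
    return [sum(M[i][j] * c_star[j] for j in range(len(x))) for i in range(len(x))]
```

On this table Telecom scores below average on BL but above average on FL, while Finance is the reverse, so a BL-only model such as the IIM would rank the two sectors' exposure differently from an FL view.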

3. Methodology
