Team 1 Sec4.1

From CyberSecurity

Santtu 08:15, 21 October 2005 (PDT)

Current incentives for defending against cyber attacks:

  1. Regulatory
    1. Gramm-Leach-Bliley Act
    2. Sarbanes-Oxley
    3. Stock exchange rules and regulations
  2. Contract law
  3. Bad press and loss of customer confidence due to attacks, which can make the company appear insecure.
  4. Cost of downtime in terms of lost business (cite numbers for $ per hour lost)
  5. Cost of downtime in terms of human and hardware resources required to repair
  6. Financial liability for effects of attack, such as covering for bad trades submitted by attacker


Notes on above:

The regulatory acts do not directly relate to critical information technology infrastructure, since they deal mostly with the protection of customers' private information. Even though protecting private information requires attention to computer crime defenses, the actions needed to protect private information do not cover all computer crime. For example, if Merrill Lynch's trade system were hacked, the attacker could wreak plenty of damage on the financial markets without accessing any private customer information.

Most laws related to computer crime currently deal with punishing attackers rather than forcing targets to protect themselves from attacks.


First draft -- Financial:

While many of the existing incentives to provide defenses for home and corporate systems also apply to financial systems, such as a trading system at an investment bank that is connected to a stock exchange, there are also unique or amplified incentives to protect these systems. The far greater financial liability from damages caused by an attack is a leading incentive for protecting these systems. The financial liability is composed not only of the trades lost due to an attack, but also of any fraudulent trades executed by the attacker and financial judgments brought under applicable laws, such as contract law. A loss of investors and customers due to loss of confidence in the investment firm is another financial incentive to maintain proper protection.

Regulations by both government and stock exchanges, although not directly regulating the defenses of systems, are also significant incentives to protect systems. An attack, attempted attack, or even a disclosed vulnerability exposes the financial firm to sanctions, and even expulsion, under the stock exchange's rules governing member companies' responsibilities and requirements in financial transactions. Similarly, government regulations such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, which establish protection requirements for data, are indirect incentives for upgraded defenses, because failure to upgrade could be seen as failure to adequately protect the data.