Unofficial thoughts on liability Herb Lin 202-334-3191 The viewgraphs following this presentation do not represent the views.

Unofficial thoughts on liability
Herb Lin
The viewgraphs following this presentation do not represent the views of any organization with which Herb Lin is affiliated, and in particular they do not represent the views of the CSTB, the National Research Council, or the National Academies.

Thoughts on Liability
The CSTB/NRC report (Cybersecurity: Pay Now or Pay Later) did NOT endorse liability for software vendors. It said:
–“Policy makers should consider legislative responses to the failure of existing incentives to cause the market to respond adequately to the security challenge. Possible options include steps that would increase the exposure of software and system vendors and system operators to liability for system breaches and mandated reporting of security breaches that could threaten critical societal functions.”

The broad outline
Market forces have failed to provide an environment in which vendors and users have sufficient incentives to provide for security.
–Inadequate information about consequences of breaches.
–Society often captures benefits of security investments (social needs greater than corporate needs).
–Deregulation forces more competitive pressures.

Possible Responses to Market Failures
Mandate behavioral changes
Shift the economic calculus
–Carrots
 *Yearly award for cybersecurity from the Office of Homeland Security and the President
 *Malcolm Baldrige Quality Award
 *ISO certification?
 *Immunity for early reporting? (like FAA)
–Possible sticks
 *Liability
 *Red team results into public documents
 *Accounting standards to include cybersecurity assessments

Issues raised by liability
-Differentiating between infrastructure and end user for liability purposes (e.g., my program works on your operating system: how to allocate liability?)
-Holding infrastructure providers liable for economic damage is hard under current case law
-Uncorrelated damages mean that insurance model won’t work

Issues (continued)
-Reducing incentives to disseminate information, to allow forensics, or to provide fixes
-Holding vendors responsible for something they don't know how to do (e.g., how to deal with loss of functionality from a security patch, which doesn't always work properly)

Issues (continued)
-Establishing standards of care (best practices? certification?)
-Hard for lay people to understand security breaches: how to decide on liability
-Good methodology to establish extent of liability

Fire vs Cyberhack Prevention

Cyberhack | Fire
--------- | ----
Losses due to deliberate action (hence no actuarial basis; terrorists are not a probability distribution) | Losses largely due to accident (harder to insure against arson than lightning)
No metrics for security | Fire resistance can be quantified (sort of)
Fundamental science of cybersecurity is not known | Fundamental science of fireproofing and structural engineering is known
Damage is often invisible | Damage is visible
Technical standardization can be similar to monoculture; weak in face of correlated threat | Standardization is advantageous when failures can be uncorrelated
Impact of fix often impossible to localize | Impact of fixes can be localized
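The actuarial point behind the comparison (pooling many fire-like, independent losses makes the total predictable; a monoculture hit by one correlated exploit does not average out) can be checked numerically. The following is an added illustration, not from the slides, using constructed loss probabilities: an exchangeable-correlation formula for the pool's coefficient of variation plus a small common-shock Monte Carlo.

```python
"""Added example (not from Herb Lin's slides): predictability of a pooled
loss book under independent vs. correlated (monoculture) failures.
All probabilities below are constructed, not real actuarial data."""
import math
import random


def pooled_loss_cv(n_policies: int, p_loss: float, rho: float) -> float:
    """Std/mean of the total loss count for n exchangeable policies that
    each fail with probability p_loss and have pairwise correlation rho.
    Var(sum) = n p (1-p) (1 + (n-1) rho); mean = n p.
    With rho = 0 this shrinks like 1/sqrt(n) (law of large numbers);
    with rho > 0 it converges to sqrt(rho (1-p) / p) and pooling stops helping."""
    mean = n_policies * p_loss
    var = n_policies * p_loss * (1 - p_loss) * (1 + (n_policies - 1) * rho)
    return math.sqrt(var) / mean


def safety_loading(n_policies: int, p_loss: float, rho: float, k: float = 2.0) -> float:
    """Extra premium per policy, as a multiple of the expected loss p_loss,
    needed to hold k standard deviations of the pool's loss as reserve."""
    return k * pooled_loss_cv(n_policies, p_loss, rho)


def simulate_cv(n_policies: int, p_base: float, shock_prob: float,
                p_under_shock: float, periods: int = 1000, seed: int = 1) -> float:
    """Monte Carlo of a common-shock model: each period a shared
    vulnerability is exploited with probability shock_prob, in which case
    every system fails with p_under_shock; otherwise systems fail
    independently with p_base. shock_prob = 0 is the fire-like case."""
    rng = random.Random(seed)
    totals = []
    for _ in range(periods):
        p = p_under_shock if rng.random() < shock_prob else p_base
        totals.append(sum(1 for _ in range(n_policies) if rng.random() < p))
    mean = sum(totals) / periods
    var = sum((t - mean) ** 2 for t in totals) / periods
    return math.sqrt(var) / mean


if __name__ == "__main__":
    for n in (100, 10_000):
        print(f"n={n:6d} independent CV={pooled_loss_cv(n, 0.05, 0.0):.3f} "
              f"correlated(rho=0.3) CV={pooled_loss_cv(n, 0.05, 0.3):.3f}")
    print("independent sim CV:", round(simulate_cv(500, 0.02, 0.0, 0.02), 3))
    print("common-shock sim CV:", round(simulate_cv(500, 0.02, 0.05, 0.5), 3))
```

Growing the book from 100 to 10,000 policies cuts the independent-loss loading by a factor of ten but leaves the correlated-loss loading essentially unchanged, which is the "no actuarial basis" problem in numbers.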