Economics of SCADA Security

I’ve been wanting to go to the Workshop on the Economics of Information Security (WEIS) for a decade now. This year it is in Berlin, so I’m registered and committed, plane tickets in hand, for WEIS 2012, June 25-26.

Economics of Information Security is still a green field for the broader IT security community and is almost untouched in the ICS security arena. We had Dr. Ross Anderson from the University of Cambridge keynote at S4 2009, and Miles McQueen and his colleagues at INL have presented a few metrics papers at S4 and other events. Other than that, there has been very little of value in this area, although I’m sure there are a few academic papers. The biggest problem is the paucity of hard data, but I doubt this is unique to the ICS security space.

WEIS is kind enough to put past event papers up on their site. I’ll be reading a number of those as prep work and trying to remember the mathematics and statistics from my NSA days. Expect an article or two in this space on the past papers worth considering for applicability to SCADA and DCS.

My interest in WEIS focuses on two areas.

  1. Statistics related to quantifying risk for large impact, low probability events
  2. Metrics for measuring the improvement in security posture

And hopefully I’ll have something worthwhile to propose in the rump session on the second day.