On Software Diversification, Correlated Failures and Risk Management

38 Pages. Posted: 6 Jun 2006

Pei-Yu Chen

Arizona State University (ASU) - Department of Information Systems

Gaurav Kataria

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Ramayya Krishnan

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Date Written: April 8, 2006

Abstract

The increasing dependence on information networks for business operations has focused managerial attention on managing risks posed by failure of these networks. In this paper, we develop models to assess the risk of failure of an information network due to attacks that exploit known software vulnerabilities. Software vulnerabilities arise from software installed on the nodes of the network. When the same software stack is installed on multiple nodes on the network, software vulnerabilities are shared among them. These shared vulnerabilities can result in correlated failure of multiple nodes, resulting in longer repair times and greater loss of availability of the network. We show that considering positive network effects (e.g., compatibility) alone without taking the risks of correlated failure and the resulting costs due to lack of availability into account leads to over-investment in homogeneous software installations. The notion of using diversity to limit correlated failure is a widely accepted risk management strategy in many fields, e.g., insurance and portfolio management. However, these approaches are advantageous only for risk-averse agents as the expected loss remains unchanged. Using software diversification as a managerial lever, we show that the expected loss under homogeneous software deployment is higher than the expected loss under diverse software deployment, making diversification appealing to even risk-neutral firms. Our analysis suggests that security risk is a cost that firms should take into consideration in developing their IT infrastructure. Exploiting characteristics unique to information systems, we present an analytical framework that allows us to quantify security loss faced by a firm as a function of investment in security technologies to avert attacks, software diversification to limit correlated failure under attacks and IT resources to repair failures due to attacks. We analyze the effectiveness of diversification strategy under different operating conditions.

Suggested Citation

Chen, Pei-Yu and Kataria, Gaurav and Krishnan, Ramayya, On Software Diversification, Correlated Failures and Risk Management (April 8, 2006). Available at SSRN: https://ssrn.com/abstract=906481 or http://dx.doi.org/10.2139/ssrn.906481

Pei-Yu Chen

Arizona State University (ASU) - Department of Information Systems

Tempe, AZ
United States

Gaurav Kataria (Contact Author)

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Pittsburgh, PA 15213-3890
United States

Ramayya Krishnan

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Pittsburgh, PA 15213-3890
United States
