On Software Diversification, Correlated Failures and Risk Management
38 Pages Posted: 6 Jun 2006
Date Written: April 8, 2006
The increasing dependence on information networks for business operations has focused managerial attention on managing risks posed by failure of these networks. In this paper, we develop models to assess the risk of failure of an information network due to attacks that exploits known software vulnerabilities. Software vulnerabilities arise from software installed on the nodes of the network. When the same software stack is installed on multiple nodes on the network, software vulnerabilities are shared among them. These shared vulnerabilities can result in correlated failure of multiple nodes resulting in longer repair times and greater loss of availability of the network. We show that considering positive network effects (e.g., compatibility) alone without taking the risks of correlated failure and the resulting costs due to lack of availability into account leads to over-investment in homogeneous software installations. The notion of using diversity to limit correlated failure is a widely accepted risk management strategy in many fields e.g. insurance and portfolio management. However, these approaches are advantageous only for risk-averse agents as the expected loss remains unchanged. Using software diversification as a managerial lever, we show that the expected loss under homogeneous software deployment is higher than the expected loss under diverse software deployment, making diversification appealing to even risk-neutral firms. Our analysis suggests that security risk is a cost that firms should take into consideration in developing their IT infrastructure. Exploiting characteristics unique to information systems, we present an analytical framework that allows us to quantify security loss faced by a firm as a function of investment in security technologies to avert attacks, software diversification to limit correlated failure under attacks and IT resources to repair failures due to attacks. We analyze the effectiveness of diversification strategy under different operating conditions.
Suggested Citation: Suggested Citation