ASSESSING THE VALUE OF DETECTIVE CONTROL IN IT SECURITY

Transcription

1 Assoiation for Information Systems AIS Eletroni Library (AISeL) AMCIS 00 Proeedings Amerias Conferene on Information Systems (AMCIS) Deember 00 ASSESSING THE VALUE OF DETECTIVE CONTROL IN IT SECURITY Huseyin Cavusoglu The Univesity of Texas at Dallas Birendra Mishra The Univesity of Texas at Dallas Srinivasan Raghunathan The Univesity of Texas at Dallas Follow this and additional works at: Reommended Citation Cavusoglu, Huseyin; Mishra, Birendra; and Raghunathan, Srinivasan, "ASSESSING THE VALUE OF DETECTIVE CONTROL IN IT SECURITY" (00). AMCIS 00 Proeedings This material is brought to you by the Amerias Conferene on Information Systems (AMCIS) at AIS Eletroni Library (AISeL). It has been aepted for inlusion in AMCIS 00 Proeedings by an authorized administrator of AIS Eletroni Library (AISeL). For more information, please ontat

2 ASSESSING THE VALUE OF DETECTIVE CONTROL IN IT SECURITY Huseyin Cavusoglu, Birendra Mishra, and Srinivasan Raghunathan The Univesity of Texas at Dallas Abstrat Reently, IT Seurity has beome a salient issue for many organizations. The ost of a single seurity breah an be enormous in terms of monetary damage, orporate liability and redibility. Firms inreasingly deploy firewalls as a preventive ontrol and Intrusion Detetion Systems (IDS) as a detetive ontrol to protet IT assets. The IDS has been among the fastest growing IT seurity produts for the last few years. While the literature on the tehnial aspets of IDS is proliferating, it is not lear how one an quantify the magnitude as well as identify the drivers of IDS benefits. In this paper we seek to assess the value of employing an IDS within an organization s IT seurity arhiteture. We analyze the issue from a strategi perspetive using a game-theoreti approah and derive the value of IDS by omparing the organizational payoffs with and without IDS. Our analysis reveals the value of IDS omes not only from improved detetion of intrusions but also from inreased deterrene to hakers. The effets of model parameters, related to firm, haker, and IDS design, on the value of IDS offer valuable guidane to firms that deploy this tehnology and those that develop them. Keywords: IT seurity, seurity arhiteture, detetive ontrol, preventive ontrol, intrusion detetion systems (IDS), game theory Introdution Inreased interonnetivity among omputers enabled by networking tehnologies, in partiular the Internet, has boosted the sale and sope of information tehnology (IT) related rimes. As the E-Commere ontinues to grow, so does the yber rime. The DOJ aseload itself reflets the growth of yber rime. The number of omputer intrusion ases jumped from 547 in year 998 to 54 in 999. The losses from omputer rime inidents are also rising. Computer Seurity Institute and FBI 00 survey found that firms lost $456 million in 00 in ontrast to $378 million in 00, $66 million in 000 and $4 million in 999 (Power 00). IT seurity management seeks to establish internal ontrols to minimize the risk of loss of information and system resoures, orruption of data, disruption of aess to the data, and unauthorized dislosure of information. Internal mehanisms fall into two major ategories: preventive ontrol and detetive ontrol. Preventive ontrol mehanisms, e.g. firewalls, aim to develop a defensive shield around IT systems to seure them. The detetive ontrol mehanisms try to detet the intrusions when they our. Although preventive ontrol onstitutes an important aspet of IT seurity arhiteture, it is extremely diffiult to build an IT system that is absolutely seure. Detetion-based seurity has beome an important element in overall seurity arhiteture beause IT systems are unproteted without detetive ontrols one intruders manage to break the firewall. Thus, detetion based systems omplement the perimeter seurity by identifying intrusions from both insiders and outsiders. Intrusion Detetion Systems (IDS) are one of the most ommon detetion approahes used by firms. The goal of these systems is to identify, in real time, unauthorized use, misuse, or abuse of omputer systems. They give warning signals when they detet something suspiious, anomalous, or illegal. Sine the signal is not perfet, manual monitoring of log files and audit trails is required to distinguish true alarms from false ones. In addition, manual monitoring is neessary to identify the type of attak the system is under, thereby making it possible to take ations to minimize the damage that ould be inflited on systems Eighth Amerias Conferene on Information Systems

3 Cavusoglu et al./assessing the Value of Detetive Control in IT Seurity Despite the eonomi importane of IT seurity to organizations, very little aademi researh has been devoted to analyze the issue from an eonomi perspetive. Most of the aademi researh on IT seurity has foused on seurity tehnology, suh as the development of algorithms for use in the IDS. An assessment of the value of the IT seurity tehnology is ritial to both firms employing this tehnology as well as firms that develop the tehnology. We seek to understand the eonomi value of different omponents of IT seurity arhiteture and the drivers of the value in order to provide normative guidelines to deision makers in the IT seurity domain. To that end, we first investigate the value of IDS within an IT arhiteture that has firewalls on one side and manual monitoring on the other side surrounding the IDS. We believe that ours is the first study that investigates the IT seurity arhiteture from an eonomi standpoint. We derive the value of IDS by omparing two ases. In the first ase, we fous on an arhiteture that doesn t employ IDS to detet intrusions. Manual monitoring of the system log files and audit trials is the only way to detet intrusions in this senario. In the seond ase, we examine the situation in whih an IDS assists in the detetion of intrusions. The firm that employs the IDS also uses manual monitoring beause the signals from the IDS are imperfet. The objetive in both ases is to minimize total organizational loss, whih inludes the ost of intrusions, both undeteted and deteted, and the ost of manual monitoring. In addition to proposing normative guidelines to the firms, suh as the frequeny of monitoring, we are able to haraterize onditions where the use of the IDS is benefiial to the firm in terms of reduing the total organizational loss. We find that the value of the IDS depends ritially on (i) benefit to ost ratio of intrusion for the haker, (ii) ost to benefit ratio of monitoring for the firm, and (iii) the false-positive and false-negative rates of the IDS. The positive value of IDS is the result of better detetion of intrusions and inreased deterrene to hakers by IDS. A surprising result of our analysis is that in some regions of the parameter spae, IDS inreases the haking ativity, and onsequently, the firm loated in those regions is better off not employing IDS. We also derive valuable insights about the impat of IDS design parameters for IDS developers. Intrusion Detetion Systems An intrusion in the IT seurity ontext an be defined as any set of ations that attempts to ompromise the onfidentiality, integrity and availability of a resoure (Lodin 999). Intrusion detetion systems are software and/or hardware systems that automate the proess of monitoring the events ourring in omputer systems or network segments, and analyze them for signs of intrusions. In reent years, IDS have been aepted as the major tool for the detetion of attaks when the perimeter seurity is breahed or when an internal user initiates the attaks. Aording to International Data Corp. (IDC), the market for the IDS has grown from about $0 million in 997 to $00 million in 999 and is projeted to reah $58 million by 005 (Messmer 999). An IDS uses audit trails and network pakets to detet intrusions. Audit trails store patterns of aess to individual objets and histories of events and individuals (National Computer Seurity Center 988). Audit trails store information suh as date and time of the event, type of the event, origin of the request, and objets aessed, modified or deleted. IDS are lassified as network-based or host-based depending on where they are utilized (Mukherjee et al. 994). There are two primary approahes that IDS use to analyze events in order to detet attaks: Signature-based detetion and anomaly detetion (MHugh et al. 000). Signature-based detetion looks for events that math a predefined pattern of events, alled as signatures, assoiated with a known attak. Anomaly detetion tehniques use a normal ativity profile for a system and flag all system states varying from the established profile in a statistially signifiant manner. IDS are typially deployed within a system proteted by firewalls and other aess ontrol mehanisms at the periphery. Firewalls attempt to prevent intrusions from external hakers. IDS attempt to detet intrusions from internal users as well as external hakers who have suessfully raked the firewalls. An IDS runs ontinually in the bakground, and only notifies when it detets something it onsiders suspiious, anomalous, or illegal. Following a signal from the IDS, a seurity analyst examines audit trails and log files of system resoures to determine the type and the extent of the attak. If an intrusion is onfirmed by the manual investigation, appropriate orretive measures are undertaken to limit further damage and reover, if possible, the damage already inurred. Like other seurity mehanisms, IDS are not perfet. The likelihood of giving a warning signal upon an intrusion and being silent in ase of no intrusion depends on various fators. The design of IDS, that inludes the tehnology used (signature-based versus anomaly-based), and design parameters (for example, the aeptable noise level in an anomaly-based system) and the onfiguration (strit versus loose) plays a signifiant role. The quality of an IDS an be measured using its false positive and false negative rates. A false positive ours when the system lassifies an ation as a possible intrusion when it is a legitimate ation. A false negative ours when an atual intrusion has ourred but the system doesn t lassify it as an intrusion. 00 Eighth Amerias Conferene on Information Systems 9

4 Network and Internet Seurity Model Desription Our goal is to analyze the value of IDS for IT seurity using a simple model that aptures the essene of a typial IT seurity environment disussed in the previous setion. To that goal we make ertain simplifying assumptions. In most IT environments there are two general ategories of assets relevant to the assessments of seurity risk: tangible assets and intangible assets. Tangible assets inlude hardware. Intangible assets, whih might be better haraterized as information assets, are omprised of data and software. Our model is most relevant for risks assoiated with intangible assets suh as illegal aess of information. We assume that when an intrusion ours, the amount of damage is distributed with probability density f(.) with mean d and a finite variane known to both the firm and the intruder with support on (0,d max ). Most ompanies estimate these possible damages along with their likelihoods in the IT seurity risk assessment phase (Tudor 00). A fration 8 of the user traffi (both internal and external) that reahes the IDS is assumed to be dishonest. It is assumed that external intruders login to the system as authorized users, and hene, the IDS annot distinguish between external intruders and dishonest internal users. Previous studies have shown that inentives for intruders are usually not related to a finanial gain. Hakers tend to be motivated by uriosity, self-esteem, vandalism, peer approval, publi attention, tehnial prowess, and politis (Shaw et al. 999; Koerner 999; Rothke 000). Thus, we assume that when the haker breaks into the system he gets a fixed utility of ì. The dominant strategy of the honest users is not to misuse the system. If an intrusion is disovered, the haker inurs a penalty. The penalty is omposed of two omponents: A fixed penalty $ and a variable penalty proportional to the expeted amount of damage, (d. The fixed penalty an be onsidered as the ost of legal proseution and soial humiliation. The variable penalty term reflets the fat that the legal system awards punishments to fit the rime (Niholson et al. 000). Hene, a larger damage results in a larger penalty. Most organizations detet intrusion through some form of monitoring and analysis of audit trails (h8 pg 3 NIST 800-). Manual monitoring takes the form of a seurity team thoroughly investigating or randomly heking system log files and audit trials for possible intrusions. In general, manual monitoring is too ostly to be done all the time and is done intermittently. The firm inurs a ost of eah time it performs a manual monitoring of the audit trail of a user for a possible intrusion. Manual monitoring done by the firm does not detet intrusion with ertainty. This imperfetion of monitoring is aptured by an effetiveness parameter ", the probability with whih monitoring detets a true intrusion. 3 If manual monitoring detets the intrusion, the firm reovers a fration of the damage by the intruder without any additional ost. This fration is aptured by the parameter, N. Sine manual monitoring is quite labor intensive and too ostly to be done all the time, ompanies supplement manual monitoring with the IDS to redue the ost of monitoring and inrease the effetiveness of intrusion detetion. As disussed before (IDS setion), IDS use the audit trails and send a warning signal for further investigation by seurity investigation team. Sine IDS are not perfet and produe both false positive and false negative errors, we model the effetiveness of IDS through two parameters q and q. The parameter q denotes the probability that the IDS gives a warning signal whenever an intrusion ours. We assume that the IDS performs better than random guessing, and so q lies between 0.5 and. That is, ( q ) represents the probability of false negative. Sometimes the system lassifies an ation as a legitimate ation (false positive). The omplement of q, ( q ), reflets the probability of a false positive signal. Thus q represents the probability that there is no signal when there is no intrusion. It is also assumed to be between 0.5 and for the same reason as q. We onsider two different senarios based on whether the firm has employed the IDS or not. In Senario (baseline senario), the firm does not have the IDS in its seurity arhiteture. The firm solely relies on manual monitoring of system log files and audit trials to detet intrusive ativity. In Senario the firm uses the IDS in the seurity arhiteture to omplement the manual monitoring. We assume 8 to be exogenous in our model. Theoretially, 8 an be ontrolled by appropriately onfiguring the firewalls to limit entry by outsiders, and by hiring ethial employees to limit the proportion of insider hakers. Although there are some minor differenes between the terms haker, raker and intruder, these terms will be used interhangeably in this paper to desribe people who intentionally ompromise omputer systems. 3 We assume that the use of IDS does not alter either the ost or the effetiveness of manual monitoring beause urrent IDS do not provide omprehensive information about the intrusion to hange the parameters (pg. 4 Bae 000). In Setion 6, we disuss the impliations of a potential redution in and/or an inrease in " that may be realized if the tehnology underlying IDS improves in the future Eighth Amerias Conferene on Information Systems

5 Cavusoglu et al./assessing the Value of Detetive Control in IT Seurity Model Analysis No IDS Case (Baseline Senario) In this setion we analyze the baseline senario in whih IDS is not used in the seurity arhiteture of the firm. This will allow us to establish a benhmark result that an be ompared with a senario in whih the firm uses an IDS. We depit the baseline senario in figure. honest (-? ) 4 monitor (? ) no hak (-? ) not monitor (-? ) dishonest (? ) hak (? ) 3 monitor (? ) not monitor (-? ) Figure. The Game Tree for Intrusion Detetion Game without the IDS In the game above the ation set of the dishonest user is speified by S th 0 {no intrusion, intrusion}, where intrusion denotes to break into a system to ause an expeted damage d. The pure strategy of the dishonest user is to selet intrusion or no intrusion with probability one. The mixed strategy spae for the dishonest user is a probability distribution R {intrusion, no intrusion} [0,] where R denotes the probability of intrusion. Similarly the mixed strategy spae for the firm an be defined likewise. We denote the probability of monitoring in any mixed strategy by D. When implementing pure strategies, the firm either always inspets log files or ignores them ompletely. In mixed strategies, the firm hooses to inspet randomly with probability p. Analysis and Results of Case The objetive of the haker is to maximize his expeted payoff while the firm tries to minimize the total organizational losses due to haking. The payoff funtion for the firm is F ( ρψ, ) = ρ λψ( ρ) d λψρ( α) d + λψρα ( φ ) d () The first term in () is the expeted monitoring ost. The seond term is the ost of not inspeting intrusions. The third term orresponds to the ost of ineffetive monitoring (monitoring that is not able to ath haking). The fourth term denotes the expeted un-reovered loss from deteted intrusions. A haker s expeted payoff is H ( ρ, ψ ) = ψ ψρα( β + γd ) () The first term in () is the expeted utility of the haker from intrusions. The seond term is the expeted ost to the haker if intrusions are deteted. Next we summarize the equilibrium strategies for the firm and the intruder in the following proposition. 00 Eighth Amerias Conferene on Information Systems 93

6 Network and Internet Seurity Proposition : The following Nash Equilibria obtains in Case. Equilibria < 8 dαφ α ( β + γ d ) > D =, R = < ρ =, ψ = α( β + γ d ) α( β + γ d ) dαφλ dαφ > 8 D =, R = 0 IDS Case This ase differs from the preeding ase in that an IDS is now a part of the seurity arhiteture. The game tree for this ase is depited in figure. The differene between the game trees of ases and is that in ase there is an additional level before the firm s deision to investigate manually where the IDS provides a signal about possible intrusive ativities. Analysis and Results of Case We define 0 # D # as the probability of monitoring given a signal and 0 # D # as the probability of monitoring given no signal. Thus, ( D ) denotes the probability of not monitoring given a signal, and ( D ) the probability of not monitoring given there is no signal. When D i = {0,} implies pure strategies, and 0 < D i < implies mixed strategies for i =,. When the firm observes a signal or no signal from the IDS, it updates its belief using Bayes rule. If the firm gets a signal from IDS, it determines the posterior probability of intrusion qψλ η=p(intrusion signal)= (3) qψλ + ( q )( ψλ) Similarly, when the firm does not get any signal from the IDS, it alulates the probability as ( q ) ψλ η = P(intrusion no-signal) = ( q ) + q ( ) ψλ ψλ (4) The payoff funtion for the firm depends on the state it is in. The payoff funtions for the signal and the no signal states respetively are as follows. F ( ρ, ψ) = ρ η ( ρ ) d η ρ (( α) d + α( φ) d) (5) S [ ] [ ] F ( ρ, ψ) = ρ η ( ρ ) d η ρ (( α) d + α( φ) d) N The probabilities of the firm being in the signal and no signal state are ( q ψλ( q + q )) respetively. Thus, the firm s expeted payoff at node is given by ( q + ψλ( q + q )) F( ρ, ρ, ψ) = ( q + ψλ( q + q )) F ( ρ, ψ) + ( q ψλ( q + q )) F ( ρ, ψ) S N The intruder s expeted payoff is H ( ρ, ρ, ψ) = ψ ψα( β + γd)( ρ q + ρ ( q )) (6) and (7) (8) Now we present the equilibria for the IDS ase Eighth Amerias Conferene on Information Systems

7 Cavusoglu et al./assessing the Value of Detetive Control in IT Seurity 4 no signal (q ) 8 monitor (? ) not monitor (-? ) honest (-? ) dishonest (λ) not hak (-? ) signal (-q ) no signal (-q ) 7 I 6 monitor (? ) not monitor (-? ) monitor (? ) hak (? ) 3 not monitor (-? ) signal (q ) 5 monitor (? ) I not monitor (-? ) Figure. The Game Tree for Intrusion Detetion Game with IDS Proposition. The following Nash equilibria obtains in ase Equilibria a dαφ < a < < a dαφ dαφ > a α β > ( + γ d ) R =, D =, D = R = D =, D =0 R =, D =0, D =0 q α( β + γd ) < < q ψ = q ( + q ) λ + ( q) dαφλ qα( β + γd) ρ = ( q ) α( β + γ d) < q α( β + γd ) ( q) ψ = qdαφλ ( q + q ) λ ρ =, q α( β + γ d) ρ = 0 00 Eighth Amerias Conferene on Information Systems 95

8 Network and Internet Seurity where, a ( q) λ = and ( q ) λ + q ( λ) a = q λ + qλ q )( λ) ( Value of the IDS Figure 3 illustrates the value of IDS graphially. It highlights some interesting results. In most of the parameter spae, IDS either dereases or doesn t affet the firm s loss. The positive value of IDS in several regions is intuitive. The regions where there is no hange to firm s loss when IDS is deployed orresponds to the extreme high monitoring ost and high haker utility ases in whih the firm s and haker s strategies are unaffeted by the presene of IDS. In region and some part of region 3 IDS has a detrimental effet on total organizational loss, that is, the use of the IDS inreases total loss. As q and q approah one, meaning that as the firm employs a more effetive IDS, regions and 3 shrink, and region fills up that spae. In regions, 5, 6, and 7, the use of the IDS ertainly redues the total organizational loss. In regions 4 and 8, sine equilibrium strategies for the firm and the intruder are the same under both ases, the total organizational loss is the same too, as expeted. Hene there is no additional value from signal from the IDS. However as q approahes one, a goes to zero, and region 5 expands to over region 4 while region 4 disappears. Similarly a approahes one as q approahes one. Hene, as the quality of IDS improves, the value assoiated with the IDS beomes positive for more firms as long as the ost of monitoring is lower than expeted benefit from it (i.e. < dαφ ). In all other ases the firm will never monitor, hene the value of employing the IDS as a seurity tool will be zero. αβγ () + d IDS dereases the organizational loss IDS has no effet on the organizational loss 3 IDS inreases the organizational loss q 7 λ a a 0 a dαφ Figure 3. The Value of IDS for Different Equilibria Regions Managerial Impliations In this setion, we disuss the impliations of our results for firms that seek to employ the IDS and those that develop IDS. We fous only on regions,, and 7 in disussing the impliations. Our hoie of these regions is motivated by the fat that only in these regions the more interesting mixed strategy equilibria our with the IDS. In other regions, either all users hak or no user haks. We assume that these senarios are uninteresting Eighth Amerias Conferene on Information Systems

9 Cavusoglu et al./assessing the Value of Detetive Control in IT Seurity Impliation for IDS Deployers A signifiant impliation of our results is that not all firms benefit by deploying IDS. The loation of the firm in the parameter spae determines whether it benefits from IDS and the extent of benefit. The loation of a firm in the parameter spae depends ritially on the expeted damage d, among other fators. A firm with a higher value of d is riskier in some sense beause it has more to lose from an intrusion. If d for a firm inreases, assuming all other parameters remain the same, the firm ultimately moves into region, in whih the firm realizes a positive value from the IDS. Thus, high-risk firms are more likely to benefit by employing IDS. We an also show that the value of the IDS is inreasing in d in regions and 7 implying that higher-risk firms benefit more from IDS than lower-risk firms. However, if the haker and firm profiles are suh that the firm is loated in region, employing IDS hurts the firm. Firms that have a higher d are hurt more when using IDS within this region. The value of the IDS is inreasing in q and q in regions and 7. Thus, a redution in the rates of false positives and/or false negatives (i.e., a higher quality IDS) helps the firms that find IDS to be benefiial. An inrease in q and q has the opposite effet in region similar to the effet of d disussed in the previous paragraph but redues the region itself. These results are onsistent with our intuition. We find that the proportion of hakers in the user population 8 doesn t affet the value of IDS within regions and. However, note that an inrease in 8 expands the total size of regions and 7, indiating an inrease in the likelihood of a firm being loated in these regions (and, hene realizing positive value from the IDS). The value of IDS is inreasing in 8 in region 7. This result also implies that if a firm loated in region 7 an redue 8 by employing a tighter firewall and by hiring honest employees, then the firm will find the IDS less valuable. This result is also intuitive. Preventive ontrol mehanisms derease the need for detetive ontrols suh as the IDS. Thus, the firewall an substitute the IDS to some extent in region 7. However, tighter firewalls also require substantial investment and may have negative onsequenes by preventing legitimate users from getting to systems. Thus, firms have to arefully analyze the relative ost of investments for firewall and the IDS mehanisms before deiding on seurity arhiteture. Probability of detetion either inreases or remains the same if the IDS has a positive effet on the firm. In region 7, use of the IDS inreases the detetion probability whereas it does not hange the detetion probability in region, meaning that the IDS not only redues total organizational loss but also improves detetion of intrusions in these regions. However, in region, in whih the value of the IDS is negative, when the IDS is employed, the probability of detetion inreases only if effetiveness of manual monitoring is higher than probability of signal when there is an intrusion, and dereases otherwise. Impliations for IDS Developers A signifiant insight from our analysis for the IDS developers relates to the priing of IDS. The prie of IDS, being information goods with negligible marginal prodution ost, is dependent primarily on their value to firms. Sine the value is higher for firms with higher d, IDS developers may realize substantial benefits by targeting higher-risk firms. Also, industries that attrat a high proportion of hakers (i.e., high 8), suh as defense and finanial institutions, are likely to have more firms loated in regions and 7. The IDS developers an realize substantial profits if they an design IDS speifially for these industries by analyzing the intrusion patterns and nature of information assets to be proteted. We noted earlier that the value of the IDS to firms that benefit from the IDS inreases with q and q. Thus, an IDS developer an potentially harge a higher prie for a higher quality produt. A higher quality IDS will also result in a larger market for the IDS beause we find that as q and/or q inreases, the size of regions in whih the IDS has positive value inreases. So, more firms would implement the IDS in their seurity arhiteture. A higher quality IDS inreases the prie as well as demand, and hene the revenue for IDS developers. Thus, our result suggests that the IDS developers should improve the quality of the IDS in both these dimensions. However, it should be noted that the tehnology employed by the IDS, that is, whether the detetion algorithm is based on signature analysis or anomaly detetion, affets the q and q values. Depending on the tehnology used, it may be diffiult to improve both q and q simultaneously. An inrease in q may derease q and vie versa. Researh on IDS algorithms suggests that there may indeed be a negative orrelation between q and q (Axelsson 000). An interesting issue that needs to be investigated is the design of the optimal IDS based on the value of the IDS derived in this paper and osts of improving q and q. Although both q and q have positive effets on the value of IDS to firms, it is important to note that the extents of their effets are not equal. We find that, for firms that find IDS to be benefiial, the marginal inrease in value from a unit inrease in q is 00 Eighth Amerias Conferene on Information Systems 97

10 Network and Internet Seurity greater than the marginal inrease in value from a unit inrease in q. This result suggests that IDS developers should try to improve q to generate additional revenue from IDS users. On the other hand, while an inrease in q doesn t inrease the market size (i.e., the number of firms that realize positive value from IDS), an inrease in q inreases the market size. Thus, IDS developers are faed with a tradeoff between inreasing q or q. An IDS developer should arefully weigh in the benefits of inreasing the market size vis-à-vis the benefits of inreasing the value to users who benefit from IDS when designing IDS. Many of the ommerial IDS are passive in the sense that their primary goal is to provide signals about possible intrusions. Only manual monitoring onfirms whether there is an intrusion. The IDS also do not provide omprehensive information that redues the effort needed in manual monitoring for onfirming or rejeting the intrusion. If IDS play a more ative role and thus redue the ost of subsequent monitoring or inrease the effetiveness of manual monitoring ", we an show that the value of IDS inreases substantially. A derease in not only inreases the value but also the market size for IDS. Thus, it is worthwhile for the IDS developers to embed intelligene into the IDS in order to provide more support in the subsequent manual monitoring proess. Conlusion IT seurity has beome a ritial issue for many firms. IDS play a signifiant role within a firm s seurity arhiteture. This paper investigated the value of IDS to firms. We derived the value of IDS by analyzing two ases. In the first ase, we foused on a firm that doesn t employ IDS. Manual monitoring of the system log files and audit trials is the only way to detet intrusions in this ase. In the seond ase, we analyzed a firm that uses IDS. The IDS omplement manual monitoring by giving signals about possible intrusions. We derived the value of the IDS by determining the savings realized by the firm when it employs the IDS ompared to the ase when no IDS is used. We determined the onditions when the use of the IDS is benefiial to firms and when it is not. We also provided several impliations of our results to the firms and to the IDS developers. We made ertain simplifying assumptions to model the role of IDS in an organization s IT arhiteture. Sine formal modeling relies on abstration to address some issues in a stylized setting, limitations are inherent to the modeling proess. However analysis of an abstrat model an help us understand, explain, and predit issues in realisti settings. Future researh may try to model a riher IT seurity arhiteture inluding simultaneous design of multiple levels of preventive and detetive ontrols. Other researh avenues exist in adapting this model to different ontexts, suh as investment in IDS tehnology to improve the effetiveness of IDS. Notwithstanding these potentially attrative avenues for further researh, the present study provides useful insights into how valuable IDS is in a firm s IT seurity arhiteture and impliations for better IDS design and onfiguration. Referenes Axelsson, S. The Base-Rate Falllay and the Diffiulty of Intrusion Detetion, ACM Transations on Information and System Seurity, 3, 3, August 000. Bae, R. G. Intrusion Detetion, Mamillan Tehnial Publishing, 000. Koerner, B. I., Who are hakers, anyway?, U.S News & World Report, 7,, 53, July 4, 999. Lodin S. Intrusion Detetion Produt Evaluation Criteria, Computer Seurity Journal, 5, -0, 999. MHugh, J., Christie A. C., and Allen J. Defending Yourself: The Role of Intrusion Detetion Systems, IEEE Software, September/Otober 000. Messmer, E. Network Intruders, Network World, 6, 67, Ot. 4, 999. Mukherjee, B., Heberlein L. T., and Levitt K. N. Network Intrusion Detetion, IEEE Network, May/June 994. National Computer Seurity Center, A guide to Understanding Audit in Trusted Systems, NCSC-TG-00, Version, June 988. Niholson, L. J., Shebar T. F., and Weinberg M. R. Computer Crimes, The Amerian Criminal Law Review, Chiago, Spring 000. NIST Publiation 800-, An Introdution to Computer Seurity, NIST, 996. Power, R. 00 CSI/FBI Computer Crime and Seurity Survey, Computer Seurity Issues and Trends, 8,, 00. Rothke, B. Hakers then and now: Answers to Some Perennial Questions, Computer Seurity Journal, 6, 3, -4, 000. Shaw, D. S., Post J. M., and Ruby K. G. Inside the Minds of the Insider, Seurity Management, 34-44, De Tudor, J. K., Information Seurity Arhiteture, Auerbah Publiations, 00. Verton, D., Attorneys Debate Making Cyberrime Laws Tougher, Computerworld, 6, Nov. 0, Eighth Amerias Conferene on Information Systems