Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:31 PM

Want Better Security? Reward Your Provider

Security services contracts that offer incentives to notify clients about breaches produce better results, study says

Managed security contracts that reward providers for notifying their clients of breaches provide better security, according to a mathematical analysis conducted by three researchers at the University of Texas at Dallas and the Middle East Technical University.

The research, which will be presented at the Workshop on the Economics of Information Security (WEIS) 2010 next month, analyzed a common type of contract used today in which a provider assesses a fee for its managed security service, but refunds part of the fee -- as a penalty -- if there is a breach.

Using game-theory analysis, the researchers established that this commonly used contract model provides no incentive for the provider to notify its client of a breach.

Two other contract models, however, are more likely to provide incentives for better security, the researchers say. One variant assesses a penalty if there is a breach, but rewards the provider if they are the ones that reveal it. A second variant uses one provider for the managed security service and another to detect breaches.

Without a reward, "You are not providing any incentive for the managed security service provider to detect breaches," says Asunur Cezar, the paper's lead author and an instructor at the Middle East Technical University in Ankara, Turkey. "It may be penalized after some investigation, but that does not necessarily act as an incentive."

The research also found that, when penalties are limited in some way, the second variant -- using one MSSP for monitoring and another for detection -- provides better security. The researchers pointed to court cases that limit penalties against service providers, concluding that such real-world limits mean having one provider essentially audit the other leads to the best performance.

However, using two providers sacrifices any benefits or efficiencies from having a single provider do both functions, Cezar says.

"This trade-off is crucial when choosing to outsource information security," she wrote in the paper.

The results of the study could be interesting academically, but they might not translate well to real-world MSSP contracts, says John Pescatore, vice president of analyst firm Gartner. In the real world, service firms are providing a specific function, not blanket protection, so it is usually difficult to penalize the companies for a breach.

"The contract is to manage your firewalls or manage your firewalls, intrusion detection system, and antiviral -- they are not saying, 'Sign up with us, and we will protect you against all breaches,'" Pescatore says.

If a company's intrusion detection service misses an attack, for example, but after a signature update is able to detect compromised systems, the vendor's service has performed as advertised, Pescatore says. Typically providers offer a service-level agreement (SLA) that requires them to notify the client of any detected events within a certain time period -- say, one hour or 15 minutes.

What might not work for an external service provider, however, could work with an internal IT department, Pescatore argues.

"I think if you turn the calculus around, the argument almost makes more sense when companies are running their own firewalls," he says. "There is a reluctance when there is a serious problem to tell people in the company."

The research does highlight some of the forces that are driving the managed security services market. For example, analysis of the trade-off between monitoring and detection suggests that companies will settle for detecting hard-to-prevent security breaches after the fact if prevention is too costly. Conversely, if detecting security breaches after the fact is too costly -- because of the damage done -- then more money will flow into monitoring and prevention services, the paper argues.

These forces -- in addition to the limits on penalties -- suggest that using two services might be a better choice, METU's Cezar says.

"Our results suggest that we will see more two-MSSP contracts," she says.

Already, there are some signs that such two-party security services are becoming more common, Pescatore says. He points to the use of vulnerability-scanning firms, such as Qualys, to check that a managed firewall service is working appropriately.

"It is not unusual, even today, for people to outsource checks on their security," he says. "There are even SLAs that require software-as-a-service vendors to run vulnerability scans against their services."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
Cross Site Scripting (XSS) in Group Office CRM 6.4.196 via the SET_LANGUAGE parameter.
PUBLISHED: 2021-04-14
A Server-Side Request Forgery (SSRF) vulnerability in Group Office 6.4.196 allows a remote attacker to forge GET requests to arbitrary URLs via the url parameter to group/api/upload.php.
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Core - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker with l...
PUBLISHED: 2021-04-14
The Windows Installation component of TIBCO Software Inc.'s TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Community Edition and TIBCO Messaging - Eclipse Mosquitto Distribution - Bridge - Enterprise Edition contains a vulnerability that theoretically allows a low privileged attacker wi...
PUBLISHED: 2021-04-14
In Deark before 1.5.8, a specially crafted input file can cause a NULL pointer dereference in the dbuf_write function (src/deark-dbuf.c).