Authors: Fabrizio Baiardi, Claudio Telmon, Daniele Sgandurra
Addresses: Dipartimento di Informatica, Universita di Pisa, Largo B. Pontecorvo, 3, 56127 Pisa, Italy. ' Dipartimento di Informatica, Universita di Pisa, Largo B. Pontecorvo, 3, 56127 Pisa, Italy. ' Istituto di Informatica e Telematica, Consiglio Nazionale delle Ricerche, Via Giuseppe Moruzzi, 1, 56124 Pisa, Italy
Abstract: A billing infrastructure is an information and communications technology system that bills a set of customers for some service they access. We discuss how the minimisation of the infrastructure cost may introduce components that are points of catastrophic failure in a security perspective because successful attacks against these components result in a full control of the infrastructure. We describe a classification of both attacks and threats and a mathematical model of attack impacts to prove that the introduction of points of catastrophic failure result in a heavy-tailed probability distribution of impacts. A heavy-tailed distribution has several implications on risk management because the probability of very large impacts may not be neglected and countermeasures cannot be selected according to their cost effectiveness because even the most expensive ones are convenient. For these reasons, risk management should introduce redundant components with a decentralised control to increase resilience and minimise attack impacts.
Keywords: billing infrastructures; heavy-tailed distribution; redundancy; cost effective countermeasures; critical infrastructures; unbounded attack impacts; risk mitigation; risk assessment; ICT; security failure; mathematical modelling; catastrophic failure; risk management; redundant components; decentralised control; resilience.
International Journal of Risk Assessment and Management, 2011 Vol.15 No.2/3, pp.186 - 204
Available online: 26 Aug 2011Full-text access for editors Access for subscribers Purchase this article Comment on this article