herd immunity – does this concept from immunology have relevance for information security?

Post on 29-Nov-2014


DESCRIPTION

Herd immunity (or community immunity) describes a form of immunity that occurs when the vaccination of a significant portion of a population (or herd) provides a measure of protection for individuals who have not developed immunity. Is this a useful concept for Risk Analysis in Information Security? Where does this concept fail to address important issues in Information Security?

TRANSCRIPT

Herd Immunity – Does this concept from Immunology have relevance for Information Security?

Patrick Florer, Risk Centric Security, Inc.

www.riskcentricsecurity.com

Risk Analysis for the 21st Century®

Bio

Patrick Florer has worked in information technology for 34 years. In addition, he worked a parallel track in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment. His roles have included IT operations, programming, and systems analysis. From 1986 until now, he has worked as an independent consultant, helping customers with strategic development, analytics, risk analysis, and decision analysis. He is a cofounder of Risk Centric Security and currently serves as Chief Technology Officer. In addition, he is a Fellow of the Ponemon Institute.

Risk Centric Security, Inc. Confidential and Proprietary . Copyright © 2013 Risk Centric Security, Inc . All rights reserved.

Agenda

What is herd immunity?

Why does it work?

How can it help us when it does work?

How does the arithmetic work?

Discussion and Q & A

Once upon a time …

Why the Blind Men and the Elephant? Be open – avoid jumping to conclusions. Be skeptical – don’t believe everything you see or hear. This is a work in progress and I appreciate your input.

Medicine and Information Security

Viruses

Worms

Infections

Immunization

Inoculation

Monoculture

Base rates

What is Herd Immunity?

“Herd immunity (or community immunity) describes a form of immunity that occurs when the vaccination of a significant portion of a population (or herd) provides a measure of protection for individuals who have not developed immunity. Herd immunity theory proposes that, in contagious diseases that are transmitted from individual to individual, chains of infection are likely to be disrupted when large numbers of a population are immune or less susceptible to the disease. The greater the proportion of individuals who are resistant, the smaller the probability that a susceptible individual will come into contact with an infectious individual.”

From wikipedia.com

What is Herd Immunity?

“Vaccination acts as a sort of firebreak or firewall in the spread of the disease, slowing or preventing further transmission of the disease to others. Unvaccinated individuals are indirectly protected by vaccinated individuals, as the latter are less likely to contract and transmit the disease between infected and susceptible individuals.”

“Herd immunity generally applies only to diseases that are contagious. It does not apply to diseases such as tetanus (which is infectious, but is not contagious), where the vaccine protects only the vaccinated person from disease.”

From wikipedia.com

Assumptions

The individuals in the population are well mixed – i.e.: there are no concentrations of susceptible individuals.

The infection spreads by means of contagion – from person to person, entity to entity, etc.

The infection has a finite ability to infect others.

Immunization is 100% effective.

Herd Immunity Thresholds

Estimated Herd Immunity thresholds for vaccine preventable diseases

Disease      Transmission        R0       Herd immunity threshold
Diphtheria   Saliva              6–7      85%
Measles      Airborne            12–18    92–94%
Mumps        Airborne droplet    4–7      75–86%
Pertussis    Airborne droplet    12–17    92–94%
Polio        Fecal-oral route    5–7      80–86%
Rubella      Airborne droplet    5–7      80–85%
Smallpox     Social contact      6–7      83–85%

R0 is the basic reproduction number, or the average number of secondary infectious cases that are produced by a single index case in a completely susceptible population.

From wikipedia.com

Why does it work?

No contagious disease has an infinite capability to infect. Sooner or later, the disease runs its course, its infection chain is broken, or something shuts it down. Immunization reduces the probability that an infected person will come in contact with a susceptible person.

How does it help us when it works?

Unless small or circumscribed in some way, it is almost impossible to immunize every member of a population.

Some members of a population cannot tolerate immunization.

It can be very expensive to immunize every member of a population.

By giving us an estimate of a threshold immunization level, herd immunity can help us utilize resources more effectively.

Definitions

R0 = the basic Reproduction number: the estimated number of secondary infections that a contagious disease can cause

S = the proportion of susceptible/unvaccinated individuals in a population: S = 1 minus the proportion of vaccinated individuals

HI = Herd Immunity threshold: the percentage of immune individuals

The Math

In order for a disease not to die off, each infected individual must be able to infect at least one other individual. Mathematically, this means that:

R0 x S = 1

The Herd Immunity threshold (percentage immune) plus the percentage of susceptible individuals must = 1

HI + S = 1

The Math

If HI + S = 1, then S = (1 – HI)

If R0 x S = 1, then you can substitute (1 – HI) for S, which gives: R0 x (1 – HI) = 1

Which transforms to:

HI = 1 – 1/R0

The Math – an example

Assume that :

R0 = 7

HI = 1 – 1/R0 = 1 – 1/7 = 1 – 0.143 = 0.857, or ~86%

Results

Assumption: Immunization is 100% effective

Results

[Chart: Required Coverage Rate – 100% Effectiveness; vertical axis 0%–100% in 10% steps, horizontal axis 0–100 in steps of 10]

Results

You can also account for a vaccine that is less than 100% effective. In this case, you must adjust the immune proportion (and therefore S) by the vaccine's effectiveness.

If S = 10% and HI = 90%, assuming 100% vaccine effectiveness, then, at 90% effectiveness:

HI = 90% x 90% = 81%

And S = 100% - 81% = 19%

The Math – an example

In this scenario, a 10 percentage point drop in effectiveness means that the susceptible population has almost doubled, from 10% to 19%. This also means that the effective reach (R0) of the disease will almost double, from 5 to 10.
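As an added example (not code from the deck), the following Python carries the deck's arithmetic through in code and generalizes it: coverage × effectiveness must reach HI, so the coverage needed is HI / effectiveness, which can exceed 100%. The mapping of vaccination onto patching and the function names are assumptions of this example.

```python
"""Herd-immunity arithmetic from the deck, mapped onto patching.

Added illustration, not code from the deck. Assumed mapping:
vaccination = patching a host, vaccine effectiveness = fraction of
patched hosts the patch actually protects, R0 = hosts one infected host
compromises in a fully unpatched, well-mixed population.
"""
from typing import Optional


def herd_immunity_threshold(r0: float) -> float:
    """HI = 1 - 1/R0: immune fraction at which R0 x S falls to 1."""
    if r0 <= 0:
        raise ValueError("R0 must be positive")
    return max(0.0, 1.0 - 1.0 / r0)  # R0 < 1 dies out with no immunity


def immune_fraction(coverage: float, effectiveness: float) -> float:
    """The deck's adjustment: 90% coverage x 90% effectiveness = 81%."""
    return coverage * effectiveness


def effective_reproduction(r0: float, coverage: float,
                           effectiveness: float = 1.0) -> float:
    """R0 x S with S = 1 - immune fraction; >= 1 means self-sustaining."""
    return r0 * (1.0 - immune_fraction(coverage, effectiveness))


def required_coverage(r0: float, effectiveness: float = 1.0) -> Optional[float]:
    """Coverage that brings effective R down to 1, or None if unreachable.

    Generalizes the deck: coverage x effectiveness must reach HI, so the
    coverage needed is HI / effectiveness, which can exceed 100%.
    """
    if not 0.0 < effectiveness <= 1.0:
        raise ValueError("effectiveness must be in (0, 1]")
    needed = herd_immunity_threshold(r0) / effectiveness
    return needed if needed <= 1.0 else None


if __name__ == "__main__":
    # The deck's own example: R0 = 7 -> ~86% must be immune.
    print(f"R0=7  HI={herd_immunity_threshold(7):.3f}")
    # The deck's effectiveness example: 90% coverage at 90% effectiveness.
    print(f"immune={immune_fraction(0.9, 0.9):.2f}  "
          f"R_eff(R0=10)={effective_reproduction(10, 0.9, 0.9):.2f}")
    # Beyond the deck: coverage a 90%-effective patch needs for each R0.
    for r0 in (2, 5, 7, 10, 18):
        need = required_coverage(r0, 0.9)
        label = "unreachable by patching alone" if need is None else f"{need:.0%}"
        print(f"R0={r0:>2}  coverage needed: {label}")
```

The last loop is the practical takeaway: for a fast-spreading worm (high R0) and a patch that does not protect every patched host, no achievable coverage reaches the threshold, so another control has to break the chain.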

Summary

The individuals in the population are well mixed – i.e.: there are no concentrations of susceptible individuals.

The infection spreads by means of contagion – from person to person, entity to entity, etc.

The infection has a finite ability to infect others.

The math: HI = 1 – 1/R0

Summary

We have covered the easy part.

Summary

Now, for the hard part

Application to Infosec

Which kinds of “infections” are contagious – i.e.: they spread laterally, from machine or user to machine or user?

Do viruses, worms, and malware have a finite ability to infect, or do they just keep pounding away, looking for a way to spread?

Application to Infosec – Use Cases

Endpoint Security

Patching

Custom Software

Legacy Systems

How would we measure success? What metrics could we implement in order to understand success and failure? How do we estimate R0 in a computing environment? What kinds of controlled experiments might we design?

Thank You!

Patrick Florer

214.828.1172 patrick@riskcentricsecurity.com

Risk Centric Security, Inc.

www.riskcentricsecurity.com Risk Analysis for the 21st Century®
