herd immunity – does this concept from immunology have relevance for information security?
DESCRIPTION
Herd immunity (or community immunity) describes a form of immunity that occurs when the vaccination of a significant portion of a population (or herd) provides a measure of protection for individuals who have not developed immunity. Is this a useful concept for Risk Analysis in Information Security? Where does this concept fail to address important issues in Information Security?
TRANSCRIPT
Herd Immunity – Does this concept from Immunology have relevance for Information Security?
Patrick Florer Risk Centric Security, Inc.
www.riskcentricsecurity.com
Risk Analysis for the 21st Century®
Bio
Patrick Florer has worked in information technology for 34 years. In addition, he worked a parallel track in medical outcomes research, analysis, and the creation of evidence-based guidelines for medical treatment. His roles have included IT operations, programming, and systems analysis. From 1986 until now, he has worked as an independent consultant, helping customers with strategic development, analytics, risk analysis, and decision analysis. He is a cofounder of Risk Centric Security and currently serves as Chief Technology Officer. In addition, he is a Fellow of the Ponemon Institute.
Risk Centric Security, Inc. Confidential and Proprietary . Copyright © 2013 Risk Centric Security, Inc . All rights reserved.
Agenda
What is herd immunity?
Why does it work?
How can it help us when it does work?
How does the arithmetic work?
Discussion and Q & A
Once upon a time …
Why the Blind Men and the Elephant? Be open – avoid jumping to conclusions. Be skeptical – don’t believe everything you see or hear. This is a work in progress and I appreciate your input.
Medicine and Information Security
Viruses
Worms
Infections
Immunization
Inoculation
Monoculture
Base rates
What is Herd Immunity? “Herd immunity (or community immunity) describes a form of immunity that occurs when the vaccination of a significant portion of a population (or herd) provides a measure of protection for individuals who have not developed immunity. Herd immunity theory proposes that, in contagious diseases that are transmitted from individual to individual, chains of infection are likely to be disrupted when large numbers of a population are immune or less susceptible to the disease. The greater the proportion of individuals who are resistant, the smaller the probability that a susceptible individual will come into contact with an infectious individual.”
From wikipedia.com
What is Herd Immunity? “Vaccination acts as a sort of firebreak or firewall in the spread of the disease, slowing or preventing further transmission of the disease to others. Unvaccinated individuals are indirectly protected by vaccinated individuals, as the latter are less likely to contract and transmit the disease between infected and susceptible individuals.” “Herd immunity generally applies only to diseases that are contagious. It does not apply to diseases such as tetanus (which is infectious, but is not contagious), where the vaccine protects only the vaccinated person from disease.”
From wikipedia.com
Assumptions
The individuals in the population are well mixed, i.e., there are no concentrations of susceptible individuals.
The infection spreads by means of contagion: from person to person, entity to entity, etc.
The infection has a finite ability to infect others.
Immunization is 100% effective.
Herd Immunity Thresholds
Estimated Herd Immunity thresholds for vaccine-preventable diseases
Disease      Transmission        R0       Herd immunity threshold
Diphtheria   Saliva              6–7      85%
Measles      Airborne            12–18    92–94%
Mumps        Airborne droplet    4–7      75–86%
Pertussis    Airborne droplet    12–17    92–94%
Polio        Fecal-oral route    5–7      80–86%
Rubella      Airborne droplet    5–7      80–85%
Smallpox     Social contact      6–7      83–85%
R0 is the basic reproduction number, or the average number of secondary infectious cases that are produced by a single index case in a completely susceptible population.
From wikipedia.com
Why does it work? No contagious disease has an infinite capability to infect. Sooner or later, the disease runs its course, its infection chain is broken, or something shuts it down. Immunization reduces the probability that an infected person will come in contact with a susceptible person.
How does it help us when it works?
Unless the population is small or circumscribed in some way, it is almost impossible to immunize every member of it.
Some members of a population cannot tolerate immunization.
It can be very expensive to immunize every member of a population.
By giving us an estimate of a threshold immunization level, herd immunity can help us utilize resources more effectively.
Definitions
R0 – the basic reproduction number: the estimated number of secondary infections that a contagious disease can cause
S – the proportion of susceptible/unvaccinated individuals in a population: S = 1 minus the proportion of vaccinated individuals
HI – the herd immunity threshold: the percentage of immune individuals
The Math
In order for a disease not to die off, each infected individual must be able to infect at least one other individual. Mathematically, this means that:
R0 x S = 1
The Herd Immunity threshold (percentage immune) plus the percentage of susceptible individuals must equal 1:
HI + S = 1
The Math
If HI + S = 1, then S = 1 – HI
If R0 x S = 1, then substituting (1 – HI) for S gives: R0 x (1 – HI) = 1
Which transforms to:
HI = 1 – 1/R0
The Math – an example
Assume that R0 = 7:
HI = 1 – 1/R0
= 1 – 1/7 = 1 – 0.143 = 0.857, or ~86%
Results
Assumption: Immunization is 100% effective
Results
[Chart: Required Coverage Rate – 100% Effectiveness; vertical axis 0%–100%, horizontal axis 0–100]
Results
You can also account for a vaccine that is less than 100% effective. In this case, the immune proportion is the vaccinated proportion multiplied by the vaccine's effectiveness, and S must be adjusted accordingly.
If HI = 90% and S = 10% at 100% vaccine effectiveness, then at 90% effectiveness:
HI = 90% x 90% = 81%
and S = 100% – 81% = 19%
The Math – an example
In this scenario, a 10 percentage point drop in effectiveness means that the susceptible population has almost doubled, from 10% to 19%. This also means that R0, the effective reach of the disease, will almost double, from 5 to 10.
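The arithmetic of the last several slides (HI = 1 – 1/R0, the coverage-times-effectiveness adjustment, and the R0 x S boundary) carried into code and applied to a patched endpoint fleet. This is an added example, not code from the deck; the fleet of 10,000 hosts, its patch coverage, the 90% patch effectiveness and the R0 of 7 for the worm are constructed assumptions.

```python
"""Herd-immunity arithmetic from the deck, applied to a patched endpoint fleet.

Added worked example, not code from the original deck; the fleet scenario and
its numbers are constructed for illustration.
"""


def herd_immunity_threshold(r0: float) -> float:
    """HI = 1 - 1/R0: the immune fraction at which each case produces, on
    average, one secondary case (the deck's R0 x S = 1 boundary)."""
    if r0 <= 1:
        return 0.0  # with R0 <= 1 the chain breaks without any immunization
    return 1.0 - 1.0 / r0


def effective_immunity(coverage: float, effectiveness: float) -> float:
    """Immune fraction when the control is only partly effective:
    coverage x effectiveness, e.g. 90% x 90% = 81% as in the deck."""
    return coverage * effectiveness


def required_coverage(r0: float, effectiveness: float) -> float:
    """Coverage needed so that coverage x effectiveness reaches HI.
    A result above 1.0 means no coverage level reaches the threshold."""
    return herd_immunity_threshold(r0) / effectiveness


def spread_is_contained(hosts_total: int, hosts_patched: int,
                        patch_effectiveness: float, r0: float) -> bool:
    """True when R0 x S < 1 for the fleet, i.e. each compromised host is
    expected to reach fewer than one susceptible peer."""
    coverage = hosts_patched / hosts_total
    susceptible = 1.0 - effective_immunity(coverage, patch_effectiveness)
    return r0 * susceptible < 1.0


if __name__ == "__main__":
    # Cross-check the deck's table: R0 of 6 and 7 bracket diphtheria's 85%.
    for r0 in (6, 7, 12, 18):
        print(f"R0={r0:>2}: HI = {herd_immunity_threshold(r0):.1%}")
    # Constructed fleet: 10,000 hosts, 9,000 patched, patch 90% effective,
    # against a worm assumed to reach 7 peers per compromised host.
    print("contained at 90% coverage:", spread_is_contained(10_000, 9_000, 0.90, 7))
    print(f"coverage needed: {required_coverage(7, 0.90):.1%}")
```

With 90% coverage and a 90% effective patch the fleet is only 81% immune, below the 85.7% threshold for R0 = 7, so the chain is not broken; about 95% coverage would be needed.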
Summary
The individuals in the population are well mixed, i.e., there are no concentrations of susceptible individuals.
The infection spreads by means of contagion: from person to person, entity to entity, etc.
The infection has a finite ability to infect others.
The math: HI = 1 – 1/R0
Summary
We have covered the easy part.
Summary
Now, for the hard part
Application to Infosec
Which kinds of “infections” are contagious, i.e., spread laterally, from machine or user to machine or user?
Do viruses, worms, and malware have a finite ability to infect, or do they just keep pounding away, looking for a way to spread?
Application to Infosec – Use Cases
Endpoint Security
Patching
Custom Software
Legacy Systems
How would we measure success? What metrics could we implement in order to understand success and failure? How do we estimate R0 in a computing environment? What kinds of controlled experiments might we design?
Thank You!
Patrick Florer
214.828.1172 [email protected]
Risk Centric Security, Inc.
www.riskcentricsecurity.com Risk Analysis for the 21st Century®