Economics of Information Security

www.infosecon.net
www.ljean.com

Emergence of a (sub) Discipline
- Economics of ... whoops! Economics of Security
- No confidentiality without security
- No privacy without confidentiality

The security market is broken
- SSL - a case in point
- Authentication doesn't work (phishing)
- Confidentiality undermined by economic assumptions about CAs

Economics of Information Security
- Fundamentals - what kind of good?
- Valuing investments - ROI, using classic business methods
- Privacy
- Openness - sharing vs secrecy
- Case studies

Security as an Externality
- Vulnerabilities are a negative externality
  - Polluters will go on producing pollution until the costs to the polluter outweigh the benefits.
  - Those who abuse personal data will go on until the costs to the abuser outweigh the benefits.
- Secure systems offer positive externalities
  - LoJack causes auto theft in a neighborhood to go down because it is not visible
  - High levels of trust increase Internet use and value

Security as an Externality
- Shared trust
  - rhosts
  - Password files
  - Address books
- Increased resources
  - DDoS attacks
  - The ability for the attacker to confuse the trail

Governmental Responses to Externalities
- Information provision
- Classification
- Standards setting
- Rule-making
- Prohibitions
- Subsidies
  - Support incident response teams (i.e. provision of the good)
  - Purchase secure technologies
  - Support computer security research

First Workshop
- Economic theory applied to computer security
- Computer security: incentives, liability, optimal investments, metrics and markets

Keynote
- We spend too much - Bruce Schneier
- No, we spend too little - Ross Anderson
- Underscoring that expenses are not qualified in terms of ROI
- How should security investments be evaluated?

2003 Second Keynote
- Applications of risk management to security
- Introduction of options as a method
- Schneier on qualitative evaluation of security choices
  - Five questions
  - Now available in text form as Beyond Fear

2004 Keynote: Dan Geer
- The essence of security is really risk management
- Interdependence, location irrelevance
  - No safe neighborhoods on the net
- Tech advances faster than public comprehension - clue is dropping
- Assets are in motion - where should we be looking?
- Cascade failure
  - Victims become attackers at a higher rate
  - Epidemic modeling
- Unique assets, e.g. DNS
  - Concentrated data or communication
  - Attack: targeted attack of high power
  - Counter: defense in depth of unit, replication of functionality

Third Workshop & New Text

Fundamentals
- Hal Varian, Berkeley, System Reliability and Free Riding
  - What type of good is computer security?
  - Security is a function of most investment, average investment, least investment
- Ross Anderson, Cryptology and Competition Policy - Issues with Trusted Computing
  - What are the incentives of private companies? To use security to limit competition
  - Car repair, printer cartridges, cellular batteries
- Jean Camp and C. Wolfram, Pricing Security
  - Security vulnerabilities as externalities

Vulnerability Market
- Stuart Schechter, Towards Econometric Models of Software Security Risks From Remote Attacks
  - Can use markets for vulnerabilities
- Andy Ozment, Bug Auctions: Vulnerability Markets Reconsidered
  - No good way to measure software security: market for lemons
  - Producers' motivation for vulnerability markets: improved product quality, useful metrics
  - Vulnerability auctions: single buyer, many sellers
  - Auctions are a tool to pay for vulnerabilities that coordinate those at risk.

Vulnerability Sharing
- Hao Xu, Optimal Policy for Software Vulnerability Disclosure
  - Vendors are tempted to release vulnerabilities after their own customers have been protected
  - Markets require coordination
- Ashish Arora - Honey Pots, Impact of Vulnerability Disclosure and Patch Availability
  - Honeypots, two experiments
  - Publication & patching increase attacks by .02 attacks/day
  - Disclosure increases attacks by .26, patching decreases by .5

Vulnerability Markets
- Rahul Telang, An Economic Analysis of Market for Software Vulnerabilities, with Karthik Kannan
  - Motivation: users voluntarily report vulnerabilities to the organization, BUT what if there was a market for vulnerability information?
  - Benign identifier exerts negative externality on hackers
  - Need to define compensation as greater than the reputation capital
  - Markets will increase investigation

Privacy
- Hal Varian - Who Signed Up for the Do-Not-Call List?
  - US: high education, high network use, credit cards
  - The highest value consumers sign up
  - Is privacy a luxury good?
- Alessandro Acquisti - Privacy and Rationality
  - Do individuals care? Can they protect themselves? Should they?

Privacy
- Shostack, Syverson, What Price Privacy
  - People do not value investments with invisible return
  - Lack of information for consumers: privacy market failure
- Vila, Greenstadt, Molnar, Why We Can't Be Bothered to Read Privacy Policies
  - Because they are worthless
  - Privacy policies are a lemons market
- Landwehr, Improving Information Flow in the Information Security Market
  - The entire security market is a lemons market

Spam Economics
- Richard Clayton - Proof-of-work proves not to work
  - Real world email analysis: people really do send a lot of email
  - Pure proof-of-work schemes don't work
  - Spammers have a lower cost of processing because of zombies
  - To allow normal email users to use email, the threshold must be low enough to be subverted by spammers (75 emails/day)
  - Cost of subverted machines is too low for this to be effective

Application of Theory to Security Investment
- Esther Gal-Or, University of Pittsburgh & Anindya Ghose, The Economic Consequences of Sharing Security Information
  - More concentrated markets have incentives to make larger security investments
- Lawrence A. Gordon, Martin P. Loeb & William Lucyshyn, Economic Aspects of Controlling Capital Investments in Cyberspace Security for Critical Infrastructure Assets
  - Optimal investment does not always increase with vulnerability
  - It increases with network value

Consumer Concepts of Privacy
- Acquisti, Grossklags, Privacy Attitudes and Privacy Behavior
  - Individuals see immediate value in information exposure, discount risk
- Acquisti, Privacy and Security of Personal Information
- Odlyzko, Privacy, Economics and Price Discrimination
  - Economics of IT-based industry requires price discrimination
  - This requires privacy loss
  - Privacy is for pricing

Investment
- Roger Adkins, An Insurance Style Model for Determining the Appropriate Investment Level against Maximum Loss arising from an Information Security Breach
  - Traditional capital budgeting: select investment to maximize NPV
  - BUT security investment changes the level of risk, and thus the discount rate
  - Conceptual model as a Binomial Option Pricing Model: either a net savings, or not
  - Underinsurance if you haven't had an incident
  - Overinsurance if you have invested
  - Current practices are reasonable

Security Technologies Are Not in User Interest
- Mauro Sandrini, We Want Security But We Hate It: The Foundations of Security Techno-Economics in the Social World
  - Security is a technology of control
  - Until incentives are aligned, users will resist

Case Studies
- Tom Lookabaugh & Douglas C. Sicker, University of Colorado, Security and Lock-in: The Case of the U.S. Cable Industry
  - Security works only when incentives align
- Nicholas Rosasco, University of Maryland, Baltimore County & David Larochelle, University of Virginia, How and Why More Secure Technologies Succeed in the Legacy Markets: Lessons for the Success of SSH
  - Security diffusion requires incentive alignment
- Bruce Schneier, Evaluating Security Systems
  - Five security questions

Workshops are a Critical Component in Investigation
- Multiple publication paths after the workshop
- Workshops enable cross-barrier exchange
  - Without requiring commitment to publish
- Full proceedings on-line for all workshops
- Economics of Information Security edited text

First to Fourth: Changes
- Open workshop: www.infosecon.org
- Organizational infrastructure
- More institutional focus: Harvard, CMU, Cambridge, Berkeley, Indiana
- Multiple journals, more dissemination
  - ACM TOIT or IEEE Security & Privacy
  - Economists: IEEE/ACM journals are valuable but not top ten
  - Legal scholars: law reviews valuable

Future
- May 2005 Harvard Economics Workshop: www.infosecon.net/workshop
- P2P Economics Workshop
- PET Workshop
- CACR
