session 4: economics of...web vulnerability data 4 hackerone wooyun hq us & nl china founded...

Session 4: Economics of

Privacy & Security

Jens GrossklagsPennsylvania State University

An Empirical Study of Web Vulnerability Discovery Ecosystems

Co-authors: Mingyi Zhao, Peng Liu (Pennsylvania State University)

An Empirical Study of Web Vulnerability Discovery Ecosystems

Mingyi Zhao, Jens Grossklags, Peng Liu

Pennsylvania State University

(1995)

Bug Bounty HistoryBug Bounty Platforms

(Web Vulnerability Discovery Ecosystems)

HackerOne

Wooyun

2

Motivation and Approach

• Motivation: Detailed studies of Web vulnerability discovery ecosystems are absent– Debate on the impact of bug bounties for web security– Policy: e.g., limits on legality of vulnerability research

• Approach: Empirically study characteristics, trajectories and impact of two representative ecosystems– Stakeholders: Companies/organizations, white hats, black hats,

public, policymakers, bounty platform providers etc.– Focus of this presentation: Perspective of companies and

organizations

3

Web Vulnerability Data

4

HackerOne WooyunHQ US & NL ChinaFounded 2013‐11 2010‐07# Vulnerabilities 10,997 64,134# White hats 1,653 7,744Participation Model Organization‐initiated White hat‐initiatedBounty Level Avg. $424 (Various) Very LowDisclosure Partial FullData Collected Bounty Amount 

Response TimelineVulnerability Type Severity

(Data until 2015‐07)

Participation by Organizations

5

Organization Types

6

• HackerOne: 99 organizations– All IT companies– Social networking, security, bitcoin …

• Wooyun: 17328 organizations

# Orgs # VulnGov 3179 4772Edu 1457 4017Fin 1040 2794

IT Sector Non‐IT Sectors

• The white hat-initiated model (Wooyun) achieves a much broader coverage of organizations– Less constraints for targeting organizations with web security

issues– Growing size and diversity of the white hat community

• More limited participation under the organization-initiated model (HackerOne)– Raises question about ways to increase participation by

companies and white hats

7

Takeaways: Participation

Types of Vulnerabilities & Severity

8

Types & Severity - Wooyun

9

* OWASP TOP 10 in bold font

High: 44%Med: 40%Low: 16% 

Severity – HackerOne

• Infer medium and high severity percentage from bounty distribution and policy statement

10

21% 23% 19%

35% 37% 8%

• White hats make considerable contributions– Broad range of vulnerability types– Significant percentage of medium/high severity reports

• White hat-initiated model (Wooyun) harvests potential of the community more comprehensively– Occasional contributors perform as a group almost as well as top

white hats in terms of finding high severity issues– Can organizations properly handle all reports?

11

Takeaways: Types & Severity

Response Behaviors by Organizations

12

Response - Wooyun

13

• Segmenting organizations by Alexa rank (i.e., popularity) reveals differences in response patterns

0%10%20%30%40%50%60%70%80%

Handled Handled(Third Party)

No Response

Large (Alexa 1 ‐ 200)Medium (Alexa 201 ‐ 2000)Small (Alexa > 2000)

Types of Response to Vulnerability Reports

Percentage of R

eports

Response - HackerOne

14

• Organization-initiated programs handle most reports and have quick response times– First response time median: 4.5 hours– 90% of the disclosed reports were resolved in 30 days

15

• Wooyun: Many organizations are not prepared!– Particularly smaller, less popular websites (Alexa > 2000)

• White hat-initiated model may increase risk for unprepared organizations– Vulnerabilities are published after 45 days; vulnerabilities with

no response (unhandled) could still be exploitable– Balance trade-off between applying pressure and reasonable

expectations for response by small companies

Takeaways: Response

Cost and Impact of Bounties

16

• Different levels of bounties:

Impact of bounties?

Bounty Structure - HackerOne

17

020406080100120

0 50 171 319 487 538 611 700

Avg # Vu

ln. p

er M

onth

Average Bounty ($)

Impact of Bounties

• Regression methodology

• Dependent variable: – Average # reports per month

• Independent variables:– Average bounty– Alexa rank– Platform manpower (time-weighted # white hats / # org.)

18

Regression Analysis Results

19

+$100 ~ +3 vuln./month

More popular

More attentionMore complex

More reports

20

• While HackerOne puts focus on monetary compensation of white hats, we still observe many contributions (20% of all reports) to programs without bounties (33% of all programs)– Pay-nothing is a viable approach

• However, higher bounty amount is associated with considerable increase of number of vulnerability reports

Takeaways: Bounties

Security Improvements

21

Vulnerability Trend: Data

22

• Wooyun:

• HackerOne:

Statistical Trend Test

• Laplace Test – Used in previous vulnerability study (Ozment, 2006)– Criteria: >= 4 months and >= 50 reports

23

Decrease Increase No TrendHackerOne 32 8 9

Wooyun 11 81 17

• Despite/because monetary incentives on HackerOne: Fewer vulnerabilities are found over time– Indicative of improved web security of participating IT companies– Initial spike: With sufficient incentive, many vulnerabilities which

likely where known/existed before launch are reported when the program opens

• Opposing trend for Wooyun programs– Likely worse integration between bug bounty program and SDL

24

Takeaways: Trends

Thank you.

25

• Comparison between different Web vulnerability ecosystems provides unique opportunities to study effectiveness of policies and practices– Many more results in the paper(s)

• Jury is still out about which participation model offers the most important benefits

Veronica MarottaCarnegie Mellon University

Alessandro AcquistiCarnegie Mellon University

Who Benefits from Targeted Advertising?Co-author: Kaifu Zhang (Carnegie Mellon University)

Veronica Marotta, Kaifu Zhang, Alessandro Acquisti

Carnegie Mellon University

Federal Trade CommissionPrivacyCon 2016

Who Benefits From Targeted Advertising?

Personal information is the lifeblood of the Internet

Loss of privacy is the price to pay for the benefits of big data

Sharing personal data is an economic win‐win

Who Benefits from Targeted Advertising?

• To what extent availability of more and more preciseinformation about consumers leads to:– An increase in total welfare?– A change of allocation of benefits between different stakeholders?

• Firms• Consumers• Intermediaries (i.e. ad exchanges)

Methodology

• Multi‐stage, 3‐players model of online targeted advertising

• Compare scenarios that differ in the type and amount ofconsumer’s information available during the targeting process

• Account for the role of the intermediary (the ad exchange) inthe advertising ecosystem

• Focus on “Real‐Time Bidding” (RBT)

Advertisers are Bidding for Consumers

Ad Exchange

Advertisers are Bidding for Consumers

Ad Exchange

- Impression- Users

parameters- Cookies

Advertisers are Bidding for Consumers

Ad Exchange

Winner

- Impression- Users

parameters- Cookies

AD

The Model: Basic Setting

3. Consumers:• Have product preference, but need to find seller• Differ along two dimensions: horizontal (brand preference) and

vertical (purchase power)

1. Firms (the Advertisers):• Profit‐Maximizer• Cannot target consumers directly

2. Intermediary (the Ad Exchange):• Profit‐Maximizer• Runs auctions for advertisements’ allocation

The Model: Sequence of Events

ConsumerTwo Dimensions:• Horizontal• Vertical

1 Ad Exchange

2

Firms

Information about consumers made

available

3

Second-Price Auction

4

• Bid for Advertisement (Consumer)

• Price of the product

5

Winner of the Auction• Pays second-highest

bid• Shows the Ad 6

• Sees the Ad• Purchase decision

Consumer

Observes the consumer’s information

The Model: Sequence of Events

ConsumerTwo Dimensions:• Horizontal• Vertical

1 Ad Exchange

2

FirmsObserves the

consumer’s information

3

Second-Price Auction• Horizontal Info• Vertical Info• Both Info• No Info 4

• Bid for Advertisement (Consumer)

• Price of the product

5

Winner of the Auction• Pays second-highest

bid• Shows the Ad 6

• Sees the Ad• Purchase decision

Consumer

Analysis

1. For each scenario, we derive:• Firm’s bidding strategy (for advertisement)• Firm’s pricing strategy (for product being advertised)• Intermediary’s profit• Consumer’s choice

Equilibrium Concept: Nash Equilibrium for Second‐PriceAuctions

2. Through simulations of the model, we analyze how the outcome interms of consumers’ welfare, intermediary’s profit and firms’ profitchanges under the different scenarios

“Consumers at Auction," Veronica Marotta, Alessandro Acquisti, and Kaifu Zhang, ICIS 2015

Welfare Analysis

Consumers’ surplus

X axis: degree of horizontal differentiation

Y ax

is: d

egre

e of

ver

tical

diff

eren

tiatio

n

Horizontal Information

No Information

“Consumers at Auction," Veronica Marotta, Alessandro Acquisti, and Kaifu Zhang, ICIS 2015

Welfare Analysis

Consumers’ surplus

X axis: degree of horizontal differentiation

Y ax

is: d

egre

e of

ver

tical

diff

eren

tiatio

n

Horizontal Information

No Information

Intermediary’s profit

No Information

Vertical Information

Welfare Analysis

• Allocation of Benefits (proportions) among Consumer, Advertiser and Intermediary under the four scenarios

a. No Information

Welfare Analysis

• Allocation of Benefits (proportions) among Consumer, Advertiser and Intermediary under the four scenarios

d. Complete Information

b. Horizontal Information

c. Vertical Information

a. No Information

Results

1. Consumer’s surplus is higher when only specific type of informationis available (horizontal information) and, generally, when lessinformation is available

2. There exist situations in which the incentives of the Intermediary aremisaligned with respect to consumer‘s interest

3. Under certain conditions, the Intermediary obtains the highestproportion of benefits from the targeting process

4. A strategic intermediary may choose to selectively share consumerdata in order to maximize its profits

Limitations/Future work

• Competition among ad networks

• Costs/investments for ad networks

• Reduction in consumer search costs

• Empirical analysis

“The Economics of Privacy,” Acquisti, Taylor, and Wagman, Journal of Economic Literature, (forthcoming)

Personal information is the lifeblood of the Internet

How is the surplus generated by personal data allocated?

Loss of privacy is the price to pay for the benefits of big data

Who bears the costs of privacy enhancing technologies?

Sharing personal datais an economic win‐win

When do consumers benefit from trades in their data?

Catherine TuckerMassachusetts Institute of Technology

Privacy Protection, Personalized Medicine and Genetic Testing

Co-author: Amalia Miller (University of Virginia)

Privacy Protection,Personalized

Medicine andGenetic Testing

Amalia R. Miller andCatherine Tucker

Our research questionWhat kinds of privacyprotections encourage ordiscourage the spread ofhospital genetic testingfor cancer?

What cangenetic tests beused for?Identifying geneticinformation to predict

• susceptibility to disease• course of disease• response to treatment.

BRCA1 mutation

Look at state law variation from2000-2010 which echoes3approaches toprivacy

• Informed consent (EU privacydirectiveof 1996?)

• Regulating datause (USapproach?)

• Establishing property rightsover data(Coasian)

Weuse anational survey tounderstand who gets agenetictest

• National Health InterviewSurveys (NHIS) - part of CDC

• In 2000, 2005, 2010 theyasked30k survey takersabout genetic testing.

There are pros andcons of thedependent variable

• Yes: Testing for predictors ofbreast, ovarian cancer. Actionable.

• But: Few positiveobservations (< 1%)

Weuse standard econometrictechniques

• Statistically relatethe decisionto takeagenetic test tochanges in the patient’s state’sprivacy law.

• Seethe paper for theequations andmethods

Informed Consent reducesgenetic testing by one third,Individual Control increasesgenetic testing by one third

InformedConsent

Usage Restriction

Individual Control

The controls hadweak butexpectedeffects

• Female, black, family cancerpositively affect decision

• No insurance(weakly)negatively affects decision

• Statecharacteristics, age,private insurancearen’tsignificant

The positiveeffect forIndividual Control is notdriven by hospitals

• Hospitals react negatively toconsent laws

• But also react negatively topatient property rights

Weprovide evidencethat oureffect is causal with placebos

• No effect for genetic laws forHIV testing - not drivenbytastes for privacy

• No effect for genetic laws onflu shots - not driven by tastesfor preventativecare

What is going on?• Discrimination laws - lack of information?

• Consent without control-highlights powerlessness?

• Data ownership - Perception ofcontrol or Coase?

Pure consent

Consent with Property Rights

Our effects appear tobedriven by privacy concerns

• Larger effects for those withhigher underlying risk

• No effects for those withpast cancer diagnosis

• Larger effects for‘privacy-protecting’individuals

Summing Up

There are of course limitations1. The unobserved2. No information about

interpretation3. Early stage of diffusion.

When states givemore controlover how their privateinformationis shared genetic testing increases

• Particularly for those whoaremore worried about ‘badnews’

• Hospitals respondnegatively

Wefind that informed consentdeters patients andhospitalsfrom testing

Data usage policies have littleeffect

• Goodor badnewsdepending on how you lookat it

Thank you! cetucker@mit.edu

Sasha RomanoskyRAND Corporation

Examining the Costs and Causes of Cyber Incidents

Costs and Consequences of Cyber IncidentsSasha Romanosky

Costs and Consequences of Cyber IncidentsSasha Romanosky

Motivation

• Data breaches and privacy violations have become commonplace, affecting thousands of firms, and millions of individuals,

- yet we don’t fully understand their costs or impacts- nor do we properly understand the firm’s incentives to invest in

cyber security controls

• Therefore, using a dataset of 12,000 events, we examine the costs, scale, and overall risk of events, by industry and over time

Four types of cyber events

Unauthorized disclosure of private information

Unauthorized disclosure of personal infoData breaches

Security incidents

Privacy violations

Computer attacks against a company

A company’s willful collection or use of personal info

Phishing/skimming Financial criminal acts committed against individuals and firms

We observe publicly available data

Cyber event occurs

Detected

Disclosed

Recorded

Legal action

Notdetected

Notdisclosed

Notrecorded

No legal action

Data breaches greatly outnumber all other incidents

1,500

1,000

500

250

200

150

100

50

0

2004 2006 2008 2010 2012 2014

Databreaches

/////////////////////////////////////////////////////////////////////////////////////////

Numberof

cyberevents

Privacy violations

Securityincidents

Phishing

But security incidents are increasing rapidly

1,500

1,000

500

250

200

150

100

50

0

/////////////////////////////////////////////////////////////////////////////////////////

Numberof

cyberevents

Databreaches

Privacy violations

Phishing

Securityincidents

2004 2006 2008 2010 2012 2014

Industry analysis

• There are many ways to understand risk by industry:- Total incidents, and incident rate- Total lawsuits, and litigation rate- Costs per event

• This helps us understand which industries pose the greatest risk

Finance and Insurance, and Health Care sectorssuffer highest number of incidents

Total incidents

2,000

Finance and

Ins.

Health care

Government

Education

Manufacturing

1,0000

But Govt, and Education sectors suffer highest incident rates

Total incidents Incident rate

.015

Government

Education

Information

Finance and

Ins.

Utilities

.01.0502,000

Finance and

Ins.

Health care

Government

Education

Manufacturing

1,0000

Firms in Information and Finance/Insurance sectors are most often litigated

Number of lawsuits

200

Information

Finance and

Ins.

Manufacturing

Retail Trade

Health Care

1000 25015050

But, Oil & Gas suffers the highest litigation rate

Number of lawsuits Litigation rate

.3

Mining, Oil & Gas

Admin and SupportServices

Ag., Fishing, Hunting

Retail Trade

Information

.2.10200

Information

Finance and

Ins.

Manufacturing

Retail Trade

Health Care

1000 25015050 .4

Next, let’s examine legal actionsAll Legal Actions (1,687)

Civil (1,394) Criminal (293)

State (271) Federal (202) State (91)

Private(922)

Public(201)

Private (221)

Public(50)

Federal (1,123)

2004 2006 2008 2010 2012 2014

Privacy litigation has increased sharply

150

100

50

Total number of lawsuits

0

Databreaches

Privacy violations

Phishing

Securityincidents

2004 2006 2008 2010 2012 2014

150

100

50

Total number of lawsuits

0

Databreaches

Privacy violations

Phishing

Securityincidents

2004 2006 2008

1.0

0.8

0.6

2010 2012

Litigation rate

0.4

0.2

0

2014

But overall litigation rates are declining

Most data breaches cost firms less than $200K

Min Max Median N

Data Breaches $25 $572m $170 K 602Security Incidents $100 $100m $330 K 36Privacy Violations $180 $750m $1.34 M 234Phishing/Skimming $0 $710 m $150 K 49

963These costs are much lower than the $5m often cited

Repeat Players

• 38% of firms (almost 4800) in our dataset suffered multiple incidents

• 50% of all incidents within the Information and Finance/Insurance industries involve repeat players

• No significant difference in legal actions or litigation rate for this group, relative to single players

• However, data breach costs are twice as large for repeat players:- $9.8m vs $4m for single players

Annual losses from cyber events are comparatively small

3.5

10

33

69

70

97

105

151

200

0 100 200 300

Online fraud

Losses from cyber events

Retail shrinkage

Healthcare fraud

Global spending on cybersecurity

Insurance fraud

Cybercrime

Hurricane Katrina

Loss of intellectual property

$ Billions

As a percent of revenue, the cost of cyber events is also very small

0.4

0.9

1.4

3.1

5.2

5.9

20.0

0 10 20 30

Cyber events

Online fraud

Retail shrinkage

Healthcare fraud

Global payment card fraud

Hospitals (bad debt)

Restaurant industry shrinkage

Percent of revenue/volume

Troubling paradox; where do the incentives lie?

• On one hand, cyber events and legal actions are increasing- Compromising the most sensitive kinds of personal information

• On the other hand, typical costs are relatively small- And consumers seem quite satisfied with firm responses (Ablon et

al, 2016)

• What does this suggest for firm incentives in cyber security?

Questions?

sromanos@rand.org

Retail, Information, and Manufacturing sectorssuffer highest losses

Total losses (in Millions $) Loss per event

1.5

Management

Retail

Information

Manufacturing

Wholesale Trade

1.502,000

Information

Manufacturing

Retail

Finance and Ins.

Health care

1,0000 2

• Breach notification, counsel, forensics, IT repair, consumer redress

• Also includes money stolen from banks,financial companies

• Settlements and other judicial awards• Administrative rulings, cy pres

1st-party losses

3rd-party losses

Losses are typically of two types

Total recorded losses of $10 billion

But this represents only 10% of all observed events

$(billions)

Data breaches

8

6

2

0

4

Securityincidents

Privacy violations

Phishing

1st Party

3rd Party

0

20

40

60

80

Numberof cyberevents

In most cases, cyber events cost firms about what they spend on IT security

Annual cost of IT security minus annual cost of cyber events

–$5M $0 $5M

Distribution of Repeat Players

Single

8

6

2

0

4

2-5 6-10 > 10

Number of Firms(in’000s)

Number of repeat incidents

Discussion of Session 4Discussants:• Kevin Moriarty, Federal

Trade Commission

• Doug Smith, Federal Trade Commission

• Siona Listokin, George Mason University

Presenters:• Jens Grossklags,

Pennsylvania State University

• Veronica Marotta,Carnegie Mellon University& Alessandro Acquisti,Carnegie Mellon University

• Catherine Tucker, Massachusetts Institute of Technology

• Sasha Romanosky,RAND Corporation