Economics of CyberSecurity – Fernando Montenegro @fsmontenegro

Uploaded by fernando-montenegro, posted 15-Aug-2015

TRANSCRIPT

Page 1

Economics of CyberSecurity

Fernando Montenegro @fsmontenegro

Page 2

Economics of CyberSecurity – TASK July 2015

Page 3

Assumptions

• Know that "it's bad out there".
• Technically skilled
• Blue Team perspective
• Interested in self-improvement

Page 4

About This Talk

• Why economics
• We got attention, now what?
• Intro econ concepts
• Topics from the edX MOOC
• CyberSec applications - "Cyber"
• Slides will be up at http://www.slideshare.net/fsmontenegro

Page 5

PSA: Why do This?

Page 6

PSA: Why do This?

MYTH?

Page 7

About me

• @fsmontenegro
• Sales Engineer
  – Fraud Prevention/Detection
• CompSci ’94
• Greying hair
• Curious
  – Finance (DIY)
  – Economics (EMH, Behaviour)
  – Data Science (Coursera)

Page 8

INTRO TO ECON

Page 9

Econ History in ~5 minutes

• Pre-classical
  – Philosophy until middle ages
  – Mercantilism
• Adam Smith
  – 1759 – Theory of Moral Sentiments
  – 1776 – Wealth of Nations

Page 10

Econ History (cont.)

• Many others, 18th and 19th centuries
  – Jeremy Bentham
  – Jean Baptiste Say
  – John Stuart Mill
  – David Ricardo
    • Comparative Advantage
  – Karl Marx
    • Labor Theory of Value
    • Capitalism

Page 11

Econ History (cont.)

• 19th into 20th century
  – Austrian School
  – John Maynard Keynes
    • Boost Demand
  – Chicago School
    • Milton Friedman, Coase, Becker, …
    • Rational Expectations
  – Arrow & Debreu
    • Efficient Outcomes in Markets

Page 12

Econ History (cont.)

• Game Theory
  – von Neumann & Morgenstern
  – John Nash
• Information Economics
  – Akerlof, Spence, Stiglitz
• Economics of Security
  – Rumblings in 80s-90s
  – Anderson & Varian, ~2000
  – WEIS 2002

Page 13

Macroeconomics

• National Economies
• Fiscal & Monetary Policy
  – Monetary Supply
  – Interest Rates
• Inflation
• Unemployment
  – Frictional
  – Cyclical
  – Structural

Page 14

Microeconomics

• Allocation of Scarce Resources
• Individuals & Markets
  – Market Mechanisms
  – Types of Goods
• Supply and Demand
• Maximize Utility
• Information Economics
• Decision & Game Theory
• Incentives!

Page 15

(Behavioural Economics)

• "Bounded rationality of economic agents"
  – Humans vs Econs
• Daniel Kahneman, Amos Tversky
• Richard Thaler, Cass Sunstein
• Popular - Dan Ariely, Steven Levitt
• Cognitive Biases
  – Availability
  – Confirmation
  – Intertemporal Choice
    • Hyperbolic Discounting
  – ...
• Incentives!

Page 16

101 - Demand, Supply & Price

[Figure: price (p) against quantity (q); points p1, p2, q1, q2 marked]

Page 17

101 - Demand, Supply & Price

[Figure: price (p) against quantity (q); points p1, p2, q1, q2 marked]

Page 18

101 - Demand, Supply & Price

[Figure: price (p) against quantity (q); equilibrium at p1, q1]

Marginal Cost = Marginal Demand

Page 19

101 - Demand, Supply & Price

[Figure: price (p) against quantity (q); shift from p1, q1 to p2, q2]

MOAR Demand!

Page 20

101 - Demand, Supply & Price

[Figure: price (p) against quantity (q); shift from p1, q1 to p2, q2]

Less Demand!

Page 21

101 - Demand, Supply & Price

[Figure: price (p) against quantity (q); equilibrium at p1, q1]

Marginal Cost = Marginal Demand

Page 22

101 - Demand, Supply & Price

[Figure: price (p) against quantity (q); shift from p1, q1 to p2, q2]

MOAR Supply!

Page 23

101 - Demand, Supply & Price

[Figure: price (p) against quantity (q); shift from p1, q1 to p2, q2]

LESS Supply!

Page 24

Market Functions

• [Perfect] Markets
  – Goods, Labour, …, even Money itself
  – Price is signal
• Private vs. Public Goods
• Market Efficiency
  – Everyone is “better off”
  – Goods produced/consumed
  – Arrow & Debreu

What does a Market Need?

• Large # of buyers and sellers
• Complete property rights
• Complete information
• Rational actors
• No/low transaction costs
• Non-increasing returns to scale

Page 25

Market Failures

# of Buyers & Sellers

• Monopoly / Monopsony
  – Inefficient
  – Barriers to entry
  – Price Discrimination
  – Monopoly captures consumer surplus

Property Rights

• Externalities
  – Negative
    • Free Riding
    • Too much production
    • Moral Hazard
  – Positive
    • Not enough production
• How to address?
  – Taxation, Regulation, Assign Property Rights (Coase)

Page 26

Market Failures

Completeness of Information

• Information Asymmetry
• Adverse Selection
• Moral Hazard
• Principal-Agent Problem
• How to address
  – Signaling
  – Screening

Others

• Irrational actors
  – Biases
• High transaction costs
  – Lower production
  – Lower agility
  – Barriers to entry
  – Regulatory Capture

Page 27

Marginal Cost

[Figure: price (p) against quantity (q); marginal cost (MC) curves for digital vs physical goods]

Page 28

Information Goods

• HIGH fixed costs, low marginal cost
• Prone to monopolies
• Market race -> TIME-TO-MARKET!
  – First mover advantage
  – Technical lock-in
  – Network effects! (Metcalfe’s Law n^2)
  – Appeal to Complementary Goods

Page 29

Information Asymmetry

• Akerlof’s “Market for Lemons”
• Adverse Selection
• Addressing it:
  – Spence -> Signaling
  – Stiglitz -> Screening

Page 30

APPLICATIONS IN CYBERSECURITY

Page 31

Software Development & Systems Design, Operations

• Misaligned Incentives
  – Allocation of Liability
  – Security -> Increased Time to Market
  – Opportunity Cost of Patching
• Information Asymmetry
  – Is the product secure? We can’t tell!
    • Anderson, 2001
• Externalities
  – Onus of patching falls on customer
  – Free riding in open source

Page 32

Externalities...

Page 33

Vulnerability Markets & Bug Bounties

• Long history
  – iDefense, Tipping Point ~2002
  – Schechter, 2002 paper
• Lowering transaction costs (+)
• Perverse incentives (-)
  – Vulns remain secret
  – Nationalistic aspects (Wassenaar)
• Information Asymmetry
  – Signaling & Screening
• HackerOne, BugCrowd, ...

Page 34

Vulnerability Markets

• HackerOne – Wolves of Vuln Street
  – Not Price Alone
  – Bug bounties can work
  – Work on Defensive Tools
• HackerOne – Signal over 10,000 bugs
  – Reputation as Signal

Page 35

HackerOne Study

Page 36

Privacy

• Stated preferences vs actual preferences
• Hyperbolic Discounting
  – Present benefit undervaluing future privacy
• Extraction of ‘willingness to pay’
  – Price discrimination
• Privacy is not salient

Page 37

Risk Management

• Security investments – Gordon-Loeb model
• Conflict Theory
• Risk transfer (insurance)
  – Adverse Selection -> Higher Premiums
  – Correlated risks
• Perverse Incentives
  – providers x consumers
• Information Asymmetry
  – Moral Hazards, Principal-Agent Problems
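The Gordon-Loeb model named in the first bullet can be made concrete with a small calculation. The Python below is an added example, not code from the talk or from Gordon and Loeb: it uses the class-I security breach probability function S(z, v) = v / (αz + 1)^β from their 2002 paper, where z is the security investment, v the probability of a breach with no investment, and λ the loss a breach would cause. The scenario values (λ = $1,000,000, v = 0.5, α = 1e-5, β = 1) are constructed for illustration. The code finds the investment z* that maximises the expected net benefit, verifies it by brute force, and checks it against the model's rule of thumb that the optimal investment never exceeds 1/e (about 37%) of the expected loss vλ.

```python
import math


def breach_probability(z, v, alpha=1e-5, beta=1.0):
    """Gordon-Loeb class-I breach probability after investing z.

    z: security investment; v: breach probability with zero investment;
    alpha, beta: productivity parameters of the investment (assumed values).
    """
    return v / (alpha * z + 1.0) ** beta


def expected_net_benefit(z, v, loss, alpha=1e-5, beta=1.0):
    """ENBIS(z): expected loss avoided by investing z, minus the cost of z."""
    avoided = (v - breach_probability(z, v, alpha, beta)) * loss
    return avoided - z


def optimal_investment(v, loss, alpha=1e-5, beta=1.0):
    """Closed-form maximiser of ENBIS for the class-I function.

    d/dz ENBIS = loss*v*alpha*beta / (alpha*z + 1)^(beta+1) - 1 = 0
      =>  (alpha*z + 1)^(beta+1) = loss*v*alpha*beta
    If even the first unit of investment does not pay back, z* = 0.
    """
    k = loss * v * alpha * beta
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha


def within_one_over_e(z_star, v, loss):
    """Gordon-Loeb bound: the optimal investment never exceeds (1/e) * v * loss."""
    return z_star <= v * loss / math.e


def grid_check(v, loss, alpha=1e-5, beta=1.0, steps=2000):
    """Brute-force sanity check: no grid point between 0 and v*loss beats z*."""
    z_star = optimal_investment(v, loss, alpha, beta)
    best = expected_net_benefit(z_star, v, loss, alpha, beta)
    top = v * loss
    for i in range(steps + 1):
        z = top * i / steps
        if expected_net_benefit(z, v, loss, alpha, beta) > best + 1e-6:
            return False
    return True


if __name__ == "__main__":
    # Constructed scenario: a breach would cost $1,000,000 (lambda) and the
    # system has a 50% chance of being breached with no investment (v).
    V, LOSS = 0.5, 1_000_000.0
    z = optimal_investment(V, LOSS)
    print(f"optimal investment z*        = ${z:,.0f}")
    print(f"expected loss v*lambda       = ${V * LOSS:,.0f}")
    print(f"1/e bound on investment      = ${V * LOSS / math.e:,.0f}")
    print(f"residual breach probability  = {breach_probability(z, V):.3f}")
    print(f"expected net benefit         = ${expected_net_benefit(z, V, LOSS):,.0f}")
    print(f"within 1/e bound: {within_one_over_e(z, V, LOSS)}; grid check: {grid_check(V, LOSS)}")
```

For the constructed scenario the optimum is roughly $124k, well under the $184k that the 1/e rule allows, and it leaves a residual breach probability of about 22%: spending more than z* buys less avoided loss than it costs. The practical point for risk management is that the model argues against chasing zero risk and for sizing spend against the expected loss, with the caveat that λ and v are estimates and the breach function is a modelling assumption, so the output should be treated as a bound for budgeting, not a precise figure.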

Page 38

Cybercrime & Anti-Fraud

• Liability & Incentives
  – Fraud liability and 3DS/EMV liability shifts
• Underground Markets
  – Lower barriers to entry
  – Possible bottlenecks in cash-outs and mules
• Externalities
  – Cost of Crime
  – Cryptolocker et al. changing user behaviour?
• Perverse Incentives
  – High volume, low scale crime not aggregated

Page 39

Security Awareness

• Incentives!
• Behaviour Economics – defaults, nudges
• Moral Hazard
• Principal-Agent Problem
  – Management
  – Individuals

Page 40

Security Labour Market

• 0% Unemployment?
• Opportunity costs of higher salaries
• Perverse Incentives
  – Candidates
  – Hiring Process itself
• Information Asymmetry
  – Signaling – Credentials, Certifications
  – Screening – Interviews, Job Options

Page 41

WRAPPING UP

Page 42

Recap

• Key concepts
  – Markets & Market Failures
  – Information Asymmetry
  – Incentives, incentives, incentives!
• Key areas
  – End-user Behaviour (Corporate and Consumer)
  – Risk Management
  – Software Development Practices

Page 43

More info - Introductory

• Khan Academy - https://www.khanacademy.org/
• Coursera - https://www.coursera.org
• edX - https://courses.edx.org
  – Behaviour Economics in Action (UofT)
• Your Public Library… ebooks FTW!
• Freakonomics – http://freakonomics.com
• MRUniversity - http://mruniversity.com/

Page 44

More info - Intermediate

• edX EconSec (to be offered again)
• Twitter
  – https://twitter.com/fsmontenegro/lists/econcybersec
• Youtube
  – My list - http://bit.ly/1LQ8Ud8
  – SecAppDev, LearnLiberty
  – EconStories, EconTalk
  – ACDCLeadership
• Books
  – Security Engineering
  – Geekonomics
  – New School of InfoSec

Page 45

More info - Advanced

• Workshop on Economics of Information Security (WEIS)
  – http://weis2015.econinfosec.org/
  – Ross Anderson, Alessandro Acquisti [Privacy], Tyler Moore, Jean Camp, Bruce Schneier, ...
  – Economics of Information Security and Privacy book series
• http://www.cl.cam.ac.uk/~rja14/econsec.html
• http://infosecon.net/workshop/bibliography.php

Page 46

More info - Advanced

• Security and Human Behaviour
  – Invite only, but papers available.
  – http://www.heinz.cmu.edu/~acquisti/SHB2015/index.htm
• Society of Information Risk Analysts
  – https://www.societyinforisk.org/
  – SIRACON – Detroit, Oct 8-9!

Page 47

Call to Action

• Consumer
  – Understand markets, tradeoffs, incentives
• Citizen
  – Understand incentives at play in government
• Professional
  – Focus on the right levers (incentives...)
  – Be mindful: isn’t “security” itself an externality?