Economics of CyberSecurity
Fernando Montenegro (@fsmontenegro)
Economics of CyberSecurity – TASK July 2015
Assumptions
• Know that "it's bad out there".
• Technically skilled
• Blue Team perspective
• Interested in self-improvement
About This Talk
• Why economics
• We got attention, now what?
• Intro econ concepts
• Topics from the edX MOOC
• CyberSec applications - "Cyber"
• Slides will be up at http://www.slideshare.net/fsmontenegro
PSA: Why do This?
MYTH?
About me
• @fsmontenegro
• Sales Engineer
  – Fraud Prevention/Detection
• CompSci '94
• Greying hair
• Curious
  – Finance (DIY)
  – Economics (EMH, Behaviour)
  – Data Science (Coursera)
INTRO TO ECON
Econ History in ~5 minutes
• Pre-classical
  – Philosophy until middle ages
  – Mercantilism
• Adam Smith
  – 1759 – Theory of Moral Sentiments
  – 1776 – Wealth of Nations
Econ History (cont.)
• Many others, 18th and 19th centuries
  – Jeremy Bentham
  – Jean Baptiste Say
  – John Stuart Mill
  – David Ricardo
    • Comparative Advantage
  – Karl Marx
    • Labor Theory of Value
    • Capitalism
Econ History (cont.)
• 19th into 20th
  – Austrian School
  – John Maynard Keynes
    • Boost Demand
  – Chicago School
    • Milton Friedman, Coase, Becker, …
    • Rational Expectations
  – Arrow & Debreu
    • Efficient Outcomes in Markets
Econ History (cont.)
• Game Theory
  – von Neumann & Morgenstern
  – John Nash
• Information Economics
  – Akerlof, Spence, Stiglitz
• Economics of Security
  – Rumblings in 80s-90s
  – Anderson & Varian, ~2000
  – WEIS 2002
Macroeconomics
• National Economies
• Fiscal & Monetary Policy
  – Money Supply
  – Interest Rates
• Inflation
• Unemployment
  – Frictional
  – Cyclical
  – Structural
Microeconomics
• Allocation of Scarce Resources
• Individuals & Markets
  – Market Mechanisms
  – Types of Goods
• Supply and Demand
• Maximize Utility
• Information Economics
• Decision & Game Theory
• Incentives!
(Behavioural Economics)
• "Bounded rationality of economic agents"
  – Humans vs Econs
• Daniel Kahneman, Amos Tversky
• Richard Thaler, Cass Sunstein
• Popular - Dan Ariely, Steven Levitt
• Cognitive Biases
  – Availability
  – Confirmation
  – Intertemporal Choice
    • Hyperbolic Discounting
  – ...
• Incentives!
101 - Demand, Supply & Price
[Chart sequence: price (p) on the vertical axis, quantity (q) on the horizontal axis; demand and supply curves meet at the equilibrium (p1, q1)]
  – Equilibrium: Marginal Cost = Marginal Demand
  – MOAR Demand! (demand curve shifts out; new equilibrium at higher p2, higher q2)
  – Less Demand! (demand curve shifts in; new equilibrium at lower p2, lower q2)
  – MOAR Supply! (supply curve shifts out; new equilibrium at lower p2, higher q2)
  – LESS Supply! (supply curve shifts in; new equilibrium at higher p2, lower q2)
Market Functions
• [Perfect] Markets
  – Goods, Labour, …, even Money itself
  – Price is signal
• Private vs. Public Goods
• Market Efficiency
  – Everyone is "better off"
  – Goods produced/consumed
  – Arrow & Debreu
What does a Market Need?
• Large # of buyers and sellers
• Complete property rights
• Complete information
• Rational actors
• No/low transactions costs
• Non-increasing returns to scale
Market Failures
# of Buyers & Sellers
• Monopoly / Monopsony
  – Inefficient
  – Barriers to entry
  – Price Discrimination
  – Monopoly captures consumer surplus
Property Rights
• Externalities
  – Negative
    • Free Riding
    • Too much production
    • Moral Hazard
  – Positive
    • Not enough production
• How to address?
  – Taxation, Regulation, Assign Property Rights (Coase)
Market Failures
Completeness of Information
• Information Asymmetry
• Adverse Selection
• Moral Hazard
• Principal-Agent Problem
• How to address
  – Signaling
  – Screening
Others
• Irrational actors
  – Biases
• High transaction costs
  – Lower production
  – Lower agility
  – Barriers to entry
  – Regulatory Capture
Marginal Cost
[Chart: marginal cost (MC) against quantity (q); the MC curve for physical goods compared with the near-flat MC curve for digital goods]
Information Goods
• HIGH fixed costs, low marginal cost
• Prone to monopolies
• Market race -> TIME-TO-MARKET!
  – First mover advantage
  – Technical lock-in
  – Network effects! (Metcalfe's Law n^2)
  – Appeal to Complementary Goods
Information Asymmetry
• Akerlof's "Market for Lemons"
• Adverse Selection
• Addressing it:
  – Spence -> Signaling
  – Stiglitz -> Screening
APPLICATIONS IN CYBERSECURITY
Software Development & Systems Design, Operations
• Misaligned Incentives
  – Allocation of Liability
  – Security -> Increased Time to Market
  – Opportunity Cost of Patching
• Information Asymmetry
  – Is the product secure? We can't tell!
  – Anderson, 2001
• Externalities
  – Onus of patching falls on customer
  – Free riding in open source
Externalities...
Vulnerability Markets & Bug Bounties
• Long history
  – iDefense, TippingPoint ~2002
  – Schechter, 2002 paper
• Lowering transaction costs (+)
• Perverse incentives (-)
  – Vulns remain secret
  – Nationalistic aspects (Wassenaar)
• Information Asymmetry
  – Signaling & Screening
• HackerOne, BugCrowd, ...
Vulnerability Markets
• HackerOne – "The Wolves of Vuln Street"
  – Not Price Alone
  – Bug bounties can work
  – Work on Defensive Tools
• HackerOne – Signal, over 10,000 bugs
  – Reputation as Signal
HackerOne Study
Privacy
• Stated preferences vs actual preferences
• Hyperbolic Discounting
  – The present benefit wins; future privacy is undervalued
• Extraction of 'willingness to pay'
  – Price discrimination
• Privacy is not salient
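Hyperbolic discounting, named under cognitive biases earlier and again here, can be made concrete with a small calculation. The Python below is an added example and not from the talk: a user is offered an immediate benefit (a coupon) in exchange for data whose expected privacy cost lands one period later; the amounts, the discount parameter k and the function names are constructed for illustration. The point it shows is the gap between stated and actual preferences: with a hyperbolic discount function the user rejects the trade when asked about it as a future decision, but accepts it once the benefit is on the table right now, whereas an exponential (time-consistent) discounter gives the same answer in both framings.

```python
# Added example: preference reversal under hyperbolic discounting.
# Scenario (constructed): accept an immediate benefit (a 10-unit coupon) in
# exchange for personal data whose expected privacy cost (15 units) is
# realised one period later. Does the user take the deal?

def hyperbolic(k):
    """Return a hyperbolic discount function D(t) = 1 / (1 + k*t)."""
    return lambda t: 1.0 / (1.0 + k * t)

def exponential(delta):
    """Return an exponential discount function D(t) = delta**t (time-consistent)."""
    return lambda t: delta ** t

def accepts_offer(discount, offset, benefit=10.0, cost=15.0, delay=1):
    """True if the discounted benefit outweighs the discounted privacy cost.

    offset: how far in the future the decision is placed (0 = the coupon is
            on the table right now; 10 = being asked today about a choice
            10 periods away, i.e. a stated preference).
    delay:  periods between receiving the benefit and paying the privacy cost.
    """
    pv_benefit = benefit * discount(offset)
    pv_cost = cost * discount(offset + delay)
    return pv_benefit > pv_cost

def preference_reversal(discount, far=10):
    """True when the answer flips between the distant framing and the immediate one."""
    stated = accepts_offer(discount, offset=far)   # asked about the future choice
    actual = accepts_offer(discount, offset=0)     # the choice is now
    return stated != actual

if __name__ == "__main__":
    for name, d in [("hyperbolic k=1.0", hyperbolic(1.0)),
                    ("exponential delta=0.8", exponential(0.8))]:
        print(f"{name}: stated={accepts_offer(d, 10)} "
              f"actual={accepts_offer(d, 0)} reversal={preference_reversal(d)}")
```

With k = 1 the hyperbolic user values the coupon at 10 and the later cost at 7.5 when both are immediate, so shares; asked about the same choice ten periods out, the cost (15/12) outweighs the benefit (10/11), so the stated answer is "no". That is the survey-versus-behaviour gap the slide describes. The exponential user answers "no" in both framings.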
Risk Management
• Security investments
  – Gordon-Loeb model
• Conflict Theory
• Risk transfer (insurance)
  – Adverse Selection -> Higher Premiums
  – Correlated risks
• Perverse Incentives
  – providers x consumers
• Information Asymmetry
  – Moral Hazards, Principal-Agent Problems
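The Gordon-Loeb model in the first bullet yields a number rather than a slogan. With v the probability of a breach if nothing extra is spent, L the loss when a breach happens, and z the spend, the expected net benefit of the investment is ENBIS(z) = [v - S(z,v)]·L - z, where S(z,v) is the breach probability after spending z. For the two families of S the paper studies, the optimal z never exceeds vL/e, about 37% of the expected loss. The Python below is an added example, not from the talk: it assumes the paper's class II function S(z,v) = v^(αz+1), and the values of v, L and α are constructed for illustration.

```python
import math

# Added example: the Gordon-Loeb security investment model with the class II
# breach probability function, on constructed numbers. Not from the talk.
#   v     : vulnerability, probability of breach with no added spending, 0 < v < 1
#   loss  : monetary loss if a breach occurs
#   alpha : productivity of security spending (alpha > 0), class II parameter
#   z     : amount invested in security

def breach_probability(z, v, alpha):
    """Class II breach probability after investing z: S(z, v) = v ** (alpha*z + 1)."""
    if not 0.0 < v < 1.0:
        raise ValueError("v must be a probability strictly between 0 and 1")
    return v ** (alpha * z + 1.0)

def enbis(z, v, loss, alpha):
    """Expected net benefit of investing z: [v - S(z, v)] * loss - z."""
    return (v - breach_probability(z, v, alpha)) * loss - z

def one_over_e_bound(v, loss):
    """Gordon-Loeb result: the optimal investment is at most (1/e) * v * loss."""
    return v * loss / math.e

def optimal_investment(v, loss, alpha):
    """Closed-form maximiser of ENBIS for class II, clamped at zero.

    d ENBIS/dz = -S(z, v) * alpha * ln(v) * loss - 1 = 0 gives the residual
    breach probability at the optimum, S(z*, v) = -1 / (alpha * loss * ln v);
    solving S(z*, v) = v ** (alpha*z* + 1) for z* gives the expression below.
    A negative z* means the first dollar does not pay for itself: invest 0.
    """
    if not 0.0 < v < 1.0:
        raise ValueError("v must be a probability strictly between 0 and 1")
    target = -1.0 / (alpha * loss * math.log(v))  # residual breach probability at z*
    z_star = (math.log(target) / math.log(v) - 1.0) / alpha
    return max(0.0, z_star)

def optimal_investment_grid(v, loss, alpha, step=100.0):
    """Brute-force cross-check: scan z from 0 to v*loss and keep the best ENBIS."""
    best_z, best_val = 0.0, enbis(0.0, v, loss, alpha)
    z = step
    while z <= v * loss:
        val = enbis(z, v, loss, alpha)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z

if __name__ == "__main__":
    v, loss, alpha = 0.5, 1_000_000.0, 1e-5   # constructed: 50% breach chance, $1M loss
    z_star = optimal_investment(v, loss, alpha)
    print(f"expected loss with no spending : {v * loss:,.0f}")
    print(f"optimal investment z*          : {z_star:,.0f}")
    print(f"grid search cross-check        : {optimal_investment_grid(v, loss, alpha):,.0f}")
    print(f"1/e bound on z*                : {one_over_e_bound(v, loss):,.0f}")
    print(f"residual breach probability    : {breach_probability(z_star, v, alpha):.3f}")
    print(f"net benefit at z*              : {enbis(z_star, v, loss, alpha):,.0f}")
    # Low-productivity spending: the closed form goes negative, so spend nothing.
    print(f"z* with alpha=1e-7             : {optimal_investment(v, loss, 1e-7):,.0f}")
```

For the constructed case the expected loss is 500,000, the optimum spend is roughly 179,000, under the 1/e ceiling of about 184,000, and it cuts the breach probability from 0.5 to about 0.14. The practical use for a defender is the ceiling: once vL is estimated, a budget well above a third of it needs a justification the model does not supply. The model also treats each asset in isolation, so it says nothing about the correlated risks raised in the insurance bullet.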
Cybercrime & Anti-Fraud
• Liability & Incentives
  – Fraud liability and 3DS/EMV liability shifts
• Underground Markets
  – Lower barriers to entry
  – Possible bottlenecks in cash-outs and mules
• Externalities
  – Cost of Crime
  – Cryptolocker et al. changing user behaviour?
• Perverse Incentives
  – High volume, low scale crime not aggregated
Security Awareness
• Incentives!
• Behaviour Economics – defaults, nudges
• Moral Hazard
• Principal-Agent Problem
  – Management
  – Individuals
Security Labour Market
• 0% Unemployment?
• Opportunity costs of higher salaries
• Perverse Incentives
  – Candidates
  – Hiring Process itself
• Information Asymmetry
  – Signaling – Credentials, Certifications
  – Screening – Interviews, Job Options
WRAPPING UP
Recap
• Key concepts
  – Markets & Market Failures
  – Information Asymmetry
  – Incentives, incentives, incentives!
• Key areas
  – End-user Behaviour (Corporate and Consumer)
  – Risk Management
  – Software Development Practices
More info - Introductory
• Khan Academy - https://www.khanacademy.org/
• Coursera - https://www.coursera.org
• edX - https://courses.edx.org
  – Behaviour Economics in Action (UofT)
• Your Public Library… ebooks FTW!
• Freakonomics – http://freakonomics.com
• MRUniversity - http://mruniversity.com/
More info - Intermediate
• edX EconSec (to be offered again)
• Twitter
  – https://twitter.com/fsmontenegro/lists/econcybersec
• Youtube
  – My list - http://bit.ly/1LQ8Ud8
  – SecAppDev, LearnLiberty
  – EconStories, EconTalk
  – ACDCLeadership
• Books
  – Security Engineering
  – Geekonomics
  – New School of InfoSec
More info - Advanced
• Workshop on Economics of Information Security (WEIS)
  – http://weis2015.econinfosec.org/
  – Ross Anderson, Alessandro Acquisti [Privacy], Tyler Moore, Jean Camp, Bruce Schneier, ...
  – Economics of Information Security and Privacy book series
• http://www.cl.cam.ac.uk/~rja14/econsec.html
• http://infosecon.net/workshop/bibliography.php
More info - Advanced
• Security and Human Behaviour
  – Invite only, but papers available.
  – http://www.heinz.cmu.edu/~acquisti/SHB2015/index.htm
• Society of Information Risk Analysts
  – https://www.societyinforisk.org/
  – SIRACON – Detroit, Oct 8-9!
Call to Action
• Consumer
  – Understand markets, tradeoffs, incentives
• Citizen
  – Understand incentives at play in government
• Professional
  – Focus on the right levers (incentives...)
  – Be mindful: isn't "security" itself an externality?