www.irp-management.com | Cyber Security | Date: 27 January 2017 | Draft version
Cyber Security Economics
Hans Oosterling, January 2017
General Framework, version 0.1
Markets for Information Goods
- Data and software
  – High fixed costs, unlimited volume, low or near-zero variable costs
  – Strategy: growth; increase switching costs, lock in customers
  – Information asymmetry in the market: a "market for lemons", where "bad quality drives out good quality"
  – Metcalfe's Law: the value of a network is proportional to the square of the number of users (as with the telephone)
Classical Economics
- The market price tends towards the marginal cost
  – Marginal cost = variable cost + fixed cost / volume
- The variable cost for producers of information goods is near zero, so they will go for ever-increasing market share and market dominance (or even a monopoly)
- The strategy of information-good providers therefore favours market share over improved quality
[Chart: cost per unit (€) against volume (#) for a traditional business and a software business, each split into a fixed-cost-per-unit component (fixed/volume) and a variable-cost component; for the software business the variable component is negligible, so cost per unit keeps falling with volume]
Market for Security Services / Products
- The market for security services and products is a battlefield for market dominance and a race for ever-increasing market share
- Asymmetric incentives
  – An insecure PIN entry device could be fixed by the acquiring bank (the merchant's bank), but the issuing bank (the customer's bank) bears the risk of fraud or skimming
- Information asymmetry
  – Buyers can't assess the quality of security software, so the market price tends towards the cheapest (and possibly lowest-quality) product, leaving no incentive to invest in good-quality software
  – The asymmetry can be reduced by introducing certification, protocols, guarantees, etc.
  – Providers go for market share and, after reaching market dominance, act like a monopolist, pricing close to the customer's "willingness to pay"
Monopoly
- If you know what everyone wants to (or can) pay, charge them accordingly (price differentiation)
- With a single fixed price you miss the customers who want to pay less, and you lose revenue from the customers who were willing to pay more than the fixed market price
- In a perfect market with many suppliers, price erosion occurs and the price tends towards the lowest level
[Chart: price against volume with a fixed market price; customer segments "enterprises" (willing to pay more) and "students" (willing to pay less); the area above the fixed price is marked "Lost Revenue", the area below it "Lost Customers"]
Security Management
- Risk reduction / mitigation
  – Mitigated risk, residual risk
- Risk acceptance
  – Incorporate security risk into your general business risk
- Risk avoidance
  – Forgone profits from risky activities
- Risk transfer
  – Insurance
  – Moral hazard
  – Lack of historical data (legislation on data breach reporting)
Optimal Risk Mitigation
[Chart: financial impact (€) against security expenses; the expected loss curve falls as spending rises while the cost of security mitigation rises; the gap between them splits into mitigated risk and residual risk, and the point where further spending no longer pays is marked "Optimal investment level, information security"]
- According to the Gordon-Loeb model, the optimal investment level is at most 37% of the expected loss
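The slide states the Gordon-Loeb bound without showing where it comes from. The following worked example is added here and is not part of the original slides; it uses the class-I breach probability function from Gordon and Loeb's 2002 paper, S(z, v) = v / (αz + 1)^β, with constructed parameter values (v = 0.5, L = €1,000,000, α = 1e-5, β = 1) chosen only for illustration. It computes the investment level z that maximises the expected net benefit [v − S(z, v)]·L − z, checks it numerically, and confirms that it stays under (1/e)·vL, the 36.8% that the slide rounds to 37%.

```python
import math


def breach_probability(z, v, alpha=1e-5, beta=1.0):
    """Gordon-Loeb class-I function S(z, v) = v / (alpha*z + 1)**beta.

    z: money invested in security (euro); v: probability of a breach
    with no investment (the 'vulnerability'); alpha, beta: productivity
    parameters of the security investment (assumed values here).
    """
    return v / (alpha * z + 1.0) ** beta


def expected_net_benefit(z, v, L, alpha=1e-5, beta=1.0):
    """ENBIS(z) = [v - S(z, v)] * L - z.

    Reduction in expected loss bought by the investment, minus the
    investment itself. L is the loss if a breach occurs.
    """
    return (v - breach_probability(z, v, alpha, beta)) * L - z


def optimal_investment(v, L, alpha=1e-5, beta=1.0):
    """Closed-form maximiser of ENBIS for the class-I function.

    Setting d/dz ENBIS = 0 gives (alpha*z + 1)**(beta+1) = alpha*beta*v*L.
    If that product is below 1 the optimum is not to invest at all,
    which is the low-vulnerability edge case.
    """
    z = ((alpha * beta * v * L) ** (1.0 / (beta + 1.0)) - 1.0) / alpha
    return max(z, 0.0)


def grid_search_optimum(v, L, alpha=1e-5, beta=1.0, step=100.0):
    """Numerical cross-check: scan investment levels from 0 up to the
    expected loss v*L and return the level with the highest net benefit."""
    best_z, best_val = 0.0, expected_net_benefit(0.0, v, L, alpha, beta)
    z = step
    while z <= v * L:
        val = expected_net_benefit(z, v, L, alpha, beta)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z


def within_gordon_loeb_bound(z, v, L):
    """Gordon-Loeb result: the optimal investment never exceeds (1/e) * v*L,
    i.e. roughly 36.8% of the expected loss (the 37% quoted on the slide)."""
    return z <= v * L / math.e


if __name__ == "__main__":
    # Constructed scenario: 50% chance of a breach, one million euro at stake.
    v, L = 0.5, 1_000_000.0
    expected_loss = v * L
    z_star = optimal_investment(v, L)
    print(f"expected loss          : {expected_loss:12,.0f}")
    print(f"optimal investment z*  : {z_star:12,.0f} "
          f"({100 * z_star / expected_loss:.1f}% of expected loss)")
    print(f"grid-search optimum    : {grid_search_optimum(v, L):12,.0f}")
    print(f"net benefit at z*      : {expected_net_benefit(z_star, v, L):12,.0f}")
    # Spending the whole expected loss, as a naive rule would suggest, is worse than spending nothing.
    print(f"net benefit at z = v*L : {expected_net_benefit(expected_loss, v, L):12,.0f}")
    print(f"under 1/e bound        : {within_gordon_loeb_bound(z_star, v, L)}")
```

The point a defender should take from running this is the shape of the curve on the slide: with these parameters the optimum sits at roughly a quarter of the expected loss, the net benefit at that point is clearly positive, and pushing spending all the way to the expected loss turns the net benefit negative. The bound itself is a property of the model's breach probability functions, so a different α or β moves the optimum but never above 1/e of vL.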
Security Metrics
- Proactive tasks
  – CSA Cloud Controls Matrix: 133 controls identified by the Cloud Security Alliance
  – Security maturity model (BSIMM)
- Reactive tasks
  – Patch management
  – Intrusion detection
  – Incident management
  – Forensics
- Events are difficult to measure, and the effectiveness of additional security measures is difficult to verify
  – Many anticipated threats never materialize
  – Some unanticipated threats do occur
[Diagram: chain Controls → Vulnerabilities → Incidents → (Prevented) Losses; the controls side is labelled "deterministic, action-driven", the incidents/losses side "stochastic, event-driven"]
Closing Remarks
- Cyber crime appeared in the late 1980s, carried out by lone amateurs, but nowadays it is a professional international business (teamwork)
- Defence always lags newly created attacks, and law makers are slowly following new criminal inventions
- Allocation of liability is difficult and complex:
  – Network providers (telecom, WAN, LAN, etc.)
  – Software suppliers (infrastructure, applications, antivirus providers, etc.)
  – Hardware suppliers
  – Internet users (in a DDoS, insecure systems at firm A can harm firm B)
- Policing is biased: a bank robbery of more than € 5 million gets full attention, but a cyber criminal stealing € 500 from each of 10,000 internet users has no priority (and is often difficult to investigate)
- People don't act rationally: they underestimate risk factors they can't easily understand or imagine, and overestimate the likelihood of events that come to mind easily