Economics of CyberSecurity
Fernando Montenegro (@fsmontenegro)
Economics of CyberSecurity – TASK July 2015
Assumptions
• Know that "it's bad out there".
• Technically skilled
• Blue Team perspective
• Interested in self-improvement
About This Talk
• Why economics
• We got attention, now what?
• Intro econ concepts
• Topics from the edX MOOC
• CyberSec applications - "Cyber"
• Slides will be up at http://www.slideshare.net/fsmontenegro
PSA: Why do This?
MYTH?
About me
• @fsmontenegro
• Sales Engineer
  – Fraud Prevention/Detection
• CompSci ’94
• Greying hair
• Curious
  – Finance (DIY)
  – Economics (EMH, Behaviour)
  – Data Science (Coursera)
INTRO TO ECON
Econ History in ~5 minutes
• Pre-classical
  – Philosophy until middle ages
  – Mercantilism
• Adam Smith
  – 1759 – Theory of Moral Sentiments
  – 1776 – Wealth of Nations
Econ History (cont.)
• Many others, 18th and 19th centuries
  – Jeremy Bentham
  – Jean Baptiste Say
  – John Stuart Mill
  – David Ricardo
    • Comparative Advantage
  – Karl Marx
    • Labor Theory of Value
    • Capitalism
Econ History (cont.)
• 19th into 20th
  – Austrian School
  – John Maynard Keynes
    • Boost Demand
  – Chicago School
    • Milton Friedman, Coase, Becker, …
    • Rational Expectations
  – Arrow & Debreu
    • Efficient Outcomes in Markets
Econ History (cont.)
• Game Theory
  – von Neumann & Morgenstern
  – John Nash
• Information Economics
  – Akerlof, Spence, Stiglitz
• Economics of Security
  – Rumblings in 80s-90s
  – Anderson & Varian, ~2000
  – WEIS 2002 ? ?
Macroeconomics
• National Economies
• Fiscal & Monetary Policy
  – Monetary Supply
  – Interest Rates
• Inflation
• Unemployment
  – Frictional
  – Cyclical
  – Structural
Microeconomics
• Allocation of Scarce Resources
• Individuals & Markets
  – Market Mechanisms
  – Types of Goods
• Supply and Demand
• Maximize Utility
• Information Economics
• Decision & Game Theory
• Incentives!
(Behavioural Economics)
• "Bounded rationality of economic agents"
  – Humans vs Econs
• Daniel Kahneman, Amos Tversky
• Richard Thaler, Cass Sunstein
• Popular - Dan Ariely, Steven Levitt
• Cognitive Biases
  – Availability
  – Confirmation
  – Intertemporal Choice
    • Hyperbolic Discounting
  – ...
• Incentives!
101 - Demand, Supply & Price
[A series of supply-and-demand diagrams: price p on the vertical axis, quantity q on the horizontal axis, with p1, p2 and q1, q2 marking the prices and quantities before and after each shift]
• Equilibrium: Marginal Cost = Marginal Demand
• MOAR Demand!
• Less Demand!
• Marginal Cost = Marginal Demand
• MOAR Supply!
• LESS Supply!
Market Functions
• [Perfect] Markets
  – Goods, Labour, …, even Money itself
  – Price is signal
• Private vs. Public Goods
• Market Efficiency
  – Everyone is “better off”
  – Goods produced/consumed
  – Arrow & Debreu
What does a Market Need?
• Large # of buyers and sellers
• Complete property rights
• Complete information
• Rational actors
• No/low transactions costs
• Non-increasing returns to scale
Market Failures
# of Buyers & Sellers
• Monopoly / Monopsony
  – Inefficient
  – Barriers to entry
  – Price Discrimination
  – Monopoly captures consumer surplus
Property Rights
• Externalities
  – Negative
    • Free Riding
    • Too much production
    • Moral Hazard
  – Positive
    • Not enough production
• How to address?
  – Taxation, Regulation, Assign Property Rights (Coase)
Market Failures
Completeness of Information
• Information Asymmetry
• Adverse Selection
• Moral Hazard
• Principal-Agent Problem
• How to address
  – Signaling
  – Screening
Others
• Irrational actors
  – Biases
• High transaction costs
  – Lower production
  – Lower agility
  – Barriers to entry
  – Regulatory Capture
Marginal Cost
[Diagram: price p against quantity q, with marginal cost (MC) curves for digital and physical goods]
Information Goods
• HIGH fixed costs, low marginal cost
• Prone to monopolies
• Market race -> TIME-TO-MARKET!
  – First mover advantage
  – Technical lock-in
  – Network effects! (Metcalfe’s Law n^2)
  – Appeal to Complementary Goods
Information Asymmetry
• Akerlof’s “Market for Lemons”
• Adverse Selection
• Addressing it:
  – Spence -> Signaling
  – Stiglitz -> Screening
APPLICATIONS IN CYBERSECURITY
Software Development & Systems Design, Operations
• Misaligned Incentives
  – Allocation of Liability
  – Security -> Increased Time to Market
  – Opportunity Cost of Patching
• Information Asymmetry
  – Is the product secure? We can’t tell!
• Anderson, 2001
• Externalities
  – Onus of patching falls on customer
  – Free riding in open source
Externalities...
Vulnerability Markets & Bug Bounties
• Long history
  – iDefense, Tipping Point ~2002
  – Schechter, 2002 paper
• Lowering transaction costs (+)
• Perverse incentives (-)
  – Vulns remain secret
  – Nationalistic aspects (Wassenaar)
• Information Asymmetry
  – Signaling & Screening
• HackerOne, BugCrowd, ...
Vulnerability Markets
• HackerOne – Wolves of Vuln Street
  – Not Price Alone
  – Bug bounties can work
  – Work on Defensive Tools
• HackerOne – Signal over 10,000 bugs
  – Reputation as Signal
HackerOne Study
Privacy
• Stated preferences vs actual preferences
• Hyperbolic Discounting
  – Present benefit undervaluing future privacy
• Extraction of ‘willingness to pay’
  – Price discrimination
• Privacy is not salient
Risk Management
• Security investments – Gordon-Loeb model
• Conflict Theory
• Risk transfer (insurance)
  – Adverse Selection -> Higher Premiums
  – Correlated risks
• Perverse Incentives
  – providers x consumers
• Information Asymmetry
  – Moral Hazards, Principal-Agent Problems
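A worked instance of the Gordon-Loeb security investment model named above, added here as an example and not part of the talk. It assumes the paper's class I breach-probability function S(z, v) = v / (αz + 1)^β; the vulnerability, loss and productivity parameters are constructed, not taken from any real case.

```python
import math

# Gordon-Loeb (2002) class I security breach probability function (assumed
# form for this example): S(z, v) = v / (alpha*z + 1)**beta, where
#   z           = money invested in security
#   v           = vulnerability: probability of a breach with no extra spend
#   alpha, beta = how productive each unit of spend is (constructed values)
def breach_probability(z, v, alpha=1e-5, beta=1.0):
    return v / (alpha * z + 1.0) ** beta

def expected_net_benefit(z, v, loss, alpha=1e-5, beta=1.0):
    """ENBIS(z) = [v - S(z, v)] * L - z: expected loss avoided minus the spend."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z

def optimal_investment(v, loss, alpha=1e-5, beta=1.0):
    """Closed-form z* from d ENBIS/dz = 0: alpha*beta*v*L = (alpha*z + 1)**(beta+1).
    Clipped at 0: if alpha*beta*v*L <= 1 the first dollar of spend avoids less than
    a dollar of expected loss, so the rational spend is nothing."""
    k = alpha * beta * v * loss
    if k <= 1.0:
        return 0.0
    return (k ** (1.0 / (beta + 1.0)) - 1.0) / alpha

def optimal_investment_numeric(v, loss, alpha=1e-5, beta=1.0, step=100.0):
    """Grid-search check of the closed form: scan z up to v*L (spending more than
    the expected loss can never pay off) and keep the z with the best ENBIS."""
    best_z, best_benefit = 0.0, expected_net_benefit(0.0, v, loss, alpha, beta)
    z = step
    while z <= v * loss:
        benefit = expected_net_benefit(z, v, loss, alpha, beta)
        if benefit > best_benefit:
            best_z, best_benefit = z, benefit
        z += step
    return best_z

def investment_ceiling(v, loss):
    """Gordon-Loeb's headline result: z* never exceeds 1/e of the expected loss v*L."""
    return v * loss / math.e

if __name__ == "__main__":
    v, loss = 0.6, 1_000_000  # constructed: 60% breach chance, $1M loss if breached
    z_star = optimal_investment(v, loss)
    print(f"optimal spend z*   = ${z_star:,.0f}")
    print(f"grid-search check  = ${optimal_investment_numeric(v, loss):,.0f}")
    print(f"ceiling v*L/e      = ${investment_ceiling(v, loss):,.0f}")
    print(f"breach probability {v:.2f} -> {breach_probability(z_star, v):.2f}")
    print(f"ENBIS(z*)          = ${expected_net_benefit(z_star, v, loss):,.0f}")
```

For the constructed scenario the closed form, the grid search and the 1/e ceiling agree, and the rational spend comes out well below the expected loss, which is the point the model makes to a risk manager.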
Cybercrime & Anti-Fraud
• Liability & Incentives
  – Fraud liability and 3DS/EMV liability shifts
• Underground Markets
  – Lower barriers to entry
  – Possible bottlenecks in cash-outs and mules
• Externalities
  – Cost of Crime
  – Cryptolocker et al. changing user behaviour?
• Perverse Incentives
  – High volume, low scale crime not aggregated
Security Awareness
• Incentives!
• Behaviour Economics – defaults, nudges
• Moral Hazard
• Principal-Agent Problem
  – Management
  – Individuals
Security Labour Market
• 0% Unemployment?
• Opportunity costs of higher salaries
• Perverse Incentives
  – Candidates
  – Hiring Process itself
• Information Asymmetry
  – Signaling – Credentials, Certifications
  – Screening – Interviews, Job Options
WRAPPING UP
Recap
• Key concepts
  – Markets & Market Failures
  – Information Asymmetry
  – Incentives, incentives, incentives!
• Key areas
  – End-user Behaviour (Corporate and Consumer)
  – Risk Management
  – Software Development Practices
More info - Introductory
• Khan Academy - https://www.khanacademy.org/
• Coursera - https://www.coursera.org
• edX - https://courses.edx.org
  – Behaviour Economics in Action (UofT)
• Your Public Library… ebooks FTW!
• Freakonomics – http://freakonomics.com
• MRUniversity - http://mruniversity.com/
More info - Intermediate
• edX EconSec (to be offered again)
• Twitter
  – https://twitter.com/fsmontenegro/lists/econcybersec
• Youtube
  – My list - http://bit.ly/1LQ8Ud8
  – SecAppDev, LearnLiberty
  – EconStories, EconTalk
  – ACDCLeadership
• Books
  – Security Engineering
  – Geekonomics
  – New School of InfoSec
More info - Advanced
• Workshop on Economics of Information Security (WEIS)
  – http://weis2015.econinfosec.org/
  – Ross Anderson, Alessandro Acquisti [Privacy], Tyler Moore, Jean Camp, Bruce Schneier, ...
  – Economics of Information Security and Privacy book series
• http://www.cl.cam.ac.uk/~rja14/econsec.html
• http://infosecon.net/workshop/bibliography.php
More info - Advanced
• Security and Human Behaviour
  – Invite only, but papers available.
  – http://www.heinz.cmu.edu/~acquisti/SHB2015/index.htm
• Society of Information Risk Analysts
  – https://www.societyinforisk.org/
  – SIRACON – Detroit, Oct 8-9 !
Call to Action
• Consumer
  – Understand markets, tradeoffs, incentives
• Citizen
  – Understand incentives at play in government
• Professional
  – Focus on the right levers (incentives...)
  – Be mindful: isn’t “security” itself an externality?