The Economics of Security

hotbroodSecurity

Nov 3, 2013

[And08a] R. J. Anderson, R. Boehme, R. Clayton, and T. Moore. Security economics and the internal market. Technical report, ENISA - the European Network and Information Security Agency, Jan 2008. http://www.enisa.europa.eu/act/sr/reports/econ-sec/economics-sec

Cyber-crime Science

Market failure

• Asymmetric information
• Perverse incentives
  » Tragedy of the commons
• Externalities
• Liability assignment
• Lack of diversity
• Fragmentation of legislation

Asymmetric information

• One party knows more than another, hence the bad drives out the good


Security examples

• The attackers have the advantage
  » 35M LOC Windows
  » 1 bug per 2K LOC = 17K bugs
  » Offenders need one bug, defenders must fix them all
  » Fewer but better coders, more testers ([And08a] p39)
• Reluctance to share data on incidents
  » Many incentives not to share (examples?) but also to share (examples?)
  » Security breach disclosure laws ([And08a] p22)



Perverse incentives

• Incentive with unintended result
  » Researchers pay for bone fragments, hence the locals smash up large finds
  » Remedy?
• Taking risk when the costs will be borne by others
  » E.g. driving carelessly with a well-insured car
  » Speed limit enforcement

Security examples

• Bank card fraud
  » UK banks not liable, leading to more fraud (why?)
  » US banks are liable, leading to less fraud
• Anti-virus product purchase
  » Consumers will not spend money to protect their PC (why?)
  » Remedies?


[And06a] R. J. Anderson and T. Moore. The economics of information security. Science, 314(5799):610-613, Oct 2006. http://dx.doi.org/10.1126/science.1130992

[And94a] R. J. Anderson. Why cryptosystems fail. Commun. ACM, 37(11):32-40, Nov 1994. http://dx.doi.org/10.1145/188280.188291



Tragedy of the Commons

• Self-interest depletes the common good
• Remedy?


Security examples

• Phishing
  » Growth in SPAM & phishing (so?)
  » Often reported cost of phishing inaccurate (why?)



[Her08] C. Herley and D. Florêncio. A profitless endeavor: phishing as tragedy of the commons. In Workshop on New Security Paradigms (NSPW), pages 59-70, Lake Tahoe, California, USA, Sep 2008. ACM. http://dx.doi.org/10.1145/1595676.1595686

[Flo11b] D. Florêncio and C. Herley. Sex, lies and cyber-crime surveys. Technical report MSR-TR-2011-75, Microsoft Research, Jun 2011. http://research.microsoft.com/apps/pubs/default.aspx?id=149886

(Figure: population vs. wealth)

Externalities

• Caused by a large external cost
• Control?


Security examples

• System reliability
  » Program correctness depends on minimum effort (why?)
  » Program testing depends on sum of efforts
  » Fewer but better coders, more testers ([And06a] p611)
• Botnets
  » Herder activity raises costs for users & ISPs (why?)
  » More later
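The "minimum effort" versus "sum of efforts" contrast on this slide is the pair of public-good production functions Anderson and Moore borrow from Varian. The script below is an added illustration, not code from the lecture or from the cited papers: it encodes correctness as a weakest-link function (min over the coders' diligence) and testing as a total-effort function (sum over the testers' effort), then searches team compositions under each. The candidate pool and its diligence scores are constructed for the example.

```python
"""Toy model of the two production functions named on the slide.

Added illustration, not code from the lecture or the cited papers. It
encodes the Varian-style public-good models that Anderson & Moore
describe: program correctness is a weakest-link good (the least careful
coder decides whether a vulnerability gets in), while vulnerability
testing is a total-effort good (every tester's hours add up). The
candidate pool and its diligence scores below are constructed.
"""
from itertools import combinations
from typing import Callable, Sequence

# Constructed pool: name -> diligence/effort score in [0, 1].
POOL = {"ann": 0.9, "bob": 0.8, "cat": 0.7, "dan": 0.4, "eve": 0.3}

Production = Callable[[Sequence[float]], float]


def weakest_link(efforts: Sequence[float]) -> float:
    """Correctness: the product is only as good as its most careless contributor."""
    return min(efforts)


def total_effort(efforts: Sequence[float]) -> float:
    """Testing: every tester's effort adds to the coverage achieved."""
    return sum(efforts)


def best_team(production: Production, size: int, pool=POOL):
    """Best team of exactly `size` people under `production`.

    Returns (team, score); on ties the first team in pool order wins.
    """
    scored = ((team, production([pool[m] for m in team]))
              for team in combinations(pool, size))
    return max(scored, key=lambda item: item[1])


def best_headcount(production: Production, pool=POOL) -> int:
    """Headcount whose best team scores highest (smallest headcount on ties)."""
    best_n, best_val = 0, float("-inf")
    for n in range(1, len(pool) + 1):
        _, val = best_team(production, n, pool)
        if val > best_val:
            best_n, best_val = n, val
    return best_n


def marginal_gain(team: Sequence[str], candidate: str,
                  production: Production, pool=POOL) -> float:
    """Change in output from adding `candidate` to an existing `team`."""
    before = production([pool[m] for m in team])
    after = production([pool[m] for m in (*team, candidate)])
    return after - before


if __name__ == "__main__":
    # Weakest link: the best you can do is hire the single most careful coder;
    # a careless extra hire lowers correctness even though they "add" effort.
    print("coders (weakest link): best headcount =", best_headcount(weakest_link))
    print("adding a careless coder to the best pair:",
          marginal_gain(("ann", "bob"), "dan", weakest_link))
    # Total effort: every extra tester helps, so the full pool is optimal.
    print("testers (total effort): best headcount =", best_headcount(total_effort))
    print("adding the same person as a tester:",
          marginal_gain(("ann", "bob"), "dan", total_effort))
```

Under the weakest-link function the optimal headcount is one (the most diligent coder alone), and adding a careless coder to a strong pair has negative marginal value; under the total-effort function every addition is positive and the whole pool is optimal. That asymmetry is the "fewer but better coders, more testers" conclusion the slide cites.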


[Eet09] M. van Eeten and J. M. Bauer. Emerging threats to Internet security: Incentives, externalities and policy implications. J. of Contingencies and Crisis Management, 17(4):221-232, Dec 2009. http://dx.doi.org/10.1111/j.1468-5973.2009.00592.x


Network externalities

• More users makes it more useful, up to the point where congestion happens


Security examples

• Digital “pollution”
  » An infected PC, because it harms others on the net
  » Quarantine ([And08a] p51)
  » An ISP with many infected customers (why?)
  » Blacklist


Liability assignment

• Liability should be assigned to the party that can best manage the risk
  » Buyer or vendor?
  » Patient strategy ([And08a] p59)




[And01b] R. J. Anderson. Why information security is hard - an economic perspective. In 17th Annual Computer Security Applications Conf. (ACSAC), pages 358-365, New Orleans, Louisiana, Dec 2001. IEEE. http://dx.doi.org/10.1109/ACSAC.2001.991552


Security examples

• Software liability
  » "The Customer shall be responsible for securing all Means of Access and any other means used by or under the control of the Customer or other holders, which may be applied in order to use the Means of Access on behalf of the Customer. Any misuse of Means of Access or the other means referred to shall therefore be at the Customer's risk."
  » Make vendors liable ([And08a] p59)

Lack of diversity

• Absence of single point of failure (why?)


Security examples

• Monoculture
  » Common architecture with common bugs
  » Open standards
  » Governments requiring MS formats
  » City of Munich uses Linux ([And08a] p71)


Fragmentation of legislation


Security examples

• Few cyber criminals are ever caught (why?)
• Joint operations and Mutual Legal Assistance Treaties ([And08a] p81)
• Cyber-security co-operation (NATO model)


Conclusions

• Openness about incidents
• Incentives for the ISPs
• Liability for the vendors
• Responsibility for the users