
The Economics of Security



Presentation Transcript


  1. The Economics of Security [And08a] R. J. Anderson, R. Boehme, R. Clayton, and T. Moore. Security economics and the internal market. Technical report, ENISA - the European Network and Information Security Agency, Jan 2008. http://www.enisa.europa.eu/act/sr/reports/econ-sec/economics-sec

  2. Market failure
     • Asymmetric information
     • Perverse Incentives
     • Tragedy of the Commons
     • Externalities
     • Liability assignment
     • Lack of diversity
     • Fragmentation of legislation
     Cyber-crime Science

  3. Asymmetric information
     • One party knows more than another, hence the bad drives out the good

  4. Security examples
     • The attackers have the advantage
        • 35M LOC Windows at 1 bug per 2K LOC = 17K bugs
        • Offenders need one bug, defenders must fix them all
        • Fewer but better coders, more testers ([And08a] p39)
     • Reluctance to share data on incidents
        • Many incentives not to share (examples?) but also to share (examples?)
        • Security breach disclosure laws ([And08a] p22)

  5. Perverse incentives
     • Incentive with unintended result
        • Researchers pay for bone fragments, hence the locals smash up large finds
        • Remedy?
     • Taking risk when the costs will be borne by others
        • E.g. driving carelessly with a well-insured car
        • Speed limit enforcement

  6. Security examples
     • Bank card fraud
        • UK banks not liable, leading to more fraud (why?)
        • US banks are liable, leading to less fraud
     • Anti-virus product purchase
        • Consumers will not spend money to protect their PC (why?)
        • Remedies?
     [And06a] R. J. Anderson and T. Moore. The economics of information security. Science, 314(5799):610-613, Oct 2006. http://dx.doi.org/10.1126/science.1130992
     [And94a] R. J. Anderson. Why cryptosystems fail. Commun. ACM, 37(11):32-40, Nov 1994. http://dx.doi.org/10.1145/188280.188291

  7. Tragedy of the Commons
     • Self-interest depletes the common good
     • Remedy?

  8. Security examples
     • Phishing
        • Growth in SPAM & phishing (so?)
        • Reported cost of phishing often inaccurate (why?)
     [Figure: Population vs Wealth]
     [Her08] C. Herley and D. Florêncio. A profitless endeavor: phishing as tragedy of the commons. In Workshop on New Security Paradigms (NSPW), pages 59-70, Lake Tahoe, California, USA, Sep 2008. ACM. http://dx.doi.org/10.1145/1595676.1595686
     [Flo11b] D. Florêncio and C. Herley. Sex, lies and cyber-crime surveys. Technical report MSR-TR-2011-75, Microsoft Research, Jun 2011. http://research.microsoft.com/apps/pubs/default.aspx?id=149886
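The "tragedy of the commons" reading of phishing on this slide can be made concrete with a small open-access model in the spirit of the argument in [Her08]. The code below is an added illustration, not the paper's or the slides' own code: it assumes a finite victim pool that a growing number of phishers share (so the total haul saturates rather than growing with every entrant), and lets phishers enter until the average haul no longer beats the wage they could earn elsewhere. Every parameter (pool size, saturation scale, wage) is a constructed sample value, not a measurement.

```python
import math

# Added, stylised open-access commons model of phishing in the spirit of
# [Her08]; not the paper's or the slides' own code. All parameters are
# constructed sample values, not measurements.

def total_haul(n_phishers, pool, saturation):
    """Constructed total dollars per year that n phishers together extract.
    They share one finite, slowly regenerating pool of victims, so the total
    saturates towards `pool` instead of growing with every new entrant."""
    return pool * (1.0 - math.exp(-n_phishers / saturation))


def average_haul(n_phishers, pool, saturation):
    """Revenue per phisher; strictly decreasing in n because the total is concave."""
    return total_haul(n_phishers, pool, saturation) / n_phishers


def free_entry_equilibrium(pool, saturation, wage):
    """Phishers keep entering while the average haul beats the wage they
    could earn elsewhere. Returns the largest n at which it still does."""
    if average_haul(1, pool, saturation) < wage:
        return 0
    lo, hi = 1, 2
    while average_haul(hi, pool, saturation) >= wage:
        lo, hi = hi, hi * 2
    # invariant: average_haul(lo) >= wage > average_haul(hi)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if average_haul(mid, pool, saturation) >= wage:
            lo = mid
        else:
            hi = mid
    return lo


def equilibrium_summary(pool, saturation, wage):
    """Head count, total revenue, total opportunity cost and per-phisher
    profit once free entry has run its course."""
    n = free_entry_equilibrium(pool, saturation, wage)
    revenue = total_haul(n, pool, saturation) if n else 0.0
    cost = n * wage
    return {
        "phishers": n,
        "total_revenue": revenue,
        "total_cost": cost,
        "profit_per_phisher": (revenue / n - wage) if n else 0.0,
        "rent_dissipated": cost / revenue if revenue else 0.0,
    }


if __name__ == "__main__":
    base = equilibrium_summary(pool=1e8, saturation=1000, wage=20_000)
    bigger = equilibrium_summary(pool=2e8, saturation=1000, wage=20_000)
    for label, s in (("base", base), ("pool doubled", bigger)):
        print(f"{label:12s} phishers={s['phishers']:5d} revenue={s['total_revenue']:,.0f} "
              f"profit/phisher={s['profit_per_phisher']:.2f} cost/revenue={s['rent_dissipated']:.4f}")
```

Two things fall out of running it. Doubling the victim pool roughly doubles the number of phishers (and the volume of phishing one observes) while per-phisher profit stays at essentially zero, which is why growth in spam and phishing volume says little about how profitable the activity is. And the total haul ends up almost exactly equal to the phishers' total opportunity cost (rent dissipation), so the money actually extracted is bounded by what the phishers would have earned elsewhere, regardless of how large a loss figure is later reported.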

  9. Externalities
     • Caused by large external cost
     • Control?

  10. Security examples
     • System reliability
        • Program correctness depends on minimum effort (why?)
        • Program testing depends on sum of efforts
        • Fewer but better coders, more testers ([And06a] p611)
     • Botnets
        • Herder activity raises costs for users & ISPs (why?)
        • More later
     [Eet09] M. van Eeten and J. M. Bauer. Emerging threats to Internet security: Incentives, externalities and policy implications. J. of Contingencies and Crisis Management, 17(4):221-232, Dec 2009. http://dx.doi.org/10.1111/j.1468-5973.2009.00592.x
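Slides 4 and 10 both lean on the same result: correctness is a weakest-link technology (the least careful coder sets the outcome) while testing is a sum-of-efforts technology (bugs found by different testers add up), and that asymmetry is what motivates "fewer but better coders, more testers". The block below is an added illustration of that game as summarised in [And06a], not the slides' or the paper's code. It assumes each agent i chooses effort x_i at linear cost c_i x_i and values a working system at v_i, with P(works) = 1 - exp(-sum x_i) for testing and 1 - exp(-min x_i) for correctness; the team sizes, values and costs are constructed sample numbers.

```python
import math

# Added illustration of the weakest-link / total-effort reliability game
# the slides refer to (as summarised in [And06a]); not the slides' own code.
# Every number here is a constructed sample value.

def reliability(efforts, technology):
    """Probability the system works. 'total': bugs found by testers add up,
    so P depends on the sum of efforts. 'weakest': one careless coder breaks
    the program, so P depends on the minimum effort."""
    aggregate = sum(efforts) if technology == "total" else min(efforts)
    return 1.0 - math.exp(-aggregate)


def standalone_target(value, cost):
    """Effort an agent would pick if its effort alone set P: marginal
    benefit value*exp(-x) equals marginal cost, i.e. x = ln(value/cost)."""
    return math.log(value / cost) if value > cost else 0.0


def best_response(i, efforts, values, costs, technology):
    """Agent i's payoff-maximising effort given everyone else's effort."""
    others = [x for j, x in enumerate(efforts) if j != i]
    target = standalone_target(values[i], costs[i])
    if technology == "total":
        # Others' effort counts toward the same sum, so i free-rides on it.
        return max(0.0, target - sum(others))
    if not others:
        return target
    # Weakest link: effort above the others' minimum is wasted; below it,
    # i *is* the minimum and stops at its own target.
    return min(min(others), target)


def nash_equilibrium(values, costs, technology, start, rounds=10_000, tol=1e-9):
    """Iterated best response until nobody wants to move. For 'weakest',
    start high: all-zero is also an equilibrium (coordination failure)."""
    efforts = list(start)
    for _ in range(rounds):
        moved = False
        for i in range(len(efforts)):
            new = best_response(i, efforts, values, costs, technology)
            if abs(new - efforts[i]) > tol:
                efforts[i], moved = new, True
        if not moved:
            return efforts
    raise RuntimeError("best-response dynamics did not converge")


def managed_reliability(values, costs, technology):
    """Reliability a manager reaches when internalising the whole team's
    value V = sum(values) and paying every agent's effort cost."""
    total_value = sum(values)
    if technology == "total":
        # Put all effort on the cheapest agent; stop where V*exp(-X) = c_min.
        marginal_cost = min(costs)
    else:
        # Everyone must be raised together, so marginal cost is sum(costs).
        marginal_cost = sum(costs)
    return 1.0 - marginal_cost / total_value if total_value > marginal_cost else 0.0


if __name__ == "__main__":
    values = [10.0, 10.0, 10.0]   # each developer's stake in the system working
    costs = [1.0, 2.0, 4.0]       # per-unit effort cost; agent 0 is the most capable
    for tech, start in (("total", [0.0] * 3), ("weakest", [10.0] * 3)):
        eq = nash_equilibrium(values, costs, tech, start)
        print(f"{tech:8s} efforts={[round(x, 3) for x in eq]} "
              f"P={reliability(eq, tech):.3f} "
              f"managed P={managed_reliability(values, costs, tech):.3f}")
    # Drop the least capable coder: weakest-link reliability rises (0.6 -> 0.8).
    eq2 = nash_equilibrium(values[:2], costs[:2], "weakest", [10.0, 10.0])
    print(f"weakest, two better coders: P={reliability(eq2, 'weakest'):.3f}")
```

Under the total-effort technology only the lowest-cost agent works in equilibrium and everyone else free-rides, so testing effort is under-supplied relative to what a manager who internalises the whole team's value would buy. Under the weakest-link technology every agent matches the effort the highest-cost (least capable) coder is willing to make, so adding a weaker coder lowers correctness for the whole team and removing one raises it, which is the "fewer but better coders" half of the slide's advice.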

  11. Network externalities
     • More users make it more useful, up to the point where congestion sets in

  12. Security examples
     • Digital “pollution”
        • An infected PC, because it harms others on the net
           • Quarantine ([And08a] p51)
        • An ISP with many infected customers (why?)
           • Blacklist

  13. Liability assignment
     • Liability should be assigned to the party that can best manage the risk
     • Buyer or vendor?
     • Patient strategy ([And08a] p59)
     [And01b] R. J. Anderson. Why information security is hard - an economic perspective. In 17th Annual Computer Security Applications Conf. (ACSAC), pages 358-365, New Orleans, Louisiana, Dec 2001. IEEE. http://dx.doi.org/10.1109/ACSAC.2001.991552

  14. Security examples
     • Software liability
        • “The Customer shall be responsible for securing all Means of Access and any other means used by or under the control of the Customer or other holders, which may be applied in order to use the Means of Access on behalf of the Customer. Any misuse of Means of Access or the other means referred to shall therefore be at the Customer’s risk.”
        • Make vendors liable ([And08a] p59)

  15. Lack of diversity
     • Absence of single point of failure (why?)

  16. Security examples
     • Monoculture
        • Common architecture with common bugs
     • Open standards
        • Governments requiring MS formats
        • City of Munich uses Linux ([And08a] p71)

  17. Fragmentation of legislation

  18. Security examples
     • Few cyber criminals are ever caught (why?)
     • Joint operations and Mutual Legal Assistance Treaties ([And08a] p81)
     • Cyber-security co-operation (NATO model)

  19. Conclusions
     • Openness about incidents
     • Incentives for the ISPs
     • Liability for the vendors
     • Responsibility for the users
