course overview introduction to economics and security
play

Course Overview, Introduction to Economics and Security Tyler Moore - PDF document

Jul 15, 2023 •434 likes •769 views

Notes Course Overview, Introduction to Economics and Security Tyler Moore CSE 7338 Computer Science & Engineering Department, SMU, Dallas, TX Lecture 1 Notes Outline Logistics 1 Motivation 2 Intro to Economics: Key notions 3 Intro

  1. Notes Course Overview, Introduction to Economics and Security Tyler Moore CSE 7338 Computer Science & Engineering Department, SMU, Dallas, TX Lecture 1 Notes Outline Logistics 1 Motivation 2 Intro to Economics: Key notions 3 Intro to Economics: Preferences 4 Intro to Economics: Utility 5 Intro to Economics: Expected utility 6 Economics of IT 7 Market failures 8 A very brief introduction to security 9 2 / 135 Logistics Notes Course website Most info: http://lyle.smu.edu/~tylerm/courses/econsec/ Blackboard for announcements Youtube channel for R screencasts 4 / 135 Logistics Syllabus Notes Syllabus http: //lyle.smu.edu/~tylerm/courses/econsec/admin/syllabus.html 5 / 135

  2. Logistics Calendar Notes Calendar http: //lyle.smu.edu/~tylerm/courses/econsec/admin/schedule.html 6 / 135 Motivation Notes Why is a computer scientist talking about economics? The conventional CS approach to security has failed Enumerate possible threats 1 Define attacker capabilities 2 Build systems to protect against these threats 3 Worked for encryption algorithms, but not Internet security 8 / 135 Motivation Why computer science alone can’t fix information security Notes Evidence of security failures: data breaches 9 / 135 Motivation Why computer science alone can’t fix information security Notes Evidence of security failures: phishing websites 10 / 135

  3. Motivation Why computer science alone can’t fix information security Notes Evidence of security failures: botnets 11 / 135 Motivation Why computer science alone can’t fix information security Notes Evidence of security failures: critical infrastructure Source: http://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf 12 / 135 Motivation Why computer science alone can’t fix information security Notes Evidence of security failures: critical infrastructure 13 / 135 Motivation Why computer science alone can’t fix information security Notes Evidence of security failures: critical infrastructure Source: http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf 14 / 135

  4. Motivation Why economics offers a useful perspective Notes But why economics? Economics is a social science Studies behavior of individuals and firms in order to predict outcomes Models of behavior based on systematic observation Usually cannot run experiments as in bench science, but economics has developed ways to cope with differences inherent to observing the world Economics studies trade-offs between conflicting interests Recognizes that people operate strategically Have devised ways to model people’s interests and decision making 15 / 135 Motivation Why economics offers a useful perspective Notes Economics is not just about money Money helps to reveal preferences Money can serve as a common measure for costs and benefits As a discipline, economics examines much more than interactions involving money Economics studies trade-offs between conflicting interests Conflicting interests and incentives appear in many circumstances where money never changes hands 16 / 135 Motivation How economics can help information security Notes Attackers operate strategically Cannot expect attackers to respect stated assumptions of behavior Threat modeling focuses an engineer’s task, which can harden a resource against particular attacks But system design does not exist in a vacuum – attackers can adapt to find holes in areas not considered by the threat model Must understand what motivates attackers For cybercriminals this could be profit For hacktivists this could be attention and disruption In each case, attackers will seek the least costly way to reach their goal 17 / 135 Motivation How economics can help information security Notes Botnet operators operate strategically (motivated by $) 18 / 135

  5. Motivation How economics can help information security Notes Phishing gangs operate strategically (exploit weakest link) 25 Hongkong China phishing site lifetime (days) .hk domain 20 .cn domain 15 10 5 0 March April May Source: Moore & Clayton (2007), own aggregation Take-down latency for phishing attacks targeting different registrars in spring 2007; lines are five-day moving averages broken down by top-level domain 19 / 135 Motivation How economics can help information security Notes Defenders also operate strategically Those responsible for protecting information systems naturally must consider their own interests Often, there are multiple stakeholders responsible for defense Sometimes defenders’ interests conflict Sometimes the interests of defenders do not align with those of society 20 / 135 Motivation How economics can help information security Notes Let’s return to critical infrastructure protection 21 / 135 Motivation How economics can help information security Notes Incentives for critical infrastructure protection Critical infrastructure operators + Upgrading to IP-based systems brings huge efficiency gains - Maintaining physical separation of networks reduces efficiency and drives up operating costs - Likelihood of an attack is low (based on history) - Cost of attack largely borne by society Consumers + Value reliability of service, including against attack - Prefers low cost service - Cannot distinguish between security investments among firms Governments + Value reliability of service, including against attack + Fears political consequences of an attack, given national defense remit - Lack of budget to fund security - Lack of expertise to improve security on privately-controlled systems 22 / 135

  6. Motivation How economics can help information security Notes So what’s the outcome? Absent regulation to compel behavior, stakeholders act in their own interest based on their incentives and capabilities Only operators, not consumers or governments, are capable of improving security So their incentives matter most! On balance, they are likely to tolerate a high level of insecurity in their systems We can also compare this outcome to what seems ‘best’ In economics jargon, this is the search for the social optimum The social optimum maximizes expected utility More detail on how to compute this later on, but for now, we can intuit what the social optimum might be Question #1: is complete security of critical infrastructures socially optimal? Question #2: why hasn’t the market delivered the socially optimal outcome? 23 / 135 Motivation How economics can help information security Notes Economics makes information security empirically grounded Traditional threat modeling states that an attack is possible and should be protected against by definition But what if the threats we envision differ from what actually happens? An economic perspective approaches threat modeling by observing behavior This allows us to construct a more accurate picture of the risks due to information insecurity 24 / 135 Motivation How economics can help information security Notes Economics suggests policies to deploy technology better In addition to describing why security fails and how attackers and defenders operate, economics can recommend policies to improve security Technology alone cannot fix the challenges facing information security; instead, policy can correct market limitations to help security technologies succeed We will discuss many of the options in this course (ex ante safety regulation, ex post liability, cyberinsurance, . . . ) Today we briefly discuss one example: information disclosure 25 / 135 Motivation How economics can help information security Notes Recall our first example? Made possible through policy 26 / 135

  7. Motivation How economics can help information security Notes Information disclosure Louis Brandeis: “sunlight is said to be the best of disinfectants” Information security incidents are often hidden from public view, so one light-touch intervention is to mandate disclosure 27 / 135 Motivation How economics can help information security Notes Data breach legislation California Civil Code 1798.82 (2002): “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” Deirdre Mulligan 28 / 135 Motivation How economics can help information security Notes Many high-profile breaches came to light 29 / 135 Motivation How economics can help information security Notes Many high-profile breaches came to light 30 / 135

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic

Chapter7. Security 7.1 Introduction 7.2 Overview of security techniques 7.3 Cryptographic algorithms 7.4 Digital signatures 7.5 Cryptography pragmatics 7.1. Introduction Why need security mechanisms in DS? Share of resources

364 views • 24 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
A personal perspective Ross Anderson Cambridge The birth of security economics Why

A personal perspective Ross Anderson Cambridge The birth of security economics Why

Security Economics A personal perspective Ross Anderson Cambridge The birth of security economics Why Information Security is Hard An Economic Perspective, ACSAC, Dec 2001 Now: a field with over 100 active researchers and one

245 views • 20 slides
Introduction to Development Economics Q: What is Development Economics? Traditional

Introduction to Development Economics Q: What is Development Economics? Traditional

Introduction to Development Economics Q: What is Development Economics? Traditional economics, taught in introductory textbooks, is concerned primarily with the efficient, least-cost allocation of scarce resources and with the optimal

819 views • 47 slides
Economics of cybersecurity Measuring security levels Michel van

Economics of cybersecurity Measuring security levels Michel van

Economics of cybersecurity Measuring security levels Michel van Eeten Del. University of Technology Security produc=vity What is measurable? Security level

217 views • 10 slides
Social Capital, Social Capital, Economics and Health: Economics and Health: Overview Overview

Social Capital, Social Capital, Economics and Health: Economics and Health: Overview Overview

Social Capital, Social Capital, Economics and Health: Economics and Health: Overview Overview Richard M. Scheffler, PhD Distinguished Professor of Health Economics and Opening talk Public Policy October 10, 2008 University of The

291 views • 12 slides
CS 134: Operating Systems Security 1 / 29 Overview CS134 Overview 2014-04-22 Introduction

CS 134: Operating Systems Security 1 / 29 Overview CS134 Overview 2014-04-22 Introduction

CS134 2014-04-22 CS 134: Operating Systems Security CS 134: Operating Systems Security 1 / 29 Overview CS134 Overview 2014-04-22 Introduction to Security Classification Cryptography Overview Attacks Introduction to Security

574 views • 38 slides
Economics of Cybersecurity An introduction to economics Ross Anderson The Computer Lab,

Economics of Cybersecurity An introduction to economics Ross Anderson The Computer Lab,

Economics of Cybersecurity An introduction to economics Ross Anderson The Computer Lab, University of Cambridge Economics for engineers To see what makes informa0on markets special, we

253 views • 13 slides
Data Security in the Digital Age Reputation and Strategic Interactions in Security Investment

Data Security in the Digital Age Reputation and Strategic Interactions in Security Investment

Introduction Baseline Model Main Results Extended Model Lit. Review Conclusion Appendix Data Security in the Digital Age Reputation and Strategic Interactions in Security Investment Ying Lei Toh Toulouse School of Economics March 31, 2016

1.03k views • 37 slides
Economics of network security Joeri de Ruiter Outline What economic (dis)incentves are at

Economics of network security Joeri de Ruiter Outline What economic (dis)incentves are at

Advanced Network Security Economics of network security Joeri de Ruiter Outline What economic (dis)incentves are at play in network security? Motiwatnnh exbaplesh Econoic principlesh for econoicsh of shecurity

610 views • 31 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
and its Discontents Introduction The purpose of this presentation is to provide an overview of

and its Discontents Introduction The purpose of this presentation is to provide an overview of

Wireless Security and its Discontents Introduction The purpose of this presentation is to provide an overview of the strengths and weaknesses of Wireless Security solutions. We will cover: - Real-world examples of Wireless Security application

425 views • 38 slides
Company Overview 1 February 2010 Introduction BAE Systems is a global defence, security and

Company Overview 1 February 2010 Introduction BAE Systems is a global defence, security and

Company Overview 1 February 2010 Introduction BAE Systems is a global defence, security and aerospace company delivering a full range of products and services for air, land and naval forces, as well as advanced electronics, security,

390 views • 12 slides
An Empirical View on Semantic Roles Part II Katrin Erk Sebastian Pado Saarland University

An Empirical View on Semantic Roles Part II Katrin Erk Sebastian Pado Saarland University

An Empirical View on Semantic Roles Part II Katrin Erk Sebastian Pado Saarland University ESSLLI 2006 1 Structure History of Semantic Roles 1. Contemporary Frameworks 2. Difficult Phenomena (from an 3. empirical perspective) Role

575 views • 18 slides
Earnings Results Third Quarter 2018 October 30, 2018 Cautionary Language Risk Factors. This

Earnings Results Third Quarter 2018 October 30, 2018 Cautionary Language Risk Factors. This

Earnings Results Third Quarter 2018 October 30, 2018 Cautionary Language Risk Factors. This presentation, including the oral statements made in connection herewith, contains forward-looking statements, estimates and projections within the meaning

1.23k views • 18 slides
ANALYTICS & DATA MASTERY A N D C E R T I F I C A T I O N C L A S S OUR GOAL: To make data

ANALYTICS & DATA MASTERY A N D C E R T I F I C A T I O N C L A S S OUR GOAL: To make data

ANALYTICS & DATA MASTERY A N D C E R T I F I C A T I O N C L A S S OUR GOAL: To make data approachable & useful! Well give you the tools & training to pick the metrics that matter, create accurate reports, and make data

845 views • 82 slides
The Valuation of Callable Financial Commodities with Two Stopping Boundaries Katsushige Sawaki

The Valuation of Callable Financial Commodities with Two Stopping Boundaries Katsushige Sawaki

2008.10 The Valuation of Callable Financial Commodities with Two Stopping Boundaries Katsushige Sawaki (Nanzan Business School, Nanzan University) Atsuo Suzuki (Faculty of Urban Science, Meijo University) Kyoko Yagi (Faculty of

498 views • 36 slides
Network Economics -- Lecture 4: Incentives and games in security Patrick Loiseau EURECOM Fall

Network Economics -- Lecture 4: Incentives and games in security Patrick Loiseau EURECOM Fall

Network Economics -- Lecture 4: Incentives and games in security Patrick Loiseau EURECOM Fall 2016 1 References J. Walrand. Economics Models of Communication Networks, in Performance Modeling and Engineering, Zhen Liu, Cathy H.

939 views • 70 slides
The role of the CDS market in pricing Eurozone sovereign risk Richard Portes London Business

The role of the CDS market in pricing Eurozone sovereign risk Richard Portes London Business

The role of the CDS market in pricing Eurozone sovereign risk Richard Portes London Business School and CEPR The Debt Crisis in the Eurozone Reykjavik University 7-8 October 2011 Road map Background and objectives Procedure and

863 views • 21 slides
Heather Zheng Department of Computer Science p p University of California, Santa Barbara CS201

Heather Zheng Department of Computer Science p p University of California, Santa Barbara CS201

Heather Zheng Department of Computer Science p p University of California, Santa Barbara CS201 UCLA, May 22, 2008 1 Explosion of wireless networks and devices Static spectrum assignments are inefficient p g Under utilization +

365 views • 24 slides
1 Important Things to Know Archive Version (POP-UP)

1 Important Things to Know Archive Version (POP-UP)

50 Most Common Appraisal Review Deficiencies Webinar 9:00 AM Mountain Time All audio for this webinar If you have any is through your computer technical or audio issues there is no separate please review the call-in number Support

771 views • 40 slides

More recommend