economics and computer security
play

Economics and computer security Hal R. Varian UC Berkeley - PowerPoint PPT Presentation

Nov 24, 2022 •113 likes •304 views

Economics and computer security Hal R. Varian UC Berkeley http://www.sims.berkeley.edu/~hal Outline Assignment of liability Role of insurance Efficiency and coordination costs Implications of weakest link technology

  1. Economics and computer security Hal R. Varian UC Berkeley http://www.sims.berkeley.edu/~hal

  2. Outline • Assignment of liability • Role of insurance • Efficiency and coordination costs • Implications of weakest link technology 11/16/2005 2

  3. Assignment of liability • Want to reduce expected cost of accidents – Parties can affect the probability of accidents happening – Want to set up incentives to get the right parties invest effort in reducing expected costs of accidents – Liability: who has to pay and how much if accident occurs. Sets incentives to reduce expected costs. • Basic principles – Least cost avoider: assign liability to the party that is best positioned to reduce expected costs – Due care standard: set a due care standard, no liability if you meet the due care standard, otherwise pay accident cost 11/16/2005 3

  4. Least cost avoider • ECost = Prob(e1+e2) A – c1 e1 – c2 e2 – ECost = expected cost – Prob(e1+e2) = prob accident occurs – A = cost of accident/event – e1, e2 = effort to reduce prob of accident – c1, c2 = cost of effort • Observe: you want the party with the lowest effort cost to exert all the effort • This drives the other party’s effort to zero, but that’s OK in this case 11/16/2005 4

  5. Due care standard • EC = Prob(e1,e2) A – c1 e1 – c2 e2 – Find efforts that minimize expected costs, (e1*,e2*) – Set due care standards equal to this effort level – No liability if you meet due care standard – Otherwise, pay fine equal to cost A if accident occurs – See Steven Shavell, Economic Analysis of Accident Law 11/16/2005 5

  6. Computer security • Sometimes the effort cost is so extreme (e.g., technical knowledge) that liability goes to one party • Other times due care standard is plausible – Due care standard determined by courts, but guided by industry practices – Could be very important role for security community – Better to be proactive than just let these standards evolve – Should there be a FASB-like board? 11/16/2005 6

  7. Example: ATM machines • Ross Anderson: “Why cryptosystems fail” • Suppose there is a dispute between you and your bank about your ATM usage – England: bank is right unless you can prove them wrong – US: you are right unless the bank can prove you wrong • Two different default assignments of liability 11/16/2005 7

  8. Result of ATM liability assignment • US: banks invest in risk reduction technology • England: banks typically do not invest in such technology • Credit card and phone card risk management • Role of competition: debit cards 11/16/2005 8

  9. Role of insurance • Two major risk management institutions – Stock market – Insurance market • Why do corporations buy insurance? – Value of shares depend on portfolio value – Shareholders can diversify risk themselves – Particularly good question in case of computer security 11/16/2005 9

  10. Why do corporations buy insurance? • Answer: risk management services • Insurance companies are well placed to – recommend actions – require compliance – disseminate best practices – insurance contract is incentive compatible! • Especially valuable services for rare events 11/16/2005 10

  11. Examples • Expert certification – Year 2000 problem • Could do more – CERT patches requirement for insurance – SATAN test • Prediction – insurance companies will move into computer security (supplemented by expert advisors) 11/16/2005 11

  12. Insurance: moral hazard • Want the insured to bear some risk – full insurance has bad incentives – deductible/co-pay is much better • Want to structure incentives to reduce risk – liability assignments – as discussed – deductible – moral hazard 11/16/2005 12

  13. Adverse selection • Those who need insurance most buy it • Pool that purchases insurance is not representative of entire population • Adverse selection can destroy market – argument for social insurance – e.g., infrastructure protection above and beyond that covered by private incentives 11/16/2005 13

  14. Infrastructure as public good • Private good v public good – excludability – rivalry • Public good aspect to security – national defense ; police services • How to pay for security? – individual or social choice? 11/16/2005 14

  15. Private or public? • Gated communities or private walls? 11/16/2005 15

  16. Costs • Production costs – economies of scale in protection? • Countervailing effects – decision costs: social v private decisions – coordination/complexity management costs – effectiveness of measures – clarity of who is responsible – genetic diversity 11/16/2005 16

  17. Total effort v weakest link • Public goods usually involve total effort • Security often has weakest-link character – makes public good more costly – private incentives • leadership is critical • coordination is critical 11/16/2005 17

  18. Why systems fail? • Ross Anderson paper “Why cryptosystems fail” – http://www.cl.cam.ac.uk/~rja14 • What to do about human failure? – get incentives right (e.g., liability assignments) – outside monitors and auditors (insurance) – follow procedures (banking) – standards setting role of military (e.g., aviation) 11/16/2005 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Course Overview, Introduction to Economics and Security Tyler Moore CSE 7338 Computer Science

Course Overview, Introduction to Economics and Security Tyler Moore CSE 7338 Computer Science

Notes Course Overview, Introduction to Economics and Security Tyler Moore CSE 7338 Computer Science & Engineering Department, SMU, Dallas, TX Lecture 1 Notes Outline Logistics 1 Motivation 2 Intro to Economics: Key notions 3 Intro

769 views • 32 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Welcome to CSE 5/7338 Economics of Information Security Tyler Moore Computer Science &

Welcome to CSE 5/7338 Economics of Information Security Tyler Moore Computer Science &

Notes Welcome to CSE 5/7338 Economics of Information Security Tyler Moore Computer Science & Engineering Department, SMU, Dallas, TX Lecture 1 Logistics Syllabus Motivation Calendar Notes Course website Most info:

229 views • 8 slides
Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer

Introduction to Computer Security Rev. Sept 2015 What is Computer Security? 2 Computer Security is the protection of computing systems and the data that they store or access 3 Why is Computer Security Important? Computer Security allows

690 views • 19 slides
Compositional Security Modelling: Structure, Economics, and Behaviour Tristan Caulfield 1 David

Compositional Security Modelling: Structure, Economics, and Behaviour Tristan Caulfield 1 David

Compositional Security Modelling: Structure, Economics, and Behaviour Tristan Caulfield 1 David Pym 1 Julian Williams 2 1 Department of Computer Science, University College London 2 Business School, University of Durham 26th June 2014 Security

439 views • 10 slides
A personal perspective Ross Anderson Cambridge The birth of security economics Why

A personal perspective Ross Anderson Cambridge The birth of security economics Why

Security Economics A personal perspective Ross Anderson Cambridge The birth of security economics Why Information Security is Hard An Economic Perspective, ACSAC, Dec 2001 Now: a field with over 100 active researchers and one

245 views • 20 slides
Quick Intro to Computer Security What is computer security? Securing communication

Quick Intro to Computer Security What is computer security? Securing communication

Carnegie Mellon Quick Intro to Computer Security What is computer security? Securing communication Cryptographic tools Access control User authentication Computer security and usability Thanks to Mike Reiter for the

412 views • 38 slides
Economics of Cybersecurity An introduction to economics Ross Anderson The Computer Lab,

Economics of Cybersecurity An introduction to economics Ross Anderson The Computer Lab,

Economics of Cybersecurity An introduction to economics Ross Anderson The Computer Lab, University of Cambridge Economics for engineers To see what makes informa0on markets special, we

253 views • 13 slides
Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and

Introduction to Computer Security Why do we need computer security? What are our goals and what threatens them? Lecture 1 Page 1 CS 236 Online Why Is Security Necessary? Because people arent always nice Because a lot of

415 views • 25 slides
Economics of cybersecurity Measuring security levels Michel van

Economics of cybersecurity Measuring security levels Michel van

Economics of cybersecurity Measuring security levels Michel van Eeten Del. University of Technology Security produc=vity What is measurable? Security level

217 views • 10 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer

Introduction Attacks Security Goals Fall 2010 CS 334 Computer Security 1 What is Computer Security? Generally concerned with protection of computer related assets Risk analysis and management! Manage could mean prevention of

537 views • 26 slides
Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

IN3210 Network Security Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure Computer Security Security of computers and networks Protection of digital assets Axioms of Computer Security:

240 views • 23 slides
Network Economics and Security Engineering Tyler Moore (joint with Ross Anderson and Shishir

Network Economics and Security Engineering Tyler Moore (joint with Ross Anderson and Shishir

Relevant network properties Example Applications Conclusions Network Economics and Security Engineering Tyler Moore (joint with Ross Anderson and Shishir Nagaraja) Computer Laboratory University of Cambridge DIMACS January 18, 2007

596 views • 20 slides
Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak

8.10.2019 Information Security Basic Ciphers Computer Security: Ensure security of data kept on the computer Ahmet Burak Can Network Security: Hacettepe University Ensure security of communication over insecure medium

267 views • 10 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J Lecture #2 Aug 25 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Economist Survey Please read it Main points Security is a MUCH

600 views • 27 slides
Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com

Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com

Multi- Category Security (MCS) Daniel J Walsh SELinux Lead Engineer dwalsh@ redhat.com Oops!!!! 2 Setting the record straight Example Policy - > Reference Policy Base policies package used by distributions to build shipping

561 views • 12 slides
Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain December 1,

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain December 1,

Computer-aided cryptography Gilles Barthe IMDEA Software Institute, Madrid, Spain December 1, 2015 Introduction Two models of cryptography: Computational: strong guarantees but complex proofs Symbolic: automated proofs but weak

1.42k views • 26 slides
Transport Layer Security Chester Rebeiro IIT Madras Some of the slides borrowed from the book

Transport Layer Security Chester Rebeiro IIT Madras Some of the slides borrowed from the book

Transport Layer Security Chester Rebeiro IIT Madras Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du TLS: Protocol to achieve secure communication TLS provides secure communication channel

834 views • 66 slides
Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC

Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC

Can DREs Provide Long- Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage Stephen Checkoway, * Ariel J. Feldman, Brian Kantor, * J. Alex Halderman, Edward W. Felten, Hovav Shacham * * UCSD, Princeton,

641 views • 40 slides
Module 3 Doing a Noise Audit This module and Module 2 provide the necessary training needed

Module 3 Doing a Noise Audit This module and Module 2 provide the necessary training needed

Module 3 Doing a Noise Audit This module and Module 2 provide the necessary training needed to do a noise audit. This module covers the following topics: Conducting basic noise measurements Assessing hearing protection use

506 views • 21 slides
Single Audit Training Workshop Assessing Single Audit Quality of Local Governments in Virginia

Single Audit Training Workshop Assessing Single Audit Quality of Local Governments in Virginia

Single Audit Training Workshop Assessing Single Audit Quality of Local Governments in Virginia _____________________________________ August 6, 2015 Michael A. Sidell, CGFM Audit Supervisor Auditor of Public Accounts Quote The goal is to

496 views • 49 slides
http://cs246.stanford.edu Data contains value and knowledge 1/7/20 Jure Leskovec, Stanford

http://cs246.stanford.edu Data contains value and knowledge 1/7/20 Jure Leskovec, Stanford

Note to other teachers and users of these slides: We would be delighted if you found our material useful for giving your own lectures. Feel free to use these slides verbatim, or to modify them to fit your own needs. If you make use of a

1.21k views • 69 slides
Partial Interviews in the Consumer Expenditure Survey Laura Erhard, Supervisory Economist

Partial Interviews in the Consumer Expenditure Survey Laura Erhard, Supervisory Economist

Exploring the Characteristics of Partial Interviews in the Consumer Expenditure Survey Laura Erhard, Supervisory Economist Division of Consumer Expenditure Surveys DC-AAPOR/WSS Review-Preview Summer Conference July 10, 2019 1 U.S. B UREAU

458 views • 27 slides

More recommend