
Economics of network security, Harald Vranken (PowerPoint presentation)



  1. Advanced Network Security (2019-2020)
     Economics of network security
     Harald Vranken

  2. Economics of network security
     • Note that network in this lecture means
       – Physical communication network (eg. Internet, telephony, fax, telegraph)
       – Economic/virtual network of commercial and non-commercial transactions (eg. community of software users or credit card users)
     • We focus on network economics to explain security problems
     • How to handle security problems?
       – Technical measures (improve access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, …)
       – Organisational measures (improve regulations, responsibilities, governance, …)
       – Economic measures
         o What are the costs (monetary, reputation, …) and benefits, and for whom?
         o Can we adjust economic incentives?

  3. Economics of network security
     • More and more devices are connected to the Internet(-of-Things)
     • Actions by one party might affect another party positively or negatively
     • Can we explain why users/organisations (do not) take particular security decisions?
       – Can we influence these decisions?
     • We will look at security on a more societal level

  4. Agenda
     • Economically rational behaviour
     • Incentives
     • Externalities
     • Liability
     • Tragedy of the commons
     • Markets for lemons (asymmetric information)
     • Examples

  5. Economically rational behaviour
     • In economics: people only do things if these are economically rational to do
       – “Money makes the world go round”
     • Why do people reject security advice?
       – Following the advice will shield them from the direct costs of attacks, but burdens them with increased indirect costs
     • Direct costs are generally small compared to indirect costs
       – Small chance of being attacked, and recovery requires one-time costs
       – Security advice applies to everyone, and following it requires continuous costs
       – Hence, from a cost perspective, rejecting security advice makes sense!

  6. Economically rational behaviour: patching
     • Most malware attacks exploit known vulnerabilities for which patches are available
     • Attacks could have been prevented if users had patched their systems
     • Why didn’t they patch?
       – Because they are lazy?
       – Because they are uninformed?
       – Because installing patches is difficult/not user-friendly?
       – Because they lack resources?
       – Or, because it is not economically rational to patch?

  7. Economically rational behaviour: patching
     Why is patching not economically rational?
     • It is not just one patch
       – Eg. 22,538 vulnerabilities reported by VulnDB in 2019 (ie. more than 60 each day)
     • Patching can break your systems
       – The majority of the outages at a large Dutch telecom provider was due to their own patching

  8. Economically rational behaviour: anti-virus
     • Is it economically rational to use anti-virus software?
       – Costs: buying software, daily updating, regular scanning
       – Benefits: once in a while you catch malware (that might have caused harm)
     • Banks require you to install anti-virus software when online banking
       – Who pays for anti-virus software?
       – Who is liable?
       – Who benefits?

  9. Economically rational behaviour: more examples
     • Example: security advice on choosing strong passwords
       – Largely ineffective if phishing and keylogging are the main threats
       – Lock-out after n tries prevents online brute-force guessing or dictionary attacks
     • Example: security advice to check URLs and recognize phishing sites
       – Largely ineffective since the direct loss to users is on average less than a dollar a year
     • Example: security advice on checking SSL certificates
       – Attackers avoid using certificates (no certificates on phishing sites and malware hosting sites)
       – Largely ineffective since nearly all certificate errors seen by users are false positives (expired or self-signed certificates, but no malicious intention)
     • Also, the benefits of security advice are often hugely exaggerated
       – Benefits are projected for worst-case harms, while users care only about average or actual harm
       – Even the actual harms of some attacks appear greatly exaggerated (eg. ‘only’ 0.37% of users per year are victimized by phishing)

  10. Economically rational behaviour: good or bad?
     • Hence, not following security advice is economically rational:
       – Advice is complex and growing
       – Users pay indirect costs (mostly by spending their time)
       – Benefits are questionable
       – Users are only partly liable
     • Although it is economically rational for users to ignore security advice, the advice is not bad!
       – It is still better to have strong passwords, change them often, and have a different one for each account

  11. Economically rational behaviour: how to change?
     • Need a better understanding of the actual harms endured by users
       – Users mainly lose time and not money when attacked
       – Users also lose time when following security advice
     • The cost of security advice should be in proportion to the victimization rate
       – All users bear the costs of user education (security advice), while only victims benefit
       – Target the at-risk users
     • Respect users' time and effort
     • Prioritize advice
     • Retire advice that is no longer compelling
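A worked cost-benefit model for slides 5, 9 and 11, added here as an illustration (it is not part of the lecture). It compares advice given to every user against advice targeted at an at-risk group, using the two figures the slides quote (about 0.37% of users victimized per year, average direct loss below a dollar per user per year). The population size, the loss per victim, the hourly value of user time, the yearly time cost of following the advice, the fraction of harm the advice prevents, and the quality of the targeting (`reached_fraction`, `victim_recall`) are constructed assumptions.

```python
"""Expected-cost model of security advice (added illustration, not from the slides).

Slide figures used: ~0.37% of users per year are phishing victims, and the
average direct loss is below a dollar per user per year. Every other number
is a constructed assumption, chosen only to make the comparison concrete.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    population: int          # number of users (assumed)
    victim_rate: float       # fraction of users victimized per year (slide: 0.37%)
    loss_per_victim: float   # direct loss per victim, currency units (assumed)
    hourly_value: float      # value of one hour of user time (assumed)
    hours_per_user: float    # yearly time spent following the advice (assumed)
    effectiveness: float     # fraction of harm prevented when advice is followed (assumed)


def _summary(name: str, cost: float, benefit: float, advised: float) -> dict:
    return {"policy": name, "cost": cost, "benefit": benefit,
            "net": benefit - cost, "advised_users": advised}


def blanket_advice(s: Scenario) -> dict:
    """Advice delivered to everyone: all users pay the continuous cost,
    only the (expected) victims obtain any benefit (slide 11)."""
    cost = s.population * s.hours_per_user * s.hourly_value
    expected_victims = s.population * s.victim_rate
    benefit = expected_victims * s.loss_per_victim * s.effectiveness
    return _summary("blanket", cost, benefit, s.population)


def targeted_advice(s: Scenario, reached_fraction: float, victim_recall: float) -> dict:
    """Advice delivered only to an at-risk group: `reached_fraction` of the
    population is advised, and that group contains `victim_recall` of the
    victims (both assumed; they describe how good the targeting is)."""
    advised = s.population * reached_fraction
    cost = advised * s.hours_per_user * s.hourly_value
    expected_victims_reached = s.population * s.victim_rate * victim_recall
    benefit = expected_victims_reached * s.loss_per_victim * s.effectiveness
    return _summary("targeted", cost, benefit, advised)


def break_even_minutes(s: Scenario, reached_fraction: float = 1.0,
                       victim_recall: float = 1.0) -> float:
    """Largest yearly time cost per advised user (minutes) at which the advice
    still pays for itself: solve benefit == cost for hours_per_user."""
    benefit_per_advised = (s.victim_rate * victim_recall * s.loss_per_victim
                           * s.effectiveness / reached_fraction)
    return 60.0 * benefit_per_advised / s.hourly_value


# Constructed scenario. loss_per_victim is chosen so that the average direct
# loss per user (0.0037 * 200 = 0.74) stays below a dollar, as on slide 9.
SLIDE_SCENARIO = Scenario(population=1_000_000, victim_rate=0.0037,
                          loss_per_victim=200.0, hourly_value=20.0,
                          hours_per_user=0.5, effectiveness=0.5)


if __name__ == "__main__":
    for result in (blanket_advice(SLIDE_SCENARIO),
                   targeted_advice(SLIDE_SCENARIO, reached_fraction=0.05, victim_recall=0.6)):
        print(result)
    print("break-even minutes/user/year, blanket :", round(break_even_minutes(SLIDE_SCENARIO), 2))
    print("break-even minutes/user/year, targeted:",
          round(break_even_minutes(SLIDE_SCENARIO, 0.05, 0.6), 2))
```

Under these assumptions the blanket advice costs far more than the harm it avoids, and it only breaks even if following it takes about a minute per user per year; aiming the same advice at the 5% of users who account for 60% of the victims raises that break-even budget to roughly thirteen minutes, which is the slide's point that the cost of advice should scale with the victimization rate of those who receive it.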

  12. Economic incentives
     • Incentives: factors that influence decisions made by individuals and organizations
     • Rooted in economic, formal-legal, and informal mechanisms
       – Specific economic market conditions
       – Interdependence with other players
       – Laws
       – Social norms
     • “Security failure is caused at least as often by bad incentives as by bad design” (Ross Anderson & Tyler Moore, 2006)

  13. Security incentives
     • Stakeholders of a system
       – The party who can implement security
       – The party who suffers from a security incident
       – The party who is liable in case of a security incident
     • What is the incentive for implementing security if these parties are different?
     • Example: stakeholders for a medical payment system
       – Healthcare insurers pay for the development of the system
       – Healthcare providers (hospitals, …) should protect medical data
       – Patients' privacy

  14. Security incentives
     • Motivations for a party to (not) perform an action
       – Monetary gain/loss
       – Reputation
       – Peer pressure
       – Liability

  15. Security incentives: ISPs
     • ISPs have security-enhancing incentives (but implementation depends on their business models)

  16. Security incentives: ISPs
     • Example: incentives for dealing with spam
     • Initially
       – Emails considered as personal property of recipients
       – Inspecting the content of mails is a violation of privacy
       – End users are responsible for protecting their own systems and for dealing with spam
     • Later
       – Exorbitant growth of spam (> 80% of all emails) changed the financial implications for ISPs
       – Flood of spam became a burden for the network infrastructure, requiring additional investment
       – Users of infected machines call the help desk or customer service, with high cost for the ISP
       – Abuse notifications from other ISPs and requests to fix the problem
       – In extreme cases, a whole ISP could be blacklisted
       – ISPs started to filter incoming mail and to manage their customers’ security more proactively

  17. Misaligned/conflicting incentives
     • Incentives for one party reward behaviour that is detrimental to other parties
     • Can be repaired by removing/changing/adding incentives
     • Typically done by regulation from government
     • Example: carbon tax → polluter pays

  18. Conflicting incentives (figure)
     Source: J.M. Bauer & M.J.G. van Eeten, “Cybersecurity: Stakeholder incentives, externalities, and policy options”, Telecommunications Policy 33 (2009): 706–719

  19. Incentives of information technology markets
     • The value of a product to a user depends on how many other users adopt it
     • Technology often has high fixed costs and low marginal costs
       – Developing software is expensive, but manufacturing copies costs very little
       – Price competition drives revenues steadily down towards the marginal cost of production
     • Large costs to users from switching technologies (‘vendor lock-in’)
     • Incentives for businesses
       – Selling on value rather than on cost
       – Create customer lock-in (instead of standard, well analyzed and tested architectures, implement security-by-obscurity)
       – First-mover advantages (“ship it on Tuesday and get it right by version 3”)
       – Make life easy for application developers (no mandatory security)

  20. Externalities
     • Definition (Oxford Dictionary)
       – A consequence of an industrial or commercial activity
       – which affects other parties
       – without this being reflected in market prices
     • Side-effect of an event/transaction on third parties
     • Can be either positive or negative

  21. Negative externalities
     • Classical example: pollution
     • Reduction of pollution by a company costs money and has no direct effect on the company
     • Society bears the consequences (externalities)
       – For example reduced longevity, increased costs of healthcare, cleaning up
     Image source: https://flic.kr/p/2iGM5z

  22. Positive externalities
     • Example: improvement of houses in a neighbourhood
       – Will increase the value of other houses in the neighbourhood as well
     • Example: vaccination
       – A majority of the population being vaccinated protects the other part of the population as well
     • The opposite (degeneration if houses are not renovated, refusing vaccination) has negative externalities
     Image source: https://flic.kr/p/byeLgc
