Welcome to CSE 5/7338 Economics of Information Security Tyler Moore - - PDF document


Welcome to CSE 5/7338

Economics of Information Security Tyler Moore

Computer Science & Engineering Department, SMU, Dallas, TX

Lecture 1

Outline: Logistics, Motivation, Syllabus, Calendar

Course website

  • Most info: http://lyle.smu.edu/~tylerm/courses/econsec/
  • Blackboard for announcements and turning in assignments (distance students)
  • YouTube channel for R screencasts


Syllabus

http://lyle.smu.edu/~tylerm/courses/econsec/admin/syllabus.html


Calendar

http://lyle.smu.edu/~tylerm/courses/econsec/admin/schedule.html


Motivation: Why computer science alone can’t fix information security; Why economics offers a useful perspective; How economics can help information security

Why is a computer scientist talking about economics?

The conventional CS approach to security has failed:

  1. Enumerate possible threats
  2. Define attacker capabilities
  3. Build systems to protect against these threats

Worked for encryption algorithms, but not for Internet security


Evidence of security failures: data breaches


Evidence of security failures: phishing websites


Evidence of security failures: botnets


Evidence of security failures: critical infrastructure

Source: http://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Evidence of security failures: critical infrastructure


Evidence of security failures: critical infrastructure

Source: http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf

But why economics?

Economics is a social science

  • Studies behavior of individuals and firms in order to predict outcomes
  • Models of behavior based on systematic observation
  • Usually cannot run experiments as in bench science, but economics has developed ways to cope with differences inherent to observing the world

Economics studies trade-offs between conflicting interests

  • Recognizes that people operate strategically
  • Have devised ways to model people’s interests and decision making


Economics is not just about money

  • Money helps to reveal preferences
  • Money can serve as a common measure for costs and benefits
  • As a discipline, economics examines much more than interactions involving money

Economics studies trade-offs between conflicting interests

  • Conflicting interests and incentives appear in many circumstances where money never changes hands


Attackers operate strategically

Cannot expect attackers to respect stated assumptions of behavior

  • Threat modeling focuses an engineer’s task, which can harden a resource against particular attacks
  • But system design does not exist in a vacuum – attackers can adapt to find holes in areas not considered by the threat model

Must understand what motivates attackers

  • For cybercriminals this could be profit
  • For hacktivists this could be attention and disruption
  • In each case, attackers will seek the least costly way to reach their goal


Botnet operators operate strategically (motivated by $)


Phishing gangs operate strategically (exploit weakest link)

[Figure: phishing site lifetime (days), March to May 2007, y-axis from 5 to 25; one series for Hong Kong (.hk domain) and one for China (.cn domain)]

Source: Moore & Clayton (2007), own aggregation

Take-down latency for phishing attacks targeting different registrars in spring 2007; lines are five-day moving averages broken down by top-level domain.


Defenders also operate strategically

  • Those responsible for protecting information systems naturally must consider their own interests
  • Often, there are multiple stakeholders responsible for defense
  • Sometimes defenders’ interests conflict
  • Sometimes the interests of defenders do not align with those of society


Let’s return to critical infrastructure protection


Incentives for critical infrastructure protection

Critical infrastructure operators

  + Upgrading to IP-based systems brings huge efficiency gains
  − Maintaining physical separation of networks reduces efficiency and drives up operating costs
  − Likelihood of an attack is low (based on history)
  − Cost of attack largely borne by society

Consumers

  + Value reliability of service, including against attack
  − Prefer low-cost service
  − Cannot distinguish between security investments among firms

Governments

  + Value reliability of service, including against attack
  + Fear political consequences of an attack, given national defense remit
  − Lack of budget to fund security
  − Lack of expertise to improve security on privately-controlled systems


So what’s the outcome?

Absent regulation to compel behavior, stakeholders act in their own interest based on their incentives and capabilities

  • Only operators, not consumers or governments, are capable of improving security
  • So their incentives matter most!
  • On balance, they are likely to tolerate a high level of insecurity in their systems

We can also compare this outcome to what seems ‘best’

  • In economics jargon, this is the search for the social optimum
  • The social optimum maximizes expected utility
  • More detail on how to compute this later on, but for now, we can intuit what the social optimum might be

Question #1: is complete security of critical infrastructures socially optimal?

Question #2: why hasn’t the market delivered the socially optimal outcome?
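As an added illustration of the two questions above (constructed for this edit, not part of the lecture slides), here is a toy expected-cost model of the operator's decision. A stakeholder chooses a security level s between 0 and 1, pays a convex cost k·s² to reach it, and faces an attack with probability p that causes a total loss L·(1−s), of which the deciding party bears only a fraction `share`; the rest falls on society. Maximizing expected utility here is the same as minimizing expected cost. The functional forms, every parameter value, and the names `Scenario`, `optimal_security` and `grid_optimum` are assumptions made for this example. With the operator bearing 20% of the loss it picks a far lower security level than a social planner would (Question #2), and even the planner stops well short of complete security because the last units of protection cost more than the loss they avert (Question #1).

```python
"""Toy model of private vs. social security investment (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Hypothetical parameters; none of these numbers come from the lecture."""
    p: float     # probability that an attack is attempted in the period
    loss: float  # total loss to everyone if an attack hits an unprotected system
    k: float     # cost scale: securing to level s costs k * s**2


def security_cost(s: float, sc: Scenario) -> float:
    """Cost of reaching security level s (convex: each extra unit costs more)."""
    return sc.k * s ** 2


def expected_loss(s: float, sc: Scenario, share: float = 1.0) -> float:
    """Expected loss borne by a party that carries `share` of the total loss.

    Assumption: security level s scales the loss down linearly, to L * (1 - s).
    """
    return share * sc.p * sc.loss * (1.0 - s)


def expected_cost(s: float, sc: Scenario, share: float = 1.0) -> float:
    """Security spending plus the expected loss the deciding party actually bears."""
    return security_cost(s, sc) + expected_loss(s, sc, share)


def optimal_security(sc: Scenario, share: float = 1.0) -> float:
    """Security level minimising expected_cost for a party bearing `share` of the loss.

    d/ds [k s^2 + share p L (1 - s)] = 2 k s - share p L = 0  =>  s = share p L / (2 k),
    clipped to the feasible range [0, 1].
    """
    s = share * sc.p * sc.loss / (2.0 * sc.k)
    return min(1.0, max(0.0, s))


def grid_optimum(sc: Scenario, share: float = 1.0, steps: int = 1000) -> float:
    """Brute-force check of optimal_security over an evenly spaced grid of s values."""
    candidates = [i / steps for i in range(steps + 1)]
    return min(candidates, key=lambda s: expected_cost(s, sc, share))


# Constructed numbers, chosen so that the two optima differ visibly.
OPERATOR = Scenario(p=0.05, loss=1000.0, k=50.0)
OPERATOR_SHARE = 0.2  # operator bears 20% of the loss; society bears the rest


if __name__ == "__main__":
    private = optimal_security(OPERATOR, OPERATOR_SHARE)  # what the operator picks
    social = optimal_security(OPERATOR)                   # what a social planner picks
    for label, s in (("operator's optimum", private), ("social optimum", social),
                     ("complete security", 1.0)):
        print(f"{label:20s} s = {s:.2f}  total expected cost to society = "
              f"{expected_cost(s, OPERATOR):.1f}")
    # closed form and brute force agree up to the grid spacing
    assert abs(grid_optimum(OPERATOR, OPERATOR_SHARE) - private) < 1e-3
```

Running it shows the operator settling at s = 0.10 (total expected cost to society 45.5), the planner at s = 0.50 (37.5), and complete security costing 50.0, so the market outcome is worse than the social optimum, yet complete security is not the social optimum either. The linear loss function and the quadratic cost are deliberately simple; the lecture promises a proper treatment of computing the optimum later on.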


Economics makes information security empirically grounded

  • Traditional threat modeling states that an attack is possible and should be protected against by definition
  • But what if the threats we envision differ from what actually happens?
  • An economic perspective approaches threat modeling by observing behavior
  • This allows us to construct a more accurate picture of the risks due to information insecurity


Economics suggests policies to deploy technology better

  • In addition to describing why security fails and how attackers and defenders operate, economics can recommend policies to improve security
  • Technology alone cannot fix the challenges facing information security; instead, policy can correct market limitations to help security technologies succeed
  • We will discuss many of the options in this course (ex ante safety regulation, ex post liability, cyberinsurance, . . . )
  • Today we briefly discuss one example: information disclosure


Recall our first example? Made possible through policy


Information disclosure

  • Louis Brandeis: “sunlight is said to be the best of disinfectants”
  • Information security incidents are often hidden from public view, so one light-touch intervention is to mandate disclosure


Data breach legislation

California Civil Code 1798.82 (2002): “Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

Deirdre Mulligan


Many high-profile breaches came to light


Effect of data breach legislation

Data breach legislation has two main goals

  1. Consumer empowerment: give people the chance to protect themselves following a breach
  2. Offer an incentive for firms to make breaches less likely

Can also be viewed as a means of correcting information asymmetries

  1. Between consumers and firms
  2. Between competing firms


Recap of what economics offers information security

  • Means of understanding strategic behavior (for attackers and defenders)
  • Makes information security empirically grounded
  • Suggests policies to deploy technology better
