Lecture 5: Economics of Information Security Rachel Greenstadt January 30, 2017 Market Failures: Moral Hazard https://www.youtube.com/watch?v=
5v7TWKlYoN0 Amateurs Study Cryptography Professionals Study Economics A solved problem? You pay for content or services with anonymous electronic cash. You connect to content and service
providers with an anonymizing mixnet. You authenticate yourself with anonymous credential schemes or zero-knowledge identification protocols. You download content via private information retrieval or oblivious transfer. You use secure function evaluation when interacting with services that require some information. - [Feigenbaum, Sander, Freedman, Shostack]
Problems with this? Many of these techniques are not deployed. Users must be able to access unencrypted data cannot store keys in our head Other computers must be able to access unencrypted data keys must be stored on machines where they can be stolen
Old School InfoSec Cryptography Formal Methods Trusted Computing Base Privacy in dot com days
And then... How the market reacted Economic challenges pushed merchants to more restrictive policies This policy may change from time to time so please check back periodically
Web Infections aka Drive-By Downloads Hypotheses Data security and privacy are really hard, we are failing despite high investment No one cares about security and privacy, so the invisible hand reflects that
Something is wrong with the market for data privacy and security Hypotheses Data security and privacy are really hard, we are failing despite high investment Many things were not doing (cryptography, extensive code review, self insurance, etc)
Software security knowledge is located precisely nowhere a developer spends their time. (1raindrop) No one cares about security and privacy, so the invisible hand reflects that Something is wrong with the market for data privacy and security
Hypotheses Data security and privacy are really hard, we are failing despite high investment No one cares about security and privacy, so the invisible hand reflects that People say they care
Argument that rational actors ought to care Something is wrong with the market for data privacy and security Hypotheses Data security and privacy are really hard, we are failing despite high investment
No one cares about security and privacy, so the invisible hand reflects that Something is wrong with the market for data privacy and security Market Failures Markets work when people have incentives to do the right thing How can they fail?
Externalities Asymmetric/Imperfect Information Bounded rationality Free Riding All present in information security and privacy! Externalities
Occur when decisions cause external costs or benefits to stakeholders who did not directly affect the transaction Externalities in Web Infections Web infections typically affect the end users (browsers) Often don't know that they are infected If they do, they don't know why
No incentive for sites to do the right thing Some evidence to suggest overt security measures actually reduce customer confidence Revealing infections can only harm companies brands and reputations Most harm is even further removed Attacks carried out/ phishing sites hosted/ SPAM sent from
infected machines Externalities in Password Choice Adverse Selection: Akerlofs Market for Lemons Comes from analysis of Used Car market Hidden characteristics: Buyer doesn't know if the car they
are buying is good or a 'lemon' Seller does have this information Given uncertainty buyer will not pay much Result: Adverse Selection, sellers won't sell good cars (can't get a good price) only lemons Solution: Reduce customer uncertainty (Independent Inspections, Guarantees, etc)
Asymmetric Information in Web Insecurity End user doesn't know if site they visit is safe or attacking them Hosting provider doesn't know if webmaster is incompetent or malicious Webmasters don't know if hosting provider is secure Adverse selection : Takes resources to be secure, so
why bother if no one can notice? Bounded Rationality Market assumes not only perfect information, but also perfect rationality Reality - Behavioral distortions Humans bad at assessing risk Tend to pick the first reasonable
sounding option, not weigh all costs Coherent arbitrariness Hyperbolic discounting Consumer Webmasters Most webmasters are not tech geeks
Just want things to work Use off the shelf software Do not believe they are infected Do not know how to evaluate security properties of hosting providers (or that they should)
Can not identify or remove malware Risk Compensation / Risk Homeostatis Anti-lock brake systems increased crashes, seat belt laws increased fatalities in UK People thought they could take more risks
Automatic parachute deployment Same fatalities, people try harder jumps Really hard to reduce risk if people think risk level is ok (Moral hazard) Solutions Invisible security measures
Measures that do not depend on user actions Security as a Public Good? Non-rival use by one person doesnt exclude others Non-excludable not possible to exclude people from using it What types of security might fit this
description? Free Riding Nash Equilibrium Strategy (S, T) Player A cannot do better by choosing a strategy other than S, given that player B
chooses T Player B cannot do better by choosing a strategy other than T, given that player A chooses S Car Insurance in Philly Car insurance is expensive Many people dont buy it
Smaller risk pool + other party in accident might lack insurance Car insurance even more expensive Outcomes Depend on Others Actions DNS weaknesses (upgrade to DNSSEC?) Anonymity system
Minimal adoption level before any benefit Network Effect Value of a technology much higher the more people use it: The Internet Fax machines Social networks
Payment methods Approaches to Fixing
King of the Internet Bundling with a new product Government subsidies Internal use of large organizations SCION New version of the Internet with security properties
Currently being adopted by some Swiss banks Product Stages Early Adopters Problems here
Mass market Best chance for adoption Direct and immediately perceived benefit Why is most software insecure Features >> security What does good security even mean?
Could hire consultants to give you advice High transaction cost Transaction Costs Costs to buy a product Closing costs when buying a house Credit card costs (3%) Understanding terms and conditions
Security has high transaction costs Hard to evaluate software security No data to do so Free-riding would be good here! Ideally someone pays the costs to figure out what is secure
Everyone uses that analysis Problem: no good analyses Example: Web hosting providers Back to the lemons market Security hard/expensive to evaluate Not prioritized
Vendors choose not to compete on security Programmers and managers with security expertise are expensive Form of technical debt Signaling Traditional solution to lemons market Problem: everyone wants to send good
signals, no one wants to invest in security Lots of worthless signals Claims of unbreakable or virus-proof software Claims of good processes Liability for security issues How far should this extend? Open source software / small players
Dangerous for innovation No one wants to kill the goose that lays the golden eggs (tech industry) Have long manuals and blame all problems on users Spam: Why do we still get it?
Lots of effort to defeat filters Send from compromised zombies Can profit off low conversion rate Sending spam not always illegal or a priority Victims in other countries (externality) Principal-Agent Problem Hire someone to work for you, how to
incentivize them to do a good job? Boards and CEOs Dont want them to take too many risks, or too few (hard problem) Hiring security experts or auditors is similar Reading for the week
Economics and Internet Security: a Survey of Recent Analytical, Empirical and Behavioral Research Tyler Moore and Ross Anderson Based on an article in Science
Integration. You can use numerical integration. In C2 you saw how to estimate the area under a curve by using the trapezium rule. This method can take time and is only an approximation, but it allows you to find areas...
SSG-2 Deterministic Safety Analysis for Nuclear Power Plants (2009) NS-G-2.15 Severe Accident Management Programmes for Nuclear Power Plants (2009) SSG-15 Storage of Spent Fuel (in publication) GS-G-2.1 Arrangements for Preparedness for a Nuclear or Radiological Emergency (2007)
Preparing Students for Global Citizenship in the Foreign Language Classroom: Teacher Perceptions and Beliefs about Teaching Culture and the Effects of these Beliefs on Instructional Practices in an Era of Standards-based Instruction A Design Map for a Dissertation Proposal Melissa...
Book thief. Good girl. Bed-wetter. Maxi Taxi. Jewish fist fighter. Jew lover. Fruit stealer. Giver of bread and teddy bears. Black Magic. Best Friend. Triple Hitler youth athletics champion. Stupid Cow
Reaction against stereotype. No Response (to question 9) ~ half more negative ~ half more positive. Respondents with generally positive responses. Self-identified using the word . n. erd. Self-identified using the word . geek. in their description. Self-identified as both...
The "Notice about the bidding" will be called under the following circumstances. ... and VAT amount. 2. The item information included in the selected contract number will be displayed at the bottom, such as the item code, UOM (unit of...
Consideration of other WOKs and AOKs, such as language and ethics (how does emotion help us to understand linguistic concepts; how is our ethical awareness affected by a lack of emotion, etc.) (2 points) Example: Are emotions simply a matter...
Maria Gavin Strategic Lead for development of Strategic Commissioning ... Head of Climate Change & Env. Raj Mack: Head of Digital Birmingham Lesley Edwards: Funding Manager LOCAL SERVICES Strategic Director - Local Services SHARON LEA Service Dir Transformation Rob James...
Ready to download the document? Go ahead and hit continue!