Lecture 5: Economics of Information Security

Rachel Greenstadt
January 30, 2017

Market Failures: Moral Hazard
https://www.youtube.com/watch?v=5v7TWKlYoN0

Amateurs Study Cryptography, Professionals Study Economics

A solved problem?
- You pay for content or services with anonymous electronic cash.
- You connect to content and service providers with an anonymizing mixnet.
- You authenticate yourself with anonymous credential schemes or zero-knowledge identification protocols.
- You download content via private information retrieval or oblivious transfer.
- You use secure function evaluation when interacting with services that require some information.
- [Feigenbaum, Sander, Freedman, Shostack]

Problems with this?
- Many of these techniques are not deployed.
- Users must be able to access unencrypted data: we cannot store keys in our heads.
- Other computers must be able to access unencrypted data: keys must be stored on machines where they can be stolen.

Old School InfoSec
- Cryptography
- Formal Methods
- Trusted Computing Base

Privacy in dot com days

And then... How the market reacted
- Economic challenges pushed merchants to more restrictive policies
- "This policy may change from time to time so please check back periodically" - Yahoo privacy policy circa 2001

And governments have noticed this dynamic...

Why do Nigerian Scammers say they are from Nigeria?

Web Infections aka Drive-By Downloads

Hypotheses
- Data security and privacy are really hard; we are failing despite high investment
  - Many things we're not doing (cryptography, extensive code review, self insurance, etc.)
  - "Software security knowledge is located precisely nowhere a developer spends their time." (1raindrop)
- No one cares about security and privacy, so the invisible hand reflects that
  - People say they care
  - Argument that rational actors ought to care
- Something is wrong with the market for data privacy and security

Market Failures
- Markets work when people have incentives to do the right thing
- How can they fail?
  - Externalities
  - Asymmetric/Imperfect Information
  - Bounded rationality
  - Free Riding
- All present in information security and privacy!

Externalities
- Occur when decisions cause external costs or benefits to stakeholders who did not directly affect the transaction

Externalities in Web Infections
- Web infections typically affect the end users (browsers)
  - Often don't know that they are infected
  - If they do, they don't know why
- No incentive for sites to do the right thing
  - Some evidence to suggest overt security measures actually reduce customer confidence
  - Revealing infections can only harm companies' brands and reputations
- Most harm is even further removed
  - Attacks carried out / phishing sites hosted / SPAM sent from infected machines

Externalities in Password Choice

Adverse Selection: Akerlof's Market for Lemons
- Comes from analysis of the used car market
- Hidden characteristics: buyer doesn't know if the car they are buying is good or a 'lemon'
  - Seller does have this information
- Given uncertainty, buyer will not pay much
- Result: adverse selection; sellers won't sell good cars (can't get a good price), only lemons
- Solution: reduce customer uncertainty (independent inspections, guarantees, etc.)

Asymmetric Information in Web Insecurity
- End user doesn't know if the site they visit is safe or attacking them
- Hosting provider doesn't know if the webmaster is incompetent or malicious
- Webmasters don't know if the hosting provider is secure
- Adverse selection: it takes resources to be secure, so why bother if no one can notice?

Bounded Rationality
- Market assumes not only perfect information, but also perfect rationality
- Reality: behavioral distortions
  - Humans bad at assessing risk
  - Tend to pick the first reasonable-sounding option, not weigh all costs
  - Coherent arbitrariness
  - Hyperbolic discounting

Consumer Webmasters
- Most webmasters are not tech geeks
  - Just want things to work
  - Use off-the-shelf software
- Do not believe they are infected
- Do not know how to evaluate security properties of hosting providers (or that they should)
- Cannot identify or remove malware

Risk Compensation / Risk Homeostasis
- Anti-lock brake systems increased crashes; seat belt laws increased fatalities in the UK
  - People thought they could take more risks
- Automatic parachute deployment
  - Same fatalities; people try harder jumps
- Really hard to reduce risk if people think the risk level is OK (moral hazard)

Solutions
- Invisible security measures
- Measures that do not depend on user actions

Security as a Public Good?
- Non-rival: use by one person doesn't exclude others
- Non-excludable: not possible to exclude people from using it
- What types of security might fit this description?

Free Riding

Nash Equilibrium
- Strategy (S, T)
  - Player A cannot do better by choosing a strategy other than S, given that player B chooses T
  - Player B cannot do better by choosing a strategy other than T, given that player A chooses S

Car Insurance in Philly
- Car insurance is expensive
- Many people don't buy it
- Smaller risk pool + other party in accident might lack insurance
- Car insurance even more expensive

Outcomes Depend on Others' Actions
- DNS weaknesses (upgrade to DNSSEC?)
- Anonymity system
  - Minimal adoption level before any benefit

Network Effect
- Value of a technology much higher the more people use it:
  - The Internet
  - Fax machines
  - Social networks
  - Payment methods
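The Nash equilibrium definition, the free-riding argument (Security as a Public Good, Car Insurance in Philly) and the "minimal adoption level before any benefit" point from the slides above, worked through as an added Python example. This is not part of the lecture; the games, the strategy names and every payoff number are constructed for illustration. The first game is a two-operator "who pays for the fix" game in which protection is a public good; the second is an n-player adoption game with a minimum-adoption threshold, as for an anonymity system or DNSSEC.

```python
"""Two constructed games illustrating market failures from the lecture:

1. patch_game: two site operators each choose to invest in a security fix
   or to free-ride. The fix protects both as soon as either pays for it
   (a public good), so the pure Nash equilibria are the outcomes in which
   exactly one party pays and the other free-rides.
2. stable_adoption_levels: n players each decide whether to adopt a
   technology that only pays off once at least `threshold` players use it.
   Both "nobody adopts" and "everybody adopts" can be equilibria, which is
   the adoption trap behind "minimal adoption level before any benefit".
"""
from itertools import product


def pure_nash_equilibria(payoffs):
    """payoffs maps (strategy_A, strategy_B) -> (payoff_A, payoff_B).

    Returns every (S, T) for which A cannot do better than S given B plays T,
    and B cannot do better than T given A plays S (the slide's definition).
    """
    strategies_a = sorted({s for s, _ in payoffs})
    strategies_b = sorted({t for _, t in payoffs})
    equilibria = []
    for s, t in product(strategies_a, strategies_b):
        ua, ub = payoffs[(s, t)]
        a_cannot_improve = all(payoffs[(s2, t)][0] <= ua for s2 in strategies_a)
        b_cannot_improve = all(payoffs[(s, t2)][1] <= ub for t2 in strategies_b)
        if a_cannot_improve and b_cannot_improve:
            equilibria.append((s, t))
    return equilibria


def patch_game(benefit=4, cost=3):
    """Constructed payoff table for the two-operator security-fix game.

    Each operator's payoff is the shared protection benefit (earned if anyone
    invests) minus their own investment cost (paid only if they invest).
    """
    payoffs = {}
    for a, b in product(("invest", "free_ride"), repeat=2):
        gain = benefit if "invest" in (a, b) else 0
        payoffs[(a, b)] = (
            gain - (cost if a == "invest" else 0),
            gain - (cost if b == "invest" else 0),
        )
    return payoffs


def adopter_payoff(total_adopters, threshold, benefit, cost):
    """An adopter always pays the cost and only gets the benefit once enough
    players (itself included) have adopted. Non-adopters get 0."""
    return (benefit if total_adopters >= threshold else 0) - cost


def stable_adoption_levels(n, threshold, benefit, cost):
    """Return the adopter counts m in 0..n that are pure Nash equilibria of the
    symmetric adoption game: no adopter gains by dropping out (to payoff 0)
    and no non-adopter gains by joining (becoming adopter number m + 1)."""
    stable = []
    for m in range(n + 1):
        adopters_stay = m == 0 or adopter_payoff(m, threshold, benefit, cost) >= 0
        others_stay_out = m == n or adopter_payoff(m + 1, threshold, benefit, cost) <= 0
        if adopters_stay and others_stay_out:
            stable.append(m)
    return stable


if __name__ == "__main__":
    # Public-good patching: both equilibria have one free-rider.
    print(pure_nash_equilibria(patch_game()))
    # Same game when the fix costs more than it is worth: nobody patches.
    print(pure_nash_equilibria(patch_game(benefit=4, cost=5)))
    # Threshold adoption: zero adoption and full adoption are both stable.
    print(stable_adoption_levels(n=10, threshold=4, benefit=5, cost=2))
    # Without a threshold the trap disappears and only full adoption is stable.
    print(stable_adoption_levels(n=10, threshold=1, benefit=5, cost=2))
```

The adoption game is the part worth experimenting with: raising `threshold` never changes the full-adoption equilibrium, but any threshold above 1 makes "nobody adopts" stable too, which is why the lecture's Approaches to Fixing (bundling, subsidies, a large organisation adopting internally) are about pushing the population past the threshold rather than improving the technology itself.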

Approaches to Fixing
- King of the Internet
- Bundling with a new product
- Government subsidies
- Internal use of large organizations

SCION
- New version of the Internet with security properties
- Currently being adopted by some Swiss banks

Product Stages
- Early Adopters
  - Problems here
- Mass market
  - Best chance for adoption
  - Direct and immediately perceived benefit

Why is most software insecure?
- Features >> security
- What does good security even mean?
  - Could hire consultants to give you advice
  - High transaction cost

Transaction Costs
- Costs to buy a product
  - Closing costs when buying a house
  - Credit card costs (3%)
  - Understanding terms and conditions
- Security has high transaction costs
  - Hard to evaluate software security
  - No data to do so

Free-riding would be good here!
- Ideally someone pays the costs to figure out what is secure
- Everyone uses that analysis
- Problem: no good analyses
- Example: web hosting providers

Back to the lemons market
- Security hard/expensive to evaluate
- Not prioritized
- Vendors choose not to compete on security
- Programmers and managers with security expertise are expensive
- Form of technical debt

Signaling
- Traditional solution to the lemons market
- Problem: everyone wants to send good signals, no one wants to invest in security
- Lots of worthless signals
  - Claims of unbreakable or virus-proof software
  - Claims of good processes

Liability for security issues
- How far should this extend?
  - Open source software / small players
- Dangerous for innovation
  - No one wants to kill the goose that lays the golden eggs (tech industry)
- Have long manuals and blame all problems on users

Spam: Why do we still get it?
- Lots of effort to defeat filters
- Send from compromised zombies
- Can profit off a low conversion rate
- Sending spam not always illegal or a priority
  - Victims in other countries (externality)

Principal-Agent Problem
- Hire someone to work for you; how to incentivize them to do a good job?
- Boards and CEOs
  - Don't want them to take too many risks, or too few (hard problem)
- Hiring security experts or auditors is similar

Reading for the week
- Economics and Internet Security: a Survey of Recent Analytical, Empirical and Behavioral Research
- Tyler Moore and Ross Anderson
- Based on an article in Science
