
Boomtime: Risk as Economics (Allison Miller, SiRAcon15)


When we talk about risk, and information risk as it applies to InfoSec specifically, we often focus on issues of statistics: data, measurement, and our favorite friend, uncertainty. In this talk we'll look at models and concepts from economics that can augment our thinking as we move from positive research (primarily descriptive: "how things are") to normative research (driving policy: "how things should be") within the world of risk.

Published in: Technology


  1. Allison Miller, allison@societyinforisk.org, @selenakyle
  2. THEMES OF SECURITY ECONOMICS
     •  Security ROI
     •  Cybercrime supply chains
     •  Market for Lemons
     •  Make it more expensive for the attacker
     •  Tragedy of the Commons
     •  Risk tolerance
     •  Exploit/vuln markets
     •  Behavioral economics / gamification
     #BOOMTIME #RISK @SELENAKYLE
  3. MICROECONOMICS
     Model for estimating consumption given individual preferences, under a budget constraint
     •  Utility maximization
     •  Preferences: consumption mix
        –  Good A vs Good B
        –  Labor vs leisure
     •  Budget constraint
  4. THE CONSUMER MODEL: EXPANDED
     Extensible from micro into macro
     •  Extensible to firms
        –  Estimate production given profits under cost/demand/price constraints
     •  Extensible to competition for resources (consumers, firms)
        –  Roots of game theory
     •  Extensible to markets
        –  Aggregation across many to many (markets for goods, money, labor)
     •  Extensible to the public sector
        –  Government spend (fiscal) & policy (monetary)
     •  Extensible to economies
  5. THE LANGUAGE OF RISK
     Some optimization functions assume *certainty*
     •  e.g. preferences, costs
     But making decisions under uncertainty is core to:
     •  Competition
     •  Investment
     •  Reality
  6. RISK AVERSION
     Concept where theory meets behavior
     •  Expected value vs expected variance
     •  Probability gives you both; we tend to focus on E(x)
     •  Risk aversion is a condition that relies on V(x)
  7. AN EXAMPLE
     You have $20k, but a 50/50 chance of losing $10k
     •  Expected value?
     •  $15k (i.e. .5($20k) + .5($10k))
     Insurance costing $5k will cover the full loss. Should you buy it or not?
     •  Expected value w/ insurance?
     •  $15k (for sure)
     •  Expected value w/o insurance?
     •  $15k (but as EITHER $10k or $20k)
     The risk-averse individual will opt for the same expected value with less uncertainty (less risk)
     •  People seek utility maximization, not payoffs
     •  Risk, i.e. uncertainty, reduces overall utility (wealth)
  8. AN EXAMPLE…CONTINUED
     You have $20k, but a 50/50 chance of losing $10k
     •  Expected value = $15k
     You are offered partial insurance costing $2.5k that will cover half of the loss ($5k).
     •  No loss: $17.5k ($20k – 2.5k)
     •  Loss: $12.5k ($20k – 2.5k – 10k + 5k)
     •  Expected value = $15k (but as EITHER $17.5k or $12.5k)
     Risk, i.e. uncertainty, is reduced, but there is still a $5k variance
  9. WHAT THIS LOOKS LIKE
     [Chart: utility (y-axis) against wealth (x-axis), with curves U(total), U(partial) and U(no insurance); E(V) marked at wealth 12.5, 15 and 17.5]
  10. HOW TO WIN AT RISK
     Win or lose?
     •  Game theory approach: maximize payoff
        …tends to gravitate towards expected value
     •  The "defender's dilemma" assumes a risk-intolerant system manager
        …lower expected loss. OK, sounds like expected value.
     •  Optimal investments manage to value and variance
        …build systems with better risk capacity
        …portfolio theory, not just point performance
     Boom or bust may be a better analogy?
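The insurance decision on slides 7 and 8, and the "manage to value and variance" point on slide 10, can be worked through numerically. The following is an added example (not code from the talk or its author): it rebuilds the three options from the slides (no insurance, full insurance for a $5k premium, partial insurance for a $2.5k premium covering $5k), shows that all three have the same E(x) but different V(x), and then ranks them by expected utility. The utility functions are assumptions chosen to illustrate the point: a linear utility (risk-neutral) cannot distinguish the options, while a concave utility such as ln(w) (risk-averse) prefers the lowest variance. It also computes the certainty equivalent of the uninsured gamble and the maximum premium a ln-utility agent would pay for full coverage, which is what decides whether the $5k policy is worth buying.

```python
"""Same expected value, different variance: the talk's insurance example.

All wealth figures are in thousands of dollars, as on the slides
($20k starting wealth, 50/50 chance of a $10k loss). The utility
functions below are assumptions for illustration, not figures from the talk.
"""
import math
from typing import Callable, Dict

Lottery = Dict[float, float]          # final-wealth outcome -> probability
Utility = Callable[[float], float]     # maps wealth to utility; must be increasing


def insured_lottery(wealth: float, loss: float, p_loss: float,
                    premium: float = 0.0, coverage: float = 0.0) -> Lottery:
    """Final-wealth lottery after paying `premium` for a policy paying `coverage` on loss."""
    lottery: Lottery = {}
    no_loss = wealth - premium
    with_loss = wealth - premium - loss + coverage
    # Accumulate probabilities so that identical outcomes (full insurance) merge.
    lottery[no_loss] = lottery.get(no_loss, 0.0) + (1.0 - p_loss)
    lottery[with_loss] = lottery.get(with_loss, 0.0) + p_loss
    return lottery


def expected_value(lottery: Lottery) -> float:
    """E(x): probability-weighted mean of final wealth."""
    return sum(w * p for w, p in lottery.items())


def variance(lottery: Lottery) -> float:
    """V(x): probability-weighted squared deviation from E(x)."""
    mu = expected_value(lottery)
    return sum(p * (w - mu) ** 2 for w, p in lottery.items())


def expected_utility(lottery: Lottery, u: Utility) -> float:
    """E[u(x)]: what a utility-maximizing agent actually compares."""
    return sum(p * u(w) for w, p in lottery.items())


def certainty_equivalent(lottery: Lottery, u: Utility) -> float:
    """Sure wealth the agent values exactly as much as the lottery: solve u(ce) = E[u(x)].

    Bisection between the worst and best outcome; works for any increasing u.
    """
    target = expected_utility(lottery, u)
    lo, hi = min(lottery), max(lottery)
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if u(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def reservation_premium(wealth: float, uninsured: Lottery, u: Utility) -> float:
    """Most the agent would pay for full coverage: u(wealth - P) = E[u(uninsured)]."""
    return wealth - certainty_equivalent(uninsured, u)


# Scenarios constructed to match slides 7 and 8 (figures in $k).
WEALTH, LOSS, P_LOSS = 20.0, 10.0, 0.5
SCENARIOS: Dict[str, Lottery] = {
    "none":    insured_lottery(WEALTH, LOSS, P_LOSS),
    "full":    insured_lottery(WEALTH, LOSS, P_LOSS, premium=5.0, coverage=10.0),
    "partial": insured_lottery(WEALTH, LOSS, P_LOSS, premium=2.5, coverage=5.0),
}

# Assumed utility functions: linear = risk neutral, logarithmic = risk averse.
UTILITIES: Dict[str, Utility] = {
    "risk neutral (u = w)": lambda w: w,
    "risk averse (u = ln w)": math.log,
}


def rank_by_expected_utility(u: Utility) -> list:
    """Scenario names ordered from most to least preferred under utility u."""
    return sorted(SCENARIOS, key=lambda name: expected_utility(SCENARIOS[name], u), reverse=True)


if __name__ == "__main__":
    for name, lottery in SCENARIOS.items():
        print(f"{name:8s} E(x)={expected_value(lottery):5.2f}  V(x)={variance(lottery):5.2f}  "
              f"sd={math.sqrt(variance(lottery)):4.2f}  outcomes={lottery}")
    for label, u in UTILITIES.items():
        print(f"{label}: preference order {rank_by_expected_utility(u)}")
    ce = certainty_equivalent(SCENARIOS["none"], math.log)
    print(f"ln-utility certainty equivalent of the uninsured gamble: {ce:.3f}k; "
          f"would pay up to {reservation_premium(WEALTH, SCENARIOS['none'], math.log):.3f}k for full cover")
```

The three options all print E(x) = 15, but V(x) is 25, 0 and 6.25 respectively. Under the linear utility every option scores 15 and the ranking is arbitrary; under ln(w) the order is full, partial, none, and the certainty equivalent of the uninsured gamble is sqrt(20 × 10) ≈ 14.14k, so the agent would pay up to about 5.86k for full coverage and the $5k policy is a rational buy. Swapping in a different concave utility changes the reservation premium but not the ordering, which is the point of slide 10: the investment decision depends on V(x) as well as E(x).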
  11. WINNING AT ECONOMICS
     BOOM!
  12. A BIT ABOUT ECONOMICS
     Speaking of econ
  13. META ON MACRO
     •  Early 20th century: Panics! Chaos! Depression!
     •  30's–50's: Data – gather, count & measure
     •  50's–70's: Models – Keynesians rule!
     •  70's–now: Modern macro – RBC vs New Keynesians
     "Given that the structure of an econometric model consists of optimal decision rules of economic agents, and that optimal decision rules vary systematically with changes in the structure of series relevant to the decision maker, it follows that any change in policy will systematically alter the structure of econometric models." – Lucas' Critique (1976)
  14. SUPERMODELS
     Lucas Critique: the α coefficients in Keynesian macroeconometric frameworks should be thought of as depending on government policy directly.
     Source: Modern Macroeconomics, Sanjay Chugh, http://skchugh.com/teachingmanuscript.html
  15. POSITIVE VS NORMATIVE ECONOMICS
     •  Positive: what it is; descriptions
     •  Normative: what it should be; recommendations
  16. CURRENCY OF RISK
     Economics: Preferences, Utility, Money, Returns, Competition
     Risk: Tolerances, Uncertainty, Data, Returns, Adversaries
  17. BOOMTIME
     Economics: Preferences, Utility, Money, Returns, Competition
     Risk: Tolerances, Uncertainty, Data, Returns, Adversaries
     Topics: Policy analysis, Graph theory, Dynamic threat models, Cyberinsurance, Security econometrics, Classification, Inferior goods, Security "CPI", Incentive design, Coalitional game theory
  18. HOW TO WIN [RISK] FRIENDS & INFLUENCE [INVESTMENT] PEOPLE
     BoomTime
     •  Consider framing our goals as "booming" vs "winning"
     All about that base… variance
     •  Bring your E(x) AND V(x) game
     Positive vs normative risk
     •  Your model's in my policy… your policy's in my model
  19. #BOOMTIME #RISK @SELENAKYLE
