• Model for estimating consumption given individual preferences, under
a budget constraint
• Utility maximization
• Preferences: Consumption mix
• Good A vs Good B
• Labor vs leisure
• Budget constraint
Themes of Security Economics
• Security ROI
• Cybercrime supply chains
• Market for Lemons
• Make it more expensive for the attacker
• Tragedy of the Commons
• Risk Tolerance
• Exploit/Vuln markets
• Behavioral Economics / Gamification
Dynamic Threat Models
Coalitional Game Theory
Toolkit to Consider
Security ROI → Tradeoff distributions
Security Poverty Line → Inferior Goods
Information Asymmetries → Signaling
Repeated Games → Coalitional Game Theory
Risk management → Going for V(X) vs E(X)
coalitional game theory
consumption & maturity
(you’ve just been risk-rolled btw)
Concept where theory meets behavior
• Expected value vs expected variance
• Probability gives you both, we tend to focus on E(x)
• Risk aversion is a condition that relies on V(x)
You have $20k, but a 50/50 chance of losing $10k
• Expected value?
• $15k (i.e. .5($20k)+.5($10k))
Insurance costing $5k will cover the full loss. Should you buy it or not?
• E(X) w/ insurance → $15k (for sure: $20k – $5k premium, whether or not the loss occurs)
• E(X) w/o insurance → $15k (but as EITHER $10k or $20k)
A risk averse individual will opt for the same E(X) w/ less uncertainty (less risk)
• People seek utility maximization, not payoffs
• Risk, i.e. uncertainty, reduces utility even when expected wealth is unchanged
You have $20k, but a 50/50 chance of losing $10k
• E(X)= $15k
You are offered partial insurance costing $2.5k that will cover half of the loss ($5k).
@ No Loss: $17.5k ($20k – 2.5k)
@ Loss: $12.5k ($20k – 2.5k – 10k + 5k paid out)
• Expected value = $15k (but as EITHER $17.5k or $12.5k)
Risk, i.e. uncertainty, is reduced but the outcomes still differ by $5k (V(X) falls from 25 to 6.25 in $k², not to zero)
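The three cases above (no insurance, full insurance at $5k, half insurance at $2.5k) carried through with a concrete risk-averse utility, as an added example that is not part of the original slides. It assumes log utility u(x) = ln x, a standard choice for a risk-averse agent that the slides do not themselves specify, and wealth in thousands of dollars; the function names are mine. It also computes the certainty equivalent and the largest premium a log-utility buyer would pay for full cover, which the slides do not show.

```python
"""E(X), V(X), expected utility and certainty equivalents for the
insurance example (wealth in $k). Added example, not from the slides."""
from math import log, exp


def lottery(wealth, loss, p_loss, premium=0.0, coverage=0.0):
    """Two-state world as [(probability, final wealth)].
    coverage is the fraction of `loss` the policy pays back."""
    no_loss = wealth - premium
    with_loss = wealth - premium - loss + coverage * loss
    return [(1.0 - p_loss, no_loss), (p_loss, with_loss)]


def expected_value(outcomes):
    return sum(p * x for p, x in outcomes)


def variance(outcomes):
    mu = expected_value(outcomes)
    return sum(p * (x - mu) ** 2 for p, x in outcomes)


def expected_utility(outcomes, u=log):
    """E[u(X)]; log utility is the assumed risk-averse preference."""
    return sum(p * u(x) for p, x in outcomes)


def certainty_equivalent(outcomes, u=log, u_inv=exp):
    """Sure amount the agent values exactly as much as the gamble."""
    return u_inv(expected_utility(outcomes, u))


def risk_premium(outcomes, u=log, u_inv=exp):
    """How much E(X) exceeds what the agent would accept for certain."""
    return expected_value(outcomes) - certainty_equivalent(outcomes, u, u_inv)


def max_premium_for_full_cover(wealth, loss, p_loss, u=log, u_inv=exp):
    """Largest premium P with u(wealth - P) >= E[u(uninsured)]."""
    uninsured = lottery(wealth, loss, p_loss)
    return wealth - certainty_equivalent(uninsured, u, u_inv)


# The slide's numbers: $20k wealth, 50/50 chance of a $10k loss.
SCENARIOS = {
    "no insurance": lottery(20.0, 10.0, 0.5),
    "full insurance ($5k premium)": lottery(20.0, 10.0, 0.5, premium=5.0, coverage=1.0),
    "half insurance ($2.5k premium)": lottery(20.0, 10.0, 0.5, premium=2.5, coverage=0.5),
}

if __name__ == "__main__":
    for name, outcomes in SCENARIOS.items():
        print(f"{name:32s} E(X)={expected_value(outcomes):6.3f} "
              f"V(X)={variance(outcomes):6.3f} "
              f"E[u]={expected_utility(outcomes):.4f} "
              f"CE={certainty_equivalent(outcomes):.3f}")
    print("max premium a log-utility buyer pays for full cover:",
          round(max_premium_for_full_cover(20.0, 10.0, 0.5), 3))
```

All three scenarios have E(X) = $15k, so an expected-value maximizer is indifferent. Under log utility the certainty equivalents rank full cover ($15k) above half cover (about $14.79k) above no cover (about $14.14k), and the buyer would pay up to about $5.86k for full cover, so the actuarially fair $5k premium is a good deal for them. That gap of roughly $0.86k is the risk premium: the price of variance.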
#BOOMTIME #RISK @SELENAKYLE
What this Looks like
The language of risk
• Some optimization functions assume *certainty*
• But making decisions under uncertainty is core to:
• How are we talking about risk? Focus on E(X) or
How to Win at Risk
Win or lose?
• Game theory approach: maximize payoff
…Tends to gravitate towards expected value
• The “defender’s dilemma” assumes a risk intolerant
…Lower expected loss.
• Optimal investments manage to both value and variance
…Build systems with better risk capacity
…Portfolio theory, not just point performance
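The "portfolio theory, not just point performance" point as an added example, not from the slides: candidate security spends are ranked first by expected annual loss alone, then by a mean-variance objective (expected loss plus a variance penalty), and the winner flips. The three loss distributions are constructed for illustration and are not real figures; the penalty weight `lam`, the risk-capacity check and the function names are my own.

```python
"""Rank security portfolios by E(loss) alone versus E(loss) + lam * V(loss).
Added example with constructed numbers, not data from the talk."""


def expected_value(outcomes):
    return sum(p * x for p, x in outcomes)


def variance(outcomes):
    mu = expected_value(outcomes)
    return sum(p * (x - mu) ** 2 for p, x in outcomes)


def prob_loss_exceeds(outcomes, cap):
    """Probability the annual loss exceeds `cap`: a crude risk-capacity check."""
    return sum(p for p, x in outcomes if x > cap)


def mean_variance_score(outcomes, lam):
    """Lower is better. lam=0 is the pure expected-value view; lam>0 penalises variance."""
    return expected_value(outcomes) + lam * variance(outcomes)


def rank(portfolios, lam):
    """Portfolio names ordered best-first under the chosen lam."""
    return sorted(portfolios, key=lambda name: mean_variance_score(portfolios[name], lam))


def breakeven_lambda(a, b):
    """Smallest lam at which the lower-variance portfolio b overtakes
    the lower-expected-loss portfolio a (None if b never wins)."""
    d_ev = expected_value(b) - expected_value(a)
    d_var = variance(a) - variance(b)
    if d_var <= 0:
        return None
    return d_ev / d_var


# Constructed annual-loss distributions in $k, control spend included.
# Each entry is [(probability, total annual loss)].
PORTFOLIOS = {
    "do nothing":           [(0.8, 0.0), (0.2, 100.0)],   # cheap, fat tail
    "single point control": [(0.9, 3.0), (0.1, 103.0)],   # lowest E(loss), tail remains
    "diversified controls": [(0.5, 12.0), (0.5, 16.0)],   # slightly higher E(loss), no tail
}

if __name__ == "__main__":
    for name, outcomes in PORTFOLIOS.items():
        print(f"{name:22s} E={expected_value(outcomes):6.2f} V={variance(outcomes):8.2f} "
              f"P(loss>50k)={prob_loss_exceeds(outcomes, 50.0):.2f}")
    print("by expected loss only :", rank(PORTFOLIOS, 0.0))
    print("with variance penalty :", rank(PORTFOLIOS, 0.01))
    print("lambda at which diversified overtakes single control:",
          round(breakeven_lambda(PORTFOLIOS["single point control"],
                                 PORTFOLIOS["diversified controls"]), 5))
```

With `lam = 0` the single point control wins on expected loss ($13k vs $14k); with even a small variance penalty the diversified portfolio wins, and it is the only option that never breaches a $50k loss tolerance. The breakeven weight (about 0.0011 per $k²) is the amount of variance aversion it takes for the "defender's dilemma" framing of minimising expected loss to give the wrong answer.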
by the pricking of my thumbs,
something wicked this way comes.
Thank You BSidesLV!
Some references (mostly about behavior)
• Improving SSL Warnings: Comprehension and Adherence. A. Felt, A. Ainslie, R. Reeder, S. Consolvo,
S. Thyagaraja, A. Bettes, H. Harris, and J. Grimes. CHI, page 2893-2902. ACM, (2015)
• D. Akhawe and A. P. Felt. Alice in warningland: A large-scale ﬁeld study of browser security warning
effectiveness. In Proc. of USENIX Security, pages 257–272, 2013.
• Ariely, Dan. Predictably Irrational: The Hidden Forces That Shape Our Decisions. New York, NY: HarperCollins, 2008.
• Arthur, W Brian. All Systems will be Gamed: Exploitive Behavior in Economic and Social Systems.
Santa Fe Institute: SFI WORKING PAPER: 2014-06-016.
http://tuvalu.santafe.edu/~wbarthur/Papers/All%20Systems%20Gamed.pdf To appear in
Complexity and the Economy, W. B Arthur, Oxford University Press, 2014
• Kahneman, Daniel. Thinking, Fast and Slow. New York: Farrar, Straus and Giroux, 2011.
• Leyton-Brown, Kevin, and Yoav Shoham. Essentials of Game Theory: A Concise, Multidisciplinary
Introduction. [San Rafael, Calif.]: Morgan & Claypool, 2008.
• Meadows, Donella. Thinking in Systems: A Primer. London: Chelsea Green Publishing, 2008.
More references (mostly about decisions & game theory)
• Axelrod, Robert M. The Evolution of Cooperation. New York: Basic, 1984.
• Dixit, Avinash and Nalebuff, Barry. The Art of Strategy: A Game Theorist’s Guide to Success in
Business and in Life. New York: W. W. Norton, 2008.
• Dormehl, Luke. Thinking Machines. Tarcher Perigee. New York, 2017.
• Fisher, Len. Rock, Paper, Scissors: Game Theory in Everyday Life. New York: Basic, 2008.
• Gibbons, Robert. Game Theory for Applied Economists. Princeton, NJ: Princeton UP, 1992.
• Gintis, Herbert. Game Theory Evolving: A Problem-centered Introduction to Modeling Strategic
Behavior. Princeton, NJ: Princeton UP, 2000.
• Palacios-Huerta, Ignacio (2003). “Professionals Play Minimax”. Review of Economic Studies, Volume
70, pp 395-415.
• Jackson, Leyton-Brown & Shoham. Game Theory. (Stanford University and University of British
Columbia: Coursera), http://www.coursera.org, Accessed 2013.
• Polak, Ben. Game Theory (Yale University: Open Yale Courses),
http://oyc.yale.edu, Accessed 2012. License: Creative Commons BY-NC-SA.
• Thomas, L. C. Games, Theory, and Applications. Chichester: E. Horwood, 1984.
• Wikipedia’s sections on Game Theory, Economics, & Probability.
Even more references (mostly about security economics)
• Anderson, Ross. "Risk and Privacy Implications of Consumer Payment Innovation." Paper presented at the
"Consumer Payment Innovation in the Connected Age" conference, March 29-30, 2012, Kansas City, Mo. PDF
available at http://www.cl.cam.ac.uk/~rja14/Papers/anderson-frb-kansas-mar27.pdf
• Anderson, Ross, Chris Barton, Rainer Böhme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler
Moore, and Stefan Savage. “Measuring the Cost of Cybercrime”. (2012) PDF available at:
• Camp, L. Jean and Wolfram, Catherine D., “Pricing Security: Vulnerabilities as Externalities.” Economics
of Information Security, Vol. 12, 2004. Available at SSRN: http://ssrn.com/abstract=894966.
• MacCarthy, Mark. “Information Security Policy in the U.S. Retail Payments Industry.” Workshop on the
Economics of Information Security, June 2010.
• Sullivan, Richard J. “The Changing Nature of U.S. Card Payment Fraud: Issues for Industry and Public
Policy.” For presentation at the 2010 Workshop of Economics of Information Security. May 21, 2010.
• Skeen, Dale. "How Real-Time Analytics Protects Banks from Large Scale Cyber Attacks." Information
Security Buzz, accessed Feb 23, 2014.
• Varian, Hal. “Managing Online Security Risks.” New York Times; New York, N.Y.; Jun 1,2000.