Economics of Cyber Security

458 views

This is the latest version of my Economics of CyberSecurity deck, recently delivered at the inaugural (and excellent!) O'Reilly Security conference, held in NYC Oct31-Nov2 2016

Published in: Technology

Slide 1: Economics of CyberSecurity
Fernando Montenegro
@fsmontenegro
2016-11-02 EconCyberSec – O'ReillySecurity

Slide 2: About me
@fsmontenegro
• Sales Engineer
  – Network Security, Fraud Detection
  – Previous PS, Ops, Arch roles…
• CompSci ’94
• Greying hair
• Curious
  – Finance (DIY)
  – Economics (EMH, Behaviour)
  – Data Science (Coursera)
Source: memegenerator.net

Slide 3: O’Reilly Media…

Slide 4: InfoSec is Multidisciplinary
• Information Technology
  – Dev, Ops, and in between…
• Psychology
• Stats / Data Science
• Design
• Law
• Epidemiology
• Mathematics
• …
• Economics

Slide 5: [Micro] Economics
• Study of Scarcity
  – Scarce Resources
  – Scarce Information
  – Scarce Attention
• Individuals & Markets
• Information Economics
• Decision & Game Theory
Source: wikimedia commons

Slide 6: Why is Software “Insecure”?
• “Security” as a “latent construct”
• Dynamics of Marginal Costs…

Slide 7: Marginal Cost
[Chart: marginal cost ($) against units; MC curve for physical goods vs MC curve for digital goods]

Slide 8: Market for Information Goods
• HIGH fixed costs, low marginal cost
• Prone to monopolies
• Market race
  – 1st mover advantage
    • TIME-TO-MARKET!
    • MINIMUM VIABLE PRODUCT
  – Appeal to Complementary Goods
  – Network effects! (Metcalfe’s Law: n²)
  – …

Slide 9: About those Patches…
• Patching is imperfect compromise
  – Time to Market x Software Security x Cost
• Patching often represents an Externality

Slide 10: (Negative) Externalities
• Taxation / Subsidies
• Regulation
• Common provision
• Liability
• Mediation
Source: https://commons.wikimedia.org/w/index.php?curid=3363860

Slide 11: Information Asymmetry
• Akerlof’s “Market for Lemons”
• Adverse Selection
• Signalling & Screening
Sources: http://usedcarsofaustintx.com/ and wikimedia commons

Slide 12: Market for Silver Bullets (Ian Grigg, 2008)
                            Buyer Has Information    Buyer Lacks Information
  Seller Has Information    Perfect Market           Lemons (Used Cars)
  Seller Lacks Information  Limes (Insurance)        Silver Bullets (Security)
• Security Goods are of INSUFFICIENT information
• Decisions made on SIGNALS to other participants
• HERDING and Silver Bullets -> “Best Practices”

Slide 13: Moving Forward…
Do LESS of
• Blaming Developers
• Unrealistic Expectations
  – Security just because
  – No due diligence
• Ignoring stakeholders
Do MORE of
• Understand signalling, screening:
  – Product Warranty
  – Lifecycle Maturity (MS)
  – RFPs, C&A
• Engage debate on regulation, liability
  – US Gov, IamtheCavalry, …

Slide 14: Why are people…
• … dumb/gullible to fall for phishing?
• … against security?

Slide 15: (Behavioural) Economics
• "Bounded rationality of economic agents"
  – Humans vs Econs
• Daniel Kahneman, Richard Thaler
• Others:
  – Dan Ariely, Steven Levitt
  – InfoSec – Kelly Shortridge, others

Slide 16: Behavioural Econ
• Prospect Theory
  – Misjudgement of Probabilities & Risk
• Cognitive Biases galore
  – Availability, Confirmation, Sunk Cost, many more
  – Intertemporal Choice (Hyperbolic Discounting)

Slide 17: Information Asymmetry (again)
Principal-Agent Problem (Agency Theory)
It’s 5pm on a Friday and a sensitive report must be sent out by EoD. Will user X:
a. Use the approved workflow for sending sensitive information.
b. Just send the file via email.

Slide 18: Externalities, again…
• User actions impacting security
  – Moral hazard: taking more risk on behalf of others
• Also: Security advice as externality
  – Cormac Herley (MS) 2009: rejection of advice.
  – Security Fatigue Study (2016)

Slide 19: Ransomware
[Chart] Source: Symantec

Slide 20: Moving Forward…
Do LESS of
• blaming users and defenders
• assuming “errors”
• unrealistic expectations
  – Perfect behaviour
Do MORE of
• Choice architecture
  – Don’t assume perfection
  – Sensible defaults
  – User endpoint protections
  – User design (Google Chrome)
• Incentive Design
  – Reward meaningful results
  – Data-driven, not rhetorical
  – Drive accountability

Slide 21: Where is management in all this?
• Busy with strategic alignment
• Framing Infosec with competing priorities

Slide 22: Risk Management
Acceptance | Avoidance | Mitigation | Transfer
What is Policy?
Risk Appetite?
Initiative Alignment?
Missed Opportunities?
Are Investments Adequate?
Is [Cyber] Insurance Coverage Adequate?
All this using Qualitative Frameworks…
• Medium + Medium = “Red”?

Slide 23: Security Decisions
• Risk Acceptance, Risk Mitigation, Risk Transfer
• Subject to:
  – Hyperbolic Discounting (again)
  – Principal-Agent Problem (again)
  – Misaligned Incentives (again)

Slide 24: Security Investment
• How much to invest?
  – Gordon Loeb model: “37%”
• What is impact of security breach?
  – Sasha Romanosky (RAND)
  – Cost per record metrics vary wildly…
  – Is ‘breach’ totality of your threat model???
• Looking for efficiencies
  – COTS vs OSS, *aaS, …
  – Bug bounties (BugCrowd, Hacker1, SynAck, …)
Source: https://en.wikipedia.org/wiki/File:Unstructured_peer-to-peer_network_diagram.png

Slide 25: Moving Forward…
Do LESS of
• blaming management
• cargo cult, silver-bullet, absolutist security
Do MORE of
• incentive design
• due diligence on cyber insurance
• quantitative risk management (FAIR, …)
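Slides 22 and 25 set the qualitative heat map (“Medium + Medium = Red?”) against quantitative risk management. The Python below is an added illustration, not part of the deck; its likelihood/impact bands and the two scenarios are constructed assumptions, and it shows how far annualized loss can vary between two risks that share one heat-map cell.

```python
"""Qualitative heat-map cell vs quantitative annualized loss.
Added illustration with constructed bands and scenarios (assumptions,
not figures from the talk)."""
from dataclasses import dataclass

# Constructed ordinal bands: label -> (lower, upper), half-open interval.
LIKELIHOOD_BANDS = {            # events per year
    "Low":    (0.0, 0.1),
    "Medium": (0.1, 1.0),
    "High":   (1.0, float("inf")),
}
IMPACT_BANDS = {                # loss per event, USD
    "Low":    (0, 10_000),
    "Medium": (10_000, 100_000),
    "High":   (100_000, float("inf")),
}

@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # estimated frequency
    loss_per_event: float    # estimated single-loss magnitude

    def ale(self) -> float:
        """Annualized loss expectancy = frequency x magnitude."""
        return self.events_per_year * self.loss_per_event

def band(value: float, bands: dict) -> str:
    """Map a quantitative estimate onto its ordinal label."""
    for label, (lo, hi) in bands.items():
        if lo <= value < hi:
            return label
    raise ValueError(f"value {value} outside all bands")

def heat_map_cell(s: Scenario) -> tuple:
    """The (likelihood, impact) cell a qualitative matrix would assign."""
    return band(s.events_per_year, LIKELIHOOD_BANDS), band(s.loss_per_event, IMPACT_BANDS)

def cell_ale_range(likelihood: str, impact: str) -> tuple:
    """Smallest and largest ALE that can hide inside one heat-map cell."""
    f_lo, f_hi = LIKELIHOOD_BANDS[likelihood]
    m_lo, m_hi = IMPACT_BANDS[impact]
    return f_lo * m_lo, f_hi * m_hi

# Constructed scenarios: both land in the "Medium/Medium" cell.
LAPTOP_THEFT = Scenario("Unencrypted laptop theft", 0.9, 95_000)
STALE_CREDS = Scenario("Stale contractor account abused", 0.11, 11_000)

if __name__ == "__main__":
    for s in (LAPTOP_THEFT, STALE_CREDS):
        print(f"{s.name}: cell={heat_map_cell(s)} ALE=${s.ale():,.0f}")
    print("Medium/Medium ALE range:", cell_ale_range("Medium", "Medium"))
```

Both scenarios score identically on the matrix, yet one carries roughly 70x the expected annual loss of the other, and the cell itself spans a 100x range of ALE.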
Slide 26: Hiring and Education
• Information Asymmetry
  – Signaling – Credentials, Certifications
  – Screening – Interviews, Job Options
• Perverse Incentives also exist
  – Diploma mills, certification bubble
  – Stunthacking
Source: pixabay

Slide 27: Moving Forward…
Do LESS of
• Blaming HR/others
• Misunderstanding signals
• FUD-based messaging
Do MORE of
• “Follow the money”
• Mentor new entrants
• Broader view of InfoSec
• Rethink/strengthen hiring process
  – Unitive

Slide 28: What did we cover?
• Market Dynamics
• Information Asymmetry
• Externalities
• “Incentives, incentives, incentives!”

Slide 29: Additional Content
• Market for Silver Bullets – Ian Grigg
• So Long, and No Thanks for the Externalities – Cormac Herley
• Economics of Cyber Security – Ross Anderson, Tyler Moore
• Behavioural Models of Infosec – Kelly Shortridge
  – https://medium.com/@kshortridge
• Workshop on Economics of Information Security (WEIS) – http://econinfosec.org/
• Society of Information Risk Analysts (SIRA) – https://www.societyinforisk.org/

Slide 30: What’s Next?
• Effecting change must include economics
• Identify what economic forces are at play
• Address imbalances
  – Situations with information asymmetry, externalities
  – Focus on the right levers (incentives)
  – Don’t be an externality

Slide 31: @fsmontenegro