Vlad Styran - Cyber Security Economics 101

OWASP Kyiv
Mar. 4, 2018


  1. Cyber Security Economics 101
     Vlad Styran
     OWASP Kyiv, Winter 2017

  2. Agenda
     1. The subject of security economics
     2. Why security is an economics problem
     3. The problems security economics solves
     4. Information security investment and management
     5. Security economics principles and laws
     6. Case studies
     7. Conclusion

  4. Security players
     • Security consumers – Budget 1st
     • Security providers – Business 1st
     • Security industry – Wat?…
     • Attackers

  5. Measuring security productivity
     • Security costs
       – Direct & Indirect
       – Fixed & Variable
       – Onetime & Recurring
       – Sunk & Recoverable
     • Security level
       – Deterministic & Stochastic indicators
     • Security benefits
       – Reduction of losses caused by the absence of security

  6. Security productivity growth

  7. Types of security
     • Security providers
       – Network economics: market rewards the 1st; dev costs are sunk
       – Growth strategy: ship today, fix tomorrow; visible features 1st, convenience 2nd
       – Ignore security, but plan to add it later
     • Security consumers
       – “Real” security
         · Direct business impact: security for business
         · Indirect business impact: security for customers
         · Support of business strategy: security against customers
       – “Best-practice” security
         · Compliance: security against liability

  8. Security as a market
     • Market of information goods
       – Marginal cost is zero: information wants to be free
       – Prone to asymmetry of information
         · Vendors know their products are vulnerable (software security)
         · Enterprises know they got breached (incident data)
         · Consumers don’t know any of it
     • Disclosure of incidents
       – Is essential for “security of the world”
       – Is suboptimal for security of each individual business
     • Monopolies are inevitable
       – Monopolists don’t care about security as a public good

  9. Why “best practice” security sucks
     • Most metrics focus on controls
       – Developed by security providers
       – Easier to measure
       – Selling controls is the business model
     • Controls are deterministic, attackers aren’t
     • Controls are about effort, not actual security
     • Focusing on controls leaves responsibility to the buyer

  10. Security metrics

  11. Security metrics applied to “best practice” frameworks
      [Chart: frameworks PCI DSS, ISO27002, CIS, SANS, BSIMM, SAMM, CSAN-3 scored on a 0–16 axis across four metric categories: Controls, Vulnerabilities, Incidents (Prevented), Losses]

  12. Regulation
      • Security market can’t regulate itself
      • Regulation?
        – Ex ante (PCI DSS: after-the-fact non-compliance)
        – Ex post (appsec liability and OSS)
      • Certification
      • Information disclosure
      • Intermediary liability

  13. Use case: payment cards
      • PCI DSS
        – Ex ante self-regulation
        – Opsec of merchants
        – Failure to comply causes liability for fraud
      • Disclosure laws
        – Actual laws
        – Increase indirect cost of insecurity
        – Correct information asymmetry
        – Force security investment

  14. Security and humans
      • Expected utility theory
        – Utility: the first $100 are worth more than the 10th $100
        – Wealth: $10 is much if it’s all you have
      • Rational choice model
        – People are expected to choose the best option
      • Prospect theory
        – People are risk-seeking when faced with potential loss
        – While they are risk-averse and prefer certainty for gain
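The three bullet points on this slide can be put into numbers. The following worked calculation is an added illustration, not part of the original deck; it assumes a logarithmic utility of wealth for the expected-utility part and uses Tversky and Kahneman's 1992 value-function estimates (exponent 0.88, loss aversion 2.25) for the prospect-theory part, with probability weighting left out for simplicity.

Diminishing marginal utility with $u(w) = \ln w$: the first $100 added to $10 of wealth is worth far more than the tenth $100,

$$u(110) - u(10) = \ln 11 \approx 2.40, \qquad u(1010) - u(910) = \ln\frac{1010}{910} \approx 0.10 .$$

Risk aversion for gains (expected utility): from wealth $w = 100$, a sure gain of $50 beats a 50% chance of $100 because the utility function is concave,

$$u(150) = \ln 150 \approx 5.01 \;>\; \tfrac12\,u(100) + \tfrac12\,u(200) \approx 4.95 .$$

Prospect theory value function, evaluated on gains and losses relative to the current position rather than on total wealth:

$$v(x) = \begin{cases} x^{0.88} & x \ge 0 \\ -2.25\,(-x)^{0.88} & x < 0 \end{cases}$$

Gains: a sure $50 is preferred to a coin flip for $100, matching the expected-utility result,

$$v(50) \approx 31.3 \;>\; \tfrac12\,v(100) \approx 28.8 .$$

Losses: the same person prefers the gamble, a 50% chance of losing $100, over a sure loss of $50, because $v$ is convex on the loss side,

$$v(-50) \approx -70.4 \;<\; \tfrac12\,v(-100) \approx -64.7 .$$

This is the asymmetry the slide describes: a security budget framed as a certain cost today against an uncertain future loss invites exactly the risk-seeking choice on the loss side, which is why the slide on disclosure laws argues for raising the indirect cost of insecurity rather than relying on rational risk assessment.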

  15. Economics of privacy (1)
      • Right to be left alone
      • “I have nothing to hide” is bullshit
      • “Good” vs. “Bad” privacy
        – Example: a good debtor is OK with it being known, while a bad debtor isn’t
      • Privacy of ads
        – I want firms to know what I wanna buy so I get less spam
        – But not how much I want it, or I’ll get ripped off

  16. Economics of privacy (2)
      • Perception vs. reality
        – 1/3 of people say they don’t care
        – 1/3 say they care a lot!
        – 1/3 say they could trade
        – Yet 4/5 give away sensitive info for trivial benefits
      • Why the difference?
        – People are irrational economic agents
        – People ignore risks in the distant future
        – People are prone to the illusion of control
      • Privacy salience
        – Normal vs. salient vs. “fun and games” salient

  17. That’s all folks
      • Secon101x: https://www.edx.org/course/cyber-security-economics-delftx-secon101x-0
      • Ross Anderson’s Economics and Security resource page: http://www.cl.cam.ac.uk/%7Erja14/econsec.html
      • Bruce Schneier on Economics of Security: https://www.schneier.com/essays/economics/