Vlad Styran - Cyber Security Economics 101

  1. Cyber Security Economics 101. Vlad Styran, OWASP Kyiv, Winter 2017
  2. Agenda
     1. The subject of security economics
     2. Why security is an economics problem
     3. The problems security economics solves
     4. Information security investment and management
     5. Security economics principles and laws
     6. Case studies
     7. Conclusion
  4. Security players
     • Security consumers – budget first
     • Security providers – business first
     • Security industry – wat?…
     • Attackers
  5. Measuring security productivity
     • Security costs: direct and indirect; fixed and variable; one-time and recurring; sunk and recoverable
     • Security level: deterministic and stochastic indicators
     • Security benefits: reduction of the losses caused by the absence of security
  6. Security productivity growth
  7. Types of security
     • Security providers (network economics)
       – The market rewards the first mover; development costs are sunk
       – Growth strategy: ship today, fix tomorrow; visible features first, convenience second; ignore security, but plan to add it later
     • Security consumers
       – “Real” security: direct business impact
       – Security for business: indirect business impact
       – Security for customers: support of the business strategy
       – Security against customers
       – “Best-practice” security: compliance; security against liability
  8. Security as a market
     • A market of information goods: marginal cost is zero (“information wants to be free”)
     • Prone to information asymmetry
       – Vendors know their products are vulnerable (software security)
       – Enterprises know they got breached (incident data)
       – Consumers don’t know any of it
     • Disclosure of incidents
       – Is essential for the “security of the world”
       – Is suboptimal for the security of each individual business
     • Monopolies are inevitable, and monopolists don’t care about security as a public good
  9. Why “best practice” security sucks
     • Most metrics focus on controls
       – Developed by security providers
       – Easier to measure
       – Selling controls is the business model
     • Controls are deterministic; attackers aren’t
     • Controls measure effort, not actual security
     • Focusing on controls leaves the responsibility with the buyer
  10. Security metrics
  11. Security metrics applied to “best practice” frameworks (chart: PCI DSS, ISO27002, CIS, SANS, BSIMM, SAMM and CSAN-3 scored on a 0–16 scale for controls, vulnerabilities, incidents and (prevented) losses)
  12. Regulation
     • The security market can’t regulate itself
     • Regulation?
       – Ex ante (PCI DSS: non-compliance is established after the fact)
       – Ex post (appsec liability and OSS)
     • Certification
     • Information disclosure
     • Intermediary liability
  13. Use case: payment cards
     • PCI DSS
       – Ex ante self-regulation
       – Opsec of merchants
       – Failure to comply creates liability for fraud
     • Disclosure laws
       – Actual laws
       – Increase the indirect cost of insecurity
       – Correct the information asymmetry
       – Force security investment
  14. Security and humans
     • Expected utility theory
       – Utility: the first $100 is worth more than the tenth
       – Wealth: $10 is a lot if it’s all you have
     • Rational choice model: people are expected to choose the best option
     • Prospect theory: people are risk-seeking when faced with a potential loss, while they are risk-averse and prefer certainty for gains
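The three claims on slide 14 can be checked numerically. The following is an added example, not part of the deck: it models expected-utility theory with a log (concave) utility of wealth and prospect theory with the Tversky–Kahneman value function (the published parameter estimates alpha = 0.88 and lambda = 2.25; their probability-weighting step is left out for simplicity). The dollar amounts and wealth levels are constructed for illustration. It shows diminishing marginal utility (first $100 vs. tenth $100, $10 on $10 vs. $10 on $1000) and the preference reversal the slide describes: an expected-utility agent refuses a fair gamble for both gains and losses, whereas a prospect-theory agent takes the sure gain but gambles on the loss.

```python
import math

# Added example (not from the slides): a minimal model of slide 14.
# Expected-utility theory uses log utility of total wealth; prospect theory
# uses the Tversky-Kahneman (1992) value function over gains and losses.


def log_utility(wealth):
    """Concave utility of wealth: each extra dollar is worth less than the last."""
    return math.log(wealth)


def marginal_utility(wealth, amount, u=log_utility):
    """Utility gained by adding `amount` on top of an existing `wealth`."""
    return u(wealth + amount) - u(wealth)


def expected_value(lottery):
    """`lottery` is a list of (probability, change in wealth) pairs."""
    return sum(p * x for p, x in lottery)


def expected_utility(wealth, lottery, u=log_utility):
    """Probability-weighted utility of final wealth across the lottery's outcomes."""
    return sum(p * u(wealth + x) for p, x in lottery)


def eu_prefers_gamble(wealth, sure_amount, lottery):
    """Expected-utility agent: gamble only if it beats the sure amount in utility terms."""
    return expected_utility(wealth, lottery) > expected_utility(wealth, [(1.0, sure_amount)])


def prospect_value(x, alpha=0.88, lam=2.25):
    """Prospect-theory value of a gain or loss relative to the reference point.

    Concave for gains, convex for losses, and losses weigh `lam` times more.
    alpha and lam are the Tversky-Kahneman estimates; probability weighting is omitted.
    """
    if x >= 0:
        return x ** alpha
    return -lam * (-x) ** alpha


def prospect_utility(lottery):
    """Probability-weighted prospect value of the lottery's outcomes."""
    return sum(p * prospect_value(x) for p, x in lottery)


def pt_prefers_gamble(sure_amount, lottery):
    """Prospect-theory agent: gamble only if its value beats the sure amount."""
    return prospect_utility(lottery) > prospect_value(sure_amount)


if __name__ == "__main__":
    # Constructed amounts. Diminishing marginal utility: first vs. tenth $100 on $1000.
    print(marginal_utility(1000, 100), marginal_utility(1900, 100))
    # $10 matters more to someone holding $10 than to someone holding $1000.
    print(marginal_utility(10, 10), marginal_utility(1000, 10))
    gain_gamble = [(0.5, 200), (0.5, 0)]   # expected value +100, same as the sure +100
    loss_gamble = [(0.5, -200), (0.5, 0)]  # expected value -100, same as the sure -100
    print("EU agent gambles on gain/loss:",
          eu_prefers_gamble(1000, 100, gain_gamble), eu_prefers_gamble(1000, -100, loss_gamble))
    print("PT agent gambles on gain/loss:",
          pt_prefers_gamble(100, gain_gamble), pt_prefers_gamble(-100, loss_gamble))
```

Read the loss case as a security budget decision: the sure $100 loss is a control paid for up front, the gamble is a 50% chance of a $200 breach. Both have the same expected cost, but the prospect-theory agent prefers to gamble, which is one way to describe why certain security spend competes badly against an uncertain future loss.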
  15. Economics of privacy (1)
     • The right to be left alone
     • “I have nothing to hide” is bullshit
     • “Good” vs. “bad” privacy. Example: a good debtor is OK with it being known, while a bad debtor isn’t
     • Privacy of ads: I want firms to know what I wanna buy so I get less spam, but not how much I want it, or I’ll get ripped off
  16. Economics of privacy (2)
     • Perception vs. reality
       – 1/3 of people say they don’t care
       – 1/3 say they care a lot!
       – 1/3 say they could trade
       – Yet 4/5 give away sensitive info for trivial benefits
     • Why the difference?
       – People are irrational economic agents
       – People ignore risks in the distant future
       – People are prone to the illusion of control
     • Privacy salience: normal vs. salient vs. “fun and games” salient
  17. That’s all folks
     • Secon101x: https://www.edx.org/course/cyber-security-economics-delftx-secon101x-0
     • Ross Anderson’s Economics and Security resource page: http://www.cl.cam.ac.uk/%7Erja14/econsec.html
     • Bruce Schneier on Economics of Security: https://www.schneier.com/essays/economics/