www.irp-management.com Cyber Security
Page: 1 Date: 27 January 2017 Draft version
Cyber Security Economics
Hans Oosterling, January 2017
General Framework, version 0.1
Markets for Information Goods
• Data and software
– High fixed costs, unlimited volume, low or near-zero variable costs
– Strategy:
  • Growth
  • Increase switching costs, lock in customers
– Information asymmetry in the market
  • Market for lemons: “bad quality drives out good quality”
  • Metcalfe’s Law: network value is proportional to the square of the number of users (like the telephone)
Classical Economics
• Market price tends to the marginal cost
– Marginal cost = variable cost + fixed costs / volume
• The variable costs of information-good producers are near zero, so they go for ever-increasing market share and market dominance (or even monopoly)
• The strategy of information-good providers prefers market share over improved quality
[Figure: cost (€) against volume (#) for a traditional business and a software (SW) business, each showing the fixed/volume and variable cost components]
Market for Security Services / Products
• The market for security services / products is a battlefield for market dominance and a race for ever-increasing market share
• Asymmetric incentives
– An insecure PIN entry device could be fixed by the acquiring bank (of the merchant), but the issuing bank (of the customer) bears the risk of fraud or skimming
• Information asymmetry
– Buyers can’t assess the quality of security software, so the market price tends to the cheapest (and possibly lowest-quality) product; there is therefore no incentive to invest in good-quality software
– The asymmetry can be reduced by introducing certification, protocols, guarantees etc.
– Providers go for market share and, after reaching market dominance, act like a monopolist with pricing close to “willingness to pay”
Monopoly
• If you know what everyone wants to / can pay, charge them accordingly (price differentiation)
• Assume a fixed price: you miss out on the customers who want to pay less, and there is lost revenue from the customers who were willing to pay more than the fixed market price
• In a perfect market with many suppliers, price erosion occurs and the price tends to the lowest level
[Figure: price against volume with a fixed market price line; enterprises above the line and students below it, with the areas marked “Lost Revenue” (above the price) and “Lost Customers” (below the price)]
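The fixed-price versus price-differentiation comparison on this slide, as an added worked example (not part of the original slides); the enterprise and student willingness-to-pay values are constructed:

```python
# Added example (not from the slides): revenue under one fixed market price versus
# per-customer price differentiation, using the constructed willingness-to-pay list below.

def best_uniform_price(wtps):
    """Return (price, revenue) for the revenue-maximising single price.

    Only prices equal to some customer's willingness to pay (WTP) need to be tried:
    any other price could be raised to the next WTP without losing a sale.
    """
    best = None
    for p in sorted(set(wtps)):
        revenue = p * sum(1 for w in wtps if w >= p)
        if best is None or revenue > best[1]:
            best = (p, revenue)
    return best

def uniform_price_outcome(wtps):
    """Revenue, lost customers and lost revenue at the best single price."""
    price, revenue = best_uniform_price(wtps)
    lost_customers = [w for w in wtps if w < price]            # priced out of the market
    lost_revenue = sum(w - price for w in wtps if w >= price)  # surplus left with buyers
    return {
        "price": price,
        "revenue": revenue,
        "lost_customers": len(lost_customers),
        "unserved_wtp": sum(lost_customers),
        "lost_revenue": lost_revenue,
    }

def price_differentiation_revenue(wtps):
    """Revenue when every customer is charged exactly what they are willing to pay."""
    return sum(wtps)

# Constructed sample: five enterprise buyers and seven student buyers (€).
ENTERPRISES = [900, 800, 700, 600, 500]
STUDENTS = [120, 100, 90, 80, 70, 60, 50]
WTPS = ENTERPRISES + STUDENTS

if __name__ == "__main__":
    outcome = uniform_price_outcome(WTPS)
    print("fixed price:", outcome)
    print("price differentiation revenue:", price_differentiation_revenue(WTPS))
```

The fixed-price revenue plus the two shaded areas of the figure (lost revenue and the unserved customers' willingness to pay) adds up exactly to the price-differentiation revenue.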
Security Management
• Risk reduction / mitigation
– Mitigated risk, residual risk
• Risk acceptance
– Incorporate security risk into your general business risk
• Risk avoidance
– Forgone profits from risky activities
• Risk transfer
– Insurance
– Moral hazard
– Lack of historical data (legislation on data-breach reporting)
Optimal Risk Mitigation
[Figure: financial impact (€) against security expenses; curves for expected loss (residual risk) and cost of security mitigation, with the mitigated risk and the optimal investment level marked]
Information security: according to the Gordon-Loeb model, the optimal investment level is at most 37% of the expected loss.
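The Gordon-Loeb bound stated above, as an added worked example (not part of the original slides): it uses the “class II” breach-probability function from Gordon and Loeb (2002), S(z, v) = v^(αz + 1); the values of v, L and α are constructed, and the closed form for the optimum is derived here from the first-order condition of that function.

```python
# Added example (not from the slides): the Gordon-Loeb (2002) model with their
# class II breach-probability function S(z, v) = v**(alpha*z + 1).
#   v      vulnerability: probability of a breach with no security investment
#   L      loss if the breach occurs (so v*L is the expected loss)
#   alpha  effectiveness of investment; a constructed parameter in the scenario below
import math

def breach_probability(z, v, alpha):
    """Probability of a breach after investing z (Gordon-Loeb class II function)."""
    return v ** (alpha * z + 1)

def enbis(z, v, L, alpha):
    """Expected net benefit of information security: reduced expected loss minus cost."""
    return (v - breach_probability(z, v, alpha)) * L - z

def optimal_investment(v, L, alpha):
    """Investment maximising enbis, from the first-order condition of the class II
    function (d enbis/dz = 0), clamped to zero when no investment pays off."""
    if not 0.0 < v < 1.0:
        raise ValueError("v must lie strictly between 0 and 1")
    z_star = (math.log(-1.0 / (alpha * L * math.log(v))) / math.log(v) - 1.0) / alpha
    return max(0.0, z_star)

def investment_share(v, L, alpha):
    """Optimal investment as a fraction of the expected loss v*L (never above 1/e)."""
    return optimal_investment(v, L, alpha) / (v * L)

def grid_search_optimum(v, L, alpha, steps=20_000):
    """Brute-force check of the closed form: maximise enbis on a grid over [0, v*L]."""
    best_z, best_val = 0.0, enbis(0.0, v, L, alpha)
    for i in range(1, steps + 1):
        z = v * L * i / steps
        val = enbis(z, v, L, alpha)
        if val > best_val:
            best_z, best_val = z, val
    return best_z

if __name__ == "__main__":
    # Constructed scenario: 80% breach probability, €10 million loss, alpha = 1e-6 per euro.
    v, L, alpha = 0.8, 10_000_000, 1e-6
    z = optimal_investment(v, L, alpha)
    print(f"optimal investment: €{z:,.0f} = {investment_share(v, L, alpha):.1%} of expected loss")
    print(f"Gordon-Loeb bound: 1/e = {1 / math.e:.1%} of expected loss")
```

For the constructed scenario the optimum is about €2.6 million, roughly 32% of the €8 million expected loss, below the 1/e ≈ 37% ceiling the slide quotes.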
Security Metrics
• Proactive tasks
– CSA Cloud Controls Matrix
  • 133 identified controls by the Cloud Security Alliance
– Security maturity model (BSIMM)
• Reactive tasks
– Patch management
– Intrusion detection
– Incident management
– Forensics
• Events are difficult to measure, and the effectiveness of additional security measures is difficult to verify
– Many anticipated threats never materialize
– Some unanticipated threats do occur
[Figure: chain Controls → Vulnerabilities → Incidents (prevented) → Losses, with the scale labelled from “deterministic, action-driven” to “stochastic, event-driven”]
Closing Remarks
• Cyber crime appeared in the late 1980s, carried out by lone amateurs, but nowadays it is a professional international business (teamwork)
• Defense is always behind newly created attacks, and law makers slowly follow new criminal inventions
• Allocation of liability is difficult and complex:
– Network providers (telecom, WAN, LAN etc.)
– SW suppliers (infrastructure, applications, antivirus providers etc.)
– HW suppliers
– Internet users (with DDoS, insecure systems at firm A can harm firm B)
• Police are biased: a bank robbery of > € 5 million gets full attention, but a cyber criminal stealing € 500 from 10,000 internet users has no priority (and is often difficult to investigate)
• People don’t act rationally: they underestimate risk factors they can’t easily understand or imagine (and overestimate the likelihood of events that come to mind easily)
