
Vlad Styran - Security Economics

Vlad Styran
December 03, 2017

Video: https://youtu.be/vZAldeJ-_rw
OWASP Kyiv Winter 2017 Meetup, Dec 2, 2017
https://www.owasp.org/index.php/Kyiv


Transcript

  1. Cyber Security Economics
    101
    Vlad Styran
    OWASP Kyiv Winter 2017

  2. Agenda
    1. The subject of security economics
    2. Why security is an economics problem
    3. The problems security economics solves
    4. Information security investment and management
    5. Security economics principles and laws
    6. Case studies
    7. Conclusion

  3. Agenda
    1. The subject of security economics
    2. Why security is an economics problem
    3. The problems security economics solves
    4. Information security investment and management
    5. Security economics principles and laws
    6. Case studies
    7. Conclusion

  4. Security players
    • Security consumers
    – Budget 1st
    • Security providers
    – Business 1st
    • Security industry
    – Wat?…
    • Attackers

  5. Measuring security productivity
    • Security costs
    – Direct & indirect
    – Fixed & variable
    – One-time & recurring
    – Sunk & recoverable
    • Security level
    – Deterministic & stochastic indicators
    • Security benefits
    – Reduction of losses caused by the absence of security

  6. Security productivity growth

  7. Types of security
    • Security providers
    – Network economics: market rewards the 1st; dev costs are sunk
    – Growth strategy: ship today, fix tomorrow
    – Visible features 1st, convenience 2nd
    – Ignore security, but plan to add it later
    • Security consumers
    – “Real” security
    – Direct business impact: security for business
    – Indirect business impact: security for customers
    – Support of business strategy: security against customers
    – “Best-practice” security
    – Compliance: security against liability

  8. Security as a market
    • Market of information goods
    – Marginal cost is zero: information wants to be free
    • Prone to asymmetry of information
    – Vendors know their products are vulnerable (software security)
    – Enterprises know they got breached (incident data)
    – Consumers don’t know any of it
    • Disclosure of incidents
    – Is essential for “security of the world”
    – Is suboptimal for security of each individual business
    • Monopolies are inevitable
    – Monopolists don’t care about security as a public good

  9. Why “best practice” security sucks
    • Most metrics focus on controls
    – Developed by security providers
    – Easier to measure
    – Selling controls is the business model
    • Controls are deterministic, attackers aren’t
    • Controls are about effort, not actual security
    • Focusing on controls leaves responsibility with the buyer

  10. Security metrics

  11. [Chart: Security metrics applied to “best practice” frameworks. Y axis 0–16; series: Controls, Vulnerabilities, Incidents, (Prevented) Losses; frameworks: PCI DSS, ISO27002, CIS, SANS, BSIMM, SAMM, CSAN-3]

  12. Regulation
    • Security market can’t regulate itself
    • Regulation?
    – Ex ante (PCI DSS after the fact non-compliance)
    – Ex post (appsec liability and OSS)
    – Certification
    – Information disclosure
    – Intermediary liability

  13. Use case: payment cards
    • PCI DSS
    – Ex ante self-regulation
    – Opsec of merchants
    – Failure to comply causes liability for fraud
    • Disclosure laws
    – Actual laws
    – Increase indirect cost of insecurity
    – Correct information asymmetry
    – Force security investment

  14. Security and humans
    • Expected utility theory
    – Utility: the first $100 is worth more than the 10th
    – Wealth: $10 is a lot if it’s all you have
    • Rational choice model
    – People are expected to choose the best option
    • Prospect theory
    – People are risk-seeking when faced with a potential loss, while they are risk-averse and prefer certainty for a gain
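As an added illustration (not part of the deck), a small Python model of the three ideas on this slide: a concave utility of wealth for diminishing marginal utility, a rational-choice picker that takes the option with the highest expected outcome, and the Kahneman and Tversky prospect-theory value function, which is concave for gains and convex and steeper for losses. The square-root utility, the value-function form and its parameters (exponent 0.88, loss-aversion factor 2.25, the commonly quoted published estimates) are assumptions, not figures from the slide, and the sure-thing-versus-gamble choices are constructed.

```python
import math

# Added illustration of the slide's three models; not from the deck.
# Utility and value-function forms and parameters are assumed textbook
# choices, and the outcomes below are constructed.


def utility(wealth: float) -> float:
    """Concave utility of wealth (square root, an assumed form):
    each extra dollar adds less utility than the one before."""
    return math.sqrt(wealth)


def marginal_utility(wealth: float, amount: float = 100.0) -> float:
    """Utility gained by adding `amount` on top of an existing `wealth`.
    marginal_utility(0) is the first $100, marginal_utility(900) the tenth."""
    return utility(wealth + amount) - utility(wealth)


def prospect_value(x: float, alpha: float = 0.88, lam: float = 2.25) -> float:
    """Prospect-theory value of a gain or loss `x` relative to a reference
    point: concave for gains, convex and `lam` times steeper for losses
    (loss aversion). Parameters are assumed published estimates."""
    if x >= 0:
        return x ** alpha
    return -lam * (-x) ** alpha


def expected(outcomes, value) -> float:
    """Expected valued outcome of a lottery given as (probability, amount) pairs."""
    return sum(p * value(x) for p, x in outcomes)


def best_option(options: dict, value=prospect_value) -> str:
    """Rational-choice model: pick the option whose expected (valued)
    outcome is highest. Ties go to the first option listed."""
    return max(options, key=lambda name: expected(options[name], value))


# Constructed choices: a sure $500 versus a coin flip for $1000, and the
# mirror image for losses. Each pair has the same expected dollar value,
# so a risk-neutral agent is indifferent; prospect theory is not.
GAIN_OPTIONS = {"certain": [(1.0, 500)], "gamble": [(0.5, 1000), (0.5, 0)]}
LOSS_OPTIONS = {"certain": [(1.0, -500)], "gamble": [(0.5, -1000), (0.5, 0)]}


if __name__ == "__main__":
    print("first $100:", round(marginal_utility(0), 2),
          " tenth $100:", round(marginal_utility(900), 2))
    print("$10 when broke:", round(marginal_utility(0, 10), 2),
          " $10 with $10k:", round(marginal_utility(10_000, 10), 3))
    print("gain choice under prospect theory:", best_option(GAIN_OPTIONS))
    print("loss choice under prospect theory:", best_option(LOSS_OPTIONS))
```

Running it shows the slide's claims as numbers: the first $100 adds far more utility than the tenth, $10 matters most to someone with nothing, and the same agent takes the sure $500 when gaining but gambles to avoid a sure $500 loss.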

  15. Economics of privacy (1)
    • Right to be left alone
    • “I have nothing to hide” is bullshit
    • “Good” vs. “bad” privacy
    – Example: a good debtor is OK with it being known, while a bad debtor isn’t
    • Privacy of ads
    – I want firms to know what I wanna buy so I get less spam
    – But not how much I want it, or I’ll get ripped off

  16. Economics of privacy (2)
    • Perception vs. reality
    – 1/3 of people say they don’t care
    – 1/3 say they care a lot!
    – 1/3 say they could trade
    – Yet 4/5 give away sensitive info for trivial benefits
    • Why the difference?
    – People are irrational economic agents
    – People ignore risks in the distant future
    – People are prone to illusion of control
    • Privacy salience
    – Normal vs. salient vs. “fun and games” salient

  17. That’s all folks
    Secon101x
    https://www.edx.org/course/cyber-security-economics-delftx-secon101x-0
    Ross Anderson’s Economics and Security resource page
    http://www.cl.cam.ac.uk/%7Erja14/econsec.html
    Bruce Schneier on Economics of Security
    https://www.schneier.com/essays/economics/