Vlad Styran - Security Economics

Transcript

1. Cyber Security Economics 101 Vlad Styran OWASP Kyiv Winter 2017

2. Agenda 1. The subject of security economics 2. Why security

   is an economics problem 3. The problems security economics solves 4. Information security investment and management 5. Security economics principles and laws 6. Case studies 7. Conclusion

3. Agenda 1. The subject of security economics 2. Why security

   is an economics problem 3. The problems security economics solves 4. Information security investment and management 5. Security economics principles and laws 6. Case studies 7. Conclusion

4. Security players • Security consumers – Budget 1st • Security

   providers – Business 1st • Security industry – Wat?… • Attackers

5. Measuring security productivity Security costs Direct & Indirect Fixed &

   Variable Onetime & Recurring Sunk & Recoverable Security level Deterministic & Stochastic indicators Security benefits Reduction of losses caused by the absence of security

6. Security productivity growth

7. Types of security Security providers Network economics Market rewards the

   1st Dev costs are sunk Growth strategy Ship today, fix tomorrow Visible features 1st Convenience 2nd Ignore security But plan to add it later Security consumers “Real” security Direct business impact Security for business Indirect business impact Security for customers Support of business strategy Security against customers “Best-practice” security Compliance Security against liability

8. Security as a market Market of information goods Marginal cost

   is zero: information wants to be free Prone to asymmetry of information Vendors know their products are vulnerable (software security) Enterprises know they got breached (incident data) Consumers don’t know any of it Disclosure of incidents Is essential for “security of the world” Is suboptimal for security of each individual business Monopolies are inevitable Monopolists don’t care about security as a public good

9. Why “best practice” security sucks Most metrics focus on controls

   Developed by security providers Easier to measure Selling controls is the business model Controls are deterministic, attackers aren’t Controls are about effort, not actual security Focusing on controls leaves responsibility to buyer

10. Security metrics

11. 0 2 4 6 8 10 12 14 16 Controls

    Vulnerabilites Incidents (Prevented) Losses Security metrics applied to “best practice” frameworks PCI DSS ISO27002 CIS SANS BSIMM SAMM CSAN-3

12. Regulation Security market can’t regulate itself Regulation? Ex ante (PCI

    DSS after the fact non-compliance) Ex post (appsec liability and OSS) Certification Information disclosure Intermediary liability

13. Use case: payment cards PCI DSS Ex ante self-regulation Opsec

    of merchants Failure to comply causes liability for fraud Disclosure laws Actual laws Increase indirect cost of insecurity Correct information asymmetry Force security investment

14. Security and humans Expected utility theory Utility First $100 are

    > than the 10th Wealth $10 is much if it’s all u have Rational choice model People are expected to choose the best option Prospect theory People are risk - seeking when faced with potential loss While they are risk averse and prefer certainty for gain

15. Economics of privacy (1) Right to be left alone “I

    have nothing to hide” is bullshit “Good” vs. “Bad” privacy Example: good debtor is OK with it to be known, while bad debtor isn’t Privacy of ads I want firms know what I wanna buy so I get less spam But not how much I want it, or I’ll get ripped off

16. Economics of privacy (2) • Perception vs. reality – 1/3

    of people say they don’t care – 1/3 say they care a lot! – 1/3 say they could trade – Yet 4/5 give away sensitive info for trivial benefits • Why the difference? – People are irrational economic agents – People ignore risks in the distant future – People are prone to illusion of control • Privacy salience – Normal vs. salient vs. “fun and games” salient

17. That’s all folks Secon101x https://www.edx.org/course/cyber-security- economics-delftx-secon101x-0 Ross Anderson’s Economics and

    Security resource page http://www.cl.cam.ac.uk/%7Erja14/econsec.html Bruce Schneier on Economics of Security https://www.schneier.com/essays/economics/