Vlad Styran

Cyber Security Economics 101 Vlad Styran OWASP Kyiv Winter 2017

Agenda 1. The subject of security economics 2. Why security
is an economics problem 3. The problems security economics solves 4. Information security investment and management 5. Security economics principles and laws 6. Case studies 7. Conclusion

Security players • Security consumers – Budget 1st • Security
providers – Business 1st • Security industry – Wat?… • Attackers

Measuring security productivity Security costs Direct & Indirect Fixed &
Variable Onetime & Recurring Sunk & Recoverable Security level Deterministic & Stochastic indicators Security benefits Reduction of losses caused by the absence of security

Security productivity growth

Types of security Security providers Network economics Market rewards the
1st Dev costs are sunk Growth strategy Ship today, fix tomorrow Visible features 1st Convenience 2nd Ignore security But plan to add it later Security consumers “Real” security Direct business impact Security for business Indirect business impact Security for customers Support of business strategy Security against customers “Best-practice” security Compliance Security against liability

Security as a market Market of information goods Marginal cost
is zero: information wants to be free Prone to asymmetry of information Vendors know their products are vulnerable (software security) Enterprises know they got breached (incident data) Consumers don’t know any of it Disclosure of incidents Is essential for “security of the world” Is suboptimal for security of each individual business Monopolies are inevitable Monopolists don’t care about security as a public good

Why “best practice” security sucks Most metrics focus on controls
Developed by security providers Easier to measure Selling controls is the business model Controls are deterministic, attackers aren’t Controls are about effort, not actual security Focusing on controls leaves responsibility to buyer

Security metrics

0 2 4 6 8 10 12 14 16 Controls
Vulnerabilites Incidents (Prevented) Losses Security metrics applied to “best practice” frameworks PCI DSS ISO27002 CIS SANS BSIMM SAMM CSAN-3

Regulation Security market can’t regulate itself Regulation? Ex ante (PCI
DSS after the fact non-compliance) Ex post (appsec liability and OSS) Certification Information disclosure Intermediary liability

Use case: payment cards PCI DSS Ex ante self-regulation Opsec
of merchants Failure to comply causes liability for fraud Disclosure laws Actual laws Increase indirect cost of insecurity Correct information asymmetry Force security investment

Security and humans Expected utility theory Utility First $100 are
> than the 10th Wealth $10 is much if it’s all u have Rational choice model People are expected to choose the best option Prospect theory People are risk - seeking when faced with potential loss While they are risk averse and prefer certainty for gain

Economics of privacy (1) Right to be left alone “I
have nothing to hide” is bullshit “Good” vs. “Bad” privacy Example: good debtor is OK with it to be known, while bad debtor isn’t Privacy of ads I want firms know what I wanna buy so I get less spam But not how much I want it, or I’ll get ripped off

Economics of privacy (2) • Perception vs. reality – 1/3
of people say they don’t care – 1/3 say they care a lot! – 1/3 say they could trade – Yet 4/5 give away sensitive info for trivial benefits • Why the difference? – People are irrational economic agents – People ignore risks in the distant future – People are prone to illusion of control • Privacy salience – Normal vs. salient vs. “fun and games” salient

That’s all folks Secon101x https://www.edx.org/course/cyber-security- economics-delftx-secon101x-0 Ross Anderson’s Economics and
Security resource page http://www.cl.cam.ac.uk/%7Erja14/econsec.html Bruce Schneier on Economics of Security https://www.schneier.com/essays/economics/

Vlad Styran - Security Economics

Vlad Styran - Security Economics

More Decks by Vlad Styran

Other Decks in Technology

Featured

Transcript

Cyber Security Economics 101 Vlad Styran OWASP Kyiv Winter 2017

Agenda 1. The subject of security economics 2. Why security

Agenda 1. The subject of security economics 2. Why security

Security players • Security consumers – Budget 1st • Security

Measuring security productivity Security costs Direct & Indirect Fixed &

Security productivity growth

Types of security Security providers Network economics Market rewards the

Security as a market Market of information goods Marginal cost

Why “best practice” security sucks Most metrics focus on controls

Security metrics

0 2 4 6 8 10 12 14 16 Controls

Regulation Security market can’t regulate itself Regulation? Ex ante (PCI

Use case: payment cards PCI DSS Ex ante self-regulation Opsec

Security and humans Expected utility theory Utility First $100 are

Economics of privacy (1) Right to be left alone “I

Economics of privacy (2) • Perception vs. reality – 1/3

That’s all folks Secon101x https://www.edx.org/course/cyber-security- economics-delftx-secon101x-0 Ross Anderson’s Economics and