Lecture 5: Economics of Information Security
Rachel Greenstadt
January 30, 2017

Market Failures: Moral Hazard
https://www.youtube.com/watch?v=5v7TWKlYoN0

Amateurs Study Cryptography
Professionals Study Economics

A solved problem?
You pay for content or services with anonymous electronic cash. You connect to content and service providers with an anonymizing mixnet. You authenticate yourself with anonymous credential schemes or zero-knowledge identification protocols. You download content via private information retrieval or oblivious transfer. You use secure function evaluation when interacting with services that require some information.
- [Feigenbaum, Sander, Freedman, Shostack]

Problems with this?
Many of these techniques are not deployed.
Users must be able to access unencrypted data
  cannot store keys in our head
Other computers must be able to access unencrypted data
  keys must be stored on machines where they can be stolen

Old School InfoSec
Cryptography
Formal Methods
Trusted Computing Base

Privacy in dot com days

And then...

How the market reacted
Economic challenges pushed merchants to more restrictive policies
This policy may change from time to time so please check back periodically

Web Infections aka Drive-By Downloads

Hypotheses
Data security and privacy are really hard, we are failing despite high investment
No one cares about security and privacy, so the invisible hand reflects that
Something is wrong with the market for data privacy and security

Hypotheses
Data security and privacy are really hard, we are failing despite high investment
  Many things we're not doing (cryptography, extensive code review, self insurance, etc.)
  Software security knowledge is located precisely nowhere a developer spends their time. (1raindrop)
No one cares about security and privacy, so the invisible hand reflects that
Something is wrong with the market for data privacy and security

Hypotheses
Data security and privacy are really hard, we are failing despite high investment
No one cares about security and privacy, so the invisible hand reflects that
  People say they care
  Argument that rational actors ought to care
Something is wrong with the market for data privacy and security

Hypotheses
Data security and privacy are really hard, we are failing despite high investment
No one cares about security and privacy, so the invisible hand reflects that
Something is wrong with the market for data privacy and security

Market Failures
Markets work when people have incentives to do the right thing
How can they fail?
  Externalities
  Asymmetric/Imperfect Information
  Bounded rationality
  Free Riding
All present in information security and privacy!

Externalities
Occur when decisions cause external costs or benefits to stakeholders who did not directly affect the transaction

Externalities in Web Infections
Web infections typically affect the end users (browsers)
  Often don't know that they are infected
  If they do, they don't know why
No incentive for sites to do the right thing
  Some evidence to suggest overt security measures actually reduce customer confidence
  Revealing infections can only harm companies' brands and reputations
Most harm is even further removed
  Attacks carried out / phishing sites hosted / SPAM sent from infected machines

Externalities in Password Choice

Adverse Selection: Akerlof's Market for Lemons
Comes from analysis of Used Car market
Hidden characteristics: Buyer doesn't know if the car they are buying is good or a 'lemon'
Seller does have this information
Given uncertainty buyer will not pay much
Result: Adverse Selection, sellers won't sell good cars (can't get a good price) only lemons
Solution: Reduce customer uncertainty (Independent Inspections, Guarantees, etc.)
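
The unraveling described on the lemons slide, as an added example that is not part of the lecture: buyers who cannot see quality pay only the average value of what is on offer, so the best sellers withdraw round after round. The car values, the 25% buyer premium and the function names are constructed assumptions; the same dynamic applies to any good with hidden quality, such as the security of a hosting provider.

```python
"""Added illustration of Akerlof's lemons market (constructed numbers)."""


def unravel(qualities, buyer_premium=1.25, max_rounds=50):
    """Iterate a market in which buyers cannot observe quality.

    qualities: what each car is worth to its seller (hidden from buyers).
    Buyers value a car at buyer_premium * quality, so every single trade
    would be worthwhile if quality were visible.
    Returns one (price_offered, cars_on_offer) tuple per round.
    """
    offered = sorted(qualities)
    history = []
    for _ in range(max_rounds):
        if not offered:
            break
        # Buyers pay only the expected value of the cars still on offer.
        price = buyer_premium * sum(offered) / len(offered)
        history.append((round(price, 2), len(offered)))
        # Sellers who know their car is worth more than that withdraw it.
        staying = [q for q in offered if q <= price]
        if len(staying) == len(offered):
            break  # nobody else leaves: the market has settled
        offered = staying
    return history


def with_inspection(qualities, buyer_premium=1.25):
    """Independent inspection reveals quality: each car sells at its own value."""
    return [(q, round(buyer_premium * q, 2)) for q in sorted(qualities)]


# Constructed sample: ten cars worth 1000 .. 10000 to their sellers.
CARS = [1000 * i for i in range(1, 11)]

if __name__ == "__main__":
    for price, count in unravel(CARS):
        print(f"buyers offer {price:>8.2f}: {count} cars on the market")
    print("with inspection:", len(with_inspection(CARS)), "cars sell")
```

Without inspection only the worst car is still for sale when the market settles; with inspection all ten trade.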

Asymmetric Information in Web Insecurity
End user doesn't know if site they visit is safe or attacking them
Hosting provider doesn't know if webmaster is incompetent or malicious
Webmasters don't know if hosting provider is secure
Adverse selection: Takes resources to be secure, so why bother if no one can notice?

Bounded Rationality
Market assumes not only perfect information, but also perfect rationality
Reality - Behavioral distortions
  Humans bad at assessing risk
  Tend to pick the first reasonable sounding option, not weigh all costs
  Coherent arbitrariness
  Hyperbolic discounting

Consumer Webmasters
Most webmasters are not tech geeks
Just want things to work
Use off the shelf software
Do not believe they are infected
Do not know how to evaluate security properties of hosting providers (or that they should)
Cannot identify or remove malware

Risk Compensation / Risk Homeostasis
Anti-lock brake systems increased crashes, seat belt laws increased fatalities in UK
  People thought they could take more risks
Automatic parachute deployment
  Same fatalities, people try harder jumps
Really hard to reduce risk if people think risk level is ok (Moral hazard)
Solutions
  Invisible security measures
  Measures that do not depend on user actions

Security as a Public Good?
Non-rival: use by one person doesn't exclude others
Non-excludable: not possible to exclude people from using it
What types of security might fit this description?

Free Riding

Nash Equilibrium
Strategy (S, T)
Player A cannot do better by choosing a strategy other than S, given that player B chooses T
Player B cannot do better by choosing a strategy other than T, given that player A chooses S

Car Insurance in Philly
Car insurance is expensive
Many people don't buy it
Smaller risk pool + other party in accident might lack insurance
Car insurance even more expensive

Outcomes Depend on Others' Actions
DNS weaknesses (upgrade to DNSSEC?)
Anonymity system
Minimal adoption level before any benefit

Network Effect
Value of a technology much higher the more people use it:
  The Internet
  Fax machines
  Social networks
  Payment methods

Approaches to Fixing
King of the Internet
Bundling with a new product
Government subsidies
Internal use of large organizations

SCION
New version of the Internet with security properties
Currently being adopted by some Swiss banks

Product Stages
Early Adopters
  Problems here
Mass market
Best chance for adoption
  Direct and immediately perceived benefit

Why is most software insecure
Features >> security
What does good security even mean?
  Could hire consultants to give you advice
  High transaction cost

Transaction Costs
Costs to buy a product
  Closing costs when buying a house
  Credit card costs (3%)
  Understanding terms and conditions
Security has high transaction costs
  Hard to evaluate software security
  No data to do so

Free-riding would be good here!
Ideally someone pays the costs to figure out what is secure
Everyone uses that analysis
Problem: no good analyses
Example: Web hosting providers

Back to the lemons market
Security hard/expensive to evaluate
Not prioritized
Vendors choose not to compete on security
Programmers and managers with security expertise are expensive
Form of technical debt

Signaling
Traditional solution to lemons market
Problem: everyone wants to send good signals, no one wants to invest in security
Lots of worthless signals
  Claims of unbreakable or virus-proof software
  Claims of good processes

Liability for security issues
How far should this extend?
Open source software / small players
Dangerous for innovation
No one wants to kill the goose that lays the golden eggs (tech industry)
Have long manuals and blame all problems on users

Spam: Why do we still get it?
Lots of effort to defeat filters
Send from compromised zombies
Can profit off low conversion rate
Sending spam not always illegal or a priority
Victims in other countries (externality)

Principal-Agent Problem
Hire someone to work for you, how to incentivize them to do a good job?
Boards and CEOs
  Don't want them to take too many risks, or too few (hard problem)
Hiring security experts or auditors is similar

Reading for the week
Economics and Internet Security: a Survey of Recent Analytical, Empirical and Behavioral Research
Tyler Moore and Ross Anderson
Based on an article in Science
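
Returning to the Security as a Public Good, Free Riding and Nash Equilibrium slides, an added example that is not part of the lecture: it applies the (S, T) definition literally to a two-player security investment game and shows how a subsidy, one of the listed approaches to fixing, moves the equilibrium. The payoff numbers, the subsidy size and the function names are constructed assumptions.

```python
"""Added illustration: free riding as a Nash equilibrium (constructed payoffs)."""
from itertools import product

STRATEGIES = ("invest", "skip")


def payoffs(a, b, benefit=6, cost=8, subsidy=0):
    """Payoffs (A, B) when security is a public good.

    Every investment is worth `benefit` to BOTH players (non-rival,
    non-excludable); only the investor pays `cost - subsidy`.
    """
    total = benefit * ((a == "invest") + (b == "invest"))
    pay_a = total - (cost - subsidy if a == "invest" else 0)
    pay_b = total - (cost - subsidy if b == "invest" else 0)
    return pay_a, pay_b


def nash_equilibria(**params):
    """Return every pure strategy pair (S, T) meeting the slide's definition."""
    found = []
    for s, t in product(STRATEGIES, repeat=2):
        pay_a, pay_b = payoffs(s, t, **params)
        # A cannot do better by leaving S while B keeps playing T ...
        a_ok = all(payoffs(alt, t, **params)[0] <= pay_a for alt in STRATEGIES)
        # ... and B cannot do better by leaving T while A keeps playing S.
        b_ok = all(payoffs(s, alt, **params)[1] <= pay_b for alt in STRATEGIES)
        if a_ok and b_ok:
            found.append((s, t))
    return found


if __name__ == "__main__":
    print("both invest pays", payoffs("invest", "invest"))
    print("equilibrium without subsidy:", nash_equilibria())
    print("equilibrium with subsidy 3: ", nash_equilibria(subsidy=3))
```

Both players would be better off investing (4 each instead of 0), yet without the subsidy the only equilibrium is that neither does.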