
Course Overview, Introduction to Economics and Security. Tyler Moore (PDF document, lecture slides with notes)



Course Overview, Introduction to Economics and Security
Tyler Moore
CSE 7338, Computer Science & Engineering Department, SMU, Dallas, TX
Lecture 1

Outline
  1. Logistics
  2. Motivation
  3. Intro to Economics: Key notions
  4. Intro to Economics: Preferences
  5. Intro to Economics: Utility
  6. Intro to Economics: Expected utility
  7. Economics of IT
  8. Market failures
  9. A very brief introduction to security

Logistics: Course website
  - Most info: http://lyle.smu.edu/~tylerm/courses/econsec/
  - Blackboard for announcements
  - YouTube channel for R screencasts

Logistics: Syllabus
  - http://lyle.smu.edu/~tylerm/courses/econsec/admin/syllabus.html

Logistics: Calendar
  - http://lyle.smu.edu/~tylerm/courses/econsec/admin/schedule.html

Motivation: Why is a computer scientist talking about economics?
  The conventional CS approach to security has failed:
    1. Enumerate possible threats
    2. Define attacker capabilities
    3. Build systems to protect against these threats
  This worked for encryption algorithms, but not for Internet security.

Motivation: Why computer science alone can't fix information security
  - Evidence of security failures: data breaches
  - Evidence of security failures: phishing websites

Motivation: Why computer science alone can't fix information security (continued)
  - Evidence of security failures: botnets
  - Evidence of security failures: critical infrastructure
    Source: http://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
  - Evidence of security failures: critical infrastructure (continued)
  - Evidence of security failures: critical infrastructure (continued)
    Source: http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf

Motivation: Why economics offers a useful perspective
  But why economics?
  - Economics is a social science
    - Studies the behavior of individuals and firms in order to predict outcomes
    - Models of behavior are based on systematic observation
    - Usually cannot run experiments as in bench science, but economics has developed ways to cope with the differences inherent to observing the world
  - Economics studies trade-offs between conflicting interests
    - Recognizes that people operate strategically
    - Has devised ways to model people's interests and decision making

  Economics is not just about money
  - Money helps to reveal preferences
  - Money can serve as a common measure for costs and benefits
  - As a discipline, economics examines much more than interactions involving money
  - Economics studies trade-offs between conflicting interests
  - Conflicting interests and incentives appear in many circumstances where money never changes hands

Motivation: How economics can help information security
  Attackers operate strategically
  - Cannot expect attackers to respect stated assumptions of behavior
  - Threat modeling focuses an engineer's task, which can harden a resource against particular attacks
  - But system design does not exist in a vacuum: attackers can adapt to find holes in areas not considered by the threat model
  - Must understand what motivates attackers
    - For cybercriminals this could be profit
    - For hacktivists this could be attention and disruption
  - In each case, attackers will seek the least costly way to reach their goal

  Botnet operators operate strategically (motivated by $)

Motivation: How economics can help information security (continued)
  Phishing gangs operate strategically (exploit weakest link)
  [Figure: phishing site lifetime in days (0 to 25) for .hk (Hong Kong) and .cn (China) domains, March to May. Source: Moore & Clayton (2007), own aggregation.]
  Take-down latency for phishing attacks targeting different registrars in spring 2007; lines are five-day moving averages broken down by top-level domain

  Defenders also operate strategically
  - Those responsible for protecting information systems naturally must consider their own interests
  - Often, there are multiple stakeholders responsible for defense
  - Sometimes defenders' interests conflict
  - Sometimes the interests of defenders do not align with those of society

  Let's return to critical infrastructure protection

  Incentives for critical infrastructure protection (+ favors security, - works against it)
    Critical infrastructure operators
      + Upgrading to IP-based systems brings huge efficiency gains
      - Maintaining physical separation of networks reduces efficiency and drives up operating costs
      - Likelihood of an attack is low (based on history)
      - Cost of an attack is largely borne by society
    Consumers
      + Value reliability of service, including against attack
      - Prefer low-cost service
      - Cannot distinguish between security investments among firms
    Governments
      + Value reliability of service, including against attack
      + Fear political consequences of an attack, given their national defense remit
      - Lack the budget to fund security
      - Lack the expertise to improve security on privately-controlled systems

Motivation: How economics can help information security (continued)
  So what's the outcome?
  - Absent regulation to compel behavior, stakeholders act in their own interest based on their incentives and capabilities
  - Only operators, not consumers or governments, are capable of improving security, so their incentives matter most!
  - On balance, they are likely to tolerate a high level of insecurity in their systems
  - We can also compare this outcome to what seems 'best'
    - In economics jargon, this is the search for the social optimum
    - The social optimum maximizes expected utility
    - More detail on how to compute this later on, but for now we can intuit what the social optimum might be
  - Question #1: is complete security of critical infrastructures socially optimal?
  - Question #2: why hasn't the market delivered the socially optimal outcome?

  Economics makes information security empirically grounded
  - Traditional threat modeling states that an attack is possible and should be protected against by definition
  - But what if the threats we envision differ from what actually happens?
  - An economic perspective approaches threat modeling by observing behavior
  - This allows us to construct a more accurate picture of the risks due to information insecurity

  Economics suggests policies to deploy technology better
  - In addition to describing why security fails and how attackers and defenders operate, economics can recommend policies to improve security
  - Technology alone cannot fix the challenges facing information security; instead, policy can correct market limitations to help security technologies succeed
  - We will discuss many of the options in this course (ex ante safety regulation, ex post liability, cyberinsurance, ...)
  - Today we briefly discuss one example: information disclosure

  Recall our first example? It was made possible through policy
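The two questions above can be made concrete with a small expected-cost model. This is an added example, not from the lecture, and the model is entirely an assumption: security spend x lowers the probability of a successful attack with diminishing returns, society bears the whole loss, and an operator bears only an assumed share of it (the "cost largely borne by society" point from the incentive slide). Maximizing expected utility here is the same as minimizing expected cost.

```python
import math

# Assumed toy model parameters (constructed units, not from the lecture).
P0 = 0.5        # attack success probability with zero security spend
K = 0.01        # how quickly spending reduces that probability
LOSS = 1000.0   # total loss to society if an attack succeeds


def attack_probability(x, p0=P0, k=K):
    """Probability of a successful attack after spending x on security."""
    return p0 * math.exp(-k * x)


def expected_cost(x, share, loss=LOSS, p0=P0, k=K):
    """Spend plus the slice of the expected loss this decision maker bears.
    share=1.0 is society as a whole; an operator whose attack costs are
    largely borne by others has a share well below 1."""
    return x + share * attack_probability(x, p0, k) * loss


def optimal_spend(share, loss=LOSS, p0=P0, k=K):
    """Spend that minimises expected cost (maximises expected utility):
    marginal spend equals marginal reduction in borne loss, which gives
    x = ln(k * p0 * share * loss) / k, floored at zero."""
    return max(0.0, math.log(k * p0 * share * loss) / k)


def grid_optimum(share, loss=LOSS, p0=P0, k=K, x_max=1000.0, step=0.5):
    """Brute-force check of optimal_spend over a grid of spend levels."""
    best_x, best_cost = 0.0, expected_cost(0.0, share, loss, p0, k)
    x = step
    while x <= x_max:
        cost = expected_cost(x, share, loss, p0, k)
        if cost < best_cost:
            best_x, best_cost = x, cost
        x += step
    return best_x


def compare(operator_share=0.1):
    """Social optimum versus what a self-interested operator chooses."""
    x_social = optimal_spend(1.0)
    x_operator = optimal_spend(operator_share)
    return {
        "social_spend": x_social,
        "social_residual_risk": attack_probability(x_social),  # > 0: complete security is not optimal
        "operator_spend": x_operator,
        "operator_residual_risk": attack_probability(x_operator),
        "under_investment": x_social - x_operator,  # the externality gap the market leaves
    }
```

With the defaults, compare() shows a social optimum that still leaves a 10% chance of a successful attack (so complete security is not socially optimal), while an operator bearing only a tenth of the loss spends nothing at all (so the market under-delivers).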

Motivation: How economics can help information security (continued)
  Information disclosure
  - Louis Brandeis: "sunlight is said to be the best of disinfectants"
  - Information security incidents are often hidden from public view, so one light-touch intervention is to mandate disclosure

  Data breach legislation
  - California Civil Code 1798.82 (2002): "Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
  - Deirdre Mulligan

  Many high-profile breaches came to light (two slides of examples)
