Notes: Welcome to CSE 5/7338 Economics of Information Security
Tyler Moore, Computer Science & Engineering Department, SMU, Dallas, TX
Lecture 1

Outline: Logistics (Syllabus, Calendar), Motivation

Course website
  - Most info: http://lyle.smu.edu/~tylerm/courses/econsec/
  - Blackboard for announcements and turning in assignments (distance students)
  - YouTube channel for R screencasts

Syllabus
  http://lyle.smu.edu/~tylerm/courses/econsec/admin/syllabus.html

Calendar
  http://lyle.smu.edu/~tylerm/courses/econsec/admin/schedule.html

Motivation: why computer science alone can't fix information security; why economics offers a useful perspective; how economics can help information security

Why is a computer scientist talking about economics?
  The conventional CS approach to security has failed:
    1. Enumerate possible threats
    2. Define attacker capabilities
    3. Build systems to protect against these threats
  This worked for encryption algorithms, but not for Internet security.

Evidence of security failures (figure-only slides, not reproduced here)
  - Data breaches
  - Phishing websites
  - Botnets
  - Critical infrastructure (three slides)
    Source: http://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
    Source: http://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf

But why economics?
  - Economics is a social science
    - Studies the behavior of individuals and firms in order to predict outcomes
    - Models of behavior are based on systematic observation
    - Usually cannot run experiments as in bench science, but economics has developed ways to cope with the difficulties inherent in observing the world
  - Economics studies trade-offs between conflicting interests
    - Recognizes that people operate strategically
    - Has devised ways to model people's interests and decision making

Economics is not just about money
  - Money helps to reveal preferences
  - Money can serve as a common measure for costs and benefits
  - As a discipline, economics examines much more than interactions involving money
  - Economics studies trade-offs between conflicting interests
  - Conflicting interests and incentives appear in many circumstances where money never changes hands

Attackers operate strategically
  - Cannot expect attackers to respect stated assumptions of behavior
  - Threat modeling focuses an engineer's task, which can harden a resource against particular attacks
  - But system design does not exist in a vacuum: attackers can adapt to find holes in areas not considered by the threat model
  - Must understand what motivates attackers
    - For cybercriminals this could be profit
    - For hacktivists this could be attention and disruption
  - In each case, attackers will seek the least costly way to reach their goal

Botnet operators operate strategically (motivated by $)
  (figure-only slide, not reproduced here)

Phishing gangs operate strategically (exploit weakest link)
  [Figure: phishing site lifetime (days) by top-level domain, Hong Kong (.hk) versus China (.cn), March to May 2007. Source: Moore & Clayton (2007), own aggregation.]
  Caption: Take-down latency for phishing attacks targeting different registrars in spring 2007; lines are five-day moving averages broken down by top-level domain

Defenders also operate strategically
  - Those responsible for protecting information systems naturally must consider their own interests
  - Often, there are multiple stakeholders responsible for defense
  - Sometimes defenders' interests conflict
  - Sometimes the interests of defenders do not align with those of society

Let's return to critical infrastructure protection

Incentives for critical infrastructure protection
  Critical infrastructure operators
    + Upgrading to IP-based systems brings huge efficiency gains
    - Maintaining physical separation of networks reduces efficiency and drives up operating costs
    - Likelihood of an attack is low (based on history)
    - Cost of attack largely borne by society
  Consumers
    + Value reliability of service, including against attack
    - Prefer low-cost service
    - Cannot distinguish between security investments among firms
  Governments
    + Value reliability of service, including against attack
    + Fear political consequences of an attack, given national defense remit
    - Lack of budget to fund security
    - Lack of expertise to improve security on privately-controlled systems

So what's the outcome?
  - Absent regulation to compel behavior, stakeholders act in their own interest based on their incentives and capabilities
  - Only operators, not consumers or governments, are capable of improving security
    - So their incentives matter most!
    - On balance, they are likely to tolerate a high level of insecurity in their systems
  - We can also compare this outcome to what seems 'best'
    - In economics jargon, this is the search for the social optimum
    - The social optimum maximizes expected utility
    - More detail on how to compute this later on, but for now we can intuit what the social optimum might be
  - Question #1: is complete security of critical infrastructures socially optimal?
  - Question #2: why hasn't the market delivered the socially optimal outcome?
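A constructed numerical illustration of the outcome and the two questions above, added here and not part of the lecture: a toy model (every parameter is an assumption) in which security spending lowers the breach probability and the operator bears only a share of the loss, so the operator's private optimum can be compared with the social optimum that maximizes expected utility (here, minimizes expected total cost).

```python
from dataclasses import dataclass
from math import sqrt

# Constructed illustrative model (not from the lecture): spending z ($M)
# lowers breach probability to p(z) = p0 / (1 + alpha*z); a breach costs
# L in total, of which the operator bears only the fraction `share` and
# society bears the rest. p(z) never reaches 0, so "complete security"
# would require unbounded spending.
@dataclass(frozen=True)
class Model:
    p0: float      # breach probability with no security investment
    alpha: float   # how quickly spending drives the probability down
    loss: float    # total loss from a successful attack ($M)
    share: float   # fraction of that loss borne by the operator (0..1)

    def breach_prob(self, z: float) -> float:
        return self.p0 / (1.0 + self.alpha * z)

    def expected_cost(self, z: float, loss_share: float) -> float:
        """Spending plus expected loss, for whoever bears loss_share of L."""
        return z + loss_share * self.loss * self.breach_prob(z)

    def optimal_spend(self, loss_share: float) -> float:
        """Minimise z + loss_share*L*p(z). The first-order condition gives
        (1 + alpha*z)^2 = loss_share*L*p0*alpha; spending is clipped at 0."""
        root = sqrt(loss_share * self.loss * self.p0 * self.alpha)
        return max(0.0, (root - 1.0) / self.alpha)

    def operator_spend(self) -> float:
        """Private optimum: the operator only counts its own share of L."""
        return self.optimal_spend(self.share)

    def social_spend(self) -> float:
        """Social optimum: every dollar of loss counts, whoever bears it."""
        return self.optimal_spend(1.0)

    def underinvestment(self) -> float:
        """Gap between what society would want and what the operator picks."""
        return self.social_spend() - self.operator_spend()


if __name__ == "__main__":
    m = Model(p0=0.5, alpha=0.1, loss=100.0, share=0.25)
    for label, z in (("operator", m.operator_spend()), ("social", m.social_spend())):
        print(f"{label:8s} optimum: spend {z:6.2f} $M, breach prob {m.breach_prob(z):.3f}, "
              f"total expected cost {m.expected_cost(z, 1.0):6.2f} $M")
    print(f"underinvestment: {m.underinvestment():.2f} $M")
```

With these parameters the operator's optimum is about $1.2M against a social optimum of about $12.4M, and even the social optimum leaves a 22% breach probability, so complete security is not what the social optimum demands.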