Se ha denunciado esta presentación.
Utilizamos tu perfil de LinkedIn y tus datos de actividad para personalizar los anuncios y mostrarte publicidad más relevante. Puedes cambiar tus preferencias de publicidad en cualquier momento.

Vlad Styran - Cyber Security Economics 101

281 visualizaciones

Publicado el

Vlad Styran - Cyber Security Economics 101

Publicado en: Tecnología
  • Inicia sesión para ver los comentarios

  • Sé el primero en recomendar esto

Vlad Styran - Cyber Security Economics 101

  1. 1. Cyber Security Economics 101 Vlad Styran OWASP Kyiv Winter 2017
  2. 2. Agenda 1. The subject of security economics 2. Why security is an economics problem 3. The problems security economics solves 4. Information security investment and management 5. Security economics principles and laws 6. Case studies 7. Conclusion
  3. 3. Agenda 1. The subject of security economics 2. Why security is an economics problem 3. The problems security economics solves 4. Information security investment and management 5. Security economics principles and laws 6. Case studies 7. Conclusion
  4. 4. Security players • Security consumers – Budget 1st • Security providers – Business 1st • Security industry – Wat?… • Attackers
  5. 5. Measuring security productivity Security costs Direct & Indirect Fixed & Variable Onetime & Recurring Sunk & Recoverable Security level Deterministic & Stochastic indicators Security benefits Reduction of losses caused by the absence of security
  6. 6. Security productivity growth
  7. 7. Types of security Security providers Network economics Market rewards the 1st Dev costs are sunk Growth strategy Ship today, fix tomorrow Visible features 1st Convenience 2nd Ignore security But plan to add it later Security consumers “Real” security Direct business impact Security for business Indirect business impact Security for customers Support of business strategy Security against customers “Best-practice” security Compliance Security against liability
  8. 8. Security as a market Market of information goods Marginal cost is zero: information wants to be free Prone to asymmetry of information Vendors know their products are vulnerable (software security) Enterprises know they got breached (incident data) Consumers don’t know any of it Disclosure of incidents Is essential for “security of the world” Is suboptimal for security of each individual business Monopolies are inevitable Monopolists don’t care about security as a public good
  9. 9. Why “best practice” security sucks Most metrics focus on controls Developed by security providers Easier to measure Selling controls is the business model Controls are deterministic, attackers aren’t Controls are about effort, not actual security Focusing on controls leaves responsibility to buyer
  10. 10. Security metrics
  11. 11. 0 2 4 6 8 10 12 14 16 Controls Vulnerabilites Incidents (Prevented) Losses Security metrics applied to “best practice” frameworks PCI DSS ISO27002 CIS SANS BSIMM SAMM CSAN-3
  12. 12. Regulation Security market can’t regulate itself Regulation? Ex ante (PCI DSS after the fact non-compliance) Ex post (appsec liability and OSS) Certification Information disclosure Intermediary liability
  13. 13. Use case: payment cards PCI DSS Ex ante self-regulation Opsec of merchants Failure to comply causes liability for fraud Disclosure laws Actual laws Increase indirect cost of insecurity Correct information asymmetry Force security investment
  14. 14. Security and humans Expected utility theory Utility First $100 are > than the 10th Wealth $10 is much if it’s all u have Rational choice model People are expected to choose the best option Prospect theory People are risk - seeking when faced with potential loss While they are risk averse and prefer certainty for gain
  15. 15. Economics of privacy (1) Right to be left alone “I have nothing to hide” is bullshit “Good” vs. “Bad” privacy Example: good debtor is OK with it to be known, while bad debtor isn’t Privacy of ads I want firms know what I wanna buy so I get less spam But not how much I want it, or I’ll get ripped off
  16. 16. Economics of privacy (2) • Perception vs. reality – 1/3 of people say they don’t care – 1/3 say they care a lot! – 1/3 say they could trade – Yet 4/5 give away sensitive info for trivial benefits • Why the difference? – People are irrational economic agents – People ignore risks in the distant future – People are prone to illusion of control • Privacy salience – Normal vs. salient vs. “fun and games” salient
  17. 17. That’s all folks Secon101x https://www.edx.org/course/cyber-security- economics-delftx-secon101x-0 Ross Anderson’s Economics and Security resource page http://www.cl.cam.ac.uk/%7Erja14/econsec.html Bruce Schneier on Economics of Security https://www.schneier.com/essays/economics/

×