BSides Rochester 2016: Fernando Montenegro: Economics of Information Security

BSidesROC | 50:02 | 117 views | Published 2016-05
About this talk
Following a very short introduction to Economics, this session will be a discussion of how economics affects many of the typical problems we come across in Information Security. https://www.bsidesroc.com/archive/2016/schedule/talks/
Transcript [en]

my name is Fernando moneger I'm a um I'm a security professional with some gray hair that uh I'm based out of uh Toronto and um it's thank you very very much for for having me here why are we talking about this what's why economics what are we going to talk about this it's the the notion that in um when we talk about Security in general we we're talking about the all the technical aspects of it there is something else going on as well and at the end of the day there are technical elements to what we're doing but there's also the non-technical stuff this is a non-technical talk if you will and what we're doing is we're talking about how

humans interact right economics fundamentally is the study of scarcity we'll get to that in a second and this plays A Part here because resources are not infinite attention is not infinite the incentives of why people do things are are very well defined in economics and I think that as Security Professionals if we understand that we're going to have a lot more success as a as a profession this is uh the the topics from this uh from this presentation derived from a a a Muk I took at addex uh a little while ago called the economics of information security which I thought were extremely interesting so this is this is not so much a lecture as a almost like a book

report on what did I come across and with a little bit of I added of what I added before people ask I will the slides will be up on SlideShare I timed it so they'll be released at 11:00 and um if you need to they'll they'll have additional content on the slides and that they're not here as well so a little bit about me I'm I'm currently a sales engineer at the startup dealing the network security space I've been I've had a number of Professional Services roles I've done some operations I've done some architecture as it says here my degree is from '94 which I like to say that my degree is now old enough to drink right

and the green hair comes from just being around the industry for a long time I'm why am I giving this talk on economics is because I find a topic that's extremely interesting and I think and that I urge you as you consider your own careers and you consider doing presentations and stuff do that I mean you you find something you like come up and talk uh I'm particularly curious about Finance I going doing to self investor kind of thing eventually I got this thing called a mortgage what the heck is that and then try to figure out from there I like economics uh there's a couple of areas one is the efficient market hypothesis and the other one is

behavior economics and behavior economics will play A Part here in a second and then um and then data science right so I'm I'm I'm a few hours away from a Capstone at corsera and I'll be done with that specialization let's talk about uh sorry just second the slides here are a little off there you go that's better so let's talk about a little bit about economics economics as a discipline has been something that people have looked at for thousands of years it was part of philosophy originally but then uh espec in the in the late 1700s kind of thing it's S callest as a as a discipline more on its own some people here may have heard of

Adam Adam Smith he's the guy who came up with the the notion of the invisible hand of the market right so what they were doing that the market kind of arranges itself and and and guides what people will do what so that was a book called The Wealth of Nations in 1776 what people don't know is that Adam Smith or I don't know much is that in 1769 he published a book called the theory of moral sentiment which is very interesting because the theory of moral sentiments dealt more with the motivations for why people do things and it's interesting that 200 300 years later discussing some of that in Behavior economics moving up very quickly I in

terms of um where people were economics kind of developed as a uh kind of developed in two major Trends macro and micro will got to those in a second throughout the 18th and 19th century uh I wanted to point out a couple of people Jeremy benam is interesting because one of the topics they discussed is that Jeremy bam introduced the notion of the Pano economy which is uh he is the guy who originally developed like a prison where you would have someone in the center and you could watch all around it and and I would argue that Jeremy bentam is kind of the the the inspiration if you will for a lot of the security

monitoring you do nowadays as a model we want to watch what everything is what everyone is doing and then uh David Ricardo was interesting because he introduced the notion or he discussed the notion of comparative advantage with what's comparative advantage let's say you have two people they both do a task a and task B and person number one is better at task a and at task B than person number two it's still in the benefit for both people one and two for one of them to specialize in one thing and one for the other and I'm butchering economics as as I as I mentioned but it's the notion that introduces specialization so as a as a as a whole

we've been uh we've been refining the science of Economics for for a few years getting getting into the the 19th and 20th Century you start the discussion around what is what should governments be doing how should you uh stimulate an eony up some of you may have heard of John mayard Kings John Mayor Kings is is a I would say the philosophical inspiration for the quantitative easing that we've been doing as an economy since the 2008 crisis the idea that you can boost Demand by increasing ing the money supply for example in contrast to that you had people uh Frederick haek was one of them that kind of discusses the the view of the market as something

that is better left to the market itself and you should have uh the the animal spirits of the market kind of fight off each other this is interesting because throughout the years we've we've been kind of narrowing down what people expect to see in terms of U of how people react how people act in the in the market uh it was particularly so the little stars here the little uh medals here are actually Nobel prizes in economics that has been awarded since the 40s these guys will come back to us in a second but for example AR and the bre they they they won their Nobel Prize by spe by basically proving that the market

a market mechanism is an efficient way of organizing and of obtaining uh outputs if you will moving then into the into the the latter part of the 20th century we start getting into a more mathematical analysis of Economics right and some some of you may have heard of John Nash right amazing movie amazing book A Beautiful Mind so John Ash was was one of the leading figures in what's called Game Theory which is the the analysis of the of how people play games and uh in the more strategic way then in the late 7 in the mid '70s we start getting into the notion of treating information as a different good the notion of information economics and this

will play a huge part in what we talk about for security uh George AOS uh Michael Spence and Joseph stiglet they won the Nobel Prize in 2001 I think it was for their work on this and it'll play it play a huge part in what we do as security Now One tiic Jor akov his U his wife is jenet y who the current chair chairwoman of the FED right so it's a these kind of things play together and but as we get to security itself the economics of security it kindur of started from a computer security perspective looking to the early in the ' 80s and '90s as people as the Department of Defense started

looking to how it's spending Security money it started with some some authors collaborating uh Ross Anderson and H Varian did some very nice collaboration in the early 2000s that event led to the white security conference in 2002 the workshop on the economics of information security and I say that if I could you know you can nominate people for Nobel prizes for the Peace Prize you cannot do that for economics if I did I would uh I would nominate these two guys now there's two areas to economics the first one the two major areas to economics first one is microeconomics and and I realize I'm but in the video and microeconomics is the study of the

broader economy like how how is going how is the money supply going to affect the the economic output of a nation and so on it's not as interesting to us from a security perspective unless you count that as a as the economy goes into expansion or contraction that affects budgets and and what have you it is interesting that it does study things like unemployment unemployment as is more of a u unemployment is is interesting there's different elements to unemployment there's frictional unemployment cyclical and and and and structural and that we'll play a part in security later on but that's that's macroeconomics microeconomics is a lot more interesting microeconomics is the other major branch of economics and

that's the study of Scar it's the study of how people in a particular interaction are going to look for the best outcome in a transaction it's the as it says here it's the study of individuals and markets when you hear the Notions of supply and demand yes it plays a part in macro as well but here here is where people you're you're analyzing how people are maximizing their own utility in other words you're trying to in a particular transaction do the best that you can for yourself that's the that's the the theory and within microeconomics is where you find the notion of discussing information economics and uh and both decision and Game Theory so it is extremely

interesting from uh U that that's the area where is you're going to study how security affects economics that's where you're going to find yourself most of the time it's not a formal part of Economics but I find that behavioral economics is absolutely essential as a security professional for you to understand Behavior economics is more a a multidisciplinary field if you will that includes psychology it includes Finance it includes e eics it includes sociology it and it's as the title says there it's the funny expression is the bounded rationality of economic agents which basically is a very nice way of saying people are not rational we don't always maximize you're not always trying to you're not always calculating the

maximum payoff for a particular transaction we have our inherent biases and we'll act on those biases and behavior economics is a way of analyzing that and and looking at how we can factor that in as you develop systems for this Behavior economics it was started I mean the one of the most famous names is Daniel kman he won the Nobel Prize a few years ago and there there are other authors Richard Taylor's uh cast sisting if you have uh if you like podcasts and if you like to to um if you like to listen to this from more not not as academic stuff both then II and Steven levit have excellent content out there denelli is a researcher out of

Duke and Steven levit out of the University of Chicago and so and they study as it says here cognitive biases and these are biases that we have so for example um intertemporal Choice hyperbolic discounting we will prefer an outcome uh a smaller outcome now than a better outcome in the future and that explains why I had a bagel this morning right because I uh I I should probably have had a salad right but and behavior economics is fundamentally about the study of these biases and also of incentives how do you incentivize people to do anyway that's uh that's Behavior economics I promise you this this does come back to security the other thing I want to talk about are markets a market

what is a market right you talk about a stock market you talk about the labor market well a market is more of a model than anything else it's how you're going to interact to analyze how people interact and in the market you have something called the price and the price is a very is a signal on that market to indicate how much you should produce or not produce and a market is more of a social it's more of it's not it's not a uh a perfect description of things but it's a very good approximation and remember I mentioned uh the bur and arrow a few slids back well they kind of proved that for some definition of

people being better off a market is a very efficient way of of of achieving that buying and selling good so how do you get a an efficient market which is what slide says here you need a number of things to happen you need to have lots of people buying and selling you need to have what's called property rights it's the notion that if I buy something I get the full benefit of that and if I sell something I get the full benefit of that and and I also pay the same costs so if I I I I receive I have the full as says property rights for a particular transaction you you assume that there is perfect information people

know what they're buying and selling you assume that people are rational hey we talk about that in a little bit right and you assume things like low transaction costs and and as it says here non-increasing returns to scale we are going to see in the next few slides how all of this is different in the security in information security specifically if you don't have those conditions you have what are called market failures and I don't mean a market crashing the can can you define nonincreasing returns to scale hold your thought I will get non increasing returns to scale you'll see that in a second it's the notion that the more that that the as you get

larger your cost at some point will rise again that hold that hold that do there's thank you for the question though you market failures if you don't have a large number of buyers and sellers you you get into what's called a monopoly or a monopsony right a monopsony is when you have fewer buyers than you than you need and we all know we all heard of monopolies and there's several negative things to monopolies but what I will say is that from a from a an economic perspect from a information perspective monopolies are interesting because they try to do they find a way of doing price discrimination of buying of selling you something for what you can bear to pay

and not necessarily what that you what they they are willing to sell for right so I'll sell you a $10 bottle of what is a $10 bottle of wine I'll sell it to you for 20 because I know that you can pay property rights if you don't have property rights you get into what's called an externality and that's the notion that you make an economic decision but you are not responsible for the costs associated with that decision the typical example we always talk about is pollution right if you pollute you may not by definition you're not you're not bearing the full cost of that pollution right society as a whole is and that has very interesting

consequences because that leads to things such as free riding right people if I'm not paying for the cost of pollution I'll just keep polluting if I'm not paying for um if I'm not not paying for for all that cleanup what's my incentives what's my economic incentives to not do that and there's also positive uh there's also positive externalities in that if you don't capture the full value of something positive you're not going to do as much of it people usually refer to education as something that has a positive externality people don't uh people should capture B more of their education and I am other market failures that we talk about is if you don't have information

about what's going on you get into what's called information as symmetry you don't know uh the full details about what you're buying on your celling that leads to things such as as it says here adverse selection what this is particularly interesting in the field of insurance right what ends up happening if you buy a uh if you we analyze and say that Hey listen if only sick people sorry I shouldn't say sick but if only uh sick people will go and and buy insurance into a market it's too expensive for a healthy person to join so the premiums are going to be higher well if the premiums are going to be higher then uh only if you're really

sick are you going to to pay for that and that's and that's a uh a negative feedback if you will there's a few others we talk about IR rational the irrationality as a as a little bit and then uh transaction costs are particularly interesting as well if the if the cost of making a switch is too high you're not necessarily going to make that switch right some of you may have seen this from from uh if you if you've taken Eon in the past this is your typical uh summarized version of a supply and demand curve right the way to read this chart is if you are a producer right what is your incentive to produce it's a so the

quality the quantity is over here and uh and the price is over here remember price is a signal so if you have if the price is high as a producer it's your you are incented to make more of whatever it is you're doing by the same token if you are a consumer and the price is high you don't have an incentive to consume that much as you lower the price of something there is an increased demand and as you lower the price of something as you lower the price of that same something there is a reduced Supply and at some point you meet and the marginal and and typically the the marginal cost is where the the

the supply and demand are going to me again I'm butchering economics a little bit but if you if if you hold this thought for a second we're going to get to that gentleman's question right now which is so what is the marginal cost it's the cost that for you as a producer it costs to make that next good okay so this is your typical marginal cost you start off with the you start off at first you haven't produced much so your cost per unit is pretty high as you have to set up a factory and you start hiring people and they don't produce as much early on and so on well at some point to get into a Groove and

now your marginal cost kind of gets to where um you're producing well Etc at some point you're going to reach capacity and then you have to start paying overtime maybe you need the maybe your suppliers don't have as much of the good as much of the the raw materials then you have to buy raw materials at a higher price so you're you're your uh your marginal costs increases at that point in time you would probably open up another Factory and so on this is beautiful for physical Goods digital goods are different the digital good marginal cost curve is more like this what this means is at first there's a higher cost as you're building something

but eventually as you as you produce more of your digital good the marginal cost decreases and this is what's called an increasing return to scale right and this has extremely interesting consequences for for software markets why well if you have in in that uh in that curve as I just showed you you have very high fixed costs and very low marginal costs what this means is that it introduces the notion that this kind of Market will tend to forget security Right In general the way that a company is going to survive in this market is by getting as large as they can and monopolizing that market as fast as they can right so this is this Market is

prone to monopolies well if that market is prone to monopolies then we get to a a strong incentive for that company to go into a market race to have first mover Advantage time to Market becomes essential getting the minimum viable product out the door as fast as it's humanly possible is absolutely essential and this is why we can't have nice security why because security security is something that is really hard to measure security is something that's really difficult to uh for it it doesn't add to that it doesn't add to this to this Dynamic here and I'm not saying that it's not that companies are evil absolutely not it's the rational economic decision to do a

first mover Advantage right and this is why we I think that as an industry we should stop saying oh this software companies are they they're stupid for not fixing bugs Etc it's not that it's it's not in their economic interest and it's absolutely rational for them to do so I think that's the underlying message here now what I wanted to cover is that there's a ton of other things as well you have Notions that uh in once you get to this Market you you start appealing it's in your rational interest to appeal to complimentary Goods you build a platform and you build around it how many here heard Steve Balmer yell developers developers developers at the

Microsoft conference right it's a famous video on YouTube he was absolutely right that's how Microsoft won Microsoft didn't win by making the best operating system right it won by making the best a minimum viable operating system that appealed to a lot of developers in my opinion and uh I speak for myself not for my employer or anything this is why I think Splunk got such a good position in the Sim Market Splunk built a really nice platform where you can build on top of right and there's others as well but anyway so the reality is that information Goods behave differently and I think this is what this has a profound effect on security I covered information of

symmetry I talked about information of symmetry earlier I want to get back to this for a second information of symmetry uh this is the paper from George aof market for lens that uh pretty much won him the Nobel Prize it's the notion that and I I talked about this briefly the dynamic that if you don't know the quality of something that you're buying then it leads to a a scenario where only people who don't have uh only people who have poor quality goods are going to want to sell it to you because if you sell a good quality if you have a high quality good to sell but you can't get a good price for it you're not going to to go into

that market well then the the the consequence this is why you end up with the market for lemons right that's the the the used car type of a analysis where this came from this has interesting consequences on how do you analyze this how do you get information about a particular good there were two mechanisms one's called signaling the other one's called screening one was from sticklets the other one was from Spence I forget which one was which I believe Spence was signaling and the stiglets were screening in signaling what you do is you you try to signal to your buyer that your good has higher quality in screening if you are the buyer you try to screen out the your

sellers so that only good sellers are going to eventually make it through and these are not perfect signals well these are not perfect mechanisms you know another word for the word signaling it's certified right so if you getting a certification is nothing more than providing a signal that you know what I have some level of quality and as you can see as you can imagine this has tremendous consequences if in information security oh my product is certified and whatnot this also leads to interesting scenarios where sometimes the certification process gets abused I'm still very curious what's going to happen I mean I love the notion of the ls en Crypt movement that we now have

everybody can have ASL third but what's the consequence of that from a signaling perspective for the quality for the for the security of uh of a a certificate anyway that signal screening has another name anybody here working for a vendor software vendor or service vendor V like I work for a software vendor everybody heard of an RFP right what is an RFP if not a screening mechanism so this is why we have uh so these are just examples of that being implemented in uh in security jumping into security areas themselves any one of these next slides could be a 1hour lecture of their own so bear with me here this came out uh this is not new by

the way what I'm talking about is not new I read a paper not too long ago by Ian Grigg Ian grig is a financial cryptographer he's deeply involved with Bitcoin nowadays and he actually argues that the market for security is not a a market for lemons it's not a market for Alliance he talks about insurance it's a market what he call silver bullets and it's interesting because it describes the dynamic of the market pretty well security goods are insufficient information it means that the buyers don't really know what they're buying and the sellers they have some idea of what they're selling but not that much as well right so you end up that the decisions about the markets are done on

the signals and not on the security itself in other words you start looking for some external evidence of some that something is secure and you buy into that you don't buy into the the actual security of a good itself and this leads to a very interesting Hing effect in that and again I'm I'm picking I'm I'm mentioning company names not as an endorsement as a criticisms just as for reference this is why Whenever there is an incident everybody calls mandant or firey right it they they may do good work they may not do good work I'm not getting into that I'm getting into the economics of it's a signal that you're throwing out to your market so this is

extremely relevant other areas uh development by itself I mentioned this briefly earlier there is a tremendous uh there's a tremendous filer in terms of of uh getting the first to Market we get into issues of information symmetry this is the paper that Ross Anderson wrote back in 2001 that kind of G got the whole economics of security going how hard is it to tell if a product is secure or not it's very difficult so it's the rational expectation of a software vendor to get it with as as little as they possibly can and for us to expect different is naive right that's the that's the message I'm trying to get across here there's there's significant

externalities in software development I mean the whole on free open source movement I mean open SSL how many people actually use open SSL versus how many people contribute to it that's your typical free writing uh that comes from an externality right and a huge one the owners of patch right why do we get into a patch cycle well because the vendor doesn't pay for the doesn't pay for the cost of the patch if he passes it on to the to the consumer right so to expect people to uh to expect people to change you have to understand why this happens in the first place and this which brings us to this lecture right why why I find

economics so interesting how are we going to solve this well realistically never mind if you like it or not the economic approach to solving an externality is for example regulation so we are going to see more regulation in security and it's not because uh people are evil it's because people are people right I one example of externalities at play right and U this was uh released late last year that at some point there were 87% of android devices were exposed to at least one high risk vulnerability for a large period of time why is this because it was not in the um in the phone manufacturer or the service provider's interest they they were not incented to

fix that to push that vulnerability out now Google may have fixed it very quickly but the model itself is not uh it doesn't it doesn't inent the service provider or the carrier sorry service provider or the pH manufacturer to push that to push that upgrade out so this is an example of why externalities play a part in security Now another interesting areas is uh vulnerability markets and and and Bug bounties right it's interesting that vulnerab how you price a vulnerability has been a part of Economics or a part of the economics of security since pretty much when it started right you had the initial markets where uh ey defense and Tipping Point would buy vulnerabilities and the have extremely

interesting economic consequences first of all it lowers the transaction cost for a uh for uh uh buying and selling a vulnerability if I know that I can go to someplace and sell that it's easier for me to do that I may be incented to do more of that by the same token depending on how the market is structured there may be a perverse incentive on that market uh I believe it was zerodium that put out a 1 million bounty on a remote uh remote execution on on a ja non jailbroken iOS device I'm not sure if I don't think it's been paid yet well but somebody's they're willing to pay a million dollars for it

wonderful what are they going to do with it I don't know are they going to tell to give Apple the vulnerability right away probably not they're going to sell it somewhere else so the moment that you introduce this kind of payments you can get into the notion of perverse incentives about the vulnerability if you care about the vulnerability being fixed are you going to give it to Apple or you going to give it to the RO and get a million bucks it depends there uh there were aspects around if you could sell the vulnerability only to your to your local government I mean that kind of creat some monopsony we were talking about earlier right so you only have one if

you only have one one legal buyer which is your government what are you going to do about it I what what does that tell you about the price that someone's going to pay for that and there is and uh I I really recommend that you look up the work that the likes of bug crowd are doing and and hacker one and z in terms of bug bounties it's it's extremely interesting bug uh I like bug Crow a lot they've been doing some very interesting work in solving that information and symmetry in the security Community itself if you if you sell a vulnerability how well are you doing that and U how are you going to uh how do you signal to to a buyer

that you are a legitimate researcher. Privacy is another huge area; the economics of privacy are tremendously important in the sense that people analyze how you actually behave. For example, I talked about hyperbolic discounting earlier: present benefit, undervaluing future privacy. We keep talking about how people don't read the privacy policy, they don't read the permissions that an app asks for. Of course they don't read them. Why don't they read them? No matter how much you teach them, "Hey, listen, you should pay attention to these specific permissions being asked," no one is going to do that. Not only may they not have the technical expertise to figure out what "remote access" means on an application, they are under the influence of a bias called hyperbolic discounting: I want to get my Flappy Bird game going. If you understand that, you're going to be a better security professional.

I talk a little bit about monopolies; we can talk about it later. The whole area of risk management is pretty much economics applied: you find out how much you invest in security. There is an interesting model called the Gordon-Loeb model that tells you that, to fix a particular vulnerability, you should really apply 37% of your expected loss, and it goes through the calculations. There's a battle going on between qualitative and quantitative risk management: people love their high/medium/low matrices, and other people love their statistics-based, probability-based calculations. This has everything to do with how much you're going to invest.

Information asymmetry plays a huge part. One of the areas I didn't cover too much is what's called the principal-agent problem in economics, and that is: if you have two people, and you are the principal and you have an agent, someone working on your behalf, and there is an information asymmetry in that you don't know what that agent is actually doing, there is an incentive for that agent to act on their self-interest more than on yours as the principal. This is why, and I'm not picking on particular fields, but for example real estate: if you are a real estate agent, there's been research that tells that you sell your own house for more than you would sell a comparable person's house, and you leave it on the market for longer. That's the Freakonomics stuff from earlier on. Why is that? Because your interest in selling is different when you're selling your own house versus when you're selling someone else's. The same thing applies in other areas.

The thing I wanted to mention here is that I've been in many security audits over the years, and one of the cases I've heard of and seen is: you come up again with lots of findings on an audit, high/medium/low findings. I've seen people argue not for fixing the vulnerability but for reclassifying it, not as a high but as a medium. Why do they do that? Well, because only high vulnerabilities get bumped up to management. So that's a principal-agent problem at play here, and if you don't understand that, you're going to go, "Oh, but they didn't fix all of that." Of course not; they were not

incented to do so.

Insurance is another huge area we could get into. I've done fraud prevention for a number of years, and I think that cybercrime is an extremely interesting area from an economic perspective. You have the whole liability and incentives play here about credit card security: what's going to happen? I mean, we now theoretically have chip cards, chip-and-PIN or chip-and-signature cards, in the US; we've had them in Canada for a little longer. How does that affect the liability? This is a little more specific to fraud prevention, but in a broader security discussion, underground markets are tremendously interesting. I think the next session I'm going to do will be on underground markets alone. There's something called the Red Queen hypothesis in economics, and that is the fact that if you don't evolve, you die, and we see that happening in underground markets all the time. You see prices for exploits dropping over time because they get more efficient; underground markets are extremely efficient. This is interesting for you to analyze, not because you necessarily want to close your technical vulnerability, but because if you understand what the economic objective of your attacker is, maybe you can try to fix that issue as opposed to necessarily your technical issue. And there are tons of other externalities.

This would not be a presentation in 2016 if I did not include ransomware, so here's the mandatory ransomware slide. The thing about ransomware that's extremely interesting from an economic perspective is: why does everyone care about this? Why did this thing blow up as much as it did, and why is it going to keep blowing up? Because, from an economic perspective, two things happened. Number one, the criminal element found a very easy way to monetize it. Whereas before, if they broke into your machine and were able to get remote execution, they would use you as a spam platform and sell it to send spam (they still do that, by the way), now they can charge 400 bucks for your machine to do something. So it's in their economic incentive to do that, and this is why ransomware picked up so much. The other thing about that, real quick, is that the ransomware operators actually have to behave as a legitimate business in order for people to get comfortable paying. It speaks back to the Red Queen hypothesis here: if you, as a ransomware platform, don't know how to behave, people are not going to trust you, and they're not going to pay. I think ransomware is extremely interesting in a morbid sense, I apologize, in the sense that it brings back to the user some of the onus of doing security. Most people wouldn't care; when you talk to an end user, they may not necessarily care: "Oh yeah, somebody sent spam from my account, I don't care." "Oh, I may have to pay 400 or 500 bucks? I do care." So I'm still curious to see what the long-term effect of ransomware is going to be on user perceptions of security. I think that's an interesting area to do research on over the next year or so.

Which brings us to security awareness. I think that if you are doing

anything to do with security awareness for your user community, you absolutely must understand behavioral economics. You absolutely should understand that people have their biases, and I urge you to please not treat your users as stupid. They are not stupid. When they don't follow your security advice, they are doing exactly the rational thing to do. There's a fantastic paper by Cormac Herley from Microsoft, which I have in the notes later, called "So Long, and No Thanks for the Externalities." The paper is from 2008 or 2006, I forget; it's a little dated in the examples he gives in terms of spam and things like that, but it's a fantastic paper arguing that people ignoring security advice is absolutely the rational thing for them to do. So we tell people, "Hey, listen, you should pay attention to the HTTPS in the browser. Oh, by the way, you should check to see if the domain is a valid format. Oh, by the way, you have to check to see if the certificate hasn't expired," and so on and so on. All that has an economic cost, and in aggregate people are rational when they ignore it. If we don't take that into account when we write security policy, when we write end-user documentation, we are just setting ourselves up for failure.

The same thing about the principal-agent problem applies here as well: acting on their self-interest. It's 5:00 p.m. on a Friday and you have to send a file out to your partner somewhere else. Are you really going to go through the trouble of setting up secure file sharing and exchanging keys and whatnot, or are you just going to send an email out? It's human behavior. It's not stupid; it's the rational thing that you're doing from an economic perspective. It may not be what you want, but it's the rational thing that they're doing.

This is just an example that came from Google last year on the kind of things they've done to address behavioral economics. This was how Chrome used to do warnings: you see that they had multiple levels of warning, and they simplified that in Chrome 46. Why did they do that? Because they found, through a data-focused analysis, that people were not paying as much attention to these kinds of errors. There's an interesting study on human behavior called the paradox of choice; if I find the reference (hit me up on Twitter or whatnot later), I'll send it to you. They analyzed whether people would buy more if you give them six choices of jam or whether you give them 24 choices of jam, and people were literally choosing to buy less if they had more choice. Kind of the same thing applies here.

I'll just wrap up by talking about the security labor market, which is extremely interesting as well from our own perspectives. Do we have 0% unemployment in security? I don't know, maybe we do. This introduces all the mania about automating things: if you can't hire people, you're going to look for an alternative in terms of automation and headcount reduction. You should be aware

of that as a security professional. I find it interesting: I have a little bit of background in networking as well, and software-defined networks have been the rage in networking for the past few years, and everyone kind of recommends that network engineers learn some programming and automation and scripting and what have you. I give the same advice to security people: learn some programming, learn how to automate things. It's extremely useful. And then the same discussion of information asymmetry applies here as well, and I talked about those a bit. How do you signal that you are a good security professional? Well, one of the ways is credentials: you get your university degree, you get your professional certification, your vendor certification, what have you. This is the rational way of dealing with the information asymmetry of hiring someone. And from the screening perspective, we should expect interviews to be a little more annoying, a little more confusing, etc.; people are trying to screen whether you are a good professional or not. I will say that perverse incentives also exist in security, in terms of: if the money that someone can get in security is very high, then the incentive for someone to cheat their way into security is higher as well, and this kind of drives why you have the whole certification-on-paper thing and whatnot, and this is one of the reasons why interviews are getting tougher and tougher.

Anyway, just to wrap up: we looked at a few broader economic concepts. We talked a little bit about markets and market failures. We talked about information asymmetry, which I think is absolutely essential for security. And if I could do my best Steve Ballmer impression here, I would not be shouting "developers, developers, developers"; I would be shouting "incentives, incentives, incentives." If we as security professionals do not understand the economic incentives behind why people are doing things, we're just spinning our wheels. I think some of the key areas to study are, as I mentioned here: end-user behavior, if you have anything to do with user awareness, whether as someone just dealing with your end-user population or whether you are a consumer yourself; risk management, a huge conversation there; and what we can expect from software development. Expecting people to provide a higher level of security than minimal on their products is not rational, and if you expect that, we're going to fail.

I'll leave you with a call to action. As a consumer, understand how you play a part in a market. We always hear people talking about, "Hey, if you're not paying for the product, that means that you are the product" on social media. Understand how that works. Understand what incentives are there: "Hey, listen, buy now because this is the last day to buy something." Understand the biases that you are involved in. I think one of the most influential books I ever read is called Influence: The Psychology of Persuasion, by a guy named Robert Cialdini; I highly recommend it. As a citizen, I'm not going to get into politics, but understand what incentives are at play when you are dealing in your community. Who is going to take part in community discussions? Who's going to take part in government? What are the incentives for doing so? And then lastly, as a security professional, I think we should absolutely focus on the right levers. We should absolutely understand the incentives and how people behave. And I'll leave you with one final thought, which is: isn't a lot of what we do in security nowadays itself an externality? In other words, we are asking people, "Hey, listen, you should not do this," and we make that as a diktat, and people... "Yeah, you should not... you can only use the approved whatever."

People are going to rationally look for a way around it. People are going to rationally ignore us, and we shouldn't do that. Thank you very much for listening to me. I do have the slides up in about 12 minutes, if SlideShare is to be believed. I'll happily take any questions you may have.

Yes, sir? You mentioned that underground, which I assume means criminal, markets are extremely efficient. Why do they experience fewer or lesser market failures than legitimate markets?

So, for the video, the question is: why do underground markets experience fewer failures than traditional markets? Is that the question? Yeah. I would say that this happens because those markets have fewer of those failures. All those conditions I listed: there are lots of players, buyers and sellers; there is enough information in that market, in other words, there are knowledgeable buyers and sellers; the cost of the transaction is particularly low; there is competition in that market. So I would say those markets are more evolved than our traditional market. Do they not have the information asymmetry problems? Everybody has information asymmetry problems, but they resolve them through exactly the same methods that we do: they resolve them through signaling and through screening. So, for example, you are only going to be able to buy in a particular underground market if you've been vetted into that market. And, by the way, I'm going to signal to you that I'm selling you a good batch of stolen credit cards by giving you a few cards up front; if you use those cards and those cards fail, I'm going to pay you back. So information asymmetry is a condition in any market, and they have resolved some of those. You had a comment?

Yeah, I was just going to comment that, you know, the dark web markets are really the epitome of the free market idea to some extent: no regulation and all that.

Yeah, that has to be part of the contribution. Okay, any other questions? And, incredibly enough, I... oh, if you download the slides later, I have slide links, Twitter, a list of people to follow, books, workshops, etc. that you can take a look at. Just download the link. Thank you very much, everybody.