
Something Wicked: Defensible Social Architecture in the Context of Big Data, Behavioral Econ, Bot Hives, and Bad Actors

BSides Las Vegas · 2017 · 52:53 · 135 views · Published 2018-01
Style: Keynote

About this talk
Allison Miller argues that modern defense must evolve beyond perimeter thinking toward defensible social and economic architectures that account for human behavior. Drawing on big data, machine learning, and behavioral economics (Kahneman, Tversky, Ariely), she explores how choice architecture, signal development, and concepts like inferior goods and coalitional game theory can inform better security design and policy. The keynote frames defenders as game masters shaping system outcomes for irrational users and adversaries alike.
Original YouTube description:
KEYNOTE - Something Wicked: Defensible Social Architecture in the context of Big Data, Behavioral Econ, Bot Hives, and Bad Actors - Allison Miller Keynote BSidesLV 2017 - Tuscany Hotel - July 25, 2017
Transcript [en]

All right, so now we're going to go on to our keynote speaker. Her name is Allison Miller; you might see her on Twitter, her name is Selina Kyle on there. She has a long career in the industry building large-scale detection systems and infrastructure for major, major companies, and BTW, she is not here with her employer. She's incredibly talented, oh man, and she is wicked smart, she is wicked, wicked smaht. Give it up for Allison Miller and keynote: Something Wicked, Defensible Social Architecture in the Context of Big Data, Behavioral Econ, Bot Hives, and Bad Actors. [Applause] [Music] [Applause] [Music]

[Music] That was my awesome special speaker request. Yes, let's see, yeah, exactly.

Dramatic pause for effect. Oh, that part could be, you think?

All right, hello everyone. So, "Something Wicked This Way Comes, open locks, whoo..." right on the keyboard. "Whoever knocks," it's gonna get a paper towel.

Closer. All right, okay, I'll just keep talking, how's that? Yes, now, wrong display.

There we go. All right, cool, everybody cool? Let's start from the top. "Something Wicked This Way Comes, open locks, whoever knocks," and ain't that the truth. I like that last line, that part about "open locks, whoever knocks," 'cause Shakespeare got it right and he didn't even know you guys. Whoever knocks. So friends, foes and the rest of you, fabulous BSidesians, it is my pleasure to kick off BSides Las Vegas 2017 with you. I've actually been in the BSides community for quite a while, since the beginning actually, first as a citizen participant, then as a volunteer. I actually organized the first BSides in the San Francisco Bay Area after attending the first BSides here in Las Vegas. I've emceed, moderated and mentored, but this is my first time speaking, and so I'm really excited to be sharing some of my ideas with you. Well, thank you. What we're gonna talk about today is where I see the future of defense heading, because what I see us evolving into is needing better, meaning more defensible, designs of social and economic systems, and those need to incorporate modeling for the human factor as well as a renewed focus on human outcomes, because that's really the point. So big data, behavioral analytics, machine learning, AI: these are actually all technologies that we've been grappling with and leveraging in information security for decades, despite the fact that they're also apparently

the new hot words, or hot, hot, hot things and buzz phrases that you hear around vendor floors. They've been here for a while, but now what we have an opportunity to do is fuse this data science with the more human-focused social sciences like psychology, sociology, different types of social research, and my favorite, economics. So if we want to get to our goal of having defensible social infrastructure, what that means is we need to have more of an understanding of the influence, but also the influences, but there are also a lot of ideas and innovations coming our way, so maybe it's time to start broadening our own toolkits as we approach architecting and operating ever more elaborate social and economic systems so that we can protect the people in them.

So what does that mean? Let's see if the slide advances. This slide does not advance. Here we go. All right, the slide is advancing. Okay, so where do we come from? We come from a world, we still sort of are defined by a world, where we define protection by isolation. Did you, okay, so you remember the concept of the perimeter, how that has changed? Security used to be about system boundaries and isolation and adding in virtual walls and doors and locks, but now the modern defender has to be in the enablement business, and we have to figure out how to interconnect all of these different systems and people and keep them protected at the same time. The vulnerability surface is expanding faster than we can invent the next generation of perimeters and moats. We've been modeling for technical outcomes, and there's certainly a lot of risk there, especially in the in-between places, at integrations and boundaries, but now we're dealing with the perimeter laced with bull's-eyes. In fact, the perimeter is people, as perhaps Charlton Heston might say: Soylent Perimeter is people. So we've come full circle in InfoSec, where it's not about the tech, it is about the people, and no longer is it about keeping the outsides on the outside. We need to connect with everyone and do something that's even harder, which is sort out good intent from bad, all with everything sort of running in real time. If we don't, then social systems get overwhelmed with issues like scammers, spammers, bots, botnets and fraud, and they flood our systems. New platforms are developed and then new exploits arrive. We know it's inevitable: breach happens, all systems get gamed, and people don't always behave nicely when they're sitting behind the keyboard, and we wonder how is it, in 2017, that this is a surprise for anyone who builds a new system, app, device or network? We look at the writing on the wall when new tech shows up, and we think, when things go down, when things go sideways, we say, how could you not have known this would happen? When the trolls invade, when the bots show up, when the apps and the things and accounts become vulnerable assets and not just tools to empower the graphs we've built, how could they not know? And the answer is, we learned a lot on the way between trading our local BBSes and pound takun for Twitter and 22 tabs just for Slack, but everything old is new again. Open locks, whoever knocks. So now it comes down to detecting behaviors and, worse for us, trying to understand the intent behind the behavior, because in social and economic systems what is bad behavior looks a lot like good behavior from an application perspective; it's simply the intent that's different, and the harm that occurs. So we can find cold comfort in our own prescience, which is called cynicism in some circles. The foundations we've built for protecting people are built on technology, of technology, and actually for the technology, but it's behavior that drives outcomes. It's behavior that's going to manifest as the new bleeding edge of the issues we're facing: intent, threatfulness, awareness, vulnerability exploitation and risk. It's a human behavior problem, and at the same time, while sometimes we find ourselves clinging to some kind of technical purity of a security strategy ("we should build it like this, we should leverage this tool, we should limit access in this way"), security isn't designed in a vacuum. We're actually going to have to compete for any of these precious resources that we want to apply, and we compete for mind share, for talent and budget, which is an economic problem. So with this in mind, where do we find ourselves? Are we just going to sit around, gather around the proverbial cauldron of boil, boil, toil and a whole lot of trouble? No. The tools we need now are not just hardware and software tools, tools that solidify the existing foundation, but wetware tools. So welcome back to the realm of psychology, sociology and econ, where we can focus, because what we're doing is inherently competitive, and where we live in the information age, competition is fundamentally asymmetric. Asymmetric, meaning things aren't exactly fair; not everybody starts with the same amount of information. But actually, I think instead of sitting around the cauldron, what we need to do is kind of stand up and get ourselves together and compete harder. The field of play is squarely in the domain of decisions and behaviors, of incentives and economics, and so that's where I think we're going to find our solution. So personally, one of the things that I'm really loving is that a lot of my work, I live in the world of data, data and analytics, preventing fraud, building these models; on the other hand, where my head is at is in economics, and so I love how these

concepts are interconnected, and what's happening, and where we can go. I have a little bit of a sidebar. You guys cool with a sidebar? Cool, you're cool with a sidebar. So recently I was asked, during an interview of sorts, about how I thought we should set CISOs up for success, and it turns out that I actually have a lot of opinions on this, but one of the primary ones is that it's really difficult for someone who's not privy to the details of the business to be tasked with protecting it. And I've seen us groom security analysts and engineers for bigger roles simply by cross-training them in more security tools, more IP, bits and bytes, but what would really inspire me, and what I hope for for our CISOs, is that I want to see them shoulder to shoulder with their peers in the C-suite. That's what we need to be ready for: it's leaders. So the interviewer, oh, thank you, so the interviewer was pretty impressed and said, "Oh yeah, yeah, okay, I get it, like, you know, analysis and human behavior, soft skills, right? That's what you're interested in." And I kind of looked at it, no, all my skills are hard. But anyway, what I'm looking for, I don't exactly remember how I answered, but it was something along the lines of, it's not actually about soft skills, it's about hard skills, it's just about different skills: quantitative skills, business skills, financial modeling. I don't think that's very soft. But anyway, I really hope that soon we can have CISOs who are ready to debate ROI with heads of marketing, who can go head to head with product VPs about user experience, and who can have really good discussions with CFOs and chief counsels about risk. We need to go bigger. We have to play the game with the stakes and outcomes in mind, and in order to do that we need to see the board, and it's not for us to get caught up in red team versus blue team, who has it harder; it's not noobs versus greybeards or AppSec versus threat intel. We just need to broaden out our toolkit and leverage what other human-centric systems do, which is to design things better, foster innovation, leverage data better, and go for the win. So do I have ideas on that? I do. Look, the circle is merged, that's adorable. All right, okay, so I think the way to get there is actually through technology, but kind of a different path, which is, I think we really need to incorporate things like systems theory and machine learning to get to smarter social systems. And while I'm on the topic of social systems, I want to talk about the term "social engineering" for a sec, because it's sort of become a default term for manipulating people, tricking people, the long con, and that's not really a big enough concept for us anymore. It's not a productive concept, how it's used in conversation. What we need is a word or a concept of people who are like civil engineers, who actually build more resilient social and economic systems, bolster connections between people, make things safer, and engineer them not to be foolproof, because this will just make better fools, but to be resistant to the inevitable gaming and wickedness that lurks in our reality today. And since this is a design problem as much as a construction problem, I'm going to talk about this using the term "social architecture." That's what I mean by that. So I wanted to make a quick shout out to Brian Arthur, who's one of my freakin' heroes. His paper "All Systems Will Be Gamed," which came out of the Santa Fe Institute, is really brilliant. He kind of breaks down how we see all these large systems fail, and it's because there's no one who's there who can really assess the quality and build social and these dynamic systems in ways that work, and that's really important, because, you know, if we're building the apartment complexes and office parks of the future, if earthquakes are coming, we consider how to make a foundation that can survive and sustain tremors, literal earth moving. If blizzards are on the horizon, if tornadoes are coming, if hurricanes are on their merry way, there are other issues that would be considered. So, cybernauts, if something wicked is coming this way, and it always is, let's talk about what would be in our go-to kit to make sure that our systems, apps, accounts and things can stand up to their own little earthquakes, hurricanes, etc. So I think that a lot of these tools come from a few key places, and so that's why we're going to talk a little bit about data and learning systems, we're going to talk about behavioral economics, and we're going to talk about actual economics, and I say that with a little sneer, it's like you didn't imagine it at all. Okay, so first up is data, and what I try to do is tease out a few things. This is a technical talk, sorry, but I'm going to kind of breeze through a few of the concepts. These are some of the concepts that I think are important, and what we're trying to do with data is, we have a chance to observe what's happening in systems and then model to get to more optimized outcomes. This is usually a lot of math, so first we'll cover models and feedback. Okay, what you see up there, and I hope you can see it, I know there's a lot of folks in the back, is my

simplification of a modern detection system as it might be used to prevent against something like spam, account hijacking, fraud, and even, to a certain extent, things like malware. So I have on top here, that swim lane on top is the user experience; it's what the user sees as they go through whatever flow, and "user" in this context, in our context, it could mean the end user of a system, like a customer, or it could mean an employee or some other system agent. And then this middle layer is kind of, it's an immediate, online, in real-time, in-production thing that's happening, and then we have the back-office things that are happening behind the scenes, a little bit decoupled from the user experience. So the way that almost every one of these systems works, whether we're talking about spam or malware or certain networked issues, is there's some sort of event that gets evaluated, and then based on what is observed and what the sort of policies are of the system, there's gonna be a response. Now, the response could just be "write to a log," but in a lot of modern systems the response is a little bit different. It might be change the user experience, ask for a second factor, or decline a transaction, and then it goes back and there's some sort of effect on the user, and then what happens next. So what happens next behind the scenes is, all of those observations and what has happened, all of those events, you figure out if they were good or bad and you plug those back into building new models. Now, I'm talking about models, and I usually mean sort of machine-learning-type models that approach AI but are pretty squarely in the statistical machine learning camp, but it could just be rules, it could just be algorithms. "Models" is just a way of describing when you let the machine make the decision and you've kind of given it a clue in advance what your priorities are. And while that whole cycle is really cool, the coolest thing about it isn't the models; that's just the algorithms and math, that's just a few seconds of pressing enter and getting back whatever the machine sort of tells you the logic is going to be. The coolest thing, the most critical thing about this system, is actually that feedback loop: that understanding what has happened, being able to understand what has been observed, and feeding back into the system. That's how you teach the system; it's a learning system. So machine learning and learning systems are slightly different concepts, but the real power is in learning systems, and machine learning and AI just help power it and help make it work, but the key is the feedback loop. And one other thing that I like about this, something to sort of think about, is, well, this is sort of almost like a system diagram. You could think of it as, it also is something that you can use to understand where to put your threat models, and what I mean by that is that in most systems, most users will simply go through a happy path, because people are basically good on average, and so you would expect just to have a sort of happy path experience. But working with your product teams, working with your tools, working with how your policies are enforced, understanding what happens on the unhappy path is also interesting, because you may be able to get more information out, and also there's a user experience there you need to manage too. But one quick note on that is that, as I mentioned, the feedback loop is really the most powerful piece of that system. That means that you really do have to understand what happened, and in a lot of what we do as security professionals we focus on the bad events; we have a little less insight into the good events, but those are equally important when you're training a learning system, because a learning system will learn whatever you teach it, and if you only feed it badness it starts to get super paranoid, and that doesn't always work out for us. Okay, next up on data, and one of the reasons why these systems are quite interesting, is because we can then get to a place where we can figure out costs. So has anyone in here ever tried to come up with a pitch for putting a new tool or new process in place, and the business came back to you with, "Well, what's that worth? How do I prioritize that investment?" It's really hard to come up with the security ROI if you don't actually know the cost and impact of bad decisions. So this is how you can kind of think about this, is that, you know, you're gonna make yes and no decisions on events, maybe you think they're good or bad, and then based on whether they're good or bad you offer the happy path, let them through, or maybe it's a different path, you're gonna block something. Let's say, in general, when you get the decision right, everything's good, everything's good to go. The costs show up when you get things wrong, and it's always a trade-off between false positives and false negatives. So a false positive is a user who gets stuck, or, you know, your pager goes off a hundred thousand times in the middle of the night; that's also a cost. Or, on the other hand, a false negative is something bad gets through, uh-oh, incident, event, breach, and those are trade-offs, but costs that you can estimate once you have some of this sort of event-based transactional data; you can get a sense of it. The trick is, though, is that sometimes even when your decisioning technology is right, there's still a cost, and an example of that is something like account hijacking, where you are right, you blocked a bad guy from getting into a good person's account, but then you still have costs because you have a good user who needs to restore access to their account. They've been victimized and they need to go through these extra steps; that has a cost too. And then, when you have a sense of the costs, oh my gosh, the world that opens up to you, and you have discussions with management, because you can actually do things like

quantify performance. Let me share with you real quick one of my favorite diagrams, which is how to evaluate model performance. Okay, everybody ready? I know it's getting kind of hard, there's a lot of graphs. So what we have here is, imagine, we'll use fraud as an example. Okay, so imagine you have a hundred thousand transactions coming through; that's your total, your number of transactions, and some portion of them are bad, where you're going to mark them as bad so that you can not experience the fraud. So across our horizontal axis we have percent of total, and going up we have the portion that you're going to mark "bad is true." Now, the blue line, the straight line, is random, so you have terrible logic, it's totally random, but in general, if you have a random way of marking something "bad is true," then in order to catch 50 percent of the fraud, how many of the transactions would you have to block? 50 percent. That's why it's a straight line, kind of like a slope of 1. If you wanted to block all of the fraud, you'd have to block all the transactions, and that sounds like a bad idea. So what we do is we try and get models that can actually catch as much of the "bad is true" as possible but leave the portion of total transactions alone, and we describe that as gain. This is a gains chart, so you always want to work on the edge of that curve to be as productive as possible. You want as much gain between randomness and your decisioning technology, and you definitely don't want to be in a situation where you are, for example, declining eighty percent of all of your transactions only to get ten percent of the fraud; that's that little dot off the horizon. So what you're going for is good gain, and you can benchmark logic against each other when you have a sense of the cost of negatives and false positives; that's what this sort of reflects. You can sit wherever you want to on the curve. Do you want awesome, do you want really awesome user experience, and so you want to decline as few as possible? Well, you won't get as much fraud, but you can choose that, and then equally you could choose to reduce more fraud by declining more transactions. It's a choice, it's a trade-off, and when you can get it into quantitative or financial terms it makes it so much easier to have a conversation about where you're gonna sit. Okay, so we just did a quick shallow dive into quantitative modeling and using data and AI in order to improve security, and the advantage of it is that it actually helps; it's fast, its performance is predictable, so you can have really good discussions about the trade-offs that you are making in terms of financial or user experience impact versus security impact. But those are, what we've been talking about are our decisions and how we put them in software, and we know that users have preferences and their behavior is going to reflect their preferences too, right, within the framework of options we give them. In our lane are our decisions, but we're still kind of at the mercy of all of our irrational users, right? Well, sort of, and this is our segue into behavioral economics, which is where we go over the choices that users make. Who here has heard of behavioral economics? Who loves behavioral economics? Who's kind of tired of hearing all this yappin' about behavioral economics? Okay, I'm in both camps. Some of you admitted it; I like that you admitted it. Okay, so I'm going to give a quick shout out to Kahneman, Tversky and Ariely. So Kahneman and Tversky are the authors of Thinking, Fast and Slow; Dan Ariely, I think he's still at Duke doing some great work into decision-making and irrationality. So we're moving out of science and into kind of a new realm, not the pure operations management we were just talking about and machine learning, but into the human computers, how our brains work, and the science of this just gets hairier the more the humans are involved, because they can be a little bit unpredictable, they can be irrational. So Kahneman, Tversky and Ariely are all psychologists, and to kind of give a TL;DR on their work, this is the TL;DR: humans aren't robots, they make irrational decisions, and not only are they not strictly utility-maximizing the way the economists kind of hope we all are, or in a way that can be externally observed, but they can be nudged in different directions by the gamemaster. So these types of concepts around irrationality or optimal decision-making, they work in economic concepts, sort of, because it's easy, sort of, to see when people make decisions that are in their best interest, because utility can be measured in dollars and cents. Now, we get to deal with this as security folk because it results in the following: no matter how much we train, or how much information we disclose into warnings, cues or user flows, we can't control for the internal whatever that's going on in anybody's head or the external whatever is happening, so users are simply not going to make decisions in their own best interest 100% of the time, and for that matter, that's true of all system agents. We can't count on them to make decisions in the best interest of system health a hundred percent of the time, and system agents includes our executives, our product developer friends, our co-workers, and us. So the good news

is that some of these biases can make behavior more predictable, not less, and the other reason why we should embrace this, rather than getting freaked out by another imperfection or vulnerability in our system, is that we are the game masters, and we can leverage what we learn and incorporate it into system design in the form of choice architecture, to reinforce good behavior, or, when we are wearing our social engineering hats, to see the behavior breakpoints. So here are a few quick concepts we're going to go over related to behavioral analytics: choice architecture, opinionated design, data devaluation, and I'm just gonna kind of dot-dot-dot into competition. So choice architecture is kind of, as the name reads, how we set up and frame choices that we ask users to make, and some of the key concepts that you'll hear a lot about are framing and anchoring. So what you see up in the picture is actually kind of an example of framing: one blue dot looks bigger than the other because of what's around them, but actually they're the same size, and those types of visual tricks, they can also be choice tricks. You can nudge someone to make one decision versus another just based on the way you present the choices to them. Another example of this, which I like a lot, is anchoring. So there's an experiment that I think is pretty cool, where you can do it to just play along in your head. In your head, imagine to yourself, what are the last two digits of your phone number, and you write them down. So, last two digits of the phone number. Then I hold up some object, a guitar, a bottle of wine, a loaf of bread, I don't know, and ask you how much it costs, and studies will show that folks who have higher last two digits of their phone numbers will guess that the object is worth more than folks who have lower last two digits of their phone number. Isn't that weird? It's totally weird, but the thing is, is that you are anchored by a random piece of information, basically random, the last two digits of your phone number. You are anchored by that, and that affected your decision-making, no matter how rational you are. And so when we set up things like privacy policy disclosures or secure-your-account-type choices, how we set those up really changes it, can really influence, it can help, it can harm how folks end up configuring those situations and the choices that they make when they're faced with warning dialogues or system messages anywhere. Which brings me to opinionated design. So, opinionated design: there's a lot of really cool research happening on this right now. There's a conference, SOUPS, and some of the UX conferences that are associated with user experience and research. Opinionated design, again, it's actually kind of what it says, which is, instead of forcing users to make choices and simply presenting all choices as if all choices are equal, like, do you want to go ahead to scary thing, or, you know, do you not want to go ahead to scary thing, and forcing a user to kind of make that decision, instead designing a warning or designing an experience so that the default behavior is the one that is optimal, or safer, or more secure. And I think we're gonna see some really useful impacts on user behavior in using opinionated design. The last thing I want to talk about related to behavioral econ is actually kind of pushing on the other lever, which is data devaluation. So instead of working so hard to change a choice someone's making, instead designing situations or systems where, if they make a mistake or a wrong choice, it doesn't hurt so bad. So the classic example of this would be something like two-factor authentication. Indeed, so two-factor authentication is really useful when the T. rexes are throwing ichthyosauruses your way. What are the fish, phish, okay, we don't know, but phishing, right, phishing: "Oh no, I gave him my password, I was tricked, that wasn't really Microsoft wanting to give me a million dollars," or whatever. When you lose credentials, it doesn't matter as much if that doesn't end up causing a harm. Data devaluation is also a strategy used elsewhere, where you find a lot of encryption, right, because encryption, or in fact that was part of the argument behind chip-and-PIN, and I won't go there, I'm just gonna say chip-and-PIN, but I'm not gonna freak out about it. Most of you don't know why that's funny, but it's funny, I promise you. Okay, so when it comes to behavioral econ we're talking about two main approaches, which is either changing the choices to change outcomes or changing the outcomes to reduce harm. So make it easy to make the right choice, make it really hard to make a wrong choice, or remove the impact if there's a wrong choice. And what's really interesting here is that we've moved this from an administrative sort of detection problem into a design problem, which feels like a better place for it anyway, because it empowers our friends who are product developers and responsible for the overall experience of end users to actually create better experiences, and building it in is always better than bolting it on. I think that we can all agree on that, and there's some excellent research and also new products that are leveraging these capabilities and this type of approach. But wait, there's more, because remember that behavioralism isn't just a system-user dynamic. I think it's worth it to remember and to think about us: when we make decisions, we also have some of these cognitive biases at play, and those show up in our work in a lot of different places. So the takeaway is, design approaches to setting up decisions can either add or reduce bias and harm, and this is true in how we set things up for users and also how we set things up for ourselves. All right, BSides, I'm so sorry, maybe you should not ask economists to keynote, because now we're going to get into the dismal science. So everybody kind of like shake it off, because I'm gonna actually talk about real econ for a minute.

So framing and choice architecture and, like, behavioral game theory are awesome and fun to think about, because we can relate to them, we see them every day, and I'm absolutely happy to talk more about that. I have a lot of stories and ideas; buy me a drink sometime. But what I actually want to bring to the table, and why I thought this was such a cool opportunity to share with you guys, is because I think that we can do more by digging into technical econ. Even understanding that people are irrational, I think there's some really interesting models from econ that we can leverage, and I've got to do something with this applied econ degree that I'm working on, so let's have at it. When we talked about data and we talked about behavioral economics, we were talking about how to improve the gameplay and influence moves made by users, but when we start to get into more formal models of economics, we're talking about the board itself, which is pretty fun in my mind, pretty cool. So for anyone who has post-traumatic stress disorder related to econ, cover your ears. Everyone else, the TL;DR is that microeconomics is really a model for estimating how folks are going to consume resources given their preferences and under a budget, and the basic rule underneath that is that all of us seek to maximize our utility, meaning we want to consume as much as we can, every tiny little wafer, and continue to maximize utility as far as we can, given that budget constraint. And so how preferences play in is that we all have budget constraints, and so we have to make choices in how we leverage that budget that we're given, and that shows up in trade-offs, and in micro that's going to get into very exciting good A versus good B, or labor versus leisure, but any time that we have a budget, it means that we're prioritizing choices, and that budget constraint is a big deal. Okay, this graph, sir, we don't need this. Another thing that I think has been interesting in looking into economics is understanding that there's two schools or two types of economics, positive and normative. So positive is basically what is happening, what is it, and it yields descriptions, metrics, models in order to sort of predict outcomes. The other is normative: what should it be? And this is where policies come from, economic analysis: how do we think this is going to work if we make this change, if we add this policy, what will be the overall effect? That's normative, and so what you see a lot, actually, is folks trying to apply positive techniques to normative situations, and that's where dragons lie. And in economics there's actually a lot of well-trod ground when it comes to the security world leveraging economics, and here are some of the concepts that you'll hear spoken about, like ROI, or the game theory concepts like tragedy of the commons, volunteer's dilemma, chicken, and risk tolerances. I think one of my favorites is market for lemons, which is about information asymmetries, but also this concept that maybe what we can do is make things more expensive for the attacker. I think that's a really cool idea, although I still haven't actually seen how we make that so. So the places where these concepts connect, these very basic building blocks from micro like preferences, utility and money returns, where they kind of get real is when they bump into concepts

related to risk tolerances uncertainty data because because even in economics we don't assume everyone has perfect information all the time and adversaries are really just another word for competitors depending on how wicked your brain works and so I have seen a lot of promise in other concepts coming out of economics things like inferior goods and sent to design coalitional game theory and those can lead to better policy analysis which is actually a pressing issue for everyone in cybersecurity to understand how we're going to get to better policies we can want better policies we can try and encourage better policies but I think the way that we get there is by bolstering our own arguments with

models that are working are accepted by these folks and then there's of course commercial applications too I think we're going to see cyber insurance take off relatively soon and a classification is basically just another word for machine learning in this situation so when I was thinking about formal economics and and what we might add to our toolkit I kind of took a different approach which is I looked at some of the problems that I keep hearing about over and over again and then I was thinking about what concepts am i hearing about in economics that we can apply so for something like are you all familiar with the security poverty line I think that's a Wednesday neither and

also yeah I think that's a winning either thing so Security poverty line is this idea that that there's a certain link you must be this high to ride this ride you must have this much budget or this much maturity in order to like even be at the minimum and there's a concept that I want to sort of mention which I really like inferior goods so inferior goods aren't necessarily what they sound like at the beginning inferior goods are things that are consumed more by folks who have less income when income Rises the consumption of inferior goods go down which is counter one of the two the basic tenants of economics which is that everyone is utility maximizing so you

would expect that as incomes go up they would can simply consume more of things but inferior goods they consume less and so what I wonder when we're sort of looking at something like the security poverty line is we have this concept of maturity maturity models right and you know that as you get more mature you do more but as you get more mature as you get more budgets to throw at cybersecurity what are you doing less of because I think that that would be really insightful and something interesting to consider for folks who are under the security poverty line is to understand what are there things that they can consume until they get above the poverty

line that's one thing and I have one other there are a couple of themes that I pulled out of some of these different concepts that that I just shared with you there which is places where I see promise for research and things that might actually help us kind of level up our game when it comes to cybersecurity writ large and policy development so I'll just shout them out coalitional game theory consumption and maturity signal development and oh my god risk so coalition love game theory is basically game theory on teams I'm just gonna put that out there and that you can actually change outcomes and you can do things to reduce asymmetries which is one of the

biggest economic problems that we have to deal with in cybersecurity as information asymmetries if you up in all markets bond markets all kinds of places so coalitional game theory is a place where I see we may be able to leverage and make change consumption and maturity it kind of just talked about that related to maturity models and then signal development so we live in a world where we have a lot of negative signals meaning we know when something has gone wrong we know when someone is not doing something right we see when things are broken but what's kind of missing for us are more positive signals I think that signal development or this idea of I

mean I'm not suggesting that we're gonna put a stamp on every website or every piece of software needs to get certified somehow but positive signals for us as practitioners within the industry understanding being able to differentiate product quality and also potentially understanding signals that can help us understand if we're practicing security in the best that way that we can is there's there's a definite opportunity there so then oh my god risk okay so you've just been risk rolled I like to never go get you up and they let you down okay so I like to throw in a little bit of risk and in every presentation I give because I love risk and when it

comes to economics risk is where Theory meets behavior and one of the things that when I think that we should think about is how we talk about risk because right now when we talk about risk we talk about expected value and we sort of were managing to some kind of mean but actually when we talk when economists talk or financial professionals in the real world talk about risk they're really talking about variance of returns not the average value and what I mean is if you've ever looked at a payoff matrix a little bit of game theory a little bit of threat modeling there what you then focus on is figuring out the the expected value of each chain that you

might go through and I'm not gonna make you guys do this whole example I'm just gonna cut right just trust me just trust me all the math is right is that what we see is when folks are risk averse what they really want to minimize is the variance between the return they can expect they're not managing strictly to an average expected value and I'm running a low on time so I'm not gonna walk you through that plus it's a key note you guys don't need to see all of those details but but my point from that is that when we talk about risk a lot of optimization functions assume certainty but we're always going to be making

decisions under terms of uncertainty anytime we're competing anytime we're investing pretty much just any time and so understanding that variance it's going to be just as important we're more important in how you play this game as expected value is kind of a big deal because I actually think that's how we win we have designed a game that we play where there are a hundred thousand ways to lose and no ways to win and this isn't a red team versus blue team thing I think we have built a game for ourselves that is all about losing or not losing and I think that it's time for us to take a little bit of control back and figure out how we're going to

win all right give me a cheer for that because I anyone who's ready or with cool so as we regroup for a moment sorry about all of the econ notice how many of the topics that we struggle with have an aspect to competition to them and I want to clarify that I'm a fan of competition of free markets because after all I'm studying economics but I also want to clarify that when markets can get to a healthy equilibrium regulators tend to leave them alone and if there are structural inefficiencies that make it difficult for our market to clear if there's brokenness in the economics that tends to invite regulators and that's true in all markets so many market

dynamics have a lot of good economics around them that guide policymakers but we're still in a nascent ecosystem with a ton of asymmetries and while we've certainly nailed getting cyber into TV and in the hearts of minds of the public the underlying economics are still being defined and that's a big deal when the engines of public policy get warmed up so I want to give a shout out here to a couple of foundational researchers that I look to again and again which is the pricing security paper by Elgin camp and Katherine Wolfram in 2004 and the the work on exploit derivatives that Rainer Boehm did in 2006 in his comparison of market approaches to software

vulnerability disclosures so we we have a lot of work that we can extend and high regulators out there I'm excited to see you I love your work but we've got to figure out some of the economics on this so policy development can occur in yield positive results mm-hmm okay we're gonna skip that one we're just gonna assume you guys are sure about how units work okay ready for Big Finish finish it oh right josh is here all right we're gonna fight before he gets to take the stage okay so ultimately security is a series of doors and windows and lock boxes and keys and we all have choices in the decisions we make we can choose to leverage every tool at

our disposal or not we can choose to collaborate with sister disciplines or we can get keep our own domain we can choose to design systems that flex and flow or we can try and white-knuckle control to the nth degree we can choose to recognize incentives that drive good and bad actors alike and design for those flows or we can stick to constrained threat models that consider only the interests of one player on the board personally I think we're headed in the right direction and I'm just hoping that we collectively choose to step up to the challenges and meet them likewise collectively and recognize the full game as it's in play because it's not just about us it's not just about red and

blue and purple it's not even about the larger us black hat white hat and the mighty gray zone know the full game is all of us and all of our colleagues and all of our industries and all of our friends and family around the world so all we need to do is build history's best security in a reality that's insecure and full of holes we can do it though we will do it but what got us here isn't gonna get us where we want to go the underlying tech and how it works is our first principles but we hide behind the tax when what's vulnerable isn't the software it's the wetware it's not the perimeter it's the

people the check that the tech got us here and it's how we work and now we have unlocked the next level and so we need to start modeling for the human factor the path forward is through cafe and Wi-Fi and TCP and the social graph incentive design and competition and leveraging all of the different tools available to us like hackers to within our world of wickedness and wonder we choose the way we work we choose the way we win it's true to defend against attackers we need to understand how attackers think but it's equally true that to protect people we need to understand how people behave and we need to get ready because the future is here

mag McNeil it's made of ones and zeroes and supply and demands and preferences and philosophies and we need engineers and architects and operators and designers to make it work it's easy to focus on the brokenness the loss the losing because that's a certainty it's all around us and cyber isn't immune to that but what's amazing what's thrilling is what we're building and that we're building things better even in the face of ambiguity even in the reality of uncertainty and complexity I'm hopeful because what I've learned and a lot of the ideas that I've been exposed to I'm hopeful because you are here we are here we are together thank you
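The speaker skips the payoff-matrix walkthrough in the risk section above (expected value versus variance of returns, and why a risk-averse decision maker does not manage to the mean alone). The following is an added example, not code or data from the keynote: the two defensive options, the three scenarios with their probabilities and payoffs, and the mean-variance scoring rule are all constructed here as assumptions to illustrate the point. It shows one option that has the better expected value and yet loses to a steadier option as soon as any weight is put on the spread of outcomes.

```python
"""Expected value vs. variance of returns for two defensive options.

Constructed example (not from the talk): scenarios, probabilities, payoffs
and the mean-variance scoring rule are assumptions made for illustration.
"""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List


@dataclass(frozen=True)
class Outcome:
    """One row of a payoff table: a scenario, its probability, and the
    net return (negative = money lost) if that scenario occurs."""
    scenario: str
    probability: float
    payoff: float  # constructed units: thousands of currency units


# Two hypothetical options facing the same three threat scenarios.
# "fixed-premium": a steady spend (a managed control or an insurance-like
# premium) whose cost is the same whatever happens.
# "self-insure": spend nothing up front and absorb whatever losses arrive.
PAYOFFS: Dict[str, List[Outcome]] = {
    "fixed-premium": [
        Outcome("no incident", 0.70, -25.0),
        Outcome("opportunistic attack", 0.25, -25.0),
        Outcome("targeted attack", 0.05, -25.0),
    ],
    "self-insure": [
        Outcome("no incident", 0.70, 0.0),
        Outcome("opportunistic attack", 0.25, -40.0),
        Outcome("targeted attack", 0.05, -250.0),
    ],
}


def _check(outcomes: List[Outcome]) -> None:
    """A payoff table is only meaningful if its scenarios are exhaustive."""
    total = sum(o.probability for o in outcomes)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total}, not 1")


def expected_value(outcomes: List[Outcome]) -> float:
    """The average return: what 'managing to some kind of mean' optimizes."""
    _check(outcomes)
    return sum(o.probability * o.payoff for o in outcomes)


def variance(outcomes: List[Outcome]) -> float:
    """Variance of returns: the spread economists call the risk of an option."""
    mean = expected_value(outcomes)
    return sum(o.probability * (o.payoff - mean) ** 2 for o in outcomes)


def std_dev(outcomes: List[Outcome]) -> float:
    return sqrt(variance(outcomes))


def mean_variance_score(outcomes: List[Outcome], risk_aversion: float) -> float:
    """Mean-variance utility: expected value minus a penalty on spread.
    risk_aversion == 0 reproduces a pure expected-value decision maker."""
    return expected_value(outcomes) - risk_aversion * std_dev(outcomes)


def choose(options: Dict[str, List[Outcome]], risk_aversion: float) -> str:
    """Name of the option with the highest mean-variance score."""
    return max(options, key=lambda n: mean_variance_score(options[n], risk_aversion))


if __name__ == "__main__":
    for name, outcomes in PAYOFFS.items():
        print(f"{name:14s} EV={expected_value(outcomes):7.2f}  "
              f"sd={std_dev(outcomes):6.2f}")
    for lam in (0.0, 0.5):
        print(f"risk_aversion={lam}: choose {choose(PAYOFFS, lam)}")
```

With these constructed numbers, self-insuring has the higher expected value (-22.5 against -25.0) but a standard deviation of roughly 55 against 0, so a risk-neutral chooser picks it and any positive risk-aversion weight flips the decision to the fixed premium. The penalty coefficient is the only knob that encodes "how risk averse are we", which is the question the speaker says our usual expected-value framing never asks.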
