Good morning everyone. This is my first time with a Mac, so if I mess up, apologies in advance. Now, first of all, thank you very much to BSides for the opportunity to speak. This is a topic that's near and dear to me. Why are we having this conversation? We're having this conversation because, first of all, BSides on the CFP had something like "interesting, sometimes of interest to you," and well, this fits the bill perfectly. Fundamentally, why are we talking about economics at a security conference? We're talking about economics here because it's my firm belief that understanding the economic reality of where security fits is essential for us to have any effect
as security professionals, right? We cannot just appeal to the better angels of people's nature; it just doesn't work, right? If we understand the economics behind it, it helps move our cause along. Also, it's interesting because once you understand economics, just some topics anyway, you start seeing them all over the place in security areas, and that's what this talk is about. Scott Adams, of Dilbert fame, referred to economics as having kind of a superpower, and it's somewhat true. Most of the topics for this came out of a massive online course I took earlier in the winter. Did anyone take the edX cyber security course?
Nope? Okay. Anyway, let's take a look at a couple of economic concepts and we'll see where they apply in security. A little bit about me: I'm a sales engineer. I just switched jobs; I'm now at a startup that does network security on the micro-segmentation side of the house. I've been around for a while, you can tell from the gray hair. I like to say that my degree now is old enough to drink, right? And I became very interested in finance and economics when I first bought a house, right? So way back when, a huge mortgage, what the heck is that, right? And then from there you start
going into finance, you start understanding how investments work and whatnot, and that led to an interest in economics overall. I mentioned edX earlier; I'm a fan of Coursera and I'm taking the data science specialization there, I'm almost wrapping up with that, so it's a great time to be a learner. So let's quickly talk about a few basic economic concepts and we'll go from there. Economics is broken down into two major fields, right? One of them you call macroeconomics, and macroeconomics is fundamentally the study of the economy at large. It's understanding interest rates, what's going to happen to the Canadian dollar now that Keystone was
rejected, I mean, that kind of conversation, right? It affects our pocketbooks when interest rates get set, it affects the health of the economy overall, but as far as security is concerned, it's not really a major factor for what we're talking about here. Microeconomics, though, is much more interesting. Microeconomics is the study of human interaction; it's the study of how we as individuals and as companies deal with scarce resources. Economics is fundamentally the study of scarcity, and it is built around the notion that we have individuals that are going to interact in a market. Those individuals will buy and sell different types of goods. There is, what we may
have heard of, the supply and demand of those particular goods, and it's interesting because microeconomics kind of assumes that individuals are rational and they're going to maximize their utility. They are going to do transactions in a way that's going to get them the best outcome that they want, right? That's fundamentally classical economics. And then there are a couple of interesting sub-areas to it: information economics being one, because information goods are different, and we'll see that later on, and also decision and game theory, right? You may have heard of game theory. Funny story about game theory is that one of the first courses I signed up for on Coursera was in game theory, and the
amount of people who signed up for that course thinking it was about video games was staggering. Anyway, those are two major areas, but there's a third area that's not really considered a third part of economics, but I think it's important enough that we should highlight it. It's called behavioral economics, and behavioral economics is a combination of microeconomics with psychology, with finance, with sociology, what have you, and it deals with the fact that, as it says, the bounded rationality of economic agents, which basically means that people are not rational and people make mistakes in predictable ways, and those ways represent themselves in the economic transactions you're going to be dealing with later on. This
gentleman here, Daniel Kahneman, won the Nobel Prize for his work in behavioral economics. He wrote a famous book called Thinking, Fast and Slow; I highly recommend it. Richard Thaler is the guy in the back there; he wrote a book called Nudge, again about how you can use behavioral economics to nudge people to do things. There was a very interesting talk at BSides here last year that Augusto Barros delivered on behavioral economics overall, so I recommend you go watch it, and I think Augusto is going to be here later on, so you can hit him up about it as well. But anyway, behavioral economics then deals with
these biases that we have and how they can affect what we do. Now, I talked about markets earlier, right? So what is a market? First of all, a market is more of a model than anything else. There's no perfect market, but if it did exist, you'd see that a market is where buyers and sellers interact to exchange goods, and in the market the price for a particular good is a signal, both to the buyer and to the seller, of whether you should be producing more of that good or you should be consuming more of that good, right? That's basic economics. Now, what happens is, again, the market is more
of a construct than anything else, and for a market to work as it's supposed to, there are many conditions that should hold, right? One of them is there should be a large enough number of people involved in the market. There's something called property rights; we'll talk about that in a second. There's something about information: people should know what they're buying and what they're selling, right? And again, the market expects humans to be rational, and so on. If those things don't happen, you get into what's called a market failure, and a market failure is not necessarily a stock market crash; a market failure is the market not behaving in the way you would expect it to.
If you don't have enough buyers and sellers in the market, what do you have? You get into what's called a monopoly, or a monopsony, which is when you don't have enough buyers. Why is a monopoly bad? Well, a monopoly is bad because it's inefficient to begin with, but also it means that price no longer functions as a good enough signal. And where do we have monopolies? And it's a rational expectation for someone to try to fix that. So let me throw an IT concept at you guys. Everyone here has heard of shadow IT, right? To what extent didn't shadow IT grow as a phenomenon in
our companies because of the monopoly of IT services provided by IT? Those services were considered too expensive; well, it's the rational expectation for users to go find an alternative, and that's why shadow IT grew, right? That's how economics applies to security. There are other concepts as well, so the notion of property rights. What do I mean by property rights? It's a phenomenon where, if you're doing a transaction in a market, you should pay the full cost of that transaction, or you should capture the full benefit of that transaction, and if you don't, you have what's basically called an externality. It means that you are not being told... let's say that you are producing a good; if it costs you X to
produce that good but the overall cost of that good to society is 5X, you don't know that; you're going to keep producing at X. So pollution is a perfect example of an externality. In security we have externalities as well. Why don't people care if their machines are infected? "I don't care, I mean, it's not going to affect me, I'm just going to re-image it," right? That's an externality. Other kinds of failures: if we don't have perfect information about the transaction, you get into what's called information asymmetry, and that's one of the key areas for security, because, as we will find later, security is something that you can't really evaluate. Security is more of a
latent construct, we call it, right? So security is something that you can't really measure, so it's difficult to know if something is truly secure or not, and that's a cornerstone of this area. Now, there are other things as well. If you don't have rational actors, you get into the biases; I spoke about behavioral economics earlier on. And there are other things: if you have, for example, very high transaction costs, it means the market doesn't behave as well, and you may get into scenarios like, for example, something that's called regulatory capture, which is when someone tries to use the rules of the market to kind of
monopolize it. And I'm just using an example, not naming names, but, I mean, I am: FireEye tried to do that earlier this year with that regulation about, hey, if you use FireEye you can now be certified so that you're not liable for particular cyber terrorism incidents. Anyway, that's an example of a market failure. You may have seen some of this before. This is a basic curve, right? You have a demand curve and you have a supply curve, and this is just an example to show that the price for a particular good is where the supply curve and the demand curve meet, and
they tend to meet at the point where it's called the marginal... so that in a well-functioning market the marginal cost for a good, how much it costs to produce that next good, matches the marginal demand, which is how much someone's willing to pay for that particular good, and that is where the price is: where the marginal cost meets the marginal demand. Why is this important? This is important because if you look at the typical marginal cost, it starts off very high when you're building a product, and then it sort of levels off, and then at some point when you run out of capacity it spikes up again, right? Except that this is the marginal cost for
a physical product. For a digital product it's different; a digital product behaves more like this: you start with a very high marginal cost, and the marginal cost tends towards zero as you have more quantity. It's just very easy to issue another CD, right, or the cost of a download, right? So this is fundamentally what people mean by "information wants to be free," right? It's the idea that the marginal cost for information goods trends towards zero or very low. So this means that information goods behave very differently. If information goods behave differently, what do I mean by this? They have very high fixed costs and very low marginal costs; we spoke about that already. It's
an economic reality that in that kind of market, the only rational way for a company to survive is to try to monopolize that market as fast as it can, and if it's going to monopolize that market as fast as it can, it means it's a market race, which means that there are things like first-mover advantage, there are things such as network effects, right, there are things such as the effect of appealing to complementary goods. Let me give you an example of that. Why did Microsoft win the desktop battle? Does anybody here remember seeing the Steve Ballmer video, "developers, developers, developers," right? He was absolutely right; that's an appeal to complementary goods. You're trying to get
your product out to the market as fast as you can, and you're trying to get other people to use your product so that your product is going to be the basis for an ecosystem. I venture to say that, for example, Microsoft did it extremely well. I venture to say that Splunk is doing that really well right now, with people building apps on top of Splunk. I would say that to some extent ThreatConnect, who's doing threat intelligence, is trying to do that as well: build the community around your product, right? And this is important because it means that if you are a security individual within an organization, you are not going to be able to stop this, right? Again,
it doesn't matter how much you want to appeal to people's sense of what should be done; this is how the market behaves, and if we don't recognize that, we are going to fall flat on our faces. The other concept I want to talk about was information asymmetry. Information asymmetry is the notion that you don't know the quality of what you're buying, right? And the typical example is a paper by George Akerlof in the early 70s called "The Market for Lemons." It's about used cars: if you don't know the quality of a used car, how much you're going to pay for that car is going to be different than if
you knew the quality of that car, which means that there's a tendency in the market for that price to drop. So if you are selling a good car, you're not going to accept a bad price for your good car, so you're going to step out of the market, which means that on aggregate the market is going to shift towards lower and lower and lower quality, right? This is something called adverse selection, and we see that in insurance all the time. How do you solve information asymmetry? There are two methods: one is called signaling, the other one is called
screening. Signaling is, as a buyer, you try to show that your product is good; that's when you say something like "certified," right, a 500-point, a thousand-point inspection, whatever. That is a signaling mechanism. And from the screening side of the house, you might ask your buyer to go through so many hoops to prove the quality. Anybody here has worked on RFPs before, right? Anybody feel that... anyway, that's why, right? Why do we go through RFPs? Because the buyer is trying to screen us because of an information asymmetry. So when you start looking at some of these concepts, you start seeing them applied in security all the time. Any one of
these topics now could be a whole lecture on its own, but software development and basically systems design, right? There's a tremendous information asymmetry, that you don't know if something is secure or not. There's a paper by Ross Anderson back in 2001 that pretty much launched the discipline of economics of information security, and if you can't tell that it's secure, it's not rational for a company to invest in the security for that product; they're going to invest the minimum necessary to get the job done, right? So it helps explain some of that. Also you start seeing the externalities that I mentioned earlier, right? Why did we have Heartbleed last year, right? Why, with
such an important library, why was there no more effort on that open library? Well, because everyone can free-ride on open source, right? Why is patching so prevalent now? Because it's not in the best interest... it's an economic incentive for a software vendor to say, "okay, I'll just issue a patch later." They're not paying for the cost of that patching operation, so this is just an example of an externality at play. This paper just came out this month; it's on the Google ecosystem, the Android ecosystem. It is a paper that was published at WEIS just a few months ago... sorry, this month,
that 88% of Android devices have been exposed to at least one major vulnerability out of the 11 that they looked at. Why is this? Because there's no economic incentive within that market transaction to do that patching, right? So this is just an example. Privacy is another area where we see a lot of impact of information economics. As an individual, how people say they want to behave with private information, how private they want to be, versus how they actually are, is a key area of security research on economics. Here is where those biases come into play. There's something called hyperbolic discounting, which means that that bias means that you value the
present a lot more than you value the future, even if the future should be significantly more valuable. This is an example of why people are going to click on stupid stuff all the time without thinking of the consequences. It's not that they are stupid; it's that they are human, right? And if we don't recognize that, if we build our systems expecting them to behave differently, we are going to fail. It's that simple, right? The other thing about privacy I think is important is the notion of capturing people's intent to pay. People want your private information not because they want to sell you better ads; they
want private information because they want to sell you their product at a different price. If they know that I'm willing to pay 200 bucks for something, and they know that you're willing to pay 300 bucks for something, if they are able to be in a monopoly situation, they will do that, right? And that's why privacy is important. Risk management is an area all on its own. I highly recommend people check out SIRA, the Society of Information Risk Analysts; they just had a conference back in early October. Now, the notion of security investments, where they play into economics: there are information
asymmetries at play here. One example of an information asymmetry that someone pointed out to me was in risk management. Let's say, and this was an example, that an audit came back with a high risk; a particular issue on an audit was rated high. Well, the individual that managed that group, they fought not to fix the vulnerability; they fought to move their vulnerability from a high to a medium. Why did they do that? Because the incentive at play was that medium vulnerabilities didn't get reported up the food chain, right? So that's an example of how information asymmetry affects the decisions that we take. Previous to my role in network security,
I was big into fraud, and this is a huge area for economics, right? Not only do you have the notion of incentives around credit card fraud and 3-D Secure, and the US finally just caught up with EMV for the chip cards, but market studies like the underground markets are extremely interesting from an economic scenario. The economics of the underground markets are an area of research on their own, and these markets have evolved extremely well. The reason they have evolved is something that's called, I mean, my theory anyway, something called the Red Queen hypothesis. It's the idea that if you don't evolve, you die, right? So these
markets have evolved, and it means that you, as a security professional, it may be better for you to understand the economics of how that market is behaving and try to stop that. To use an example, maybe it's easier instead, I mean, you do what you can to fix your infrastructure, but if you are worried about credit card fraud, maybe you stop the cash-out at the end as opposed to just worrying about the security up front, right? Security awareness, as you can expect, is another huge area for economics; behavioral economics plays a huge part here, right? How people should react to stuff is
going to depend on how we incentivize them. Like, I work in fails, and failure of incentives is something that pops up all the time; that's an example of it. But you also have that in just everyday life: if you're not incentivizing people to respond properly to security, they're not going to. The principal-agent problem pops up here as well. There was a controversy a couple of weeks ago: some very senior official in the US government was saying that they want to pull the clearances of anybody who falls for a phishing attempt. I'm not sure if anyone
saw that. There's some pushback against that, and I understand and I agree with some of the pushback, but you know what, that's not a bad idea. If you have a top secret security clearance, you should be able to respond to phishing much, much better, right? Maybe not the first phish, maybe not the second phish, but the 50th phish, yeah, sure. Here's an example of behavioral economics in action. Just now, Google pushed this out just a couple of weeks ago, and they made a change on how the browser reports mixed mode or poorly configured HTTPS. Why did
they do that? Before, it used to be that there were multiple states for how the browser was reporting SSL or a bad HTTPS; now they simplified it, right? Now there are only three. Why did they do that? Because they understand that the users are going to respond to the signals from that environment differently, okay? And I want to wrap up the examples with something that's near and dear to us: the security labor market itself. All of us here... someone was asking about who's looking for work, and very few of us are, which is a good thing, but fundamentally there are consequences to that as well, right? One of the things might be, what's the
opportunity cost of paying our salaries? It means that an organization may not be able to purchase the tools they want to purchase, and they may have to do with other things. Another consequence of that is that your vendors might have a bigger economic point of, "okay, let's automate to reduce head count." So once you start thinking in economic terms, it pops up all over the place. One thing I like is that I hope that understanding information asymmetry helps settle the question: should I get a certification or not, right? If you look at certification as a signaling mechanism, then you understand for yourself whether in your scenario it might be valuable or
not. What is a certification if not an intent to signal to your employer or potential employer that, hey, you care about the industry, you care about this area, right? By the same token, you should expect very weird and very nitty-gritty interview questions. Why is that? That's a screening mechanism at play, right? Your employer or your potential employer doesn't know if you're good or not, so how are they going to try to find out? They're going to try to screen you with stupid questions, and yeah, but again, it's not that people are stupid; it's the economic reality of why these things are happening. So that's the message I wanted to get across here: once we understand
the economic reality of things, the world becomes a lot more rational and we can function in that a lot better. So let's wrap up. We looked at a couple of key concepts here. We looked at what markets are and how a market can fail, and examples of market failures. I'm a huge believer that information asymmetry is a key concept for us to understand, and if I could... I'm not going to do a Steve Ballmer dance here, but if I could, instead of shouting "developers, developers, developers," I'd be shouting "incentives, incentives, incentives," right? Until we understand that, and until we can work those
into how we do our work, we're going to fail, right? Just a couple of key areas for us to consider: I think that user behavior, both for end users as consumers of security as well as end users as employees of your company, I think it's important. I think risk management is a key area for this, and then software development; we saw that already. I'll wrap up with a call to action. Number one, as consumers, as yourself, right: when you walk out of here, try to look at the transactions you do from an economic perspective. Why do you buy what you buy, right? What is advertising
trying to tell you? What incentives are being done to you? Buy this product because you're going to look cool; buy this product because it's going to save you time, right? As a citizen, we just went through the election not too long ago; understand the incentives at play for government. I mean, in economics there's a huge area of public choice theory and understanding how economics affects public policy, but understand the incentives at play. Why is someone offering you money, a particular benefit to you, in an election campaign? Think about it once you start thinking about the reality of economics. I'll go back to Scott Adams: he said that his idea was
to create a political party that was nothing but sound economics. It wouldn't do well, but it would be a rational party. And then finally, as professionals, right, what we're doing here: understand the right levers that you need to pull in your particular field, right? Publishing that report that has these vulnerability findings? Well, understand the incentives for addressing those findings or not. And then I'll leave you just with a comment: I presented the concept of an externality earlier on. An externality is when someone tells you to do something and the person who's telling you what should be done doesn't really pay the cost for that. Isn't that the perfect
description of what we do with security overall? And then we complain that users don't follow our policies. Well, I'm here to tell you that the reality of it is, users not following those instructions is perfectly rational from an economic sense, and we'll get better at our jobs once we understand that and work that into our conversations. Thank you very much. I'll have the slides up.
The slides will be up on SlideShare. Yes sir? I think so.
I'm sorry, I didn't quite get the middle part.
So the question was if we can combine the human understanding of human hacking with the economic behavior, and the answer is absolutely, right? I'll have in the slide notes later on some more references for sites and things like that, but there is a very interesting project coming out of Norway called the Security Culture Framework that Kai Roer runs, and that talks to some extent about how culture affects security, and we can mix economics into that as well. And it seems like I have another question. So Thinking, Fast and Slow is an interesting book because it describes how people have two systems, called system one and system two, and system one...
I'll get this wrong now; Augusto's not here, if he can help me out, or anybody else. So psychologically you have two systems: you have something that thinks about what you're going to be doing, and you have things that react much more instinctively, right? And the interplay between those two systems, called system one and system two, means that you can only dedicate so much effort to one, and if you try to tax the user with too much, I believe it's system two thinking, the user will at some point start reacting with their system one, which is their instinctive stuff. Let me give you a very practical example. You give the user a warning,
a big, big warning saying, hey, you have to read all the security policy and whatnot, and the user has a deadline right there; they just want to get through. Okay, they'll click OK without thinking for a second, right? Fast or slow. So the idea here is that, absolutely. So Daniel Kahneman is a good source for this. You also have other writers; actually, if you want to look at system one and system two, there is a post by Gunnar Peterson where he wrote "Security Fast and Slow." I'll put it up in the links on the presentation later. If you search for Gunnar Peterson, G-U-N-N-A-R,
and system one, system two, I think you'll find it, but I'll put it up. Any other questions? Sorry, go
ahead. Right, so isn't it a contradiction, and what is... I wouldn't say that. So the comment was that a monopoly is bad, and then that the rational response for companies is to monopolize, and this being a contradiction. I wouldn't call it as much a contradiction as that there are different points of view. It means that for the market itself it's better if there is no monopoly; for you as a consumer it's better if there's no monopoly; but for a company, especially a company dealing in information goods, it is very much in their interest to become a monopoly, and it's the rational response, becoming a monopoly, if that is the only way a
company can survive in that market where the marginal cost is going to tend towards zero. So I wouldn't call it necessarily a contradiction. Yes sir?
How do we create better economic incentives for security in the IoT space? I'll take a pass now... let's work this; I'll do the consulting after. It depends, really. This is a big conversation, and I think that it will come back to who we are trying to incentivize: are we trying to incentivize the users to think about security, are we trying to incentivize the vendors to think about security, are we trying to incentivize a regulator to think about security? On that note, in terms of multi-party talks, there is a very good effort, for example, by Allan Friedman in the US government about how to have multi-party talks in
terms of vulnerability disclosure. I would say we could use that as a model for this kind of conversation. Also for IoT security, the work that OpenDNS was doing, that Andrew Hay and Mark Nunnikhoven put out earlier this year, was very interesting on security as well. Thank you very much everybody; it's an honor to be here.