June 1-3, 2005
Kennedy
Investment in Security (Larry Gordon)
Pei-yu Chen, Gaurav Kataria and Ramayya Krishnan, "Software Diversity for Information Security"
Anindya Ghose, Arun Sundararajan, "Pricing Security Software: Theory and Evidence"
Responses to Security Failure (Stuart Schechter)
Jennifer S. Granick, "Faking It: Criminal Sanctions and the Cost of Computer Intrusions"
Tyler Moore, "Countering Hidden-Action Attacks on Networked Systems"
Yooki Park and Suzanne Scotchmer, "Digital Rights Management and the Pricing of Digital Products"
Andrei Serjantov and Richard Clayton, "Modeling Incentives for Email Blocking Strategies"
Incentive Modeling (Rahul Telang)
Rainer Böhme, "Cyber-Insurance Revisited"
Experiments & Field Studies (Alessandro Acquisti)
Luc Wathieu and Allan Friedman, "An Empirical Approach to Understanding Privacy Valuation"
Bernardo A. Huberman, Eytan Adar and Leslie R. Fine, "Valuating Privacy"
Alessandro Acquisti and Jens Grossklags, "Uncertainty, Ambiguity and Privacy"
Rachel Greenstadt and Michael D. Smith, "Protecting Personal Information: Obstacles and Directions"
Vulnerabilities (Huseyin Cavusoglu)
Investment as a function of expert models that have uncertainty
Expand existing model (Longstaff)
Vary the intrusion rates (original at 2/year)
New: 20% chance of increase to 10/year
Model specs
Poisson distr
Output: benefit/cost ratio
Results – appears to be two overlapping Poissons; fairly simple
Don’t want to average the values, since it hides details
Experts are relieved to disclose uncertainty
MC techniques are useful
Understand extreme events
Q: using more complexity?
A: Apply it to graphical models – use lower level, capture at network topology
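The expanded model above can be sketched as a small Monte Carlo run. Only the intrusion rates (2/year, with a 20% chance of 10/year) come from the talk; the loss, cost, and effectiveness numbers below are invented for illustration:

```python
import math
import random

random.seed(0)

LOSS_PER_INTRUSION = 50_000   # hypothetical loss per incident
INVESTMENT_COST = 60_000      # hypothetical annual security spend
EFFECTIVENESS = 0.8           # fraction of intrusions prevented (assumed)

def sample_rate():
    # Expert model: base rate 2/year, but 20% chance it rises to 10/year
    return 10.0 if random.random() < 0.20 else 2.0

def poisson(lam):
    # Knuth's multiplicative method for one Poisson draw
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= random.random()
        if p <= limit:
            return k
        k += 1

ratios = []
for _ in range(20_000):
    n = poisson(sample_rate())          # intrusions this year
    benefit = EFFECTIVENESS * n * LOSS_PER_INTRUSION
    ratios.append(benefit / INVESTMENT_COST)

mean_ratio = sum(ratios) / len(ratios)
print(f"mean benefit/cost ratio: {mean_ratio:.2f}")
```

Plotting the full histogram of `ratios` rather than the mean shows the two overlapping Poisson humps, which is exactly why the speaker warns against averaging the values.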
Tik-rant (CMU)
Diversity not new to security
Correlation failure
Promoting diversity inside a single firm/entity
How to introduce diversity?
Choose a different product
Different builds with different components (Mime handler in email clients)
Sensor nets with small enough OS that multiple OS in ROM
Diversity modeled as % of SW in a duopoly system
Correlated failure – beta-binomial distribution (dependent Bernoullis)
Loss from attack is downtime → measure mean time to recover
Security investment tradeoffs
Model of correlated failures
Prob that a fraction will fail
Expected attack
Correlation
Costs
IT modeled as service queue (constrained)
Recovery time modeled as M/G/1 queue
M: poisson attack
G: service time – increasing in number of nodes
Service capacity is a fn of capability and %
1: [missed]
Attacks are a poisson process, with arrival assuming economies of scale
Computation using P-K mean formula
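The P-K mean computation is essentially one line; the parameter values below are placeholders, not the paper's calibration:

```python
# Pollaczek-Khinchine mean waiting time for an M/G/1 repair queue.
lam = 0.5          # attack arrival rate (Poisson), attacks per day (assumed)
ES = 1.0           # mean service (repair) time per compromised node (assumed)
ES2 = 2.0          # second moment of service time (exponential: 2*ES^2)

rho = lam * ES                     # server utilization, must be < 1
Wq = lam * ES2 / (2 * (1 - rho))   # P-K mean wait in queue
W = Wq + ES                        # mean time to recover = wait + repair
print(f"utilization={rho:.2f}, mean time to recover={W:.2f}")
```

Because service time grows with the number of nodes running the attacked software, utilization (and thus recovery time) rises nonlinearly with a monoculture share.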
Results
Curvilinear relationship with diversity: better to have diversity, than all with the most vulnerable SW
Diversity is good, even when
Future works
Game theory: each agent decides which to choose
→ draw from ABM!
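The correlated-failure piece can be simulated directly. The beta-binomial structure matches the model above; the Beta prior, node count, and squared-loss proxy for convex downtime cost are my assumptions:

```python
import random

random.seed(1)

N = 100          # nodes in the firm (assumed)
A, B = 2.0, 8.0  # Beta(2, 8) prior on per-attack failure prob (assumed)

def expected_loss(share_a, trials=20_000):
    """Mean squared fraction of nodes down per attack; squaring proxies
    convex downtime costs such as queueing delay."""
    n_a = int(N * share_a)
    total = 0.0
    for _ in range(trials):
        # each attack targets one product, in proportion to its share;
        # failures of that product's nodes are dependent Bernoullis,
        # i.e. a beta-binomial draw
        n = n_a if random.random() < share_a else N - n_a
        q = random.betavariate(A, B)
        down = sum(1 for _ in range(n) if random.random() < q)
        total += (down / N) ** 2
    return total / trials

mono = expected_loss(1.0)    # everyone runs the same software
split = expected_loss(0.5)   # 50/50 duopoly
print(f"monoculture loss={mono:.4f}, 50/50 split={split:.4f}")
```

The split firm's loss is markedly lower because no single attack can take down more than half the nodes, echoing the curvilinear diversity result.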
Richard: Economies of scale in having one-system shops (non-homogeneous queue)
A: …
C: Cost of service might be the same for either software
Bruce: Added complexity is the number of choices to make
C: Interoperability costs
Q: Economies of scale in types of attacks (old attacks are easier to solve)
Susan: What is the right metric of diversity?
A: Collecting lists of real-world products, libraries, etc
Can use the vulnerabilities to determine shared code base
A: define diversity as shared vulnerability
Horizontally bundling SW components to build theory
Gather panel data of SW demand and pricing
Data from amazon & buy.com (direct consumer purchases)
Hidden market for security (gmail spam filter, windows firewall, etc)
Prior work
Bundling can suppress innovation (deter entry)
Unique features of security SW
Sometimes free substitutes → demand side effect of consumers not interested in paying for some features
Anti-spam filter in gmail, outlook express
XP is bundled with filter
Firefox!
Vendor costs of security updates → cost side effect of higher variable costs
Virus defs, spam arms race
Theory results:
Mixed bundling is optimal, relative to pure bundling or components
Model of firm producing two SW components
Choose innovation strategy
Pricing strategy
Fixed cost: development of quality level s
Variable costs – updates
Consumer model
Parameter x b/n 0 & 1
U(I) = s(1-x), U(II) = 1 - s(1-x)
Some proportion r have a substitute for I or II
Market Segmentation
1: pay for both
2-3: pay for 1, not the other
4: won’t pay for either
Optimization strategies
Pure component pricing
Pure bundling
Mixed bundling
Results
Mixed bundling is best if some consumers get a product for free
Random participation independent of customers' preferences leads to different pricing
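The three pricing strategies can be compared on a toy market. The uniform tastes, the fraction R with a free substitute, and the price grid are all assumptions for illustration, not the paper's calibration:

```python
# Toy market: tastes x ~ U[0,1]; valuations echo the notes' U(I), U(II);
# a fraction R of consumers has a free substitute for component I.
GRID = [i / 10 for i in range(11)] + [99.0]   # 99.0 means "not offered"
R = 0.3
XS = [i / 200 for i in range(200)]

def profit(p1, p2, pb):
    total = 0.0
    for x in XS:
        for has_free, w in ((True, R), (False, 1 - R)):
            v1 = 0.0 if has_free else x   # free substitute kills WTP for I
            v2 = 1 - x
            # (surplus, revenue) of each purchase option; the consumer
            # picks the surplus-maximizing one, no-purchase included
            options = [(0.0, 0.0),
                       (v1 - p1, p1),
                       (v2 - p2, p2),
                       (v1 + v2 - p1 - p2, p1 + p2),
                       (v1 + v2 - pb, pb)]
            surplus, revenue = max(options)
            total += w * revenue
    return total / len(XS)

components = max(profit(p1, p2, 99.0) for p1 in GRID for p2 in GRID)
bundle = max(profit(99.0, 99.0, pb) for pb in GRID)
mixed = max(profit(p1, p2, pb) for p1 in GRID
            for p2 in GRID for pb in GRID)
print(f"components={components:.3f} bundle={bundle:.3f} mixed={mixed:.3f}")
```

Mixed bundling weakly dominates by construction here, since its price space nests both pure strategies; the paper's theory result is the stronger claim that the dominance is strict when some consumers get a component for free.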
Data
Examined popular titles across utilities: price, salesrank, release date, rebate terms, customer ratings
Since there is no demand data
Previous: use sales rank
Now: sales rank + price info
Markup: Hausman (1994) use of Lerner index
Results
Cannibalization vs. market expansion
Q: How to infer r from data?
A: talking with a firm that has data on hidden prefs
Q: Why uniform distribution?
A: Tried normal, but the underlying idea is the 4 market segments: changing the distribution makes the segments non-symmetric
Huh. Can you use this model to show that free security software would actually reduce social utility from security consumption?
Q: what makes security SW different?
A: Variable mfr costs for updates
Q: Is that just trying to capture the whole market for the monopoly?
Q: Anti-trust and social utility calculations
A: Effects of bundling on entry and innovation have been studied → bad for society
We found that it can increase innovation → good
Regulating prices: change the market dynamic
Claim: DoS attacks have a lasting effect, beyond short run impact of no business
Possible explanations
Do they like alternative sites less?
Do users become locked in to competitors?
BUT – question of preferences or switching costs?
Lost future revenue can be larger than attack-damage
Attack damage
Visits lost from 1-2 million
Data – every website visited by 2,651 households from Dec 27, 1999 to March 31, 2000
Treatment – people who tried to access a site during attack, and didn’t
Presence in treatment group is stochastically determined
Read about this
Control
Difference-in-differences: before/after, treat/control
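The difference-in-differences estimator reduces to simple arithmetic on the four group means. The visit counts below are illustrative numbers, not the paper's data:

```python
# DiD on hypothetical mean visit counts per household.
treat_before, treat_after = 10.0, 9.0    # tried the site during the attack
ctrl_before, ctrl_after = 10.0, 10.5     # did not

# subtract the control group's trend from the treatment group's change
did = (treat_after - treat_before) - (ctrl_after - ctrl_before)
print(f"DiD estimate of the attack effect: {did:+.1f} visits")
```

The control group's change nets out anything that happened to all users over the period, leaving only the effect attributable to hitting the attacked site.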
Short run results - day 1: -3.9% for yahoo, -5% for amazon, etc
Switching costs – debate in field about whether switching costs are high or low online
Experiment: look at alternate site visited during attack
Q: does MSN benefit disproportionately?
Raw data says that visited site benefits more than others
Basic effect: Yahoo lost 6.2 million, but rivals only got 4.9 million → 2.2 million switching costs
No sig effect from CNN – (NOTE – different from paper)
Probit: sig, pos effect of visiting other sites after yahoo
Segmentation
Effect not different b/n heavy and light users
BUT – heavy users are less likely to switch
Caveats: short-run, not available for a short time,
Q: lost vs. deferred sales
A: At the margin, there is some permanent switching, which indicates changed habits → lost sale
Q: Change the home page?
A: Little evidence
Q: Any info about marketing from firms trying to get visitors back?
A: PR, but no advertising
Q: Any evidence about whether the extortion prices are high enough?
A: Little
Bruce: extortion works, and they seem to be farming the field well (not repeated vig)
Hal: Similar to airline crashes
Two week effect on ticket sales, no effect on stock prices
C: BUT – airlines are insured
Q: What are the predictive powers? Will the next attack produce similar results?
A: Broadband is different
Computer crimes statute: 18 USC 1030
Access without authorization main aspect
(a)(5) – damage AND $5k loss or special harm
Sentencing – base level, add or subtract based on circumstances
Dollar amount of loss
Higher damage → greater incentive to plea bargain
Damage is highly variable in a single attack
Attacks that were personally invasive → not as much loss
Trivial damage for user accounts vs. huge damage for web page defacement
Victim has tremendous power to affect the prosecution and sentence
Some losses that shouldn’t be counted against defendant
Forensic investigation, worries about reputation
BUT – they are being counted
System of victims tallying damages
Little scrutiny of these damage reports
Non-pecuniary harm is hard to measure
Example: Attacker sees Solaris
Sun says that Solaris was a secret, viewing it = no secret → loss = full value of Solaris
Defense says that no actual harm to Sun → no harm
Victim determines damage info by actions based on exogenous costs
C: insurance loss adjusters provide a balancing effect
- As insurance becomes more common, can leverage this
Q: What about stock value changes?
Hidden action attacks – inability of observation promotes certain features
Econ – moral hazard
Soln: contracts, side payments
On computer networks
Routers dropping packets
Free-riding on P2P networks
Problem w/ side payments
Assumed immutable network
Complex to implement
Social capital facilitates credible transactions
Threat of punishment w/ enforcement
Centralized: trusted, external mediator
Decentralized - social
Resource allocation mechs
Markets
Communitarian (e.g. Grameen): small groups, cheap monitoring
Embedded in social network!!!!
Exploiting social capital to increase observation
Topology – limit transaction to a small group, repeated interactions
P2P can’t use mutual enforcement
No repeated interactions, not far-sighted nodes, can’t punish deviation
Build locality
Not sure that trust is derived by network topology itself
Observability through networks vs. identifiers
Too much flexibility is bad because it undercuts sales
Too little flexibility makes unhappy customers
[I had to get some work done during this talk]
DRM sets the cost of circumvention, but doesn’t protect it
Assumptions: content is free, but the ability to “render” it is protected
Business model: who sells the ability to render
Wholly owned subsidiary of vendors
Model:
Strength of protection e = cost of circumvention
K(e) = cost of protection
Price is constrained by the level of protection (if too expensive to attack → buy)
By reducing level of protection, reduces cost, but doesn’t hurt revenue (monopoly pricing)
DRM may increase profit and consumer welfare
Equal revenue, less DWL
Model holds for duopoly, oligopoly
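The pricing logic above can be made concrete with assumed functional forms. Demand D(p) = 1 - p and protection cost K(e) = 0.2e are my stand-ins; the constraint p ≤ e (price capped by the cost of circumvention) is the mechanism described in the talk:

```python
def profit(e):
    # price is capped by the circumvention cost e; 0.5 is the
    # unconstrained monopoly price for demand D(p) = 1 - p
    p = min(0.5, e)
    return p * (1 - p) - 0.2 * e   # revenue minus protection cost K(e)

levels = [i / 100 for i in range(101)]
best_e = max(levels, key=profit)
print(f"optimal protection level e = {best_e}")
```

Protection beyond the monopoly price is pure waste (profit(0.5) > profit(1.0)), and because protection itself is costly the vendor here even stops short of it, echoing the point that reducing protection cuts cost without hurting revenue.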
Will vendors make the optimal choice to share a DRM system
Vendors want to raise price
Cost sharing and independent pricing – can we avoid collusion?
Technology itself gives vendors the opportunity to set a single price (preferred)
Claim: cost-sharing itself can be collusive
Increasing revenue share also increases the % of cost borne by firm
Demand-based cost-sharing is even worse
Many issues for any regulators to consider
Privacy!
Naked collusion can be decent for social welfare
Q: Root of assumption of non-mappable but breakable DRM?
A: Interested in non-detectable, cost-based approach
Email goes out via ISP smart-hosts
Admin’d in a very ad-hoc fashion
Blacklists identify sources of spam
Ad-hoc and not authoritative
Utility of ISP is a fn of connectivity
Ability to send email to others
NOT ability to receive email from others
Implications of model
V is estimated → guard your reputation
Dictionary attacks affect large ISPs more (more clients who see them!)
Tit-for-tat blocking works
Data - Outgoing mail from UK ISP
82,000 customers, 25 million emails
378,000 MX servers BUT 240,000 only used once
Scale free distributions of outgoing emails
2601 sites > 100 customers sending to them → too many for complaint dept
Incoming email
14 days of incoming email, 55.6 million emails
66.5% categorized as spam
13,378 sending AS
Some sources send mainly spam, but a few a day that aren’t
Large volumes of spam accompanied by large volumes of good email
Fast response – variable behavior of ISP
Q: in retrospect, would you have written the RFC to use the bouncing message?
A: Implementation issues
Q: reputation systems?
A: yes, but attackable
Q: What is an acceptable amount of spam?
A: Econ approach says that spam sells goods → social welfare
100/week was bad in 1997, now get 100/day through the filters
Q: Sharing what is spam?
A: grouping filters create an incentive to subvert them. Personal filters diminish this.
Fully secure software not likely
Although: 95% of vulnerabilities can be handled with up-to-date patches
Disclosure of vulnerabilities (necessary to create patch)
Publicize immediately – transparency, incentives to patch fast, allow vulnerable firms to take intermediate steps
Vendor disclosure - secrecy
Hybrid
CERT sets 45 day grace period, OIS sets 30-day grace period
Security firms follow their own guidelines
Lack of a clear process creates chaos
Problems with some model assumptions
Hackers can’t find vulnerabilities before benign users
Vulnerable systems attacked instantly
No change in attack rate before and after disclosure
Subjective advantages
Transfer of risk
Manageability – constant transfers
Quantification
Social advantages
Incentives to innovate – lower premiums
Incentives to implement
Insurance firms fund infosec research
Immature market
AIG has about 70% of market
Very low value
High risks
Why is it immature?
Liability is unsolved
New risks lack actual data
BUT – early satellites, etc get insurance
High probability of loss
BUT – can insure almost anything
Difficult to substantiate claims
Cyber-risks are accumulated risks
Concentration causes correlation
Liability & quality
Predicted in markets
Monopoly can reduce this
Argument: concentrated systems → clustered risk
Insurance model
Calculate premiums
Indemnity model
Individual risk model
Supply-side model
Expected-value + a safety loading
Need to minimize the probability of total firm ruin
Single-factor model (supply)
Vary correlation rho while keeping expected value constant
As correlation increases, move towards a bimodal distribution of losses
Second, smaller hump is ruinous
Two state model comparing insurance and no insurance model (demand)
Introduce risk-averse utility fn (CRRA)
Use utility function to calculate maximum premium
Results - Numerical calculation of maximum correlation as a fn of risk of loss and risk aversion
No problem for: high risk, high risk aversion
Problem for: small expected losses
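The single-factor effect can be reproduced with a small simulation. The common-shock construction, firm count, and loss probability are assumptions; the point it illustrates (bimodal losses and a fat tail as correlation rises, with the marginal loss probability held fixed) is the talk's:

```python
import random

random.seed(3)

N = 50      # insured firms (assumed)
P = 0.2     # marginal loss probability per firm (assumed)

def simulate(rho, trials=20_000):
    """Single-factor model: with prob rho a firm copies a common shock,
    otherwise it draws independently.  Marginal loss prob stays P."""
    totals = []
    for _ in range(trials):
        common = random.random() < P
        k = 0
        for _ in range(N):
            if random.random() < rho:
                k += common
            else:
                k += random.random() < P
        totals.append(k)
    return sorted(totals)

def p99(totals):
    return totals[int(0.99 * len(totals))]

indep, corr = simulate(0.0), simulate(0.9)
print(f"rho=0.0: mean={sum(indep)/len(indep):.1f}, 99th pct={p99(indep)}")
print(f"rho=0.9: mean={sum(corr)/len(corr):.1f}, 99th pct={p99(corr)}")
```

The means match, but at high rho the loss distribution splits into two humps (almost nobody fails, or almost everybody does); the second, smaller hump is the ruinous one for the insurer.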
Use alternate systems as a mechanism for diversity
There is always a minimum value for diversification below which it’s better to go with just one system
Market barrier for diversification
This is a very cool result
“A trusted component or system is one which you can insure” – Ross Anderson (1994)
Q: What about reinsurance?
A: Not too good for cyberinsurance, since correlation of risk is global—can’t diversify out of it.
Q: What about catastrophe bonds?
A: Not sure, but it is illiquid and low-volume market
Discussion of the history of problem
Problem – security
Isn’t just a technical problem
Security is a market failure
Imperfect information
Externalities
Risk management market solutions
Avoid the risk - unplug
Mitigate the risk – part of current security
Retain risk – self-insurance (gambling)
Transfer risk via outsourcing
Do it via insurance product
Problems with traditional insurance
Current cyber-insurance practices
Compare three products
Exclusions discussed
Their prior work – talk about an ideal world comparing welfare
Example – DOS attack of 2000
Calculate premium
Real world has issues
Adverse Selection → partial insurance
Soln: detailed questionnaire
Baseline security analysis
Moral Hazard
Policies have provisions to prevent this
Take-aways
Econ models can demonstrate increased social welfare
In practice, there are still issues
BUT – should still move in this direction
Q: Any data on payouts?
A: Insurance companies guard payout data very closely, as a trade secret
Ross: Lloyd's insured in the 1980s for a very low premium, no payouts. One attack in the early 90s; they just doubled the premium
Tighter integration w/ supply chain → greater risk from cyber events
Role of market adoption in security
Research question – how do firms make investment decisions?
Big companies vs. small companies
Method – start with host company, move up supply chain
Ask about security practices
Look at tightness of supply chain
Results
Baseline of input from trusted colleagues, external consultants, trade mags
Infosec manager first from cost, then from exposure
Risk analysis from probabilities is pretty nebulous
Varying dependence on information infrastructure vs. phone/fax/fedex
Large firm: high volume plants have pre-loaded pipeline, low volume plants not as much
Very few infosec problems
Probably too low – if no viruses at all, are they over-invested?
Take-aways
It’s my paper! Read it! Cite it!
We show through an experiment that consumers are capable of registering privacy concerns even when the harms from information sharing are not entirely obvious.
Want to know what determines how much data is worth to people, and why
Problems with data-collection studies
Selection bias
Unverifiable
Approach: introduce reward and cost
Hypothesis – the further people are from the mean → the more they demand for private info
Don’t use identifiers, since that’s just a decision to give or not
Experiment
Put people around table
Second price auction for weight, age, GPA
Collected data from all people
Data collected in survey
Sanity check to make sure people understand reverse 2nd price auctions
Perception of deviance
Familiarity with people in the room
Simulated, how much would you want, etc
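The payment rule of the reverse second-price auction used in the experiment is easy to sketch. Names and asks below are made up:

```python
# Reverse (procurement) second-price auction: the lowest ask wins and is
# paid the second-lowest ask, so stating one's true reservation price
# for revealing the data is the dominant strategy.
asks = {"alice": 12.0, "bob": 7.5, "carol": 9.0}  # WTA for revealing weight

winner = min(asks, key=asks.get)       # lowest ask sells
payment = sorted(asks.values())[1]     # but at the second-lowest price
print(f"{winner} reveals her data and is paid {payment}")
```

Because the payment does not depend on the winner's own ask, shading the ask can only cost a profitable sale, which is what the sanity-check questions above verify subjects understand.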
Results
General u-shape for actual weight
BUT – perception of weight is more of a linear relation
Deviation from mean isn’t quite right – it’s the desirable properties of the data.
Gender
Men have slightly higher prices in single sex, women in mixed
BUT – gender itself isn’t sig
Privacy is correlated with price in bid
Observations
Auctions are cheap
Normalization is key – use BMI, not weight
International comparisons
Summary
Not just obvious!
Possible to get data
Quality != security
Security breaches are expensive, but not clear that there is strong incentives
Anecdotal → Firefox
In non-SW industry, vendors lose value with flawed product
BUT – no direct liability, frequent vulnerability announcement,
Data – popular press of data vulnerabilities & CERT
Exclude: non-daily, duplicates, etc
Note “serious”
Note effect of vulnerability
Classify
148 data points on 18 firms
Event study: look for deviations from predicted returns
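The market-model event-study mechanics can be sketched on synthetic returns. The alpha, beta, noise levels, and the injected event-day drop are all invented; real studies use daily stock and index returns around the announcement:

```python
import random

random.seed(4)

# synthetic daily returns: 100-day estimation window + 20-day event window
market = [random.gauss(0.0005, 0.01) for _ in range(120)]
stock = [0.0002 + 1.2 * m + random.gauss(0, 0.005) for m in market]
stock[118] -= 0.03              # inject a drop on the "announcement" day

# OLS fit of the market model r_stock = alpha + beta * r_market
est_m, est_s = market[:100], stock[:100]
mbar, sbar = sum(est_m) / 100, sum(est_s) / 100
beta = (sum((m - mbar) * (s - sbar) for m, s in zip(est_m, est_s))
        / sum((m - mbar) ** 2 for m in est_m))
alpha = sbar - beta * mbar

# abnormal return = actual minus market-model prediction
abnormal = [s - (alpha + beta * m) for s, m in zip(stock[100:], market[100:])]
print(f"beta={beta:.2f}, abnormal return on event day={abnormal[18]:+.3f}")
```

Testing whether such abnormal returns are significantly negative in the days after the announcement is exactly the deviation-from-predicted-returns check described above.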
Results
Abnormal returns are negative and sig for 2 days after event
Regression: non-availability of the patch is important
DoS is bad
Serious is bad
Does not matter whether firm itself discovered the vulnerability
Q: Is R-squared high enough?
R-squared should be horrible
A: Yes, for these studies.
Q: If the effect of a vulnerability is real, then do many vulnerabilities wipe out the firm's value?
A: But there are other things that affect stock value.
Q: What about rivals? Should their stock go up?
A: Hard to identify rivals.
(CMU)
Consumers care about privacy
Privacy defined as inappropriate use of data
Regimes of privacy: caveat emptor, mandatory standards, seal-of-approval
Model – game theory with asymmetric info
Monopolistic retailer with costs of maintaining privacy (infosec, opportunity cost)
Has to choose a price
Has to protect privacy or not
Seal: join seal program, pay membership, violators incur cost M with prob alpha
Can separate low-protection cost retailer from high protection if cost is high enough
L-type agents charge lower prices
Separating equilibrium
Caveat emptor – pooling equilibrium – lemons market
Mandatory standards
Different type of retailers charge different prices b/c of different costs
What is the motivation for stage one, with competing firms having different costs of protection?
Conclusions
Seals can lead to equilibrium
Future directions
P3P to lower costs
Signaling with branding
Open with example
Risk vs. uncertainty
Risk – possible random outcomes with known probabilities
Uncertainties – known events, unknown probabilities
Ignorance – nothing known
While expected utility models assume probabilities exist, real world may be too complex
Ambiguity & utility max
Expected utility of lottery has to be higher than fixed amount
Is privacy a risk or an ambiguity?
Information asymmetry: from owner about info, and collector about its value
Reversed asymmetry as time passes
Models of privacy decision-making should be based on incomplete information
Identification of other identities, intentional barriers, etc
Question: how is individual decision-making affected by ambiguity and risk
Data – based on survey of CMU students
Basic WTA prices follow an S curve
WTA is higher than expected loss
Highest value of SSN
Also indicates financial harms
Conclusions
Interesting implications on experimental design
Marketers can use instruments to get personal information
IT increases data collection / storage / mining ability
Policy models to protect privacy – self reg, gov reg, 3rd party, markets
Framework: Approaches to privacy must deal with
Decision-making – who decides
Negotiation – How is agreement reached?
Bundling – question of resale and reuse
Enforcement – prevention, punishment, transparency,
Go through each mode, apply framework
Self-regulation: privacy policies
Decision: No incentives for good policies
Negotiation: bad signal
Enforcement: consumer reputation is not as important as B2B
Gov Regulation: gov handles all three aspects
Decision: gov is NOT a disinterested third party
Third party regulation – replace gov’t with other party
Seals get captured, lose value
Markets – central authority
Decision-making – people can still make bad decisions
Without good negotiation and enforcement, information markets are the same as self-regulation
Other issues – institutionalization
Friction of implementing system, entrenched status quo
Ambiguity makes policies bad
Ultimately, need enforcement
Regulation is the best interim model
Research agenda
Important approach – framework examining decisions, negotiation, enforcement
Surveys aren’t great for getting value of privacy
Individuals face uncertainty for benefits, harms
Goal – construct utility curve for privacy decisions
Experiment
Goal is to get the most fake money – maximize good things, minimize bad things
Payoff matrix reflects possibilities of harm and benefit
Experiment 1 – find a job on resume
Known probabilities of harms, losses
Rewards based on rank in a distribution
Chance to buy insurance
Result → cheaper insurance was purchased more than expensive insurance
“Legislation introduced” → they trusted the legislation
Moving towards an automated environment – internet use
Conditions of malicious activity, law enforcement,
Use dropped with increase in activity, even with law enforcement
C: Survey data has been consistent.
C: People are perplexed by difference between attitude and behavior, but this is actually common psychology
- i.e. weight loss, etc.
A: Ok, but we still want to get the value. Elasticity of demand, etc
Encryption gives protection, but they have to infer. How much??
Q: If game only privileges
Q: Privacy as a principle-agent problem. Hard to determine source of harm, pinpoint that. Can’t trace the source to either
Ann and Joan then have a famous debate.
Focus of existing research
Vendor decisions
Coordinator – disclosure policies, market for vulnerabilities
User’s decision to patch
Motives for public disclosure
Signaling abilities
Warning other users
Putting pressure on the vendor
→ Benign users are minimizing expected loss
Build model of white hats and black hats, choosing whether or not to disclose
Result: Can produce a mixed equilibrium with benign actors disclosing with some prob
Early results: Full disclosure occurs more often as
Bugs are easier to discover
Less myopic
More Blackhats
Harder to develop an exploit from disclosed info
BUT – pop size is ambiguous
Social welfare analysis
Any patch released will be reverse engineered, and generates a social threat
Response to Eric Rescorla’s WEIS2004 paper
Social value to hunt for vulnerabilities
Motivate vendors
More secure software
Find them before bad guys
Rescorla: use reliability growth model on ICAT data
No evidence that number of vulnerabilities is decreasing
Pool is large enough that bad guys finding things before good guys is small
Users don’t patch
Concl: vuln hunting doesn’t increase product quality
Problems of ICAT data
Birth date inaccurate because of earlier versions
Death date may be flawed
Not comprehensive
Better data: use CVS to obtain OpenBSD 2.2 data set
CVS keeps exact date of entry to code creation
Security-focused development team
→ 44 vulns in a 30-month period
39 came from before v2.2
Analysis – look for a good fit
Discrete SR model
Yamada S-shaped model
Not conclusive, since can fit a model that doesn’t indicate
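The fitting step looks roughly like this. I use the simpler Goel-Okumoto mean value function m(t) = a(1 - e^(-bt)) rather than the Yamada S-shaped variant, and the cumulative counts are synthetic stand-ins for the 44 OpenBSD vulnerabilities over 30 months:

```python
import math

# synthetic cumulative counts generated from a = 44, b = 0.08
months = list(range(1, 31))
cum_vulns = [round(44 * (1 - math.exp(-0.08 * t))) for t in months]

def sse(a, b):
    # squared error of the Goel-Okumoto curve a*(1 - e^(-b*t))
    return sum((c - a * (1 - math.exp(-b * t))) ** 2
               for t, c in zip(months, cum_vulns))

# grid search over the vulnerability pool size a and discovery rate b
best_a, best_b = min(((a, b) for a in range(30, 80)
                      for b in [i / 500 for i in range(1, 101)]),
                     key=lambda ab: sse(*ab))
print(f"estimated pool size a={best_a}, discovery rate b={best_b}")
```

The caveat in the notes applies here too: a good fit of one such curve does not by itself establish that the vulnerability pool is being depleted, since several reliability-growth models can fit the same counts.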
Problem: independent rediscovery of the same bug
Often credit multiple people for finding bug
Around 90 days b/n discovery & disclosure → undercount
Data – reporters & interviews of MS announcements
2002-2004 – 7.69% of credited discoveries have 2 independent discoverers
Future work
Need to know the number of people hunting vulns
Want the effort, not the number – use the effort per searcher, get a distribution for hours/vuln discovered, map up to # vulns
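The 7.69% rediscovery share can be inverted under a simple independent-search model to get a per-hunter find probability. The number of hunters K is exactly the unknown the future-work items above target, so it is an assumption here:

```python
def multi_finder_share(k, p):
    """Share of found bugs with >= 2 independent finders, if each of k
    hunters finds a given bug with independent probability p."""
    none = (1 - p) ** k
    one = k * p * (1 - p) ** (k - 1)
    return (1 - none - one) / (1 - none)

K = 100          # number of active hunters -- an assumed figure
TARGET = 0.0769  # observed share of multiply-discovered MS vulns

# grid-search the p that reproduces the observed share
implied_p = min((i / 100_000 for i in range(1, 2_000)),
                key=lambda p: abs(multi_finder_share(K, p) - TARGET))
print(f"implied per-hunter find probability: {implied_p:.5f}")
```

With an effort distribution per searcher in hand, the same identity could be run in the other direction to map total search effort to expected vulnerabilities found, as the speaker proposes.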
Lack of systematic policy for disclosure
CERT has no strong justification for their 45 day model
Need good data
Test if early disclosure leads to bigger patch
Analytic model
Vendors: cost of patching
Customer loss from attack, and internalize some of that cost
Also – severity, open source, etc
Data from SecurityFocus or CERT
Time, vendor info, vulnerability info
1280 observations, 255 unique vendors
CERT gives 45 days, SecurityFocus had instant disclosure
Early disclosure – before CERT’s 45 days
Biggest problem is keeping this data secret – this could overwhelm the policy?!?!
Discoverers tend to post info to SF after vendors patch
Results of patching time
CERT has a big impact for early disclosure, SF and public less so
Instant disclosure
Source
Impact of disclosure on patching time
Vendors are 57% faster with disclosure
CERT, F/OSS is faster, after 9/11 vendors are faster
Firm size, etc doesn’t have a strong effect
Impact of disclosure window
56% faster when disclosure is 0 vs. positive time
Avg disclosure time – 20 days
→ linear model, can show 2.8%/day
These notes were transcribed by Allan Friedman, in real time at the workshop. Notes were taken in MS Word, so I apologize for the wacky html. Feel free to contact me for more info.
It is possible (or even likely) that I may have misunderstood some of these presentations, or missed an important point. All italic comments are personal notes, and should not be attributed to the speaker. It goes without saying that curious readers should read the actual papers; those interested should contact the authors. I missed a few presentations, and will highlight where I sketch in rough notes from the actual papers.