WEIS 2005

4th Workshop on the Economics of Information Security

 

June 1-3, 2005

Kennedy School of Government, Harvard University

Cambridge, MA, USA

 

(Papers and slides are here)

(About these notes)

 

Investment in Security (Larry Gordon)

James R. Conrad, "Analyzing the Risks of Information Security Investments with Monte-Carlo Simulations"

Pei-yu Chen, Gaurav Kataria and Ramayya Krishnan, "Software Diversity for Information Security"

Anindya Ghose, Arun Sundararajan, "Pricing Security Software: Theory and Evidence"

Responses to Security Failure (Stuart Schechter)

Avi Goldfarb, "Why do denial of service attacks reduce future visits? Switching costs vs. changing preferences"

Jennifer S. Granick, "Faking It: Criminal Sanctions and the Cost of Computer Intrusions"

Tyler Moore, "Countering Hidden-Action Attacks on Networked Systems"

DRM & Spam (Ross Anderson)

Dirk Bergemann, Thomas Eisenbach, Joan Feigenbaum, Scott Shenker, "Flexibility as an Instrument in Digital Rights Management"

Yooki Park and Suzanne Scotchmer, "Digital Rights Management and the Pricing of Digital Products"

Andrei Serjantov and Richard Clayton, "Modeling Incentives for Email Blocking Strategies"

Incentive Modeling (Rahul Telang)

Jay Pil Choi, Chaim Fershtman, and Neil Gandal, "Internet Security, Vulnerability Disclosure, and Software Provision"

Byung Cho Kim, Pei-Yu Chen, and Tridas Mukhopadhyay, "An Economic Analysis of Software Market with Risk-Sharing Contract"

Hasan Cavusoglu, Huseyin Cavusoglu and Srinivasan Raghunathan, "Emerging Issues in Responsible Vulnerability Disclosure"

Insurance (Marty Loeb)

Rainer Böhme, "Cyber-Insurance Revisited"

Jay P. Kesan, Ruperto P. Majuca, William J. Yurcik, "Cyber-insurance As A Market-Based Solution To The Problem Of Cybersecurity"

Hulisi Ogut, Nirup Menon, Srinivasan Raghunathan, "Cyber Insurance and IT Security Investment: Impact of Interdependent Risk"

Experiments & Field Studies (Alessandro Acquisti)

Scott Dynes, Hans Brechbuhl, Eric Johnson, "Information Security in the Extended Enterprise: Some Initial Results From a Field Study of an Industrial Firm"

Luc Wathieu and Allan Friedman, "An empirical approach to the valuing privacy valuation"

Bernardo A. Huberman, Eytan Adar and Leslie R. Fine, "Valuating Privacy"

Rahul Telang and Sunil Wattal, "Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation"

Privacy (Jean Camp)

Zhulei Tang, Yu (Jeffrey) Hu, Michael D. Smith, "Protecting Online Privacy: Self-Regulation, Mandatory Standards, or Caveat Emptor"

Alessandro Acquisti and Jens Grossklags, "Uncertainty, Ambiguity and Privacy"

Rachel Greenstadt and Michael D. Smith, "Protecting Personal Information: Obstacles and Directions"

David Baumer, Julia Earp, and J.C. Poindexter, "Quantifying Privacy Choices with Experimental Economics"

Vulnerabilities (Huseyin Cavusoglu)

Dmitri Nizovtsev and Marie Thursby, "Economic Analysis of Incentives to Disclose Software Vulnerabilities"

Andy Ozment, "The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting"

Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang, "An Empirical Analysis of Vendor Response to Disclosure Policy"

 

Investment in Security (Larry Gordon)

James R. Conrad, "Analyzing the Risks of Information Security Investments with Monte-Carlo Simulations "

(from Idaho CS)

Investment as a function of expert models that have uncertainty

Monte Carlo simulations use distributions, iterate many times

Expand existing model (Longstaff)

            Vary the intrusion rates (original at 2/year)

            New: 20% chance of increase to 10/year

Model specs

            Poisson distr

            Output: benefit/cost ratio

Results – appears to be two overlapping Poissons, fairly simple

Don’t want to average the values, since it hides details

Experts are relieved to disclose uncertainty       

MC techniques are useful

Understand extreme events

Q: using more complexity?

A: Apply it to graphical models – use lower level, capture at network topology

            Tik-rant
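As an added illustration (not Conrad's own code or figures) of the two-Poisson mixture the talk describes, here is a small Monte Carlo in Python: the 2/year base rate, the 20% chance of 10/year and the Poisson choice come from the notes, while the loss per intrusion, control cost and control effectiveness are assumed values chosen for the example.

```python
import math
import random
import statistics

# Constructed parameters. The notes give only the intrusion rates (2/year base,
# a 20% chance of 10/year) and the Poisson choice; the loss, cost and control
# effectiveness figures below are assumptions made for this illustration.
BASE_RATE = 2.0
SURGE_RATE = 10.0
SURGE_PROB = 0.20
LOSS_PER_INTRUSION = 50_000.0
CONTROL_COST = 60_000.0
CONTROL_EFFECTIVENESS = 0.70


def poisson(rng, lam):
    """Poisson sample by Knuth's inversion method; adequate for these small rates."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def benefit_cost_ratio(intrusions):
    """Benefit = loss the control avoids over the year; cost = the control itself."""
    return intrusions * LOSS_PER_INTRUSION * CONTROL_EFFECTIVENESS / CONTROL_COST


def point_estimate():
    """What a single-number model reports: the base rate plugged in directly."""
    return benefit_cost_ratio(BASE_RATE)


def simulate(n_iter=20000, seed=1):
    """One iteration = one year. The expert's uncertainty about the rate is
    drawn first, then the year's intrusion count from the chosen Poisson, which
    is why the output is a mixture of two Poissons rather than a single one."""
    rng = random.Random(seed)
    ratios = []
    for _ in range(n_iter):
        rate = SURGE_RATE if rng.random() < SURGE_PROB else BASE_RATE
        ratios.append(benefit_cost_ratio(poisson(rng, rate)))
    return ratios


def summarize(ratios):
    """Mean plus the percentiles and tail share that the mean alone would hide."""
    s = sorted(ratios)

    def pct(level):
        return s[min(len(s) - 1, int(level * len(s)))]

    return {
        "mean": statistics.fmean(s),
        "p10": pct(0.10),
        "median": pct(0.50),
        "p90": pct(0.90),
        "share_not_paying_off": sum(1 for r in s if r < 1.0) / len(s),
    }


def intrusion_histogram(ratios):
    """Counts per yearly intrusion count, recovered from the ratios; the two humps
    (around the 2/year and 10/year regimes) are visible here, not in the mean."""
    per_intrusion = benefit_cost_ratio(1)
    counts = {}
    for r in ratios:
        k = int(round(r / per_intrusion))
        counts[k] = counts.get(k, 0) + 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    results = simulate()
    print("point estimate BCR:", round(point_estimate(), 3))
    for key, value in summarize(results).items():
        print(f"{key:>22}: {value:.3f}")
    print("intrusions per year:", intrusion_histogram(results))
```

The mean ratio lands near 2.1 while roughly a third of simulated years have a ratio below 1, which is the detail that averaging removes.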

 

Pei-yu Chen, Gaurav Kataria and Ramayya Krishnan, "Software Diversity for Information Security"

(CMU)

Diversity not new to security

            Correlation failure

Promoting diversity inside a single firm/entity

How to introduce diversity?

            Choose a different product

            Different builds with different components (Mime handler in email clients)

            Sensor nets with small enough OS that multiple OS in ROM

Diversity modeled as % of SW in a duopoly system

Correlated failure – beta-binomial distribution (dependent Bernoulli)

Loss of attack is downtime -> measure mean time to recover

Security investment tradeoffs

Model of correlated failures

            Prob that a fraction will fail

            Expected attack

            Correlation

Costs

            IT modeled as service queue (constrained)

            Time to go back as M/G/1 queue

                        M: Poisson attack

                        G: service time – increasing in number of nodes

                                    Service capacity is a fn of capability and %

                        1: [missed]

Attacks are a Poisson process, with arrival assuming economies of scale

Computation using P-K mean formula

Results

            Curvilinear relationship with diversity: better to have diversity, than all with the most vulnerable SW

            Diversity is good, even when

Future works

            Game theory: each agent decides which to choose

                        -> draw from ABM!

Richard: Economies of scale in having one-system shops (non-homogeneous queue)

A: …

C: Cost of service might be the same for either software

Bruce: Added complexity is the number of choices to make

C: Interoperability costs

Q:  Economies of scale in types of attacks (old attacks are easier to solve)

Susan: What is the right metric of diversity?

A: Collecting lists of real-world products, libraries, etc

            Can use the vulnerabilities to determine shared code base

A: define diversity as shared vulnerability
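An added worked example, not the paper's own code or numbers, of the correlated-failure and M/G/1 downtime model sketched above: beta-binomial failures inside each product cluster, Poisson attacks that favour the larger share, and the Pollaczek-Khinchine mean formula for time to recover. Node count, compromise probabilities, correlation, attack rate and recovery cost are assumed values.

```python
import math

# Constructed scenario (assumptions, not the paper's numbers): N_NODES machines
# split between software A (per-node compromise probability P_A, the more
# vulnerable product) and software B (P_B). RHO is the pairwise correlation of
# failures among nodes running the same product, as in a beta-binomial model.
N_NODES = 20
P_A, P_B = 0.40, 0.25
RHO = 0.30
ATTACK_RATE = 0.10        # Poisson attack arrivals per hour
RECOVER_PER_NODE = 0.50   # hours of repair work per compromised node
SCALE_EXPONENT = 1.0      # attacker preference for the larger share (economies of scale)


def beta_binomial_moments(n, p, rho):
    """Mean and raw second moment of K ~ BetaBinomial(n, alpha, beta), written in
    terms of the per-node failure probability p = alpha/(alpha+beta) and the
    intra-platform correlation rho = 1/(alpha+beta+1). rho = 0 recovers the
    independent binomial; rho -> 1 makes all nodes of a cluster fail together."""
    mean = n * p
    var = n * p * (1 - p) * (1 + (n - 1) * rho)
    return mean, var + mean ** 2


def service_moments(share_a):
    """First two moments of the recovery (service) time S for one attack.
    S = RECOVER_PER_NODE * K, where K is the number of nodes knocked out, so
    service time grows with the size of the homogeneous cluster that is hit."""
    n_a = int(round(N_NODES * share_a))
    n_b = N_NODES - n_a
    w_a, w_b = share_a ** SCALE_EXPONENT, (1 - share_a) ** SCALE_EXPONENT
    q_a = w_a / (w_a + w_b)          # probability that an attack targets platform A
    m_a, s2_a = beta_binomial_moments(n_a, P_A, RHO)
    m_b, s2_b = beta_binomial_moments(n_b, P_B, RHO)
    mean_k = q_a * m_a + (1 - q_a) * m_b
    second_k = q_a * s2_a + (1 - q_a) * s2_b
    return RECOVER_PER_NODE * mean_k, RECOVER_PER_NODE ** 2 * second_k


def mean_time_to_recover(share_a):
    """Mean sojourn time in the M/G/1 repair queue from the Pollaczek-Khinchine
    mean-value formula: E[T] = E[S] + lambda*E[S^2] / (2*(1 - lambda*E[S]))."""
    es, es2 = service_moments(share_a)
    utilization = ATTACK_RATE * es
    if utilization >= 1.0:
        return math.inf               # repair queue is unstable
    return es + ATTACK_RATE * es2 / (2.0 * (1.0 - utilization))


def best_share(step=0.05):
    """Scan the share of nodes on product A; return the share with the lowest
    mean recovery time (the curvilinear relationship from the talk)."""
    shares = [round(i * step, 2) for i in range(int(round(1 / step)) + 1)]
    return min(shares, key=mean_time_to_recover)


if __name__ == "__main__":
    for share in (0.0, 0.25, 0.5, 0.75, 1.0):
        print(f"share on A = {share:.2f}: mean time to recover = "
              f"{mean_time_to_recover(share):.3f} h")
    print("best share on A:", best_share())
```

Because the second moment of the service time is quadratic in cluster size, a mixed estate beats even a monoculture of the less vulnerable product here, and the optimum puts a minority of nodes on the more vulnerable one.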

 

 

Anindya Ghose, Arun Sundararajan, "Pricing Security Software: Theory and Evidence"

Horizontally bundling SW components to build theory

Gather panel data of SW demand and pricing

Data from amazon & buy.com (direct consumer purchases)

Hidden market for security (gmail spam filter, windows firewall, etc)

Prior work

            Bundling can suppress innovation (deter entry)

Unique features of security SW

            Sometimes free substitutes -> demand side effect of consumers not interested in paying for some features

                        Anti-spam filter in gmail, outlook express

                        XP is bundled with filter

                        Firefox!

            Vendor costs of security updates -> cost side effect of higher variable costs

                        Virus defs, spam arms race

Theory results:

Mixed bundling is optimal, relative to pure bundling or components

Model of firm producing two SW components

            Choose innovation strategy

            Pricing strategy

            Fixed cost: development of quality level s

            Variable costs – updates

Consumer model

            Parameter X b/n 0 & 1

            U(I) = s(1-x), U(II) = (1-s(1-X))

            Some proportion r have a substitute for I or II

Market Segmentation

            1: pay for both

            2-3: pay for 1, not the other

            4: won’t pay for either

Optimization strategies

            Pure component pricing

            Pure bundling

            Mixed bundling

Results

Mixed bundling is best if some consumers get a product for free

                        Random participation independent of customers preferences leads to different pricing

Data

            Examined popular titles across utilities: price, salesrank, release date, rebate terms, customer ratings

Since there is no demand data

            Previous: use sales rank

            Now: sales rank + price info

            Markup: Hausman (1994) use of Lerner index

Results

            Cannibalization vs. market expansion

 

Q: How to infer r from data?

A: talking with a firm that has data on hidden prefs

Q: Why uniform distribution?

A: Tried normal, but the underlying idea is the 4 market segments: changing the distribution makes the segments non-symmetric

Huh. Can you use this model to show that free security software would actually reduce social utility from security consumption?

Q: what makes security SW different?

A: Variable mfr costs for updates

            Q: that is just trying to capture whole market for monopoly

Q: Anti-trust and social utility calculations

A: Effects of bundling on entry and innovation has been studied -> bad for society

            We found that it can increase innovation -> good

            Regulating prices: change the market dynamic

Responses to Security Failure (Stuart Schechter)

Avi Goldfarb, "Why do denial of service attacks reduce future visits? Switching costs vs. changing preferences "

(Toronto)

Claim: DoS attacks have a lasting effect, beyond short run impact of no business

            Possible explanations

                        Do they like alternative sites less?

                        Do users become locked-in to competing costs

                        BUT – question of preferences or switching costs?

Lost future revenue can be larger than attack-damage

Attack damage

            Visits lost from 1-2 million

Data – every website visited by 2651 households from Dec 27, 1999 to March 31, 2000

            Treatment – people who tried to access a site during attack, and didn’t

                        Presence in treatment group is stochastically determined

                                    Read about this

                       

            Control

            Different-in-difference: before/after, treat/control

Short run results - day 1: -3.9% for yahoo,  -5% for amazon, etc

Switching costs – debate in field about whether switching costs are high or low online

            Experiment: look at alternate site visited during attack

                        Q: does MSN benefit disproportionately?

            Raw data says that visited site benefits more than others

            Basic effect: Yahoo lost 6.2 million, but rivals only got 4.9 million -> 2.2 million switching costs

            No sig effect from CNN – (NOTE – different from paper)

Probit: sig, pos effect of visiting other sites after yahoo

Segmentation

            Effect not different b/n heavy and light users

            BUT – heavy users are less likely to switch

Caveats: short-run, not available for a short time,

Q: lost vs. deferred sales

A: At the margin, there is some permanent switching, which indicates changed habits -> lost sale

Q: Change the home page?

A: Little evidence

Q: Any info about marketing from firms trying to get visitors back?

A: PR, but no advertising

Q: Any evidence about whether the extortion prices are high enough?

A: Little

            Bruce: extortion works, and they seem to be farming the field well (not repeated vig)

Hal: Similar to airline crashes

            Two week effect on ticket sales, no effect on stock prices

            C: BUT – airlines are insured

Q: What are the predictive powers?  Will the next attack produce similar results?

A: Broadband is different

Jennifer S. Granick, "Faking It: Criminal Sanctions and the Cost of Computer Intrusions"

Computer crimes statute: 12 USC 1030

            Access without authorization main aspect

            (a)(5) – damage AND $5k loss or special harm

Sentencing – base level, add or subtract based on circumstances

            Dollar amount of loss

            Higher damage -> greater incentive to plea bargain

Damage is highly variable in a single attack

Attacks that were personally invasive -> not as much loss

            Trivial damage for user accounts vs. huge damage for web page defacement

Victim has tremendous power to affect the prosecution and sentence

Some losses that shouldn’t be counted against defendant

            Forensic investigation, worries about reputation

            BUT – they are being counted

                        System of victims tallying damages

                        Little scrutiny of these damage reports

Non-pecuniary harm is hard to measure

Example: Attacker sees Solaris

            Sun says that Solaris was a secret, viewing it = no secret -> loss = full value of Solaris

            Defense says that no actual harm to Sun -> no harms

Victim determines damage info by actions based on exogenous costs

C: insurance loss adjusters provide a balancing effect

- As insurance becomes more common, can leverage this

Q: What about stock value changes?

Tyler Moore, "Countering Hidden-Action Attacks on Networked Systems"

Hidden action attacks – inability of observation promotes certain features

            Econ – moral hazard

            Soln: contracts, side payments

On computer networks

            Routers dropping packets

            Free-riding on P2P networks

Problem w/ side payments

            Assumed immutable network

            Complex to implement

Social capital facilitates credible transactions

            Threat of punishment w/ enforcement

                        Centralized: trusted, external mediator

                        Decentralized - social

            Resource allocation mechs

                        Markets

                        Communitarian (e.g. Grameen) small group, cheap monitoring,

                                    Embedded in social network!!!!

Exploiting social capital to increase observation

            Topology – limit transaction to a small group, repeated interactions

P2P can’t use mutual enforcement

            No repeated interactions, not far-sighted nodes, can’t punish deviation

Build locality

 

Problem – social capital rests on multiple uses of a given channel

            Not sure that trust is derived by network topology itself

            Observability through networks vs. identifiers

DRM & Spam (Ross Anderson)

Dirk Bergemann, Thomas Eisenbach, Joan Feigenbaum, Scott Shenker, "Flexibility as an Instrument in Digital Rights Management"

Too much flexibility is bad because it undercuts sales

Too little flexibility makes unhappy customers

[I had to get some work done during this talk]

Yooki Park and Suzanne Scotchmer, "Digital Rights Management and the Pricing of Digital Products"

DRM sets the cost of circumvention, but doesn’t protect it

Assumptions: content is free, but the ability to “render” it is protected

            Business model: who sells the ability to render

                        Wholly owned subsidiary of vendors

Model:

            Strength of protection e = cost of circumvention

            K(e) = cost of protection

            Price is constrained by the level of protection (if too expensive to attack -> buy)

By reducing level of protection, reduces cost, but doesn’t hurt revenue (monopoly pricing)

DRM may increase profit and consumer welfare

            Equal revenue, less DWL

Model holds for duopoly, oligopoly

Will vendors make the optimal choice to share a DRM system

            Vendors want to raise price

Cost sharing and independent pricing – can we avoid collusion?

            Technology itself gives vendors the opportunity to set a single price (preferred)

            Claim: cost-sharing itself can be collusive

                        Increasing revenue share also increases the % of cost borne by firm

                        Demand-based cost-sharing is even worse

Many issues for any regulators to consider

            Privacy!

            Naked collusion can be decent for social welfare

Q: Root of assumption of non-mappable but breakable DRM?

A: Interested in non-detectable, cost-based approach

Andrei Serjantov and Richard Clayton, "Modeling Incentives for Email Blocking Strategies"

Email goes out ISP smart-hosts

            Admin’d in a very ad-hoc fashion

Blacklists identify sources of spam

            Ad-hoc and not authoritative

Utility of ISP is a fn of connectivity

            Ability to send email to others

            NOT ability to receive email from others

Implications of model

            V is estimated -> guard your reputation

            Dictionary affects large ISPs more (more clients who see them!)

            Tit-for-tat blocking works

Data - Outgoing mail from UK ISP

            82,000 customers, 25 million emails

            378,000 MX servers BUT 240,000 only used once

            Scale free distributions of outgoing emails

            2601 sites > 100 customers sending to them -> too many for complaint dept

Incoming email

            14 days of incoming email, 55.6 million emails

            66.5% categorized as spam

            13,378 sending AS

            Some sources send mainly spam, but a few a day that aren’t

            Large volumes of spam accompanied by large volumes of good email

            Fast response – variable behavior of ISP

Q: in retrospect, would you have written the RFC to use the bouncing message?

A: Implementation issues

Q: reputation systems?

A: yes, but attackable

Q: What is an acceptable amount of spam?

A: Econ approach says that spam sells goods -> social welfare

            100/week was bad in 1997, now get 100/day through the filters

Q: Sharing what is spam?

A: grouping filters create an incentive to subvert them.  Personal filters diminish this.

Incentive Modeling (Rahul Telang)

Jay Pil Choi, Chaim Fershtman, and Neil Gandal, "Internet Security, Vulnerability Disclosure, and Software Provision"

Byung Cho Kim, Pei-Yu Chen, and Tridas Mukhopadhyay, "An Economic Analysis of Software Market with Risk-Sharing Contract"

Hasan Cavusoglu, Huseyin Cavusoglu and Srinivasan Raghunathan "Emerging Issues in Responsible Vulnerability Disclosure"

Fully secure software not likely

Although: 95% vulnerabilities can be handled with up-to-date patches

Disclosure of vulnerabilities (necessary to create patch)

            Publicize immediately – transparency, incentives to patch fast, allow vulnerable firms to take intermediate steps

            Vendor disclosure - secrecy

            Hybrid

                        CERT sets 45 day grace period, OIS sets 30-day grace period

                        Security firms follow their own guidelines

Lack of a clear process creates chaos

Problems with some model assumptions

            Hackers can’t find vulnerabilities before benign users

            Vulnerable systems attacked instantly

            No change in attack rate before and after disclosure     

Insurance (Marty Loeb)

Rainer Böhme, "Cyber-Insurance Revisited"

Subjective advantages

            Transfer of risk

            Manageability – constant transfers

            Quantification

Social advantages

            Incentives to innovate – lower premiums

            Incentives to implement

            Insurance firms fund infosec research

Immature market

            AIG has about 70% of market

            Very low value

            High risks

Why is it immature?

            Liability is unsolved

            New risks lack actual data

                        BUT – early satellites, etc get insurance

            High probability of loss

                        BUT – can insure almost anything

            Difficult to substantiate claims

Cyber-risks are accumulated risks

            Concentration causes correlation

Liability & quality

            Predicted in markets

            Monopoly can reduce this

Argument: concentrated systems -> clustered risk

Insurance model

            Calculate premiums

            Indemnity model

            Individual risk model

Supply-side model

            Expected-value + a safety loading

            Need to minimize the probability of total firm ruin

Single-factor model (supply)

            Vary correlation rho while keeping expected value constant

            As correlation increases, move towards a bimodal distribution of losses

                        Second, smaller hump is ruinous

Two state model comparing insurance and no insurance model (demand)

            Introduce risk-averse utility fn (CRRA)

            Use utility function to calculate maximum premium

Results - Numerical calculation of maximum correlation as a fn of risk of loss and risk aversion

            No problem for: high risk, high risk aversion

            Problem for: small expected losses

Use alternate systems as a mechanism for diversity

            There is always a minimum value for diversification below which it’s better to go with just one system

            Market barrier for diversification

            This is a very cool result

“A trusted component or system is one which you can insure” – Ross Anderson (1994)

Q: What about reinsurance?

A: Not too good for cyberinsurance, since correlation of risk is global—can’t diversify out of it.

Q: What about catastrophe bonds?

A: Not sure, but it is illiquid and low-volume market
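An added example (not Böhme's code or numbers) of the supply and demand sides described above: a single-factor model that varies the correlation rho with the expected loss held fixed, a safety loading set by a ruin-probability target, and a CRRA policyholder's maximum premium; the scan then returns the largest rho at which insurer and policyholder still meet. Portfolio size, claim probability, loss, capital, ruin target and wealth are assumed values.

```python
import math
import random
from statistics import NormalDist

# Constructed scenario (assumptions, not the paper's numbers): N_POLICIES identical
# policies, each paying out LOSS with marginal claim probability P_CLAIM.
N_POLICIES = 200
P_CLAIM = 0.10
LOSS = 40.0
CAPITAL = 300.0        # insurer's own funds on top of premium income
RUIN_TARGET = 0.05     # acceptable probability that losses exceed premiums + capital
WEALTH = 100.0         # policyholder's initial wealth (demand side)
RHO_GRID = [round(0.05 * i, 2) for i in range(20)]   # 0.00 ... 0.95


def simulate_total_losses(rho, n_sims=2000, seed=7):
    """Aggregate loss samples from a single-factor model: policy i claims when
    sqrt(rho)*Z + sqrt(1-rho)*e_i falls below a threshold, with Z shared by the
    whole book. The threshold is the P_CLAIM quantile of N(0,1), so each policy's
    claim probability is the same for every rho: the expected loss is held
    constant and only the dependence between policies changes."""
    rng = random.Random(seed)
    nd = NormalDist()
    threshold = nd.inv_cdf(P_CLAIM)
    a, b = math.sqrt(rho), math.sqrt(1.0 - rho)
    totals = []
    for _ in range(n_sims):
        z = rng.gauss(0.0, 1.0)
        # Conditional on the common factor, claims are independent Bernoulli
        # trials with probability q_z (b > 0 because rho < 1 on the grid).
        q_z = nd.cdf((threshold - a * z) / b)
        claims = sum(1 for _ in range(N_POLICIES) if rng.random() < q_z)
        totals.append(claims * LOSS)
    return totals


def quantile(samples, level):
    s = sorted(samples)
    return s[min(len(s) - 1, int(level * len(s)))]


def tail_share(totals, multiple=2.0):
    """Fraction of scenarios in which the book loses more than `multiple` times
    its expected loss: the second, ruinous hump that grows with correlation."""
    expected = N_POLICIES * P_CLAIM * LOSS
    return sum(1 for t in totals if t > multiple * expected) / len(totals)


def safety_loading(totals):
    """Supply side: smallest loading on the actuarially fair premium such that
    premium income plus capital covers the (1 - RUIN_TARGET) quantile of losses."""
    fair_income = N_POLICIES * P_CLAIM * LOSS
    needed = quantile(totals, 1.0 - RUIN_TARGET) - CAPITAL
    return max(0.0, needed / fair_income - 1.0)


def crra_utility(w, gamma):
    return math.log(w) if gamma == 1 else w ** (1.0 - gamma) / (1.0 - gamma)


def crra_inverse(u, gamma):
    return math.exp(u) if gamma == 1 else (u * (1.0 - gamma)) ** (1.0 / (1.0 - gamma))


def max_premium(gamma, p=P_CLAIM, loss=LOSS, wealth=WEALTH):
    """Demand side: the premium that leaves a CRRA policyholder with risk aversion
    gamma indifferent between insuring and bearing the loss."""
    expected_u = p * crra_utility(wealth - loss, gamma) + (1 - p) * crra_utility(wealth, gamma)
    return wealth - crra_inverse(expected_u, gamma)


def loadings_by_rho(grid=RHO_GRID):
    """Supply-side loading for each correlation level on the grid."""
    return {rho: safety_loading(simulate_total_losses(rho)) for rho in grid}


def max_insurable_correlation(gamma, loadings):
    """Largest rho at which the insurer's minimum premium is still no more than
    the policyholder is willing to pay; None if no rho on the grid works."""
    fair = P_CLAIM * LOSS
    willing = max_premium(gamma)
    feasible = [rho for rho, load in loadings.items() if fair * (1 + load) <= willing]
    return max(feasible) if feasible else None


if __name__ == "__main__":
    loads = loadings_by_rho()
    for rho in (0.0, 0.1, 0.5, 0.95):
        print(f"rho={rho:.2f}: loading={loads[rho]:.2f}, "
              f"tail share={tail_share(simulate_total_losses(rho)):.3f}")
    for gamma in (1, 3):
        print(f"gamma={gamma}: max premium={max_premium(gamma):.2f}, "
              f"max insurable rho={max_insurable_correlation(gamma, loads)}")
```

With these numbers the mildly risk-averse buyer (gamma = 1) is only insurable at rho = 0, while the strongly risk-averse one (gamma = 3) tolerates a small positive correlation; raising the claim probability or the risk aversion widens the feasible range, as the talk's numerical result describes.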

Jay P. Kesan, Ruperto P. Majuca, William J. Yurcik, "Cyber-insurance As A Market-Based Solution To The Problem Of Cybersecurity"

Discussion of the history of problem

Problem – security

            Isn’t just a technical problem

Security is a market failure

            Imperfect information

            Externalities

Risk management market solutions

            Avoid the risk - unplug

            Mitigate the risk – part of current security

            Retain risk – self-insurance (gambling)

             Transfer risk via outsourcing

            Do it via insurance product

Problems with traditional insurance

Current cyber-insurance practices

            Compare three products

            Exclusions discussed

Their prior work – talk about an ideal world comparing welfare

Example – DOS attack of 2000

Calculate premium

Real world has issues

            Adverse Selection -> partial insurance

                        Soln: detailed questionnaire

                        Baseline security analysis

            Moral Hazard

                        Policies have provisions to prevent this

Take-aways

            Econ models can demonstrate increased social welfare

            In practice, there are still issues

            BUT – should still move in this direction

Q: Any data on payouts?

A: Insurance companies are very closely guarded, as a trade secret, since it

Ross: Lloyd's insured in 1980s for very low premium, no payouts.  One attack in early 90s, just double premium

 

Hulisi Ogut, Nirup Menon, Srinivasan Raghunathan, "Cyber Insurance and IT Security Investment: Impact of Interdependent Risk "

 

 

Experiments & Field Studies (Alessandro Acquisti )

Scott Dynes, Hans Brechbuhl, Eric Johnson, "Information Security in the Extended Enterprise: Some Initial Results From a Field Study of an Industrial Firm"

Tighter integration w/ supply chain -> greater risk from cyber events

Role of market adoption in security

Research question – how do firms make investment decisions

            Big companies vs. small companies

Method – start with host company, move up supply chain

            Ask about security practices

            Look at tightness of supply chain

Results

            Baseline of input from trusted colleagues, external consultants, trade mags

            Infosec manager first from cost, then from exposure

            Risk analysis from probabilities is pretty nebulous

            Varying dependence on information infrastructure vs. phone/fax/fedex

            Large firm: high volume plants have pre-loaded pipeline, low volume plants not as much

            Very few infosec problems

                        Probably too low – if no viruses at all, are they over-invested?

Take-aways

           

Luc Wathieu and Allan Friedman, "An empirical approach to the valuing privacy valuation"

It’s my paper!  Read it! Cite it!

We show through an experiment that consumers are capable of registering privacy concerns even when the harms from information sharing are not entirely obvious.

Bernardo A. Huberman, Eytan Adar and Leslie R. Fine, "Valuating Privacy"

Want to know what determines how much data is worth to people, and why

Problems with data-collection studies

            Selection bias

            Unverifiable

Approach: introduce reward and cost

Hypothesis – further people are from mean -> more demand for private info

            Don’t use identifiers, since that’s just a decision to give or not

Experiment

            Put people around table

            Second price auction for weight, age, GPA

            Collected data from all people

Data collected in survey

            Sanity check to make sure people understand reverse 2nd price auctions

            Perception of deviance

            Familiarity with people in the room

            Simulated, how much would you want, etc

Results

            General u-shape for actual weight

            BUT – perception of weight is more of a linear relation

            Deviation from mean isn’t quite right – it’s the desirable properties of the data.

            Gender

                        Men have slightly higher prices in single sex, women in mixed

                        BUT – gender itself isn’t sig

            Privacy is correlated with price in bid

Observations

            Auctions are cheap

            Normalization is key – use BMI, not weight

            International comparisons

Summary

            Not just obvious!

            Possible to get data

Rahul Telang and Sunil Wattal, "Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation"

Quality != security

Security breaches are expensive, but not clear that there are strong incentives

            Anecdotal -> Firefox

In non-SW industry, vendors lose value with flawed product

            BUT – no direct liability, frequent vulnerability announcement,

Data – popular press of data vulnerabilities & CERT

            Exclude: non-daily, duplicates, etc

            Note “serious”

            Note effect of vulnerability

            Classify

148 data points on 18 firms

Event study: look for deviations from predicted returns

Results

            Abnormal returns are negative and sig for 2 days after event

            Regression: non-availability of the patch is important

                        DoS is bad

                        Serious is bad

                        Does not matter whether firm itself discovered the vulnerability

Q: Is R-squared high enough?  R-squared should be horrible

A: Yes, for these studies.

Q: If the effect of a vulnerability is real, then many vulnerabilities gets rid of value?

A: But there are other things that affect stock value.

Q: What about rivals?  Should their stock go up?

A: Hard to identify rivals.

 

Privacy (Jean Camp)

Zhulei Tang, Yu (Jeffrey) Hu, Michael D. Smith, "Protecting Online Privacy: Self-Regulation, Mandatory Standards, or Caveat Emptor"

(CMU)

Consumers care about privacy

            Privacy defined as inappropriate use of data

Regimes of privacy: caveat emptor, mandatory standards, seal-of-approval

Model – game theory with asymmetric info

            Monopolistic retailer with costs of maintaining privacy (infosec, opportunity cost)

            Has to choose a price

                        Has to protect privacy or not

Seal: join seal program, pay membership, violators incur cost M with prob alpha

            Can separate low-protection cost retailer from high protection if cost is high enough

            L-type agents charge lower cost

            Separating equilibrium

Caveat emptor – pooling equilibrium – lemons market

Mandatory standards

            Different type of retailers charge different prices b/c of different costs

What is the motivation for stage one, with competing firms having different costs of protection?

Conclusions

            Seals can lead to equilibrium

Future directions

            P3P to lower costs

            Signaling with branding

Alessandro Acquisti, and Jens Grossklags, "Uncertainty, Ambiguity and Privacy"

Open with example

Risk vs. uncertainty

            Risk – possible random outcomes with known probabilities

            Uncertainties – known events, unknown certainties

            Ignorance – nothing known

While expected utility models assume probabilities exist, real world may be too complex

Ambiguity & utility max

            Expected utility of lottery has to be higher than fixed amount

Is privacy a risk or an ambiguity?

            Information asymmetry: from owner about info, and collector about its value

            Reversed asymmetry as time passes

Models of privacy decision-making should be based on incomplete information

            Identification of other identities, intentional barriers, etc

Question: how is individual decision-making affected by ambiguity and risk

Data – based on survey of CMU students

Basic WTA prices follows S curve

People aren’t worried about fantasies -> clearly an economic utility-driven model

WTA is higher than expected loss

Highest value of SSN

            Also indicates financial harms

Is this motivated by expected market value, or actual valuation

Conclusions

            Interesting implications on experimental design

            Marketers can use instruments to get personal information

Rachel Greenstadt and Michael D. Smith, "Protecting Personal Information: Obstacles and Directions"

IT increases data collection / storage / mining ability

Policy models to protect privacy – self reg, gov reg, 3rd party, markets

Framework: Approaches to privacy must deal with

            Decision-making – who decides

            Negotiation – How is agreement reached

                        Bundling – question of resale and reuse

            Enforcement – prevention, punishment, transparency,

Go through each mode, apply framework

Self-regulation: privacy policies

            Decision: No incentives for good policies

            Negotiation: bad signal

            Enforcement: consumer reputation is not as important as B2B

Gov Regulation: gov handles all three aspects

            Decision: gov is NOT a disinterested third party

Third party regulation – replace gov’t with other party

            Seals get captured, lose value

Markets – central authority

            Decision-making – people can still make bad decisions

            Without good negotiation and enforcement, information markets are the same as self-regulation

Other issues – institutionalization

            Friction of implementing system, entrenched status quo

            Ambiguity makes policies bad

Ultimately, need enforcement

Regulation is the best interim model

Research agenda

Important approach – framework examining decisions, negotiation, enforcement

David Baumer, Julia Earp, and J.C. Poindexter, "Quantifying Privacy Choices with Experimental Economics"

Surveys aren’t great for getting value of privacy

Individuals face uncertainty for benefits, harms

Goal – construct utility curve for privacy decisions

Experiment

            Goal is to get the most fake money – maximize good things, minimize bad things

Payoff matrix reflects possibilities of harm and benefit

Experiment 1 – find a job on resume

            Known probabilities of harms, losses

            Rewards based on rank in a distribution

            Chance to buy insurance

                        Result -> cheaper insurance was purchased more than expensive insurance

            “Legislation introduced” -> they trusted the legislation

Moving towards an automated environment – internet use

            Conditions of malicious activity, law enforcement,

            Use dropped with increase in activity, even with law enforcement

C: Survey data has been consistent.

C: People are perplexed by difference between attitude and behavior, but this is actually common psychology

            - i.e. weight loss, etc.

A: Ok, but we still want to get the value.  Elasticity of demand, etc

            Encryption gives protection but they have to infer

            How much??

Q: If game only privileges

Q: Privacy as a principal-agent problem.  Hard to determine source of harm, pinpoint that.  Can’t trace the source to either

Ann and Joan then have a famous debate.


Vulnerabilities (Huseyin Cavusoglu)

Dmitri Nizovtsev, and Marie Thursby, "Economic Analysis of Incentives to Disclose Software Vulnerabilities"

Focus of existing research

            Vendor decisions

            Coordinator – disclosure policies, market for vulnerabilities

            User’s decision to patch

Motives for public disclosure

            Signaling abilities

            Warning other users

            Putting pressure on the vendor

            -> Benign users are minimizing expected loss

Build model of white hats and black hats, choosing whether or not to disclose

Result: Can produce a mixed equilibrium with benign actors disclosing with some prob

Early results: Full disclosure occurs more often as

            Bugs are easier to discover

            Less myopic

            More Blackhats

            Harder to develop and exploit on disclosed info

            BUT – pop size is ambiguous

Social welfare analysis

Andy Ozment, "The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting"

Any patch released will be reversed engineered, and generate social threat

Response to Eric Rescorla’s WEIS2004 paper

Social value to hunt for vulnerabilities

            Motivate vendors

            More secure software

            Find them before bad guys

Rescorla: use reliability growth model on ICAT data

            No evidence that number of vulnerabilities is decreasing

            Pool is large enough that bad guys finding things before good guys is small

            Users don’t patch

Concl: vuln hunting doesn’t increase product quality

Problems of ICAT data

            Birth date inaccurate because of earlier versions

            Death date may be flawed

            Not comprehensive

Better data: use CVS to obtain OpenBSD 2.2 data set

            CVS keeps exact date of entry to code creation

            Security-focused development team

            -> 44 vulns in 30 month period

                        39 came from before v2.2

Analysis – look for a good fit

            Discrete SR model

            Yamada S

            Not conclusive, since can fit a model that doesn’t indicate
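To make the "look for a good fit" step concrete, here is an added example (my own illustration, not code from Ozment's paper or from the OpenBSD data) of the two standard checks a reliability-growth analysis runs on a series of vulnerability discovery dates: a Laplace trend test, which asks whether the discovery rate is falling at all, and a maximum-likelihood fit of the Goel-Okumoto growth model, which estimates the size of the remaining pool. The discovery times are constructed for the example; the function names are mine. It also shows the inconclusive case: when the series has no downward trend the Goel-Okumoto likelihood has no finite maximum, so the fit returns nothing rather than a spurious pool estimate.

```python
"""Added example (not from the Ozment paper or these notes): a Laplace trend
test and a Goel-Okumoto reliability-growth fit on CONSTRUCTED vulnerability
discovery times."""
import math
from typing import List, Optional, Tuple

# Constructed data (hypothetical, not the OpenBSD 2.2 series): days after
# release at which a vulnerability was found, for a product whose discovery
# rate is clearly falling ...
DECREASING_RATE = [5, 12, 20, 31, 45, 60, 78, 100, 125, 155,
                   190, 230, 275, 330, 395, 470, 555, 650, 760, 880]
# ... and for one whose rate is flat: no reliability growth at all.
FLAT_RATE = [45 * i for i in range(1, 21)]
OBSERVATION_DAYS = 900  # length T of the observation window, in days


def laplace_trend(times: List[float], window: float) -> float:
    """Laplace test statistic for an event series observed on [0, window].
    Values below about -1.96 mean a significantly decreasing rate at the
    5% level (reliability growth); values near 0 mean no trend."""
    n = len(times)
    mean_time = sum(times) / n
    return (mean_time - window / 2) / (window * math.sqrt(1 / (12 * n)))


def fit_goel_okumoto(times: List[float], window: float) -> Optional[Tuple[float, float]]:
    """Maximum-likelihood fit of the Goel-Okumoto NHPP with intensity
    a*b*exp(-b*t).  Returns (a, b): a estimates the total number of
    vulnerabilities (found plus not yet found), b the rate at which the
    discovery rate decays.  Returns None when the data show no decreasing
    trend, because the likelihood then has no maximum with b > 0."""
    n = len(times)
    s = sum(times)

    def score(b: float) -> float:
        # Derivative of the profiled log-likelihood with respect to b;
        # the MLE for b is its root.  It is strictly decreasing in b.
        one_minus = -math.expm1(-b * window)   # 1 - exp(-b*T), computed accurately
        return n / b - s - n * window * math.exp(-b * window) / one_minus

    lo, hi = 1e-9, 1.0
    if score(lo) <= 0:          # no downward trend: no finite MLE with b > 0
        return None
    for _ in range(200):        # bisection on the score equation
        mid = (lo + hi) / 2
        if score(mid) > 0:
            lo = mid
        else:
            hi = mid
    b = (lo + hi) / 2
    a = n / -math.expm1(-b * window)   # a = n / (1 - exp(-b*T))
    return a, b


def summarize(times: List[float], window: float) -> dict:
    """Run both checks and report the estimated remaining pool, if any."""
    fit = fit_goel_okumoto(times, window)
    return {
        "found": len(times),
        "laplace": laplace_trend(times, window),
        "estimated_total": None if fit is None else fit[0],
        "estimated_remaining": None if fit is None else fit[0] - len(times),
        "decay_rate_per_day": None if fit is None else fit[1],
    }


if __name__ == "__main__":
    for label, series in (("decreasing", DECREASING_RATE), ("flat", FLAT_RATE)):
        print(label, summarize(series, OBSERVATION_DAYS))
```

The point of running both: a negative Laplace statistic is the evidence that vulnerability hunting is depleting a finite pool, and only then does the growth model's pool estimate mean anything. On a series like the flat one, the fit is simply unavailable, which is the "not conclusive" outcome the notes describe.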

Problem: independent rediscovery of the same bug

            Often credit multiple people for finding bug

                        Around 90 days b/n discovery & disclosure -> undercount

Data – reporters & interviews of MS announcements

            2002-2004 – 7.69% of credited discoveries have 2 independent discoverers

Future work

            Need to know the number of people hunting vulns

                        Want the effort, not the number – use the effort per searcher, get a distribution for hours/vuln discovered, map up to # vulns

 

Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang, "An Empirical Analysis of Vendor Response to Disclosure Policy"

Lack of systematic policy for disclosure

            CERT has no strong justification for their 45 day model

            Need good data

Test if early disclosure leads to bigger patch

Analytic model

            Vendors: cost of patching

            Customer loss from attack, and internalize some of that cost

            Also – severity, open source, etc

Data from SecurityFocus or CERT

            Time, vendor info, vulnerability info

            1280 observations, 255 unique vendors

            CERT gives 45 days, SecurityFocus had instant disclosure

Early disclosure – before CERT’s 45 days       

Biggest problem is keeping this data secret; this could overwhelm the policy?!?!

            Identifiers tend to post info to SF after vendors patch

Results of patching time

            CERT has a big impact for early disclosure, SF and public less so

            Instant disclosure

            Source

Impact of disclosure on patching time

            Vendors are 57% faster with disclosure

            CERT, F/OSS is faster, after 9/11 vendors are faster

            Firm size, etc doesn’t have a strong effect

Impact of disclosure window

            56% faster when disclosure is 0 vs. positive time

            Avg disclosure time – 20 days

                        -> linear model, can show 2.8%/day


About these notes

These notes were transcribed by Allan Friedman, in real time at the workshop. Notes were taken in MS Word, so I apologize for the wacky html. Feel free to contact me for more info.

 

It is possible (or even likely) that I may have misunderstood some of these presentations, or missed an important point.  All italic comments are personal notes, and should not be attributed to the speaker.  It goes without saying that curious readers should read the actual papers; those interested should contact the authors.  I missed a few presentations, and will highlight where I sketch in rough notes from the actual papers.