Economics, Security and Innovation
Massimo Felici
Security and Cloud Lab
Hewlett-Packard Laboratories
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Overview
Innovation in cyber security and privacy
• Economics as driver for innovation
Micro perspectives
• Economics of security in the cloud
• Trust economics
Macro perspectives
• Integrated framework for innovation management
• Ongoing stakeholder consultation
Concluding remarks
Ongoing activities
Economic drivers for innovation in cyber security and privacy
Rationale
Economics of Information Security
• Increasing spending in information security
• Impact and severity of security breaches are getting bigger too
The Economist, Defending the digital Frontier, Special Report on Cyber-Security, July 12th 2014
Economic barriers to Information Security
Technical/Organisational
• Information Asymmetries – One party to a transaction has better information than another one
• Externalities – Effects (positive or negative) on third parties of economic transactions
• Lack of diversity in platforms and networks
Legal
• Liability dumping
• Fragmentation of legislation and law enforcement
• Need for legal cooperation
Impact
• Economic impact of security technologies (breaches)
• Information security as market differentiator
ENISA, Security Economics and the Internal Market, 2008
Transitioning Cyber Security Research into Practice
[Figure: research crossing the "Valley of Death" into practice]
Some issues
• Insufficient awareness of complexity of cyber security tech transfer
• A scattershot approach to R&D
• Mismatch between market and threat environment
D. Maughan, D. Balenson, U. Lindqvist, Z. Tudor, Crossing the "Valley of Death": Transitioning Cybersecurity Research into Practice, IEEE Security & Privacy, March/April 2013
T.V. Benzel, S. Lipner, Crossing the Great Divide: Transferring Security Technology from Research to the Market, IEEE Security & Privacy, March/April 2013
Some success factors
• Pervasive emphasis on technology transition
• Early involvement
• Active engagements
• Customer and market needs
• Value creation
• Innovation champions
• Innovation teams
• Organisational alignment
Economics and Security
Economics of Security in the Cloud
Micro perspectives of economics in cyber security and privacy
Cloud Economics
IDC forecasts worldwide public IT cloud services spending to reach nearly $108 billion by 2017 as focus shifts from savings to innovation
[Figure: Market vs. Economics of Security]
IDC, Worldwide and Regional Public IT Cloud Services 2013–2017 Forecast, 2013
The Economist, Securing the Cloud, 2002
Cyber Security Economics
Data about cyber security threats and attacks are continuously updated by surveys and new information
Need to assess the effectiveness of implemented measures
Various studies (models) on economics of security
Comparing economic models of cyber security
• Is the model complete?
• Is the model consistent?
• Is the model transparent?
• Is the model accurate?
• Is the model conservative?
• Does the model provide insight?
S.L. Pfleeger, R. Rue, Cybersecurity Economic Issues: Clearing the Path to Good Practice, IEEE Software, January/February 2008
Economics of Security in the Cloud
What I learned from discussing such problems (ESC Workshop at IEEE CloudCom 2013)
What is the cloud?
• Multiple deployment models and operational scenarios
• Often, lack of details in the models
What are cloud offerings?
• Different business models/costs
• Cloud offerings may look similar, but (technical) details are important
How do we assess cloud ecosystems?
• Who is the weakest link?
• Economics/Security across cloud supply chains
How do we address cloud governance?
• Alternative governance models – centralised, decentralised, delegation of responsibility, third party certification
• Difficult to assess governance models
Do we understand cost/benefit of security investment?
• Security metrics yet a problem
• Assessing a moving target
Economics/Security Models
• Often, written for the modellers not for the users of such models
Cloud Stewardship Economics
Acknowledgments: Simon Shiu, Yolanta Beres
Previous work in Economics of Security
Trust economics and insurance perspectives
HP, Trust Economics: A systematic approach to information security decision making
Lloyd's 360° Risk Insight, Managing digital risk: trends, issues and implications for business, 2010
Cloud Stewardship Economics
(funded as collaborative research project by the UK Technology Strategy Board)
Partners: HP Labs, Universities of Aberdeen and Bath, IISP, Lloyds of London, Sapphire, Validsoft, Marmalade Box
Why cloud (ecosystem) – Cloud procurement/consumption/dependence has risks beyond outsourcing:
• Services available and their trust and consumption are determined by the market (rather than bespoke agreements)
• All stakeholders are affected by the choices and actions of (all) other stakeholders
Why (information) stewardship – Information management in the cloud requires a broader notion than security, specifically a theory for stewardship:
• Beyond security – Cloud stakeholders will be obliged to manage information on behalf of others and to trust/depend on others to manage their information
• There is also a dependence on the robustness, resilience and sustainability of the whole ecosystem
• A theory for stewardship must encompass/broaden our notions of assurance, trust, obligation, incentives, utility/preference, hence economics!
Cloud Stewardship Economics is about:
• Exploring the concept of information stewardship in the context of cloud ecosystems
• Applying economic and mathematical modelling techniques to help stakeholders make strategy and policy decisions
Two Modelling Approaches Used
System Modelling (developed solely in HP Labs)
• Capturing behaviour of the different entities of the system
• Using real option and utility theory
• Firms make service procurement choices based on preferences
• Utility functions are used to match firms to service providers and the aim is to maximize the utility
• Developed in Gnosis modelling and simulation toolset
Rational Expectation Modelling (developed in collaboration with economists at Business School of Aberdeen University)
• Capturing market behaviour, such as the supply/demand nature
• Firms make service procurement choices based on rational expectations of the market
• The market has varying levels of information asymmetry between suppliers and demanders
• Prices are solved/derived so that the market moves towards equilibrium
The Cloud Ecosystem Model
Main elements
• Consumers (enterprises)
• Cloud service providers
• Cloud platform providers
Ecosystem evolves based on endogenous and exogenous factors
• Endogenous: participant behaviours, reputation, satisfaction, etc.
• Exogenous: ecosystem shocks (e.g. economy downturn, regulation, etc.)
The Rational Expectation Modelling
Utility Theory
C, A, I: outcomes (security and cost), namely Breach Prevention, Assurance, Business Performance
Ĉ, Â, and Î represent the decision-maker's targets for these outcomes
Utility function: U = ω1 f1(C – Ĉ) + ω2 f2(A – Â) + ω3 f3(I – Î)
• weights ωi (1 ≤ i ≤ 3) represent the decision-maker's preferences between the component outcomes
• functions fi (1 ≤ i ≤ 3) represent the decision-maker's tolerance for variance from the targets
Expected value of the utility function as a mathematical system model which captures the structure of the system in terms of its key components and which can be executed in order to simulate the behaviour of the system in the presence of stochastic shocks
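The utility function U = ω1 f1(C – Ĉ) + ω2 f2(A – Â) + ω3 f3(I – Î), worked through as an added example (not code from the deck or from HP's Gnosis toolset): a firm ranks procurement options by utility and estimates expected utility under a stochastic breach shock. The quadratic, asymmetric form of the tolerance functions fi, the sample targets, weights and providers, and the shock model are all assumptions, since the deck leaves them unspecified.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

@dataclass(frozen=True)
class Outcomes:
    """The deck's three outcomes, each scored on [0, 1]: C breach prevention,
    A assurance, I business performance."""
    c: float
    a: float
    i: float

def tolerance(below: float = 1.0, above: float = 0.25) -> Callable[[float], float]:
    """Build an f_i: a quadratic penalty on variance from the target. The deck
    does not fix the form of f_i, so this is an assumption: falling short of
    the target costs `below` per unit squared, overshooting only `above`."""
    def f(delta: float) -> float:
        return -(below if delta < 0 else above) * delta * delta
    return f

def utility(outcome: Outcomes, target: Outcomes, weights: Sequence[float],
            fns: Sequence[Callable[[float], float]]) -> float:
    """U = w1 f1(C - C^) + w2 f2(A - A^) + w3 f3(I - I^); the weights encode
    the decision-maker's preferences between the three outcomes."""
    deltas = (outcome.c - target.c, outcome.a - target.a, outcome.i - target.i)
    return sum(w * f(d) for w, f, d in zip(weights, fns, deltas))

def rank_providers(providers: Dict[str, Outcomes], target: Outcomes,
                   weights, fns) -> List[Tuple[str, float]]:
    """Match a firm to candidate providers: highest utility first, which is
    the matching criterion the system model uses."""
    scored = [(name, utility(o, target, weights, fns)) for name, o in providers.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)

def expected_utility(outcome: Outcomes, target: Outcomes, weights, fns,
                     shock_prob: float, shock_size: float,
                     n: int = 10000, seed: int = 0) -> float:
    """Monte Carlo expected utility under a stochastic breach shock (assumed
    model): in each simulated period C drops by shock_size with probability
    shock_prob, so the expectation is over the shock distribution."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n):
        c = outcome.c - (shock_size if rng.random() < shock_prob else 0.0)
        shocked = Outcomes(max(c, 0.0), outcome.a, outcome.i)
        total += utility(shocked, target, weights, fns)
    return total / n

# Constructed sample input: one firm's targets and preferences, three options.
TARGET = Outcomes(c=0.9, a=0.8, i=0.7)
WEIGHTS = (0.5, 0.3, 0.2)
FNS = (tolerance(), tolerance(), tolerance())
PROVIDERS = {
    "provider_A": Outcomes(0.95, 0.70, 0.80),
    "provider_B": Outcomes(0.80, 0.85, 0.90),
    "inhouse": Outcomes(0.90, 0.80, 0.60),
}

if __name__ == "__main__":
    for name, u in rank_providers(PROVIDERS, TARGET, WEIGHTS, FNS):
        print(f"{name:11s} U = {u:+.5f}")
    eu = expected_utility(PROVIDERS["provider_A"], TARGET, WEIGHTS, FNS, 0.3, 0.2)
    print(f"provider_A expected U, 30% chance of a 0.2 breach shock: {eu:+.5f}")
```

With these weights the firm prefers in-house IT because it hits the security targets exactly, even though it underperforms on business performance; raising ω3 or lowering the shortfall penalty flips the ranking, which is the kind of assumption the deck's scenario workshops explore.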
Methodology
[Figure: observation of real-world empirical data, models, deduction of cause and effect, real-world consequences, conclusions, refinement]
Approach
• Developed different viewpoints on the future resilience, winners & losers, sustainability, risks of the cloud ecosystem
• Created models that illustrate these viewpoints
• Create different scenario driven simulations around the models that show how the ecosystem would evolve
Engaging Stakeholders
• Engage the stakeholders in our viewpoints and models
• Engage the stakeholders to verify the models and assumptions
Results
• Broaden the notion of cloud information risks: federation/interdependency of outcomes, sustainability and resilience
• Promote modelling and scenario planning as a risk analysis methodology
Cloud Stewardship Economics
Scenario Planning / War gaming
Engaging the security profession
Scenario planning workshops based on economic and system models of the cloud ecosystem
Focus on visualization and interaction for cloud stakeholder engagement
Simulations exploring consequences of:
• Different consuming preferences
• Information asymmetry
• Robustness to 'shocks'
Visualising Simulation Data
The model (and results) are not easily understood by non-modelers
• There are gigabytes of data to analyze
• Difficult to engage the actual stakeholders
Hence we built a visualization suite to explore the model and simulation results
Global Ecosystem View
Entities are organised on a 3-dimensional sphere
Two centres of gravity:
• Top represents cloud service provision
• Bottom represents in-house IT provision
Platforms organise around the top centre of gravity
Providers organise around them, depending on the platform they use
Consumer placement depends on how much cloud vs. in-house IT is consumed, and provider placement
Cloud Stewardship Workshops
Scenarios
• SMEs and start ups rush to the cloud
• Security/reputation 'shocks' affect the cloud ecosystem
• Information asymmetry on risk affects market stability
• Regulation and economic shocks change the winners and losers
Structured scenario planning approach based on rigorous modelling is effective
• In promoting shared understanding of stewardship concerns
• For initiating discussion between various stakeholders
• Capturing various assumptions of the cloud ecosystem
Visualisation tool is a very compelling way to
• Make the models and their results accessible to a wide range of audiences
• Enable easy exploration of multiple assumptions and predictions
• Stimulate further discussion
Cloud Stewardship Economics
Outcomes
A series of workshops and empirical studies
A series of economic and system models to explore cloud stewardship risks
• A real options model for/of cloud migration
• Game theoretic models exploring the effects of public policy and insurance
• Ecosystem models exploring assumptions and effects of information asymmetry, switching, lock-in, robustness to shocks, and so on
A visualization tool for engaging stakeholders in the ecosystem models
Refined methodology for model-based scenario planning
Innovation
Macro perspectives of economics in cyber security and privacy
SecCord
Security and Trust Coordination and Enhanced Collaboration
http://www.seccord.eu/
http://www.cspforum.eu/
Acknowledgments: Nick Wainwright, Dharm Kapletia
Rationale
Engaging Stakeholders
Industry Role
• Defining/clarifying the role of industry in European R&D in cyber security and privacy
• Bringing innovation to market
• Deploying technological solutions enhancing cyber security and privacy
Research Directions
• Increasing the impact of R&D in cyber security and privacy
• Integrated Innovation Management Framework
An Innovation Problem
Technology Readiness vs. Innovation
• How to reduce risk?
• How to improve technology?
• How to stimulate market?
Innovation Pathways
• R&D driven by market, user and consumer needs
• R&D delivering innovation across application domains
• R&D creating new markets
• Complex R&D problems requiring collaborative and strategic effort
Research Directions in Cyber Security and Privacy
• Alignment between markets and users and consumers' needs
• Unclear strategies for investment and decision making
• Economics of R&D
• Users and consumers' dissatisfaction/mistrust
• R&D solutions searching for problems across domains
• National and International Legal Framework(s) for innovation
• Unclear market conditions and coopetition among stakeholders
• International Cooperation for innovation
• Missed opportunities and lack of innovation
• Small-scale solutions for large-scale problems
Integrated Innovation Management Framework
Rationale
How can we increase the impact of publicly funded R&D in Cybersecurity?
What are the experiences of stakeholders in the cybersecurity ecosystem?
• Including all groups and types of stakeholder
• Across the end-to-end process (funding -> return on investment)
What is the health of the current innovation ecosystem?
Where can stakeholders make improvements to increase impact?
Identified problems
• Lack of a systematic review of R&D in cybersecurity
• Lack of focus on impact assessment
• No integrated strategic and operational view of R&D and innovation
• Public-private collaborations involve complex interactions and are inadequate for deploying R&D outputs
Integrated Framework for Investigation
[Figure: problem dimensions and the different factors affecting impact]
Road Mapping Exercise
Engaging Stakeholders
Example: R&D Market and Policy
• National Security Priorities
• Market Incentives
• Exploiting the Talent Base
• Technology Transfer
• Systems of Systems Approach
• Intellectual Property
• Technology Readiness
• Effective Prototyping
• Deployment Process
• Business Case
D. Kapletia, M. Felici, N. Wainwright, An Integrated Framework for Innovation Management in Cyber Security and Privacy. In Cyber Security and Privacy, Springer-Verlag, CCIS 470, 2014. (To Appear)
Preliminary Trends
Sample Stakeholder Population
TECHNOLOGY READINESS AND MATURITY
• Technology usages
• Further support mechanisms
• Feedback from end users
• Economic incentives and investments
• Metrics for cyber security and privacy
• Role of large enterprises
TECHNOLOGY TRANSFER
• Stakeholder collaboration
• Integration on new technologies
• Commercialisation and process
• Shared data
• Marketing
MARKET AND POLICY
• Market and technology alignment
• Conflicting views on current publicly-funded research
• Effectiveness of stakeholder forums
• Market regulations
• Role of governments and agencies
Concluding Remarks
Concluding Remarks
Economics and Security
• Economics as driver for technology deployments, assessments and risk mitigation strategies
• Combine economic and system models
• Clarify what models intend to capture
• Validate economic models with stakeholders
• Many (economic/security) models are written for specialists – difficult to communicate and transfer them into practices
Innovation
• Alignment of technologies, economic incentives and markets
• Plan your innovation in terms of technology investments/deployments taking into account economics, market opportunities and R&D strategies
Economics, Security and Innovation
• Security/Privacy metrics/models – yet unclear
• Economics of security/privacy – even more complex
• Innovation in cyber security and privacy without understanding the economics of security/privacy – probably, a utopia
Ongoing Activities
What's New in the Economics of Cybersecurity?
Special Issue, IEEE Security & Privacy
• Abstracts due by 1 December 2014 to the guest editors
• Final submissions due: 1 January 2015
• Publication date: September/October 2015
• http://www.computer.org/portal/web/computingnow/spcfp5
Cyber Security & Privacy R&D Impact in Europe
Survey
Take part in our survey
https://surveymonkey.com/s/cybersecurity-impact
Thank you