Economics, Security and Innovation
Massimo Felici
Security and Cloud Lab, Hewlett-Packard Laboratories
© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Overview
• Innovation in cyber security and privacy
  – Economics as driver for innovation
• Micro perspectives
  – Economics of security in the cloud
  – Trust economics
• Macro perspectives
  – Integrated framework for innovation management
  – Ongoing stakeholder consultation
• Concluding remarks
• Ongoing activities

Economic drivers for innovation in cyber security and privacy
Rationale

Economics of Information Security
• Increasing spending in information security
• Impact and severity of security breaches are getting bigger too
Source: The Economist, Defending the Digital Frontier, Special Report on Cyber-Security, July 12th 2014

Economic barriers to Information Security
Technical/Organisational
• Information asymmetries – one party to a transaction has better information than the other
• Lack of diversity in platforms and network technologies
Economic impact of security (breaches)
• Externalities – effects (positive or negative) on third parties of economic transactions
• Liability dumping
• Information security as market differentiator
Legal
• Fragmentation of legislation and law enforcement
• Need for legal cooperation
Source: ENISA, Security Economics and the Internal Market, 2008

Transitioning Cyber Security Research into Practice
[Figure: Research → "Valley of Death" → Practice]
Some issues
• Insufficient awareness of the complexity of cyber security tech transfer
• A scattershot approach to R&D
• Mismatch between market and threat environment
Some success factors
• Pervasive emphasis on technology transition
• Early involvement
• Active engagements
• Customer and market needs
• Value creation
• Innovation champions
• Innovation teams
• Organisational alignment
Sources: D. Maughan, D. Balenson, U. Lindqvist, Z. Tudor, Crossing the "Valley of Death": Transitioning Cybersecurity Research into Practice, IEEE Security & Privacy, March/April 2013; T.V. Benzel, S. Lipner, Crossing the Great Divide: Transferring Security Technology from Research to the Market, IEEE Security & Privacy, March/April 2013

Economics and Security
Economics of Security in the Cloud
Micro perspectives of economics in cyber security and privacy

Cloud Economics
Market: IDC forecasts worldwide public IT cloud services spending to reach nearly $108 billion by 2017 as focus shifts from savings to innovation (IDC, Worldwide and Regional Public IT Cloud Services 2013–2017 Forecast, 2013)
Economics of Security: The Economist, Securing the Cloud, 2002

Cyber Security Economics
• Data about cyber security threats and attacks are continuously updated by surveys and new information
• Need to assess the effectiveness of implemented measures
• Various studies (models) on the economics of security
Comparing economic models of cyber security
• Is the model complete?
• Is the model consistent?
• Is the model transparent?
• Is the model accurate?
• Is the model conservative?
• Does the model provide insight?
Source: S.L. Pfleeger, R. Rue, Cybersecurity Economic Issues: Clearing the Path to Good Practice, IEEE Software, January/February 2008

Economics of Security in the Cloud
What I learned from discussing such problems (ESC Workshop at IEEE CloudCom 2013)
What is the cloud?
• Multiple deployment models and operational scenarios
• Often, lack of details in the models
What are cloud offerings?
• Different business models/costs
• Cloud offerings may look similar, but (technical) details are important
How do we assess cloud ecosystems?
• Who is the weakest link?
• Economics/security across cloud supply chains
How do we address cloud governance?
• Alternative governance models – centralised, decentralised, delegation of responsibility, third-party certification
• Difficult to assess governance models
Do we understand the cost/benefit of security investment?
• Security metrics are still a problem
• Assessing a moving target
Economics/security models
• Often written for the modellers, not for the users of such models

Cloud Stewardship Economics
Acknowledgments: Simon Shiu, Yolanta Beres

Previous work in Economics of Security
Trust economics and insurance perspectives
• HP, Trust Economics: A systematic approach to information security decision making [PDF]
• Lloyd's 360° Risk Insight, Managing digital risk: trends, issues and implications for business, 2010 [PDF]
Cloud Stewardship Economics
(funded as a collaborative research project by the UK Technology Strategy Board)
Partners: HP Labs, Universities of Aberdeen and Bath, IISP, Lloyds of London, Sapphire, Validsoft, Marmalade Box
Why cloud (ecosystem) – cloud procurement/consumption/dependence has risks beyond outsourcing:
• Services available and their trust and consumption are determined by the market (rather than bespoke agreements)
• All stakeholders are affected by the choices and actions of (all) other stakeholders
Why (information) stewardship – information management in the cloud requires a broader notion than security, specifically a theory for stewardship:
• Beyond security – cloud stakeholders will be obliged to manage information on behalf of others and to trust/depend on others to manage their information
• There is also a dependence on the robustness, resilience and sustainability of the whole ecosystem
• A theory for stewardship must encompass/broaden our notions of assurance, trust, obligation, incentives, utility/preference, hence economics!
Cloud Stewardship Economics is about:
• Exploring the concept of information stewardship in the context of cloud ecosystems
• Applying economic and mathematical modelling techniques to help stakeholders make strategy and policy decisions
Two Modelling Approaches Used
System Modelling (developed solely in HP Labs)
• Capturing behaviour of the different entities of the system
• Using real option and utility theory
• Firms make service procurement choices based on preferences
• Utility functions are used to match firms to service providers; the aim is to maximise the utility
• Developed in the Gnosis modelling and simulation toolset
Rational Expectation Modelling (developed in collaboration with economists at the Business School of Aberdeen University)
• Capturing market behaviour, such as the supply/demand nature
• Firms make service procurement choices based on rational expectations of the market
• The market has varying levels of information asymmetry between suppliers and demanders
• Prices are solved/derived so that the market moves towards equilibrium

The Cloud Ecosystem Model
Main elements
• Consumers (enterprises)
• Cloud service providers
• Cloud platform providers
The ecosystem evolves based on endogenous and exogenous factors
• Endogenous: participant behaviours, reputation, satisfaction, etc.
• Exogenous: ecosystem shocks (e.g. economic downturn, regulation, etc.)
The Rational Expectation Modelling – Utility Theory
C, A, I: outcomes (security and cost) – Breach Prevention, Assurance, Business Performance
Ĉ, Â and Î represent the decision-maker's targets for these outcomes
Utility function: U = ω1 f1(C – Ĉ) + ω2 f2(A – Â) + ω3 f3(I – Î)
• The weights ωi (1 ≤ i ≤ 3) represent the decision-maker's preferences between the component outcomes
• The functions fi (1 ≤ i ≤ 3) represent the decision-maker's tolerance for variance from the targets
The expected value of the utility function serves as a mathematical system model: it captures the structure of the system in terms of its key components and can be executed in order to simulate the behaviour of the system in the presence of stochastic shocks.

Methodology
Approach
[Diagram: Observation → Empirical data → Models → Deduction (cause & effect) → Real-world consequences → Interpretation → Results/conclusions → Refinement]
Models
• Developed different viewpoints on the future resilience, winners & losers, sustainability and risks of the cloud ecosystem
• Created models that illustrate these viewpoints
Engaging Stakeholders
• Create different scenario-driven simulations around the models that show how the ecosystem would evolve
• Engage the stakeholders in our viewpoints and models
• Engage the stakeholders to verify the models and assumptions
Results
• Broaden the notion of cloud information risks: federation/interdependency of outcomes, sustainability and resilience
• Promote modelling and scenario planning as a risk analysis methodology
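The utility function above, carried through as an added illustration (not the HP Labs Gnosis model or any code from the project): a firm with targets Ĉ, Â, Î scores candidate offerings by expected utility over a small set of exogenous shock scenarios and is matched to the maximiser. The tolerance functions f_i (asymmetric piecewise-linear), the 0..1 outcome scores, the shock model and the provider names are all assumptions made here.

```python
"""Utility-based matching of a firm to cloud offerings, in the shape of the
deck's U = w1*f1(C - C^) + w2*f2(A - A^) + w3*f3(I - I^).
Added example; the f_i, scores and shock model below are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Outcome:
    """C, A, I outcomes on a 0..1 scale (constructed scores, not survey data)."""
    breach_prevention: float     # C
    assurance: float             # A
    business_performance: float  # I

    def deltas(self, target: "Outcome") -> Tuple[float, float, float]:
        """Distances from the decision-maker's targets: (C - C^, A - A^, I - I^)."""
        return (self.breach_prevention - target.breach_prevention,
                self.assurance - target.assurance,
                self.business_performance - target.business_performance)


def tolerance(delta: float, shortfall_penalty: float = 2.0,
              overshoot_gain: float = 0.5) -> float:
    """Assumed f_i: piecewise linear and asymmetric, so missing a target
    costs more than exceeding it earns (the deck does not fix the f_i)."""
    return overshoot_gain * delta if delta >= 0 else shortfall_penalty * delta


def utility(outcome: Outcome, target: Outcome,
            weights: Tuple[float, float, float]) -> float:
    """U = sum_i w_i * f_i(outcome_i - target_i)."""
    return sum(w * tolerance(d) for w, d in zip(weights, outcome.deltas(target)))


Shock = Tuple[float, Callable[[Outcome], Outcome]]  # (probability, effect)


def expected_utility(outcome: Outcome, target: Outcome,
                     weights: Tuple[float, float, float],
                     shocks: List[Shock]) -> float:
    """Expectation of U over a discrete set of exogenous shock scenarios."""
    return sum(p * utility(effect(outcome), target, weights) for p, effect in shocks)


def choose_offer(offers: Dict[str, Outcome], target: Outcome, weights, shocks) -> str:
    """Match the firm to the offering that maximises expected utility."""
    return max(offers, key=lambda n: expected_utility(offers[n], target, weights, shocks))


def breach(o: Outcome) -> Outcome:
    """Constructed 'security shock': a breach lowers prevention and performance."""
    return Outcome(max(0.0, o.breach_prevention - 0.3), o.assurance,
                   max(0.0, o.business_performance - 0.2))


# Constructed scenario: one firm's targets, three hypothetical offerings,
# and a 10% chance of the breach shock hitting whichever offering is chosen.
TARGET = Outcome(0.8, 0.7, 0.6)
OFFERS = {
    "cheap_cloud": Outcome(0.6, 0.5, 0.9),
    "assured_cloud": Outcome(0.85, 0.8, 0.65),
    "in_house": Outcome(0.8, 0.7, 0.5),
}
SHOCKS: List[Shock] = [(0.9, lambda o: o), (0.1, breach)]
SECURITY_FIRST = (0.5, 0.3, 0.2)  # weights favouring breach prevention
GROWTH_FIRST = (0.1, 0.1, 0.8)    # weights favouring business performance

if __name__ == "__main__":
    for weights in (SECURITY_FIRST, GROWTH_FIRST):
        print(weights, "->", choose_offer(OFFERS, TARGET, weights, SHOCKS))
```

Changing only the weights ωi moves the match from the assured offering to the cheap one, which is the "different consuming preferences" effect the workshop simulations explore.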
Cloud Stewardship Economics – Scenario Planning / War Gaming
Engaging the security profession
• Scenario planning workshops based on economic and system models of the cloud ecosystem
• Focus on visualisation and interaction for cloud stakeholder engagement
Simulations exploring the consequences of:
• Different consuming preferences
• Information asymmetry
• Robustness to 'shocks'

Visualising Simulation Data
The model (and results) are not easily understood by non-modellers
• There are gigabytes of data to analyse
• Difficult to engage the actual stakeholders
Hence we built a visualisation suite to explore the model and simulation results

Global Ecosystem View
• Entities are organised on a 3-dimensional sphere
• Two centres of gravity:
  – Top represents cloud service provision
  – Bottom represents in-house IT provision
• Platforms organise around the top centre of gravity
• Providers organise around them, depending on the platform they use
• Consumer placement depends on how much cloud vs. in-house IT is consumed, and on provider placement
Cloud Stewardship Workshops
Scenarios
• SMEs and start-ups rush to the cloud
• Security/reputation 'shocks' affect the cloud ecosystem
• Information asymmetry on risk affects market stability
• Regulation and economic shocks change the winners and losers
A structured scenario planning approach based on rigorous modelling is effective
• In promoting shared understanding of stewardship concerns
• For initiating discussion between various stakeholders
• For capturing various assumptions of the cloud ecosystem
The visualisation tool is a very compelling way to
• Make the models and their results accessible to a wide range of audiences
• Enable easy exploration of multiple assumptions and predictions
• Stimulate further discussion

Cloud Stewardship Economics – Outcomes
• A series of workshops and empirical studies
• A series of economic and system models to explore cloud stewardship risks
  – A real options model for/of cloud migration
  – Game-theoretic models exploring the effects of public policy and insurance
  – Ecosystem models exploring assumptions and effects of information asymmetry, switching, lock-in, robustness to shocks, and so on
• A visualisation tool for engaging stakeholders in the ecosystem models
• A refined methodology for model-based scenario planning

Innovation
Macro perspectives of economics in cyber security and privacy

SecCord – Security and Trust Coordination and Enhanced Collaboration
http://www.seccord.eu/
http://www.cspforum.eu/
Acknowledgments: Nick Wainwright, Dharm Kapletia

Rationale – Engaging Stakeholders
Industry Role
• Defining/clarifying the role of industry in European R&D in cyber security and privacy
• Bringing innovation to market
• Deploying technological solutions enhancing cyber security and privacy
Research Directions
• Increasing the impact of R&D in cyber security and privacy
• Integrated Innovation Management Framework

An Innovation Problem
Technology Readiness vs. Innovation
• How to reduce risk?
• How to improve technology?
• How to stimulate the market?

Innovation Pathways
• R&D driven by market, user and consumer needs
• R&D delivering innovation across application domains
• R&D creating new markets
• Complex R&D problems requiring collaborative and strategic effort

Research Directions in Cyber Security and Privacy
• Alignment between markets and users' and consumers' needs
• Unclear strategies for investment and decision making
• Economics of R&D
• Users' and consumers' dissatisfaction/mistrust
• R&D solutions searching for problems across domains
• National and international legal framework(s) for innovation
• Unclear market conditions and coopetition among stakeholders
• International cooperation for innovation
• Missed opportunities and lack of innovation
• Small-scale solutions for large-scale problems

Integrated Innovation Management Framework – Rationale
How can we increase the impact of publicly funded R&D in cybersecurity?
• What are the experiences of stakeholders in the cybersecurity ecosystem?
  – Including all groups and types of stakeholder
  – Across the end-to-end process (funding -> return on investment)
• What is the health of the current innovation ecosystem?
• Where can stakeholders make improvements to increase impact?
Identified problems
• Lack of a systematic review of R&D in cybersecurity
• Lack of focus on impact assessment
• No integrated strategic and operational view of R&D and innovation
• Public-private collaborations involve complex interactions and are inadequate for deploying R&D outputs

Integrated Framework for Investigation
[Diagram: Problem – Different factors – Dimensions affecting impact]

Road Mapping Exercise – Engaging Stakeholders (Example)
Dimensions: R&D, Technology Transfer, Market and Policy
Topics: National Security Priorities, Market Incentives, Exploiting the Talent Base, Systems of Systems Approach, Intellectual Property, Technology Readiness, Effective Prototyping, Deployment Process, Business Case
Source: D. Kapletia, M. Felici, N. Wainwright, An Integrated Framework for Innovation Management in Cyber Security and Privacy. In Cyber Security and Privacy, Springer-Verlag, CCIS 470, 2014. (To appear)

Preliminary Trends

Sample Stakeholder Population
[Figure: sample stakeholder population]
TECHNOLOGY READINESS AND MATURITY
• Technology usages
• Further support mechanisms
• Feedback from end users
• Economic incentives and investments
• Metrics for cyber security and privacy
• Role of large enterprises

TECHNOLOGY TRANSFER
• Stakeholder collaboration
• Integration of new technologies
• Commercialisation and process
• Shared data
• Marketing

MARKET AND POLICY
• Market and technology alignment
• Conflicting views on current publicly-funded research
• Effectiveness of stakeholder forums
• Market regulations
• Role of governments and agencies

Concluding Remarks

Concluding Remarks
Economics and Security
• Economics as a driver for technology deployments, assessments and risk mitigation strategies
• Combine economic and system models
• Clarify what models intend to capture
• Validate economic models with stakeholders
• Many (economic/security) models are written for specialists – difficult to communicate and transfer them into practice
Innovation
• Alignment of technologies, economic incentives and markets
• Plan your innovation in terms of technology investments/deployments, taking into account economics, market opportunities and R&D strategies
Economics, Security and Innovation
• Security/privacy metrics/models are still unclear
• Economics of security/privacy is even more complex
• Innovation in cyber security and privacy without understanding the economics of security/privacy is, probably, a utopia

Ongoing Activities

What's New in the Economics of Cybersecurity?
Special Issue, IEEE Security & Privacy
• Abstracts due by 1 December 2014 to the guest editors
• Final submissions due: 1 January 2015
• Publication date: September/October 2015
• http://www.computer.org/portal/web/computingnow/spcfp5

Cyber Security & Privacy R&D Impact in Europe – Survey
Take part in our survey: https://surveymonkey.com/s/cybersecurity-impact

Thank you