Cyber-crime Science = Crime Science + Information Security

The Economics of Security
[And08a] R. J. Anderson, R. Boehme, R. Clayton, and T. Moore. Security economics
and the internal market. Technical report, ENISA - the European Network and
Information Security Agency, Jan 2008. http://www.enisa.europa.eu/act/sr/reports/econsec/economics-sec
Market failure
 Asymmetric information
 Perverse Incentives
» Tragedy of the Commons
 Externalities
 Liability assignment
 Lack of diversity
 Fragmentation of legislation
5
Cyber-crime Science
Asymmetric information
 One party knows more than another,
hence the bad drives out the good
6
Cyber-crime Science
Security example
 SW vendors make claims about security
but buyers have no reason to trust them
» Few buy “secure” version of system [And06a] p. 612
7
Cyber-crime Science
Perverse incentives
 Incentive with unintended result
» Researchers pay for bone fragments hence the locals
smash up large finds
» Remedy?
 Taking risk when the costs will be borne
by others
» E.g. driving carelessly with well insured car
» Speed limit enforcement
9
Cyber-crime Science
Security examples
 Bank card fraud
» UK banks not liable leading to more fraud (why?)
» US banks are liable leading to less fraud
 Anti-virus product purchase
» Consumers will not spend money to protect their PC
(why?)
» Remedies?
[And06a] R. J. Anderson and T. Moore. The economics of information security.
Science, 314(5799):610-613, Oct 2006. http://dx.doi.org/10.1126/science.1130992
[And94a] R. J. Anderson. Why cryptosystems fail. Commun. ACM, 37(11):32-40, Nov
1994. http://dx.doi.org/10.1145/188280.188291
10
Cyber-crime Science
Tragedy of the Commons
 Self-interest depletes common good
 Remedy?
11
Cyber-crime Science
Security Examples
 Phishing
» Growth in SPAM
& phishing (so?)
» Often reported
cost of phishing
inaccurate (why?)
Population
Wealth
[Her08] C. Herley and D. Florêncio. A profitless endeavor: phishing as tragedy of the
commons. In Workshop on New security paradigms (NSPW), pages 59-70, Lake
Tahoe, California, USA, Sep 2008. ACM. http://dx.doi.org/10.1145/1595676.1595686
12
[Flo11b] D. Florêncio and G. Herley. Sex, lies and cyber-crime surveys. Technical
report MSR-TR-2011-75, Microsoft Research, Jun 2011.
http://research.microsoft.com/apps/pubs/default.aspx?id=149886
Cyber-crime Science
Externalities
 Caused by large external cost
 Control?
13
Cyber-crime Science
Security examples
 System reliability
» Program correctness depends on minimum effort (why?)
» Program testing depends on sum of efforts
» Fewer but better coders, more testers ([And06a] p611)
 Botnets
» Herder activity raises costs for users & ISPs (why?)
» More later
[Eet09] M. van Eeten and J. M. Bauer. Emerging threats to Internet security: Incentives,
externalities and policy implications. J. of Contingencies and Crisis Management,
17(4):221-232, Dec 2009. http://dx.doi.org/10.1111/j.1468-5973.2009.00592.x
14
Cyber-crime Science
Network Externalities
 More users makes it more useful up to a
point when congestion happens
15
Cyber-crime Science
Security examples
 Digital “pollution”
» An infected PC because it harms others on the net
» Quarantine ([And08a] p51)
» An ISP with many infected customers (why?)
» Blacklist
16
Cyber-crime Science
Liability assignment
 Liability should be assigned to the party
that can best manage the risk
» Buyer or vendor?
» Patient strategy ([And08a] p59)
[And01b] R. J. Anderson. Why information security is Hard-An economic perspective. In
17th Annual Computer Security Applications Conf. (ACSAC), pages 358-365, New
Orleans, Louisiana, Dec 2001. IEEE. http://dx.doi.org/10.1109/ACSAC.2001.991552
17
Cyber-crime Science
Security examples
 Software liability
» The Customer shall be responsible
for securing all Means of Access
and any other means used by or
under the control of the Customer or
other holders, which may be applied
in order to use the Means of Access
on behalf of the Customer. Any
misuse of Means of Access or the
other means referred tot shall
therefore be at the Customer’s risk.
» Make vendors liable ([And08a] p
59)
19
Cyber-crime Science
Lack of diversity
 Absence of single point of failure (why?)
20
Cyber-crime Science
Security examples
 Monoculture
» Common architecture with common bugs
» Open standards
» Governments requiring MS formats
» City of Munich uses Linux ([And08a] p 71)
21
Cyber-crime Science
Fragmentation of legislation
22
Cyber-crime Science
Security examples
 Few cyber criminals are ever caught
(why?)
 Joint operations and Mutual Legal
Assistance Treaties ([And08a] p81)
 Cyber-security co-operation (NATO model)
23
Cyber-crime Science
Conclusions
 Openness about incidents
 Incentives for the ISPs
 Liability for the vendors
 Responsibility for the users
35
Cyber-crime Science