security_economics [2017/06/27 02:17] fabio.massacci@unitn.it [The Work Averse Attacker Model] |
security_economics [2018/11/26 00:38] fabio.massacci@unitn.it |
Line 5: | Line 5: | ||
+ | * On the fairness of seucirty taxes in presence on interdependence | ||
+ | * Estimating quantitative likelihood | ||
* Cyber-Insurance: good for your company, bad for your country? | * Cyber-Insurance: good for your company, bad for your country? | ||
- | * The Work Averse Attacker Model | + | * The Work Averse Attacker Model (A different way to consider attackers) |
* Black markets actually work! | * Black markets actually work! | ||
* Risk vs Rule base regulation: what is the best way to regulate? | * Risk vs Rule base regulation: what is the best way to regulate? | ||
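Review bot: the first added list item has two typos, `seucirty taxes` should be `security taxes` and `in presence on interdependence` should be `in presence of interdependence`; since this list is the table of topics for the whole page, fix it before adding the matching section below.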
Line 13: | Line 15: | ||
See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | ||
+ | |||
+ | ==== Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data === | ||
+ | |||
+ | Several definitions of risk exist (probability and impact, uncertainty and expected consequence, etc.) but at the end of the day they all ultimately collapse to the intuitive relation | ||
+ | |||
+ | * //Risk = Impact · Likelihood// | ||
+ | |||
+ | For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. So you get a 5x5 risk matrix, where the interaction between the rare, frequent, ..., certain likelihood levels and the minor, severe, ..., critical consequence levels results in a final 5-level risk evaluation from low to high. This is pretty rough and well known to be full of errors. | ||
+ | |||
+ | In our {{allodi-risa-17.pdf|Risk Analysis paper}}. | ||
+ | |||
==== Cyber-Insurance: good for your company, bad for your country? ==== | ==== Cyber-Insurance: good for your company, bad for your country? ==== | ||
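Review bot: the added heading `==== Beyond 1-5 Risk Matrices: ... ===` opens with four `=` but closes with three, so DokuWiki will not render it at the same level as the neighbouring `==== Cyber-Insurance: good for your company, bad for your country? ====`; make both sides `====`. In the same hunk `stillthe` should be `still the`, and the closing paragraph `In our {{allodi-risa-17.pdf|Risk Analysis paper}}.` is an incomplete sentence that stops before saying what the paper shows; finish it or hold it back until the text is ready. The media link here points at a bare `allodi-risa-17.pdf` while the Publications hunk links the same draft at `http://www.win.tue.nl/~lallodi/allodi-risa-17.pdf`, so one of the two targets is likely wrong. The unchanged context line `if you are interesting in understanding` should read `interested in`.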
Line 59: | Line 72: | ||
If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{:research_activities:economics:model_extended2.pdf|PDF}}). | If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{:research_activities:economics:model_extended2.pdf|PDF}}). | ||
- | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https://securitylab.disi.unitn.it/doku.php?id=vulnerability_discovery_models|vulnerability section]] where we report our work on risk reduction that made its way to the CVSS (COmmon Vulnerability Scoring System) v3 world standard. | + | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https://securitylab.disi.unitn.it/doku.php?id=vulnerability_discovery_models|vulnerability section]] where we report our work on risk reduction that made its way to the CVSS (Common Vulnerability Scoring System) v3 world standard. |
Line 66: | Line 79: | ||
Traditionally, security and economics functionalities in IT fnancial services and protocols (FinTech) have been perceived as separate objectives. In {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|our new paper}} in {{https://www.cl.cam.ac.uk/events/spw2017/|SPW 2017}} We argue that keeping them separate is a bad idea for FinTech Decentralized Autonomous Organizations (DAOs). In fact, security and economics are one for DAOs: we show that the failure of a security property, e.g. anonymity, can destroy a DAOs because economic attacks can be tailgated to security attacks. This is illustrated by the examples of TheDAO (built on the Ethereum platform) and the DAOed version of a Futures Exchange. We claim that **security and economics vulnerabilities**, which we named **seconomics vulnerabilities**, are indeed **new beasts to be reckoned with**. | Traditionally, security and economics functionalities in IT fnancial services and protocols (FinTech) have been perceived as separate objectives. In {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|our new paper}} in {{https://www.cl.cam.ac.uk/events/spw2017/|SPW 2017}} We argue that keeping them separate is a bad idea for FinTech Decentralized Autonomous Organizations (DAOs). In fact, security and economics are one for DAOs: we show that the failure of a security property, e.g. anonymity, can destroy a DAOs because economic attacks can be tailgated to security attacks. This is illustrated by the examples of TheDAO (built on the Ethereum platform) and the DAOed version of a Futures Exchange. We claim that **security and economics vulnerabilities**, which we named **seconomics vulnerabilities**, are indeed **new beasts to be reckoned with**. | ||
- | Our observation is that the //money loss// comes **//indirectly//** from a //security vulnerability// in a //normal// case. When your computer gets infected with a malware you don't immediately lose your money. Only when the hacker finds very complicated ways to monetize your assets then you suffer from the loss. In other words, | + | Our observation is that, in a //normal// case, monetary losses come //indirectly// from security vulnerabilities. When your computer gets infected with a malware you don't immediately lose your money. Only when the hacker finds very complicated ways to monetize your assets then you suffer from the loss. In other words, |
- | + | * security vulnerability ≠ money loss | |
- | security vulnerability ≠ money loss | + | However, it is different for //Decentralised Autonomous Organisation (DAO)// in which the organisation is basically a software running whose information populated on a distributed ledger platform and whose rules are all implemented with the smart contracts (e.g. TheDAO on the Ethereum network). |
- | + | ||
- | However, it is different for //Decentralised Autonomous Organisation (DAO)// in which the organisation is basically a software running that has the information populated on the distributed ledger platform and the rules are all implemented with the smart contracts (e.g. TheDAO on the Ethereum network). | + | |
- | + | ||
- | Our first claim, which follows the DAO definition, is that: | + | |
- | + | ||
- | code = company (A) | + | |
- | + | ||
- | And typically organisations are vectors for money, hence, | + | |
- | + | ||
- | company = money (B) | + | |
- | + | ||
- | Then, from (A) and (B), it follows immediately that, | + | |
- | + | ||
- | code = company = money | + | |
- | + | ||
- | As a result in this case money loss comes **//directly//** from a security vulnerability, i.e. | + | |
- | security vulnerability = money loss | + | ^ ^ ^ ^ |
+ | | Our first claim, which follows the DAO definition, is that | (A) | code = company| | ||
+ | | And typically organisations are vectors for contracts and financial transactions (Tirole) | (B) | company = monetary transactions| | ||
+ | | Then, from (A) and (B), it follows immediately that | (C) | code = monetary transactions | | ||
+ | | As a result in this case money loss comes //directly// from a security vulnerability, i.e. | | security vulnerability = monetary loss | | ||
Then we would certainly wonder //"When we face a loss in a DAO, can we undo the damages?"// Unfortunately, the answer is that **there is no possible technical fix for the DAO**, as the thing that happened is the balkanization of the Ethereum network. | Then we would certainly wonder //"When we face a loss in a DAO, can we undo the damages?"// Unfortunately, the answer is that **there is no possible technical fix for the DAO**, as the thing that happened is the balkanization of the Ethereum network. | ||
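Review bot: the new table's header row `^ ^ ^ ^` renders as three empty header cells; either name the columns (for example `^ Claim ^ Label ^ Relation ^`) or drop the row, since a DokuWiki table does not need one. The last row's middle cell is empty while the others carry (A), (B) and (C); labelling it (D) keeps the derivation readable. That row also concludes `security vulnerability = monetary loss` from (C) `code = monetary transactions`, so the step from transactions to loss is asserted rather than derived and deserves one connecting sentence (the old text had `company = money`, which made the jump shorter). Minor: `whose information populated on` is missing `is`, and the unchanged context still carries `fnancial` and `destroy a DAOs`.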
Line 206: | Line 207: | ||
===== People ===== | ===== People ===== | ||
- | The following is a list a people that has been involved in the project at some point in time. | + | The following is a list a people who have been involved in the project |
- | * Luca Allodi (TU Eindhoven) | + | * [[http://www.win.tue.nl/~lallodi/|Luca Allodi]] (TU Eindhoven) |
+ | * Martina De Gramatica | ||
* [[http://www.massacci.org|Fabio Massacci]] | * [[http://www.massacci.org|Fabio Massacci]] | ||
- | * Martina De Gramatica\ | + | * [[https://sites.google.com/g.unitn.it/namnc/home|Chan Nam Ngo]] |
- | * Woohyun Shim (now at KAP) | + | * [[https://www.researchgate.net/profile/Woohyun_Shim3|Woohyun Shim]] (now at KIPA) |
- | * Julian Williams (Visiting from Durham University) | + | * [[https://www.dur.ac.uk/research/directory/staff/?id=12374|Julian Williams]] (Visiting from Durham University) |
===== Projects ===== | ===== Projects ===== | ||
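Review bot: the rewritten intro line `The following is a list a people who have been involved in the project` keeps the `list a people` typo (`list of people`) and now ends without a full stop; dropping `at some point in time` also makes it read as if everyone listed is currently involved, which the `(now at KIPA)` and `(Visiting from Durham University)` annotations contradict, so keep a qualifier. The affiliation for Woohyun Shim changes from `KAP` to `KIPA` in this hunk; worth a second look that the new spelling is the intended one. Martina De Gramatica is now the only entry without a link.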
Line 223: | Line 225: | ||
===== Publications ===== | ===== Publications ===== | ||
+ | * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{http://onlinelibrary.wiley.com/resolve/doi?DOI=10.1111/risa.12864|PDF at Publisher}}, {{http://www.win.tue.nl/~lallodi/allodi-risa-17.pdf|Authors' draft}} | ||
* F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|Author's Draft PDF}} | * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|Author's Draft PDF}} | ||
* L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF}} | * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF}} |
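Review bot: the new Risk Analysis entry has no space between `2017.` and `{{http://onlinelibrary.wiley.com/resolve/doi?DOI=10.1111/risa.12864|PDF at Publisher}}`, so the link runs into the year. It is still marked `To appear in` even though the publisher link already carries a DOI; if the article is out, replace `To appear in` with the volume, issue and pages. The link labels are inconsistent across the list (`Author's Draft PDF`, `PDF`, and now `Authors' draft`); pick one form.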