User Tools
security_economics
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
security_economics [2017/06/27 02:12] fabio.massacci@unitn.it [Themes] |
security_economics [2021/01/29 10:58] (current) |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| + | * On the fairness of seucirty taxes in presence on interdependence | ||
| + | * Estimating quantitative likelihood | ||
| * Cyber-Insurance: good for your company, bad for your country? | * Cyber-Insurance: good for your company, bad for your country? | ||
| - | * The Work Averse Attacker Model | + | * The Work Averse Attacker Model (A different way to consider attackers) |
| * Black markets actually work! | * Black markets actually work! | ||
| * Risk vs Rule base regulation: what is the best way to regulate? | * Risk vs Rule base regulation: what is the best way to regulate? | ||
| Line 14: | Line 16: | ||
| See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | ||
| - | ==== Cyber-Insurance: good for your company, bad for your country? ==== | + | ==== Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data === |
| - | Our {{:research_activities:economics:aer-cyberinsurance.pdf|Cyber-insurance paper}} at the [[http://weis2017.econinfosec.org/|Workshop on Economics of Security 2017]] shows that in spite of what Bruce Schenider and the US Congress think, cyber-insurance might be a bad idea. | + | Several definitions of risk exist (probability and impact, uncertainty and expected consequence, etc.) but at the end of the day they all ultimately collapse to the intuitive relation |
| - | 'Cyberinsurance' is a broad industry term indicating a corporate liability insurance covering damages due to security breaches of the IT corporate infrastructure. | + | * //Risk = Impact · Likelihood// |
| - | It is a booming market that raises significant expectations: several policy makers (e.g. the UK Paymaster General and the US Senate Committee on Security), and several cyber experts (e.g. Bruce Schneier) have heralded it as a mechanism for efficiently valuing the cost of cyber attacks and to act as an effective substitute government action. Whilst the effect of purchasing insurance on the behavior of individuals or firms has been studied for more than four decades, the unique, adaptOur work was motivated by the need to estimate the security effort of consuming | + | For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. So you get a 5x5 risk matrix, where the interaction between the rare, frequent, ..., certain likelihood levels and the minor, severe, ..., critical consequence levels results in a final 5-level risk evaluation from low to high. This is pretty rough and well known to be full of errors. |
| - | FOSS components within a proprietary software supply chain of a large European | + | |
| - | software vendor. | + | |
| - | To this extent we have identified three different cost models: centralized (the | + | In our {{allodi-risa-17.pdf|Risk Analysis paper}} we show that it is possible to compute a quantitative estimation of the success of attack likelihood. Our measure is generated by technical data that all medium-large organizations already have in their infrastructure: vulnerability assessment tools are mandated to most firms processing credit cards, and periodic auditing for compliance requires VA reports to be handed to the assessor. Similarly, IDS and Firewall technologies are widely adopted. |
| - | company checks each component and propagates changes to the different product | + | |
| - | groups), distributed (each product group is in charge of evaluating and fixing | + | This data is currently often used in an unstructured way to either generate automatic reports on vulnerability severity, or to try to traceback known incidents. Our methodology proposes to correlate this data to measure on one side the exposure of a system to potential attacks, and on the other the opportunities that a successful attack has to breach a vulnerable system and escalate to the infrastructure. By enabling users in performing objective estimations of risk, our methodology makes a step forward toward the establishment of comparable measures for security |
| - | its consumed FOSS components), and hybrid (only the least used components are | + | ==== Cyber-Insurance: good for your company, bad for your country? ==== |
| - | checked individually by each development team). Our work was motivated by the need to estimate the security effort of consuming | + | |
| - | FOSS components within a proprietary software supply chain of a large European | + | Our {{:research_activities:economics:aer-cyberinsurance.pdf|Cyber-insurance paper}} at the [[http://weis2017.econinfosec.org/|Workshop on Economics of Security 2017]] shows that in spite of what Bruce Schenider and the US Congress think, cyber-insurance might be a bad idea. |
| - | software vendor. | + | |
| - | To this extent we have identified three different cost models: centralized (the | + | 'Cyberinsurance' is a broad industry term indicating a corporate liability insurance covering damages due to security breaches of the IT corporate infrastructure. It is a booming market that raises significant expectations: several policy makers (e.g. the UK Paymaster General and the US Senate Committee on Security), and several cyber experts (e.g. Bruce Schneier) have heralded it as a mechanism for efficiently valuing the cost of cyber attacks and to act as an effective substitute government action. Whilst the effect of purchasing insurance on the behavior of individuals or firms has been studied for more than four decades, the unique, adaptive feature of cyberinsurance have not been studied. |
| - | company checks each component and propagates changes to the different product | + | |
| - | groups), distributed (each product group is in charge of evaluating and fixing | + | |
| - | its consumed FOSS components), and hybrid (only the least used components are | + | |
| - | checked individually by each development team). ive characteristics of cyber attacks make past findings not necessarily applicable. | + | |
| In our paper we show a very general model of heterogeneous firms, making risk averse decisions facing losses from cyber attacks conducted by strategic adversaries in a Cournot competition. There are essentially no assumtpions, except that attackers are wishing to make money, if opportunity arise and will not be very particular on the intended victims. | In our paper we show a very general model of heterogeneous firms, making risk averse decisions facing losses from cyber attacks conducted by strategic adversaries in a Cournot competition. There are essentially no assumtpions, except that attackers are wishing to make money, if opportunity arise and will not be very particular on the intended victims. | ||
| Line 75: | Line 70: | ||
| can be determined by the timing of first appearance of the attack in the WINE database. | can be determined by the timing of first appearance of the attack in the WINE database. | ||
| - | If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{:research_activities:economics:model_extended2.pdf|PDF}}) | + | If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{:research_activities:economics:model_extended2.pdf|PDF}}). |
| + | |||
| + | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https://securitylab.disi.unitn.it/doku.php?id=vulnerability_discovery_models|vulnerability section]] where we report our work on risk reduction that made its way to the CVSS (Common Vulnerability Scoring System) v3 world standard. | ||
| ==== The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations ==== | ==== The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations ==== | ||
| Line 81: | Line 79: | ||
| Traditionally, security and economics functionalities in IT fnancial services and protocols (FinTech) have been perceived as separate objectives. In {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|our new paper}} in {{https://www.cl.cam.ac.uk/events/spw2017/|SPW 2017}} We argue that keeping them separate is a bad idea for FinTech Decentralized Autonomous Organizations (DAOs). In fact, security and economics are one for DAOs: we show that the failure of a security property, e.g. anonymity, can destroy a DAOs because economic attacks can be tailgated to security attacks. This is illustrated by the examples of TheDAO (built on the Ethereum platform) and the DAOed version of a Futures Exchange. We claim that **security and economics vulnerabilities**, which we named **seconomics vulnerabilities**, are indeed **new beasts to be reckoned with**. | Traditionally, security and economics functionalities in IT fnancial services and protocols (FinTech) have been perceived as separate objectives. In {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|our new paper}} in {{https://www.cl.cam.ac.uk/events/spw2017/|SPW 2017}} We argue that keeping them separate is a bad idea for FinTech Decentralized Autonomous Organizations (DAOs). In fact, security and economics are one for DAOs: we show that the failure of a security property, e.g. anonymity, can destroy a DAOs because economic attacks can be tailgated to security attacks. This is illustrated by the examples of TheDAO (built on the Ethereum platform) and the DAOed version of a Futures Exchange. We claim that **security and economics vulnerabilities**, which we named **seconomics vulnerabilities**, are indeed **new beasts to be reckoned with**. | ||
| - | Our observation is that the //money loss// comes **//indirectly//** from a //security vulnerability// in a //normal// case. When your computer gets infected with a malware you don't immediately lose your money. Only when the hacker finds very complicated ways to monetize your assets then you suffer from the loss. In other words, | + | Our observation is that, in a //normal// case, monetary losses come //indirectly// from security vulnerabilities. When your computer gets infected with a malware you don't immediately lose your money. Only when the hacker finds very complicated ways to monetize your assets then you suffer from the loss. In other words, |
| + | * security vulnerability ≠ money loss | ||
| + | However, it is different for //Decentralised Autonomous Organisation (DAO)// in which the organisation is basically a software running whose information populated on a distributed ledger platform and whose rules are all implemented with the smart contracts (e.g. TheDAO on the Ethereum network). | ||
| - | security vulnerability ≠ money loss | + | ^ ^ ^ ^ |
| - | + | | Our first claim, which follows the DAO definition, is that | (A) | code = company| | |
| - | However, it is different for //Decentralised Autonomous Organisation (DAO)// in which the organisation is basically a software running that has the information populated on the distributed ledger platform and the rules are all implemented with the smart contracts (e.g. TheDAO on the Ethereum network). | + | | And typically organisations are vectors for contracts and financial transactions (Tirole) | (B) | company = monetary transactions| |
| - | + | | Then, from (A) and (B), it follows immediately that | (C) | code = monetary transactions | | |
| - | Our first claim, which follows the DAO definition, is that: | + | | As a result in this case money loss comes //directly// from a security vulnerability, i.e. | | security vulnerability = monetary loss | |
| - | + | ||
| - | code = company (A) | + | |
| - | + | ||
| - | And typically organisations are vectors for money, hence, | + | |
| - | + | ||
| - | company = money (B) | + | |
| - | + | ||
| - | Then, from (A) and (B), it follows immediately that, | + | |
| - | + | ||
| - | code = company = money | + | |
| - | + | ||
| - | As a result in this case money loss comes **//directly//** from a security vulnerability, i.e. | + | |
| - | + | ||
| - | security vulnerability = money loss | + | |
| Then we would certainly wonder //"When we face a loss in a DAO, can we undo the damages?"// Unfortunately, the answer is that **there is no possible technical fix for the DAO**, as the thing that happened is the balkanization of the Ethereum network. | Then we would certainly wonder //"When we face a loss in a DAO, can we undo the damages?"// Unfortunately, the answer is that **there is no possible technical fix for the DAO**, as the thing that happened is the balkanization of the Ethereum network. | ||
| In conclusion, for financial technology protocols, we always have to consider this kind of security economics vulnerabilities in which besides preserving the integrity or some other security properties we also need to consider the economics aspect of the application that we are trying to build because, for example, in TheDAO's case, **any kind of ex-post fix is impossible** (as we can see from the Ethereum network fork into the original Ethereum and the classic Etherum). | In conclusion, for financial technology protocols, we always have to consider this kind of security economics vulnerabilities in which besides preserving the integrity or some other security properties we also need to consider the economics aspect of the application that we are trying to build because, for example, in TheDAO's case, **any kind of ex-post fix is impossible** (as we can see from the Ethereum network fork into the original Ethereum and the classic Etherum). | ||
| + | |||
| ==== Malware Markets ==== | ==== Malware Markets ==== | ||
| Line 174: | Line 161: | ||
| and mitigation framework) would be subject | and mitigation framework) would be subject | ||
| to a risk-based regulatory framework. | to a risk-based regulatory framework. | ||
| - | |||
| Line 221: | Line 207: | ||
| ===== People ===== | ===== People ===== | ||
| - | The following is a list a people that has been involved in the project at some point in time. | + | The following is a list a people who have been involved in the project |
| - | * Luca Allodi (TU Eindhoven) | + | * [[http://www.win.tue.nl/~lallodi/|Luca Allodi]] (TU Eindhoven) |
| + | * Martina De Gramatica | ||
| * [[http://www.massacci.org|Fabio Massacci]] | * [[http://www.massacci.org|Fabio Massacci]] | ||
| - | * Martina De Gramatica\ | + | * [[https://sites.google.com/g.unitn.it/namnc/home|Chan Nam Ngo]] |
| - | * Woohyun Shim (now at KAP) | + | * [[https://www.researchgate.net/profile/Woohyun_Shim3|Woohyun Shim]] (now at KIPA) |
| - | * Julian Williams (Visiting from Durham University) | + | * [[https://www.dur.ac.uk/research/directory/staff/?id=12374|Julian Williams]] (Visiting from Durham University) |
| ===== Projects ===== | ===== Projects ===== | ||
| Line 238: | Line 225: | ||
| ===== Publications ===== | ===== Publications ===== | ||
| + | * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{http://onlinelibrary.wiley.com/resolve/doi?DOI=10.1111/risa.12864|PDF at Publisher}}, {{http://www.win.tue.nl/~lallodi/allodi-risa-17.pdf|Authors' draft}} | ||
| * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|Author's Draft PDF}} | * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|Author's Draft PDF}} | ||
| * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF}} | * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF}} | ||
security_economics.1498522365.txt.gz · Last modified: 2021/01/29 10:58 (external edit)
Page Tools
