User Tools
security_economics
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
security_economics [2017/06/27 02:19] fabio.massacci@unitn.it |
security_economics [2021/01/29 10:58] (current) |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| + | * On the fairness of seucirty taxes in presence on interdependence | ||
| + | * Estimating quantitative likelihood | ||
| * Cyber-Insurance: good for your company, bad for your country? | * Cyber-Insurance: good for your company, bad for your country? | ||
| - | * The Work Averse Attacker Model | + | * The Work Averse Attacker Model (A different way to consider attackers) |
| * Black markets actually work! | * Black markets actually work! | ||
| * Risk vs Rule base regulation: what is the best way to regulate? | * Risk vs Rule base regulation: what is the best way to regulate? | ||
| Line 14: | Line 16: | ||
| See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | See also our section on [[vulnerability_discovery_models|Finding and Assessing Vulnerabilities]] in particular if you are interesting in understanding what's the risk reduction for different types of vulnerabilities and [[malware_analysis|Malware Analysis]]. | ||
| + | ==== Beyond 1-5 Risk Matrices: estimating quantitative attack success likelihood from data === | ||
| + | |||
| + | Several definitions of risk exist (probability and impact, uncertainty and expected consequence, etc.) but at the end of the day they all ultimately collapse to the intuitive relation | ||
| + | |||
| + | * //Risk = Impact · Likelihood// | ||
| + | |||
| + | For a company, impact is easy to calculate as data about one's own asset is routinely collected. Likelihood is stillthe holy grail. So, both ISO/27001 and NIST 800-30 standards suggest the use of risk matrices as a tool to support such decisions. So you get a 5x5 risk matrix, where the interaction between the rare, frequent, ..., certain likelihood levels and the minor, severe, ..., critical consequence levels results in a final 5-level risk evaluation from low to high. This is pretty rough and well known to be full of errors. | ||
| + | |||
| + | In our {{allodi-risa-17.pdf|Risk Analysis paper}} we show that it is possible to compute a quantitative estimation of the success of attack likelihood. Our measure is generated by technical data that all medium-large organizations already have in their infrastructure: vulnerability assessment tools are mandated to most firms processing credit cards, and periodic auditing for compliance requires VA reports to be handed to the assessor. Similarly, IDS and Firewall technologies are widely adopted. | ||
| + | |||
| + | This data is currently often used in an unstructured way to either generate automatic reports on vulnerability severity, or to try to traceback known incidents. Our methodology proposes to correlate this data to measure on one side the exposure of a system to potential attacks, and on the other the opportunities that a successful attack has to breach a vulnerable system and escalate to the infrastructure. By enabling users in performing objective estimations of risk, our methodology makes a step forward toward the establishment of comparable measures for security | ||
| ==== Cyber-Insurance: good for your company, bad for your country? ==== | ==== Cyber-Insurance: good for your company, bad for your country? ==== | ||
| Line 59: | Line 72: | ||
| If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{:research_activities:economics:model_extended2.pdf|PDF}}). | If you like to have an idea of the model this other picture shows you the Change in the number of attacked systems for two attacks against different systems Δ = T days apart ({{:research_activities:economics:model_extended2.pdf|PDF}}). | ||
| - | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https://securitylab.disi.unitn.it/doku.php?id=vulnerability_discovery_models|vulnerability section]] where we report our work on risk reduction that made its way to the CVSS (COmmon Vulnerability Scoring System) v3 world standard. | + | If you are interested in knowing whether we could use this insight for actual predictions please look at our [[https://securitylab.disi.unitn.it/doku.php?id=vulnerability_discovery_models|vulnerability section]] where we report our work on risk reduction that made its way to the CVSS (Common Vulnerability Scoring System) v3 world standard. |
| Line 66: | Line 79: | ||
| Traditionally, security and economics functionalities in IT fnancial services and protocols (FinTech) have been perceived as separate objectives. In {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|our new paper}} in {{https://www.cl.cam.ac.uk/events/spw2017/|SPW 2017}} We argue that keeping them separate is a bad idea for FinTech Decentralized Autonomous Organizations (DAOs). In fact, security and economics are one for DAOs: we show that the failure of a security property, e.g. anonymity, can destroy a DAOs because economic attacks can be tailgated to security attacks. This is illustrated by the examples of TheDAO (built on the Ethereum platform) and the DAOed version of a Futures Exchange. We claim that **security and economics vulnerabilities**, which we named **seconomics vulnerabilities**, are indeed **new beasts to be reckoned with**. | Traditionally, security and economics functionalities in IT fnancial services and protocols (FinTech) have been perceived as separate objectives. In {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|our new paper}} in {{https://www.cl.cam.ac.uk/events/spw2017/|SPW 2017}} We argue that keeping them separate is a bad idea for FinTech Decentralized Autonomous Organizations (DAOs). In fact, security and economics are one for DAOs: we show that the failure of a security property, e.g. anonymity, can destroy a DAOs because economic attacks can be tailgated to security attacks. This is illustrated by the examples of TheDAO (built on the Ethereum platform) and the DAOed version of a Futures Exchange. We claim that **security and economics vulnerabilities**, which we named **seconomics vulnerabilities**, are indeed **new beasts to be reckoned with**. | ||
| - | Our observation is that the //money loss// comes **//indirectly//** from a //security vulnerability// in a //normal// case. When your computer gets infected with a malware you don't immediately lose your money. Only when the hacker finds very complicated ways to monetize your assets then you suffer from the loss. In other words, | + | Our observation is that, in a //normal// case, monetary losses come //indirectly// from security vulnerabilities. When your computer gets infected with a malware you don't immediately lose your money. Only when the hacker finds very complicated ways to monetize your assets then you suffer from the loss. In other words, |
| * security vulnerability ≠ money loss | * security vulnerability ≠ money loss | ||
| - | However, it is different for //Decentralised Autonomous Organisation (DAO)// in which the organisation is basically a software running that has the information populated on the distributed ledger platform and the rules are all implemented with the smart contracts (e.g. TheDAO on the Ethereum network). | + | However, it is different for //Decentralised Autonomous Organisation (DAO)// in which the organisation is basically a software running whose information populated on a distributed ledger platform and whose rules are all implemented with the smart contracts (e.g. TheDAO on the Ethereum network). |
| - | + | ||
| - | Our first claim, which follows the DAO definition, is that: | + | ^ ^ ^ ^ |
| - | * code = company (A) | + | | Our first claim, which follows the DAO definition, is that | (A) | code = company| |
| - | And typically organisations are vectors for money, hence, | + | | And typically organisations are vectors for contracts and financial transactions (Tirole) | (B) | company = monetary transactions| |
| - | * company = money (B) | + | | Then, from (A) and (B), it follows immediately that | (C) | code = monetary transactions | |
| - | Then, from (A) and (B), it follows immediately that, | + | | As a result in this case money loss comes //directly// from a security vulnerability, i.e. | | security vulnerability = monetary loss | |
| - | * code = company = money | + | |
| - | + | ||
| - | As a result in this case money loss comes //directly// from a security vulnerability, i.e. | + | |
| - | * security vulnerability = money loss | + | |
| Then we would certainly wonder //"When we face a loss in a DAO, can we undo the damages?"// Unfortunately, the answer is that **there is no possible technical fix for the DAO**, as the thing that happened is the balkanization of the Ethereum network. | Then we would certainly wonder //"When we face a loss in a DAO, can we undo the damages?"// Unfortunately, the answer is that **there is no possible technical fix for the DAO**, as the thing that happened is the balkanization of the Ethereum network. | ||
| Line 198: | Line 207: | ||
| ===== People ===== | ===== People ===== | ||
| - | The following is a list a people that has been involved in the project at some point in time. | + | The following is a list a people who have been involved in the project |
| - | * Luca Allodi (TU Eindhoven) | + | * [[http://www.win.tue.nl/~lallodi/|Luca Allodi]] (TU Eindhoven) |
| + | * Martina De Gramatica | ||
| * [[http://www.massacci.org|Fabio Massacci]] | * [[http://www.massacci.org|Fabio Massacci]] | ||
| - | * Martina De Gramatica\ | + | * [[https://sites.google.com/g.unitn.it/namnc/home|Chan Nam Ngo]] |
| - | * Woohyun Shim (now at KAP) | + | * [[https://www.researchgate.net/profile/Woohyun_Shim3|Woohyun Shim]] (now at KIPA) |
| - | * Julian Williams (Visiting from Durham University) | + | * [[https://www.dur.ac.uk/research/directory/staff/?id=12374|Julian Williams]] (Visiting from Durham University) |
| ===== Projects ===== | ===== Projects ===== | ||
| Line 215: | Line 225: | ||
| ===== Publications ===== | ===== Publications ===== | ||
| + | * L. Allodi, F. Massacci. **Security Events and Vulnerability Data for Cyber Security Risk Estimation.** To appear in //Risk Analysis// (Special Issue on Risk Analysis and Big Data), 2017.{{http://onlinelibrary.wiley.com/resolve/doi?DOI=10.1111/risa.12864|PDF at Publisher}}, {{http://www.win.tue.nl/~lallodi/allodi-risa-17.pdf|Authors' draft}} | ||
| * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|Author's Draft PDF}} | * F. Massacci, C.N. Ngo, J. Nie, D. Venturi, J. Williams. **The seconomics (security-economics) vulnerabilities of Decentralized Autonomous Organizations**. To appear in //Security Protocols Workshop (SPW)// 2017. {{https://drive.google.com/file/d/0By02ZB0MmV0ZeUM5clBBUHdNdms/view?usp=sharing|Author's Draft PDF}} | ||
| * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF}} | * L. Allodi, F. Massacci, J. Williams. **The Work Averse Attacker Model.** In //Workshop on Economics of Information Security (WEIS)//, 2017. {{http://weis2017.econinfosec.org/wp-content/uploads/sites/3/2017/05/WEIS_2017_paper_13.pdf|PDF}} | ||
security_economics.1498522778.txt.gz · Last modified: 2021/01/29 10:58 (external edit)
Page Tools
