
Economics of Information Security and Privacy (eBook)

eBook download: PDF
2010 | 2010
XVII, 320 pages
Springer US (publisher)
978-1-4419-6967-5 (ISBN)

213.99 incl. VAT
(CHF 208.95)
The eBook is sold by Lehmanns Media GmbH (Berlin) at the price in euros incl. VAT.
  • Download available immediately
The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary research and scholarship on information security and privacy, combining ideas, techniques, and expertise from the fields of economics, social science, business, law, policy, and computer science. In 2009, WEIS was held in London, at UCL, a constituent college of the University of London. Economics of Information Security and Privacy includes chapters presented at WEIS 2009, each carefully reviewed by a program committee composed of leading researchers. Topics covered include identity theft, modeling uncertainty's effects, future directions in the economics of information security, economics of privacy, options, misaligned incentives in systems, cyber-insurance, and modeling security dynamics. Economics of Information Security and Privacy is designed for managers, policy makers, and researchers working in the related fields of economics of information security. Advanced-level students focusing on computer science, business management and economics will find this book valuable as a reference.

TOC:
  • Introduction and Overview
  • The Iterated Weakest Link - A Model of Adaptive Security Investment
  • The Price of Uncertainty in Security Games
  • Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy
  • The Policy Maker's Anguish: Regulating Personal Data Behaviour Between Paradoxes and Dilemmas
  • The Privacy Jungle: On the Market for Data Protection in Social Networks
  • Valuating Privacy with Option Pricing Theory
  • Security Economics and Critical National Infrastructure
  • Internet Multi-Homing Problems: Explanations from Economics
  • The Risk of Risk Analysis - And its Relation to the Economics of Insider Threats
  • Competitive Cyber-Insurance and Internet Security
  • Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study
  • Modeling the Economic Incentives of DDoS Attacks: Femtocell Case Study
  • Modelling the Security Ecosystem - The Dynamics of (In)Security

Preface 5
List of Contributors 7
Contents 10
Chapter 1 Introduction and Overview 17
1.1 Introduction 17
1.2 The Economics of Information Security and Privacy 18
1.3 Overview of the Book’s Contributions 19
Chapter 2 The Price of Uncertainty in Security Games 24
2.1 Introduction 25
2.2 Decision Theoretic Model 27
2.2.1 Basic Model 27
2.2.2 Player Behavior 28
2.2.3 Information Conditions 29
2.2.4 Remarks on Basic Results 30
2.2.5 Outlook on Further Analyses 31
2.3 Price of Uncertainty Metrics 31
2.3.1 The Price of Uncertainty 31
2.3.2 Three Metrics for the Price of Uncertainty 31
2.3.3 Discussion of the Definitions 32
2.3.3.1 The Difference Metric 32
2.3.3.2 The Payoff-Ratio Metric 32
2.3.3.3 The Cost-Ratio Metric 33
2.4 Analysis 33
2.4.1 Best Shot Game 33
2.4.1.1 The Best Shot Difference Metric 34
Observations. 34
2.4.1.2 The Best Shot Payoff-Ratio Metric 35
Observations. 35
2.4.1.3 The Best Shot Cost-Ratio Metric 36
Observations. 36
2.4.2 Weakest Link Game 36
2.4.2.1 The Weakest Link Difference Metric 37
Observations. 38
2.4.2.2 The Weakest Link Payoff-Ratio Metric 39
Observations. 40
2.4.2.3 The Weakest Link Cost-Ratio Metric 40
Observations. 40
2.4.3 Total Effort Game 41
2.4.3.1 The Total Effort Difference Metric 41
Observations. 42
2.4.3.2 The Total Effort Payoff-Ratio Metric 42
Observations. 43
2.4.3.3 The Total Effort Cost-Ratio Metric 43
Observations. 43
2.5 Conclusions 44
References 46
Chapter 3 Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy 48
3.1 Introduction 49
3.2 Related Work 51
3.2.1 Studies of the Underground Economy 51
3.2.2 Economics of Security and of the Underground Economy 52
3.2.3 Economics Background 53
3.2.3.1 Asymmetric Information: The Market for Lemons 53
3.2.3.2 The Theory of the Firm 54
3.3 The Underground Economy is a Market for Lemons 55
3.3.1 The Types of Goods and Services Offered for Sale on the Underground Economy 55
3.3.1.1 Goods 55
3.3.1.2 Services 56
3.3.2 Is this a Market for Lemons? 56
3.3.2.1 Asymmetry of Information 56
3.3.2.2 No Credible Disclosure 57
3.3.2.3 Continuum of Seller Quality or Low Seller Quality 57
3.3.2.4 Lack of Quality Assurance or Regulation 58
3.3.2.5 Summary 59
3.4 Analysis and Implications 59
3.4.1 Countermeasures Ought to be Easy: Lemonizing the Market 59
3.4.2 The Ripper Tax 60
3.4.3 Formation of Firms and Alliances 60
3.4.4 A Two-Tier Underground Economy 61
3.4.5 What Can We Estimate From Activity on IRC Markets? 62
3.4.5.1 What Can We Say about Participants in a Lemon Market? 62
3.4.5.2 Activity Does not Imply Dollars 63
3.4.5.3 Activity Does Imply Competition 64
3.4.5.4 What Can We Say About the Goods Offered in a Lemon Market? 64
3.4.6 Who are We Fighting? What are We Trying to Accomplish? 64
3.5 Conclusion 65
References 67
Chapter 4 Security Economics and Critical National Infrastructure 69
4.1 Introduction 70
4.2 Critical Infrastructure: Externalities of Correlated Failure 71
4.3 Regulatory Approaches 73
4.4 Security or Reliability? 74
4.5 Cross-Industry Differences 75
4.6 Certification and Lifecycle Management 75
4.7 The Roadmap 77
4.8 Conclusions 78
References 79
Chapter 5 Internet Multi-Homing Problems: Explanations from Economics 81
5.1 Introduction 81
5.2 How Internet Routing Works 82
5.3 The ‘Global Routing Table’ 83
5.4 IPv6 85
5.4.1 SHIM6 87
5.4.2 The Lack of Incentives for SHIM6 Deployment 87
5.4.3 Cooperating ISPs 88
5.5 Discouraging Growth in the Global Routing Table 89
5.6 Related Work on the Economics of Protocols 90
5.7 Conclusions 91
References 92
Chapter 6 Modeling the Security Ecosystem - The Dynamics of (In)Security 93
6.1 Introduction 93
6.2 Related Work 94
6.3 Methodology 95
6.4 Vulnerability Lifecycle 96
6.4.1 Risk Exposure Times 100
6.5 The Security Ecosystem 101
6.5.1 Major Players 101
6.5.1.1 Discoverer 102
6.5.1.2 Vulnerability Markets 103
6.5.1.3 Criminal 105
6.5.1.4 Vendor 105
6.5.1.5 Security Information Provider (SIP) 105
6.5.1.6 Public 106
6.5.2 Processes of the Security Ecosystem 106
6.5.2.1 Path (A) and Path (B) 106
6.5.2.2 Path (C) 107
6.5.2.3 Path (D) and Path (E) 108
6.5.3 The Disclosure Debate 108
6.6 The Dynamics of (In)Security 109
6.6.1 Discovery Dynamics 111
6.6.2 Exploit Availability Dynamics 112
6.6.3 Patch Availability Dynamics 114
6.6.4 (In)security Dynamics 115
6.6.4.1 The Gap of Insecurity 115
Limitations 118
6.7 Conclusion 118
References 119
Chapter 7 Modeling the Economic Incentives of DDoS Attacks: Femtocell Case Study 121
7.1 Introduction 121
7.2 Background and Related Work 122
7.3 The Model 123
7.4 Application of the Model 126
7.4.1 Data Collection 126
7.4.1.1 Extortion Revenue 126
7.4.1.2 Cost of Hiring the DDoS Attack Service 127
7.4.2 Regression Analysis for the Cost Function 127
7.4.3 Use of the Model to Estimate the Economic Incentives for Launching DDoS Attacks 129
7.4.3.1 Simulation 1 130
7.4.3.2 Simulation 2 130
7.4.3.3 Simulation 3 131
7.5 Conclusion 132
References 133
Chapter 8 The Privacy Jungle: On the Market for Data Protection in Social Networks 134
8.1 Introduction 135
8.2 Related Work 136
8.3 Survey Methodology 137
8.3.1 Selection of Sites 137
8.3.1.1 General-Purpose Sites 137
8.3.1.2 Niche Sites 138
8.3.2 Evaluation Methodology 139
8.3.2.1 Data Collection 139
8.3.2.2 Data Provided During Signup 141
8.3.2.3 Technical Set-up 141
8.4 Data 141
8.4.1 Market Dynamics 142
8.4.1.1 Network Size 142
8.4.1.2 Site Popularity: Traffic Data 142
8.4.1.3 Geographical Distribution: American Dominance 143
8.4.1.4 Site Evolution 143
8.4.1.5 Multilingualism 144
8.4.1.6 Competition 144
8.4.1.7 Business Model 145
8.4.2 Promotional Methods 145
8.4.2.1 Promotion of Social Interaction 145
8.4.2.2 Promotion via Network Effects 145
8.4.2.3 Promotion of Functionality 146
8.4.2.4 Promotion of Privacy 147
8.4.3 Presentation of Terms of Use and Privacy Policy 148
8.4.3.1 Privacy Policy Acknowledgment 149
8.4.3.2 Privacy Policy Review 149
8.4.4 Data Collected During Sign-up 150
8.4.4.1 Over-Collection of Demographic Data 151
8.4.4.2 Requirement of Real Names 151
8.4.4.3 Requirement of Email Addresses 152
8.4.5 Privacy Controls 152
8.4.5.1 Profile Visibility Options 153
8.4.5.2 Fine-Grained Controls 153
8.4.5.3 Permissive Defaults 154
8.4.5.4 User Interface Problems 155
8.4.6 Security Measures 156
8.4.6.1 Use of TLS Encryption and Authentication 156
8.4.6.2 Phishing Prevention 157
8.4.6.3 Online Safety Guidance & Abuse Reporting
8.4.7 Privacy Policies 158
8.4.7.1 Technical Accessibility 158
8.4.7.2 Length 160
8.4.7.3 Legal Issues 160
8.4.7.4 Data Claims 161
8.4.7.5 Availability of P3P Policies 161
8.4.7.6 Self-Promotion within Privacy Policies 162
8.5 Data Analysis 163
8.5.1 Privacy vs. Functionality 163
8.5.2 Privacy vs. Site Age 164
8.5.3 Privacy vs. Size 165
8.5.4 Privacy vs. Growth Rate 166
8.5.5 Privacy Promotion and Claims vs. Actual Privacy Practices 166
8.6 Economic Models 167
8.6.1 The Privacy Communication Game 167
8.6.1.1 Reducing Privacy Salience 168
8.6.1.2 Discouraging Privacy Fundamentalists 169
8.6.1.3 Reducing Privacy Criticism 170
8.6.1.4 Evolution of Communication 171
8.6.2 The Effects of Lock-in 171
8.6.3 Privacy as a Lemons Market 172
8.6.4 Privacy Negotiations 173
8.7 Limitations 174
8.8 Conclusions 175
Acknowledgments 176
References 176
Chapter 9 The Policy Maker's Anguish: Regulating Personal Data Behavior Between Paradoxes and Dilemmas 181
9.1 Introduction 182
9.2 Existing Work on the Privacy Paradox 183
9.3 Methodology 184
9.4 Paradoxes 186
9.4.1 The Privacy Paradox 187
9.4.2 The Control Paradox 187
9.4.3 The Responsibility Paradox 187
9.5 Dilemmas 189
9.5.1 The Cultural Dilemma 189
9.5.2 The Market Fragmentation Dilemma 190
9.5.3 The Public-Private Dilemma 190
9.6 Conclusion 191
References 192
9.7 Appendix 194
Chapter 10 Valuating Privacy with Option Pricing Theory 198
10.1 Introduction 198
10.2 Related Work 200
10.2.1 Measurement of Anonymity and Unlinkability 200
10.2.2 Financial Methods in Information Security 202
10.3 From Financial to Privacy Options 202
10.4 Sources of Uncertainty 204
10.4.1 Micro Model: Timed Linkability Process 204
10.4.2 Macro Model: Population Development 206
10.5 Valuation of Privacy Options 212
10.6 Discussion of Results 213
10.7 Conclusions and Outlook 215
Acknowledgments 217
References 217
Chapter 11 Optimal Timing of Information Security Investment: A Real Options Approach 221
11.1 Introduction 221
11.2 Optimum Investment Size: The Model of Gordon and Loeb 222
11.3 Optimal Timing of Information Security Investment 223
11.3.1 Dynamic Considerations 223
11.3.2 Literature Review 224
11.3.3 Formulation and Solution 225
11.3.4 Interpretation 228
11.4 The Optimal Solution: Numerical Illustrations 228
11.4.1 Remaining Vulnerability Case I 229
11.4.2 Remaining Vulnerability Case II 230
11.5 Concluding Remarks 231
11.5.1 Summary 231
11.5.2 Remaining Problems 231
11.5.2.1 Dynamics Formulation 231
11.5.2.2 Attackers’ Behavior Formulation 231
11.5.2.3 Empirical Analysis 232
References 232
Chapter 12 Competitive Cyber-Insurance and Internet Security 239
12.1 Introduction 240
12.2 Model 241
12.2.1 Analysis 243
12.2.1.1 Nash Equilibrium 243
12.2.1.2 Social Optimum 244
Proposition 12.1. 244
12.3 Insurance Model 244
12.3.1 Insurance with Non-Contractible Security 245
Proposition 12.2. 246
12.3.2 Insurance with Contractible Security 246
12.3.2.1 Social Planner 246
12.3.2.2 Competitive Insurers 247
Proposition 12.3. 248
12.4 Conclusion 248
12.5 Appendix 249
References 256
Chapter 13 Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study 258
13.1 Introduction 258
13.2 Background 260
13.3 Research Problem and Contribution 261
13.4 Research Method 262
13.4.1 Step 1: Preparation, Constructs 262
13.4.1.1 Exposure and Quality 263
13.4.1.2 Loss Centre 263
13.4.1.3 Layer Model 264
13.4.1.4 The Resulting Questionnaire 265
13.4.2 Step 2: Selection of Experts 266
13.4.3 Step 3: Generation of Statements 267
13.4.4 Step 4: Interpretation and Consolidation of Statements 268
13.4.5 Step 5: Reducing the Resulting List of Indicators 270
13.4.6 Step 6: Ranking Indicators 271
13.5 Results 272
13.6 Limitations 276
13.7 Related Work 277
13.8 Conclusions and Outlook 277
13.9 Appendix 279
13.9.1 First-party loss exposure indicators 279
13.9.2 Third-party loss exposure indicators 281
13.9.3 Indicators for the quality of IT risk management 284
References 286
Chapter 14 The Risk of Risk Analysis - And its Relation to the Economics of Insider Threats 288
14.1 Introduction 288
14.2 Insiders, Outsiders, and Their Threats 290
14.2.1 Insider Threats That Do Not Represent a Violation of Trust 292
14.2.2 Insider Threats That Do Represent a Violation of Trust 292
“Simple” insider threat: 292
High profile (or charismatic) insider threat: 292
14.3 Building up Trust and Risk 293
14.3.1 Simple Trust, Low Risk 294
14.3.2 Medium Trust, Elevated Risk 295
14.3.3 Complex Trust, Even More Complex Risk 295
14.4 Policies and Compliance 297
14.4.1 Enforcing Simple Trust Relationships 298
14.4.2 Managing Complex Trust-Risk Relationship 299
14.4.3 Simple vs. Complex 301
14.5 Organizational and Insider Goals 301
14.5.1 Organizations 301
14.5.2 Insiders 302
14.6 The Risk of Risk Analysis 302
14.6.1 Plotting the Value Function 303
14.6.2 The Benefit of Obscurity 305
14.7 Strategies to Change Motivation Rather than Prevent Bad Insider Actions 305
14.8 Conclusion 306
14.8.1 Probability of Policies Being Successful in Blocking High-Level Insider Threats 307
References 307
Chapter 15 Competition, Speculative Risks, and IT Security Outsourcing 309
15.1 Introduction 310
15.2 Literature Review 312
15.3 Model Description 314
15.4 Model Analysis 317
15.4.1 Impact of Competitive Risk Environment on Firm’s Outsourcing Decisions 319
Proposition 15.1. 319
15.4.2 Impact of MSSP Characteristics on Firms’ Outsourcing Decisions 321
Proposition 15.2. 321
15.4.3 Impact of Breach Characteristics on Firms’ Outsourcing Decisions 323
Proposition 15.3. 323
15.5 Conclusion 324
Appendix 325
References 326

Publication date (per publisher) 20.7.2010
Additional information XVII, 320 p.
Place of publication New York
Language English
Subject areas Computer Science > Networks > Security / Firewall
Mathematics / Computer Science > Computer Science > Programming Languages / Tools
Computer Science > Theory / Study > Algorithms
Economics > Business Administration / Management > Corporate Management / Management
Keywords behavioral security • cyber-crime • cyber-insurance • Data Security • Economics • Identity Management • Information • Information Security • Internet • Modeling • Outsourcing • Policy • privacy • Risk Management • security • security management • service-oriented computing • Systems • theft and fraud • User
ISBN-10 1-4419-6967-5 / 1441969675
ISBN-13 978-1-4419-6967-5 / 9781441969675
PDF (watermarked)
Size: 4.5 MB

DRM: digital watermark
This eBook contains a digital watermark and is therefore personalised to you. If the eBook is passed on to third parties without authorisation, it can be traced back to its source.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only suitable to a limited extent for small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a PDF viewer for this, e.g. Adobe Reader or Adobe Digital Editions.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/tablet: Whether Apple or Android, you can read this eBook. You need a PDF viewer for this, e.g. the free Adobe Digital Editions app.

Additional feature: online reading
In addition to downloading it, you can also read this eBook online in your web browser.

Buying eBooks from abroad
For tax law reasons we can sell eBooks only within Germany and Switzerland. Regrettably, we cannot fulfil eBook orders from other countries.
