Economics of Information Security and Privacy

Preface

List of Contributors

Contents

Chapter 1 Introduction and Overview

1.1 Introduction

1.2 The Economics of Information Security and Privacy

1.3 Overview of the Book’s Contributions

Chapter 2 The Price of Uncertainty in Security Games

2.1 Introduction

2.2 Decision Theoretic Model

2.2.1 Basic Model

2.2.2 Player Behavior

2.2.3 Information Conditions

2.2.4 Remarks on Basic Results

2.2.5 Outlook on Further Analyses

2.3 Price of Uncertainty Metrics

2.3.1 The Price of Uncertainty

2.3.2 Three Metrics for the Price of Uncertainty

2.3.3 Discussion of the Definitions

2.3.3.1 The Difference Metric

2.3.3.2 The Payoff-Ratio Metric

2.3.3.3 The Cost-Ratio Metric

2.4 Analysis

2.4.1 Best Shot Game

2.4.1.1 The Best Shot Difference Metric:

Observations.

2.4.1.2 The Best Shot Payoff-Ratio Metric

Observations.

2.4.1.3 The Best Shot Cost-Ratio Metric

Observations.

2.4.2 Weakest Link Game

2.4.2.1 The Weakest Link Difference Metric:

Observations.

2.4.2.2 The Weakest Link Payoff-Ratio MetricWPoU2(

Observations.

2.4.2.3 The Weakest Link Cost-Ratio MetricWPoU3(

Observations.

2.4.3 Total Effort Game

2.4.3.1 The Total Effort Difference Metric:

Observations.

2.4.3.2 The Total Effort Payoff-Ratio Metric:

Observations.

2.4.3.3 The Total Effort Cost-Ratio Metric:

Observations.

2.5 Conclusions

References

Chapter 3 Nobody Sells Gold for the Price of Silver:Dishonesty, Uncertainty and the UndergroundEconomy

3.1 Introduction

3.2 Related Work

3.2.1 Studies of the Underground Economy

3.2.2 Economics of Security and of the Underground Economy

3.2.3 Economics Background

3.2.3.1 Asymmetric Information: The Market for Lemons

3.2.3.2 The Theory of the Firm

3.3 The Underground Economy is a Market for Lemons

3.3.1 The Types of Goods and Services Offered for Sale on the Underground Economy

3.3.1.1 Goods

3.3.1.2 Services

3.3.2 Is this a Market for Lemons?

3.3.2.1 Asymmetry of Information

3.3.2.2 No Credible Disclosure

3.3.2.3 Continuum of Seller Quality or Low Seller Quality

3.3.2.4 Lack of Quality Assurance or Regulation

3.3.2.5 Summary

3.4 Analysis and Implications

3.4.1 Countermeasures Ought to be Easy: Lemonizing the Market

3.4.2 The Ripper Tax

3.4.3 Formation of Firms and Alliances

3.4.4 A Two-Tier Underground Economy

3.4.5 What Can We Estimate From Activity on IRC Markets?

3.4.5.1 What Can We Say about Participants in a Lemon Market?

3.4.5.2 Activity Does not Imply Dollars

3.4.5.3 Activity Does Imply Competition

3.4.5.4 What Can We Say About the Goods Offered in a Lemon Market?

3.4.6 Who are We Fighting? What are We Trying to Accomplish?

3.5 Conclusion

References

Chapter 4 Security Economics and Critical NationalInfrastructure

4.1 Introduction

4.2 Critical Infrastructure: Externalities of Correlated Failure

4.3 Regulatory Approaches

4.4 Security or Reliability?

4.5 Cross-Industry Differences

4.6 Certification and Lifecycle Management

4.7 The Roadmap

4.8 Conclusions

References

Chapter 5 Internet Multi-Homing Problems:Explanations from Economics

5.1 Introduction

5.2 How Internet RoutingWorks

5.3 The ‘Global Routing Table’

5.4 IPv6

5.4.1 SHIM6

5.4.2 The Lack of Incentives for SHIM6 Deployment

5.4.3 Cooperating ISPs

5.5 Discouraging Growth in the Global Routing Table

5.6 Related Work on the Economics of Protocols

5.7 Conclusions

References

Chapter 6 Modeling the Security Ecosystem- The Dynamics of (In)Security

6.1 Introduction

6.2 Related Work

6.3 Methodology

6.4 Vulnerability Lifecycle

6.4.1 Risk Exposure Times

6.5 The Security Ecosystem

6.5.1 Major Players

6.5.1.1 Discoverer

6.5.1.2 Vulnerability Markets

6.5.1.3 Criminal

6.5.1.4 Vendor

6.5.1.5 Security Information Provider (SIP)

6.5.1.6 Public

6.5.2 Processes of the Security Ecosystem

6.5.2.1 Path (A) and Path (B)

6.5.2.2 Path (C)

6.5.2.3 Path (D) and Path (E)

6.5.3 The Disclosure Debate

6.6 The Dynamics of (In)Security

6.6.1 Discovery Dynamics

6.6.2 Exploit Availability Dynamics

6.6.3 Patch Availability Dynamics

6.6.4 (In)security Dynamics

6.6.4.1 The Gap of Insecurity

Limitations

6.7 Conclusion

References

Chapter 7 Modeling the Economic Incentives of DDoSAttacks: Femtocell Case Study *

7.1 Introduction

7.2 Background and Related Work

7.3 The Model

7.4 Application of the Model

7.4.1 Data Collection

7.4.1.1 Extortion Revenue

7.4.1.2 Cost of Hiring the DDoS Attack Service

7.4.2 Regression Analysis for the Cost Function

7.4.3 Use of the Model to Estimate the Economic Incentives for Launching DDoS Attacks

7.4.3.1 Simulation 1

7.4.3.2 Simulation 2

7.4.3.3 Simulation 3

7.5 Conclusion

References

Chapter 8 The Privacy Jungle:On the Market for Data Protection in SocialNetworks

8.1 Introduction

8.2 Related Work

8.3 Survey Methodology

8.3.1 Selection of Sites

8.3.1.1 General-Purpose Sites

8.3.1.2 Niche Sites

8.3.2 Evaluation Methodology

8.3.2.1 Data Collection

8.3.2.2 Data Provided During Signup

8.3.2.3 Technical Set-up

8.4 Data

8.4.1 Market Dynamics

8.4.1.1 Network Size

8.4.1.2 Site Popularity: Traffic Data

8.4.1.3 Geographical Distribution: American Dominance

8.4.1.4 Site Evolution

8.4.1.5 Multilingualism

8.4.1.6 Competition

8.4.1.7 Business Model

8.4.2 Promotional Methods

8.4.2.1 Promotion of Social Interaction

8.4.2.2 Promotion via Network Effects

8.4.2.3 Promotion of Functionality

8.4.2.4 Promotion of Privacy

8.4.3 Presentation of Terms of Use and Privacy Policy

8.4.3.1 Privacy Policy Acknowledgment

8.4.3.2 Privacy Policy Review

8.4.4 Data Collected During Sign-up

8.4.4.1 Over-Collection of Demographic Data

8.4.4.2 Requirement of Real Names

8.4.4.3 Requirement of Email Addresses

8.4.5 Privacy Controls

8.4.5.1 Profile Visibility Options

8.4.5.2 Fine-Grained Controls

8.4.5.3 Permissive Defaults

8.4.5.4 User Interface Problems

8.4.6 Security Measures

8.4.6.1 Use of TLS Encryption and Authentication

8.4.6.2 Phishing Prevention

8.4.6.3 Online Safety Guidance & Abuse Reporting

8.4.7 Privacy Policies

8.4.7.1 Technical Accessibility

8.4.7.2 Length

8.4.7.3 Legal Issues

8.4.7.4 Data Claims

8.4.7.5 Availability of P3P Policies

8.4.7.6 Self-Promotion within Privacy Policies

8.5 Data Analysis

8.5.1 Privacy vs. Functionality

8.5.2 Privacy vs. Site Age

8.5.3 Privacy vs. Size

8.5.4 Privacy vs. Growth Rate

8.5.5 Privacy Promotion and Claims vs. Actual Privacy Practices

8.6 Economic Models

8.6.1 The Privacy Communication Game

8.6.1.1 Reducing Privacy Salience

8.6.1.2 Discouraging Privacy Fundamentalists

8.6.1.3 Reducing Privacy Criticism

8.6.1.4 Evolution of Communication

8.6.2 The Effects of Lock-in

8.6.3 Privacy as a Lemons Market

8.6.4 Privacy Negotiations

8.7 Limitations

8.8 Conclusions

Acknowledgments

References

Chapter 9 The Policy Maker’s Anguish: RegulatingPersonal Data Behavior Between Paradoxes andDilemmas

9.1 Introduction

9.2 ExistingWork on the Privacy Paradox

9.3 Methodology

9.4 Paradoxes

9.4.1 The Privacy Paradox

9.4.2 The Control Paradox

9.4.3 The Responsibility Paradox

9.5 Dilemmas

9.5.1 The Cultural Dilemma

9.5.2 The Market Fragmentation Dilemma

9.5.3 The Public-Private Dilemma

9.6 Conclusion

References

9.7 Appendix

Chapter 10Valuating Privacy with Option Pricing Theory

10.1 Introduction

10.2 Related Work

10.2.1 Measurement of Anonymity and Unlinkability

10.2.2 Financial Methods in Information Security

10.3 From Financial to Privacy Options

10.4 Sources of Uncertainty

10.4.1 Micro Model: Timed Linkability Process

10.4.2 Macro Model: Population Development

10.5 Valuation of Privacy Options

10.6 Discussion of Results

10.7 Conclusions and Outlook

Acknowledgments

References

Chapter 11 Optimal Timing of Information SecurityInvestment: A Real Options Approach

11.1 Introduction

11.2 Optimum Investment Size: The Model of Gordon and Loeb

11.3 Optimal Timing of Information Security Investment

11.3.1 Dynamic Considerations

11.3.2 Literature Review

11.3.3 Formulation and Solution

11.3.4 Interpretation

11.4 The Optimal Solution: Numerical Illustrations

11.4.1 Remaining Vulnerability Case I

11.4.2 Remaining Vulnerability Case II

11.5 Concluding Remarks

11.5.1 Summary

11.5.2 Remaining Problems

11.5.2.1 Dynamics Formulation

11.5.2.2 Attackers’ Behavior Formulation

11.5.2.3 Empirical Analysis

References

Chapter 12 Competitive Cyber-Insuranceand Internet Security

12.1 Introduction

12.2 Model

12.2.1 Analysis

12.2.1.1 Nash Equilibrium

12.2.1.2 Social Optimum

Proposition 12.1.

12.3 Insurance Model

12.3.1 Insurance with Non-Contractible Security

Proposition 12.2.

12.3.2 Insurance with Contractible Security

12.3.2.1 Social Planner

12.3.2.2 Competitive Insurers

Proposition 12.3.

12.4 Conclusion

12.5 Appendix

References

Chapter 13 Potential Rating Indicators for Cyberinsurance:An Exploratory Qualitative Study

13.1 Introduction

13.2 Background

13.3 Research Problem and Contribution

13.4 Research Method

13.4.1 1. Step: Preparation, Constructs

13.4.1.1 Exposure and Quality

13.4.1.2 Loss Centre

13.4.1.3 Layer Model

13.4.1.4 The Resulting Questionnaire

13.4.2 2. Step: Selection of Experts

13.4.3 3. Step: Generation of Statements

13.4.4 4. Step: Interpretation and Consolidation of Statements

13.4.5 5. Step: Reducing the Resulting List of Indicators

13.4.6 6. Step: Ranking Indicators

13.5 Results

13.6 Limitations

13.7 Related Work

13.8 Conclusions and Outlook

13.9 Appendix

13.9.1 First-party loss exposure indicators

13.9.2 Third-party loss exposure indicators

13.9.3 Indicators for the quality of IT risk management

References

Chapter 14 The Risk of Risk AnalysisAnd its Relation to the Economics of InsiderThreats

14.1 Introduction

14.2 Insiders, Outsiders, and Their Threats

14.2.1 Insider Threats That Do Not Represent a Violation of Trust

14.2.2 Insider Threats That Do Represent a Violation of Trust

“Simple” insider threat:

High profile (or charismatic) insider threat:

14.3 Building up Trust and Risk

14.3.1 Simple Trust, Low Risk

14.3.2 Medium Trust, Elevated Risk

14.3.3 Complex Trust, Even More Complex Risk

14.4 Policies and Compliance

14.4.1 Enforcing Simple Trust Relationships

14.4.2 Managing Complex Trust-Risk Relationship

14.4.3 Simple vs. Complex

14.5 Organizational and Insider Goals

14.5.1 Organizations

14.5.2 Insiders

14.6 The Risk of Risk Analysis

14.6.1 Plotting the Value Function

14.6.2 The Benefit of Obscurity

14.7 Strategies to Change Motivation Rather than Prevent Bad Insider Actions

14.8 Conclusion

14.8.1 Probability of Policies Being Successful in Blocking High-Level Insider Threats

References

Chapter 15 Competition, Speculative Risks, and IT SecurityOutsourcing

15.1 Introduction

15.2 Literature Review

15.3 Model Description

15.4 Model Analysis

15.4.1 Impact of Competitive Risk Environment on Firm’s Outsourcing Decisions

Proposition 15.1.

15.4.2 Impact of MSSP Characteristics on Firms’ Outsourcing Decisions

Proposition 15.2.

15.4.3 Impact of Breach Characteristics on Firms’ Outsourcing Decisions

Proposition 15.3.

15.5 Conclusion

Appendix

References