Preface ... 5
List of Contributors ... 7
Contents ... 10
Chapter 1 Introduction and Overview ... 17
1.1 Introduction ... 17
1.2 The Economics of Information Security and Privacy ... 18
1.3 Overview of the Book’s Contributions ... 19
Chapter 2 The Price of Uncertainty in Security Games ... 24
2.1 Introduction ... 25
2.2 Decision Theoretic Model ... 27
2.2.1 Basic Model ... 27
2.2.2 Player Behavior ... 28
2.2.3 Information Conditions ... 29
2.2.4 Remarks on Basic Results ... 30
2.2.5 Outlook on Further Analyses ... 31
2.3 Price of Uncertainty Metrics ... 31
2.3.1 The Price of Uncertainty ... 31
2.3.2 Three Metrics for the Price of Uncertainty ... 31
2.3.3 Discussion of the Definitions ... 32
2.3.3.1 The Difference Metric ... 32
2.3.3.2 The Payoff-Ratio Metric ... 32
2.3.3.3 The Cost-Ratio Metric ... 33
2.4 Analysis ... 33
2.4.1 Best Shot Game ... 33
2.4.1.1 The Best Shot Difference Metric ... 34
Observations ... 34
2.4.1.2 The Best Shot Payoff-Ratio Metric ... 35
Observations ... 35
2.4.1.3 The Best Shot Cost-Ratio Metric ... 36
Observations ... 36
2.4.2 Weakest Link Game ... 36
2.4.2.1 The Weakest Link Difference Metric ... 37
Observations ... 38
2.4.2.2 The Weakest Link Payoff-Ratio Metric ... 39
Observations ... 40
2.4.2.3 The Weakest Link Cost-Ratio Metric ... 40
Observations ... 40
2.4.3 Total Effort Game ... 41
2.4.3.1 The Total Effort Difference Metric ... 41
Observations ... 42
2.4.3.2 The Total Effort Payoff-Ratio Metric ... 42
Observations ... 43
2.4.3.3 The Total Effort Cost-Ratio Metric ... 43
Observations ... 43
2.5 Conclusions ... 44
References ... 46
Chapter 3 Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy ... 48
3.1 Introduction ... 49
3.2 Related Work ... 51
3.2.1 Studies of the Underground Economy ... 51
3.2.2 Economics of Security and of the Underground Economy ... 52
3.2.3 Economics Background ... 53
3.2.3.1 Asymmetric Information: The Market for Lemons ... 53
3.2.3.2 The Theory of the Firm ... 54
3.3 The Underground Economy is a Market for Lemons ... 55
3.3.1 The Types of Goods and Services Offered for Sale on the Underground Economy ... 55
3.3.1.1 Goods ... 55
3.3.1.2 Services ... 56
3.3.2 Is this a Market for Lemons? ... 56
3.3.2.1 Asymmetry of Information ... 56
3.3.2.2 No Credible Disclosure ... 57
3.3.2.3 Continuum of Seller Quality or Low Seller Quality ... 57
3.3.2.4 Lack of Quality Assurance or Regulation ... 58
3.3.2.5 Summary ... 59
3.4 Analysis and Implications ... 59
3.4.1 Countermeasures Ought to be Easy: Lemonizing the Market ... 59
3.4.2 The Ripper Tax ... 60
3.4.3 Formation of Firms and Alliances ... 60
3.4.4 A Two-Tier Underground Economy ... 61
3.4.5 What Can We Estimate From Activity on IRC Markets? ... 62
3.4.5.1 What Can We Say about Participants in a Lemon Market? ... 62
3.4.5.2 Activity Does not Imply Dollars ... 63
3.4.5.3 Activity Does Imply Competition ... 64
3.4.5.4 What Can We Say About the Goods Offered in a Lemon Market? ... 64
3.4.6 Who are We Fighting? What are We Trying to Accomplish? ... 64
3.5 Conclusion ... 65
References ... 67
Chapter 4 Security Economics and Critical National Infrastructure ... 69
4.1 Introduction ... 70
4.2 Critical Infrastructure: Externalities of Correlated Failure ... 71
4.3 Regulatory Approaches ... 73
4.4 Security or Reliability? ... 74
4.5 Cross-Industry Differences ... 75
4.6 Certification and Lifecycle Management ... 75
4.7 The Roadmap ... 77
4.8 Conclusions ... 78
References ... 79
Chapter 5 Internet Multi-Homing Problems: Explanations from Economics ... 81
5.1 Introduction ... 81
5.2 How Internet Routing Works ... 82
5.3 The ‘Global Routing Table’ ... 83
5.4 IPv6 ... 85
5.4.1 SHIM6 ... 87
5.4.2 The Lack of Incentives for SHIM6 Deployment ... 87
5.4.3 Cooperating ISPs ... 88
5.5 Discouraging Growth in the Global Routing Table ... 89
5.6 Related Work on the Economics of Protocols ... 90
5.7 Conclusions ... 91
References ... 92
Chapter 6 Modeling the Security Ecosystem: The Dynamics of (In)Security ... 93
6.1 Introduction ... 93
6.2 Related Work ... 94
6.3 Methodology ... 95
6.4 Vulnerability Lifecycle ... 96
6.4.1 Risk Exposure Times ... 100
6.5 The Security Ecosystem ... 101
6.5.1 Major Players ... 101
6.5.1.1 Discoverer ... 102
6.5.1.2 Vulnerability Markets ... 103
6.5.1.3 Criminal ... 105
6.5.1.4 Vendor ... 105
6.5.1.5 Security Information Provider (SIP) ... 105
6.5.1.6 Public ... 106
6.5.2 Processes of the Security Ecosystem ... 106
6.5.2.1 Path (A) and Path (B) ... 106
6.5.2.2 Path (C) ... 107
6.5.2.3 Path (D) and Path (E) ... 108
6.5.3 The Disclosure Debate ... 108
6.6 The Dynamics of (In)Security ... 109
6.6.1 Discovery Dynamics ... 111
6.6.2 Exploit Availability Dynamics ... 112
6.6.3 Patch Availability Dynamics ... 114
6.6.4 (In)security Dynamics ... 115
6.6.4.1 The Gap of Insecurity ... 115
Limitations ... 118
6.7 Conclusion ... 118
References ... 119
Chapter 7 Modeling the Economic Incentives of DDoS Attacks: Femtocell Case Study * ... 121
7.1 Introduction ... 121
7.2 Background and Related Work ... 122
7.3 The Model ... 123
7.4 Application of the Model ... 126
7.4.1 Data Collection ... 126
7.4.1.1 Extortion Revenue ... 126
7.4.1.2 Cost of Hiring the DDoS Attack Service ... 127
7.4.2 Regression Analysis for the Cost Function ... 127
7.4.3 Use of the Model to Estimate the Economic Incentives for Launching DDoS Attacks ... 129
7.4.3.1 Simulation 1 ... 130
7.4.3.2 Simulation 2 ... 130
7.4.3.3 Simulation 3 ... 131
7.5 Conclusion ... 132
References ... 133
Chapter 8 The Privacy Jungle: On the Market for Data Protection in Social Networks ... 134
8.1 Introduction ... 135
8.2 Related Work ... 136
8.3 Survey Methodology ... 137
8.3.1 Selection of Sites ... 137
8.3.1.1 General-Purpose Sites ... 137
8.3.1.2 Niche Sites ... 138
8.3.2 Evaluation Methodology ... 139
8.3.2.1 Data Collection ... 139
8.3.2.2 Data Provided During Signup ... 141
8.3.2.3 Technical Set-up ... 141
8.4 Data ... 141
8.4.1 Market Dynamics ... 142
8.4.1.1 Network Size ... 142
8.4.1.2 Site Popularity: Traffic Data ... 142
8.4.1.3 Geographical Distribution: American Dominance ... 143
8.4.1.4 Site Evolution ... 143
8.4.1.5 Multilingualism ... 144
8.4.1.6 Competition ... 144
8.4.1.7 Business Model ... 145
8.4.2 Promotional Methods ... 145
8.4.2.1 Promotion of Social Interaction ... 145
8.4.2.2 Promotion via Network Effects ... 145
8.4.2.3 Promotion of Functionality ... 146
8.4.2.4 Promotion of Privacy ... 147
8.4.3 Presentation of Terms of Use and Privacy Policy ... 148
8.4.3.1 Privacy Policy Acknowledgment ... 149
8.4.3.2 Privacy Policy Review ... 149
8.4.4 Data Collected During Sign-up ... 150
8.4.4.1 Over-Collection of Demographic Data ... 151
8.4.4.2 Requirement of Real Names ... 151
8.4.4.3 Requirement of Email Addresses ... 152
8.4.5 Privacy Controls ... 152
8.4.5.1 Profile Visibility Options ... 153
8.4.5.2 Fine-Grained Controls ... 153
8.4.5.3 Permissive Defaults ... 154
8.4.5.4 User Interface Problems ... 155
8.4.6 Security Measures ... 156
8.4.6.1 Use of TLS Encryption and Authentication ... 156
8.4.6.2 Phishing Prevention ... 157
8.4.6.3 Online Safety Guidance & Abuse Reporting ... 157
8.4.7 Privacy Policies ... 158
8.4.7.1 Technical Accessibility ... 158
8.4.7.2 Length ... 160
8.4.7.3 Legal Issues ... 160
8.4.7.4 Data Claims ... 161
8.4.7.5 Availability of P3P Policies ... 161
8.4.7.6 Self-Promotion within Privacy Policies ... 162
8.5 Data Analysis ... 163
8.5.1 Privacy vs. Functionality ... 163
8.5.2 Privacy vs. Site Age ... 164
8.5.3 Privacy vs. Size ... 165
8.5.4 Privacy vs. Growth Rate ... 166
8.5.5 Privacy Promotion and Claims vs. Actual Privacy Practices ... 166
8.6 Economic Models ... 167
8.6.1 The Privacy Communication Game ... 167
8.6.1.1 Reducing Privacy Salience ... 168
8.6.1.2 Discouraging Privacy Fundamentalists ... 169
8.6.1.3 Reducing Privacy Criticism ... 170
8.6.1.4 Evolution of Communication ... 171
8.6.2 The Effects of Lock-in ... 171
8.6.3 Privacy as a Lemons Market ... 172
8.6.4 Privacy Negotiations ... 173
8.7 Limitations ... 174
8.8 Conclusions ... 175
Acknowledgments ... 176
References ... 176
Chapter 9 The Policy Maker’s Anguish: Regulating Personal Data Behavior Between Paradoxes and Dilemmas ... 181
9.1 Introduction ... 182
9.2 Existing Work on the Privacy Paradox ... 183
9.3 Methodology ... 184
9.4 Paradoxes ... 186
9.4.1 The Privacy Paradox ... 187
9.4.2 The Control Paradox ... 187
9.4.3 The Responsibility Paradox ... 187
9.5 Dilemmas ... 189
9.5.1 The Cultural Dilemma ... 189
9.5.2 The Market Fragmentation Dilemma ... 190
9.5.3 The Public-Private Dilemma ... 190
9.6 Conclusion ... 191
References ... 192
9.7 Appendix ... 194
Chapter 10 Valuating Privacy with Option Pricing Theory ... 198
10.1 Introduction ... 198
10.2 Related Work ... 200
10.2.1 Measurement of Anonymity and Unlinkability ... 200
10.2.2 Financial Methods in Information Security ... 202
10.3 From Financial to Privacy Options ... 202
10.4 Sources of Uncertainty ... 204
10.4.1 Micro Model: Timed Linkability Process ... 204
10.4.2 Macro Model: Population Development ... 206
10.5 Valuation of Privacy Options ... 212
10.6 Discussion of Results ... 213
10.7 Conclusions and Outlook ... 215
Acknowledgments ... 217
References ... 217
Chapter 11 Optimal Timing of Information Security Investment: A Real Options Approach ... 221
11.1 Introduction ... 221
11.2 Optimum Investment Size: The Model of Gordon and Loeb ... 222
11.3 Optimal Timing of Information Security Investment ... 223
11.3.1 Dynamic Considerations ... 223
11.3.2 Literature Review ... 224
11.3.3 Formulation and Solution ... 225
11.3.4 Interpretation ... 228
11.4 The Optimal Solution: Numerical Illustrations ... 228
11.4.1 Remaining Vulnerability Case I ... 229
11.4.2 Remaining Vulnerability Case II ... 230
11.5 Concluding Remarks ... 231
11.5.1 Summary ... 231
11.5.2 Remaining Problems ... 231
11.5.2.1 Dynamics Formulation ... 231
11.5.2.2 Attackers’ Behavior Formulation ... 231
11.5.2.3 Empirical Analysis ... 232
References ... 232
Chapter 12 Competitive Cyber-Insurance and Internet Security ... 239
12.1 Introduction ... 240
12.2 Model ... 241
12.2.1 Analysis ... 243
12.2.1.1 Nash Equilibrium ... 243
12.2.1.2 Social Optimum ... 244
Proposition 12.1 ... 244
12.3 Insurance Model ... 244
12.3.1 Insurance with Non-Contractible Security ... 245
Proposition 12.2 ... 246
12.3.2 Insurance with Contractible Security ... 246
12.3.2.1 Social Planner ... 246
12.3.2.2 Competitive Insurers ... 247
Proposition 12.3 ... 248
12.4 Conclusion ... 248
12.5 Appendix ... 249
References ... 256
Chapter 13 Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study ... 258
13.1 Introduction ... 258
13.2 Background ... 260
13.3 Research Problem and Contribution ... 261
13.4 Research Method ... 262
13.4.1 1. Step: Preparation, Constructs ... 262
13.4.1.1 Exposure and Quality ... 263
13.4.1.2 Loss Centre ... 263
13.4.1.3 Layer Model ... 264
13.4.1.4 The Resulting Questionnaire ... 265
13.4.2 2. Step: Selection of Experts ... 266
13.4.3 3. Step: Generation of Statements ... 267
13.4.4 4. Step: Interpretation and Consolidation of Statements ... 268
13.4.5 5. Step: Reducing the Resulting List of Indicators ... 270
13.4.6 6. Step: Ranking Indicators ... 271
13.5 Results ... 272
13.6 Limitations ... 276
13.7 Related Work ... 277
13.8 Conclusions and Outlook ... 277
13.9 Appendix ... 279
13.9.1 First-party loss exposure indicators ... 279
13.9.2 Third-party loss exposure indicators ... 281
13.9.3 Indicators for the quality of IT risk management ... 284
References ... 286
Chapter 14 The Risk of Risk Analysis and its Relation to the Economics of Insider Threats ... 288
14.1 Introduction ... 288
14.2 Insiders, Outsiders, and Their Threats ... 290
14.2.1 Insider Threats That Do Not Represent a Violation of Trust ... 292
14.2.2 Insider Threats That Do Represent a Violation of Trust ... 292
“Simple” insider threat ... 292
High profile (or charismatic) insider threat ... 292
14.3 Building up Trust and Risk ... 293
14.3.1 Simple Trust, Low Risk ... 294
14.3.2 Medium Trust, Elevated Risk ... 295
14.3.3 Complex Trust, Even More Complex Risk ... 295
14.4 Policies and Compliance ... 297
14.4.1 Enforcing Simple Trust Relationships ... 298
14.4.2 Managing Complex Trust-Risk Relationship ... 299
14.4.3 Simple vs. Complex ... 301
14.5 Organizational and Insider Goals ... 301
14.5.1 Organizations ... 301
14.5.2 Insiders ... 302
14.6 The Risk of Risk Analysis ... 302
14.6.1 Plotting the Value Function ... 303
14.6.2 The Benefit of Obscurity ... 305
14.7 Strategies to Change Motivation Rather than Prevent Bad Insider Actions ... 305
14.8 Conclusion ... 306
14.8.1 Probability of Policies Being Successful in Blocking High-Level Insider Threats ... 307
References ... 307
Chapter 15 Competition, Speculative Risks, and IT Security Outsourcing ... 309
15.1 Introduction ... 310
15.2 Literature Review ... 312
15.3 Model Description ... 314
15.4 Model Analysis ... 317
15.4.1 Impact of Competitive Risk Environment on Firm’s Outsourcing Decisions ... 319
Proposition 15.1 ... 319
15.4.2 Impact of MSSP Characteristics on Firms’ Outsourcing Decisions ... 321
Proposition 15.2 ... 321
15.4.3 Impact of Breach Characteristics on Firms’ Outsourcing Decisions ... 323
Proposition 15.3 ... 323
15.5 Conclusion ... 324
Appendix ... 325
References ... 326