Moore / Pym / Ioannidis | Economics of Information Security and Privacy | E-Book | www2.sack.de

E-book, English, 320 pages

Moore / Pym / Ioannidis: Economics of Information Security and Privacy


1st edition, 2010
ISBN: 978-1-4419-6967-5
Publisher: Springer
Format: PDF
Copy protection: 1 - PDF watermark




The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary research and scholarship on information security and privacy, combining ideas, techniques, and expertise from the fields of economics, social science, business, law, policy, and computer science. In 2009, WEIS was held in London at UCL, a constituent college of the University of London. Economics of Information Security and Privacy collects chapters presented at WEIS 2009, each reviewed by a program committee of leading researchers. Topics covered include identity theft, modeling the effects of uncertainty, future directions in the economics of information security, the economics of privacy, options, misaligned incentives in systems, cyber-insurance, and modeling security dynamics. The book is intended for managers, policy makers, and researchers working in the economics of information security and related fields. Advanced-level students in computer science, business management, and economics will find it a valuable reference.
Table of contents (as listed by the publisher):
- Introduction and Overview
- The Iterated Weakest Link: A Model of Adaptive Security Investment
- The Price of Uncertainty in Security Games
- Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy
- The Policy Maker's Anguish: Regulating Personal Data Behaviour Between Paradoxes and Dilemmas
- The Privacy Jungle: On the Market for Data Protection in Social Networks
- Valuating Privacy with Option Pricing Theory
- Security Economics and Critical National Infrastructure
- Internet Multi-Homing Problems: Explanations from Economics
- The Risk of Risk Analysis and its Relation to the Economics of Insider Threats
- Competitive Cyber-Insurance and Internet Security
- Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study
- Modeling the Economic Incentives of DDoS Attacks: Femtocell Case Study
- Modelling the Security Ecosystem: The Dynamics of (In)Security


Further information & material


Detailed table of contents (page numbers refer to the PDF edition):

Preface (p. 5)
List of Contributors (p. 7)
Contents (p. 10)
Chapter 1: Introduction and Overview (p. 17)
  1.1 Introduction (p. 17)
  1.2 The Economics of Information Security and Privacy (p. 18)
  1.3 Overview of the Book's Contributions (p. 19)
Chapter 2: The Price of Uncertainty in Security Games (p. 24)
  2.1 Introduction (p. 25)
  2.2 Decision Theoretic Model (p. 27)
    2.2.1 Basic Model (p. 27)
    2.2.2 Player Behavior (p. 28)
    2.2.3 Information Conditions (p. 29)
    2.2.4 Remarks on Basic Results (p. 30)
    2.2.5 Outlook on Further Analyses (p. 31)
  2.3 Price of Uncertainty Metrics (p. 31)
    2.3.1 The Price of Uncertainty (p. 31)
    2.3.2 Three Metrics for the Price of Uncertainty (p. 31)
    2.3.3 Discussion of the Definitions (p. 32)
      2.3.3.1 The Difference Metric (p. 32)
      2.3.3.2 The Payoff-Ratio Metric (p. 32)
      2.3.3.3 The Cost-Ratio Metric (p. 33)
  2.4 Analysis (p. 33)
    2.4.1 Best Shot Game (p. 33)
      2.4.1.1 The Best Shot Difference Metric (p. 34)
        Observations (p. 34)
      2.4.1.2 The Best Shot Payoff-Ratio Metric (p. 35)
        Observations (p. 35)
      2.4.1.3 The Best Shot Cost-Ratio Metric (p. 36)
        Observations (p. 36)
    2.4.2 Weakest Link Game (p. 36)
      2.4.2.1 The Weakest Link Difference Metric (p. 37)
        Observations (p. 38)
      2.4.2.2 The Weakest Link Payoff-Ratio Metric (p. 39)
        Observations (p. 40)
      2.4.2.3 The Weakest Link Cost-Ratio Metric (p. 40)
        Observations (p. 40)
    2.4.3 Total Effort Game (p. 41)
      2.4.3.1 The Total Effort Difference Metric (p. 41)
        Observations (p. 42)
      2.4.3.2 The Total Effort Payoff-Ratio Metric (p. 42)
        Observations (p. 43)
      2.4.3.3 The Total Effort Cost-Ratio Metric (p. 43)
        Observations (p. 43)
  2.5 Conclusions (p. 44)
  References (p. 46)
Chapter 3: Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy (p. 48)
  3.1 Introduction (p. 49)
  3.2 Related Work (p. 51)
    3.2.1 Studies of the Underground Economy (p. 51)
    3.2.2 Economics of Security and of the Underground Economy (p. 52)
    3.2.3 Economics Background (p. 53)
      3.2.3.1 Asymmetric Information: The Market for Lemons (p. 53)
      3.2.3.2 The Theory of the Firm (p. 54)
  3.3 The Underground Economy is a Market for Lemons (p. 55)
    3.3.1 The Types of Goods and Services Offered for Sale on the Underground Economy (p. 55)
      3.3.1.1 Goods (p. 55)
      3.3.1.2 Services (p. 56)
    3.3.2 Is this a Market for Lemons? (p. 56)
      3.3.2.1 Asymmetry of Information (p. 56)
      3.3.2.2 No Credible Disclosure (p. 57)
      3.3.2.3 Continuum of Seller Quality or Low Seller Quality (p. 57)
      3.3.2.4 Lack of Quality Assurance or Regulation (p. 58)
      3.3.2.5 Summary (p. 59)
  3.4 Analysis and Implications (p. 59)
    3.4.1 Countermeasures Ought to be Easy: Lemonizing the Market (p. 59)
    3.4.2 The Ripper Tax (p. 60)
    3.4.3 Formation of Firms and Alliances (p. 60)
    3.4.4 A Two-Tier Underground Economy (p. 61)
    3.4.5 What Can We Estimate From Activity on IRC Markets? (p. 62)
      3.4.5.1 What Can We Say about Participants in a Lemon Market? (p. 62)
      3.4.5.2 Activity Does not Imply Dollars (p. 63)
      3.4.5.3 Activity Does Imply Competition (p. 64)
      3.4.5.4 What Can We Say About the Goods Offered in a Lemon Market? (p. 64)
    3.4.6 Who are We Fighting? What are We Trying to Accomplish? (p. 64)
  3.5 Conclusion (p. 65)
  References (p. 67)
Chapter 4: Security Economics and Critical National Infrastructure (p. 69)
  4.1 Introduction (p. 70)
  4.2 Critical Infrastructure: Externalities of Correlated Failure (p. 71)
  4.3 Regulatory Approaches (p. 73)
  4.4 Security or Reliability? (p. 74)
  4.5 Cross-Industry Differences (p. 75)
  4.6 Certification and Lifecycle Management (p. 75)
  4.7 The Roadmap (p. 77)
  4.8 Conclusions (p. 78)
  References (p. 79)
Chapter 5: Internet Multi-Homing Problems: Explanations from Economics (p. 81)
  5.1 Introduction (p. 81)
  5.2 How Internet Routing Works (p. 82)
  5.3 The 'Global Routing Table' (p. 83)
  5.4 IPv6 (p. 85)
    5.4.1 SHIM6 (p. 87)
    5.4.2 The Lack of Incentives for SHIM6 Deployment (p. 87)
    5.4.3 Cooperating ISPs (p. 88)
  5.5 Discouraging Growth in the Global Routing Table (p. 89)
  5.6 Related Work on the Economics of Protocols (p. 90)
  5.7 Conclusions (p. 91)
  References (p. 92)
Chapter 6: Modeling the Security Ecosystem: The Dynamics of (In)Security (p. 93)
  6.1 Introduction (p. 93)
  6.2 Related Work (p. 94)
  6.3 Methodology (p. 95)
  6.4 Vulnerability Lifecycle (p. 96)
    6.4.1 Risk Exposure Times (p. 100)
  6.5 The Security Ecosystem (p. 101)
    6.5.1 Major Players (p. 101)
      6.5.1.1 Discoverer (p. 102)
      6.5.1.2 Vulnerability Markets (p. 103)
      6.5.1.3 Criminal (p. 105)
      6.5.1.4 Vendor (p. 105)
      6.5.1.5 Security Information Provider (SIP) (p. 105)
      6.5.1.6 Public (p. 106)
    6.5.2 Processes of the Security Ecosystem (p. 106)
      6.5.2.1 Path (A) and Path (B) (p. 106)
      6.5.2.2 Path (C) (p. 107)
      6.5.2.3 Path (D) and Path (E) (p. 108)
    6.5.3 The Disclosure Debate (p. 108)
  6.6 The Dynamics of (In)Security (p. 109)
    6.6.1 Discovery Dynamics (p. 111)
    6.6.2 Exploit Availability Dynamics (p. 112)
    6.6.3 Patch Availability Dynamics (p. 114)
    6.6.4 (In)security Dynamics (p. 115)
      6.6.4.1 The Gap of Insecurity (p. 115)
      Limitations (p. 118)
  6.7 Conclusion (p. 118)
  References (p. 119)
Chapter 7: Modeling the Economic Incentives of DDoS Attacks: Femtocell Case Study (p. 121)
  7.1 Introduction (p. 121)
  7.2 Background and Related Work (p. 122)
  7.3 The Model (p. 123)
  7.4 Application of the Model (p. 126)
    7.4.1 Data Collection (p. 126)
      7.4.1.1 Extortion Revenue (p. 126)
      7.4.1.2 Cost of Hiring the DDoS Attack Service (p. 127)
    7.4.2 Regression Analysis for the Cost Function (p. 127)
    7.4.3 Use of the Model to Estimate the Economic Incentives for Launching DDoS Attacks (p. 129)
      7.4.3.1 Simulation 1 (p. 130)
      7.4.3.2 Simulation 2 (p. 130)
      7.4.3.3 Simulation 3 (p. 131)
  7.5 Conclusion (p. 132)
  References (p. 133)
Chapter 8: The Privacy Jungle: On the Market for Data Protection in Social Networks (p. 134)
  8.1 Introduction (p. 135)
  8.2 Related Work (p. 136)
  8.3 Survey Methodology (p. 137)
    8.3.1 Selection of Sites (p. 137)
      8.3.1.1 General-Purpose Sites (p. 137)
      8.3.1.2 Niche Sites (p. 138)
    8.3.2 Evaluation Methodology (p. 139)
      8.3.2.1 Data Collection (p. 139)
      8.3.2.2 Data Provided During Signup (p. 141)
      8.3.2.3 Technical Set-up (p. 141)
  8.4 Data (p. 141)
    8.4.1 Market Dynamics (p. 142)
      8.4.1.1 Network Size (p. 142)
      8.4.1.2 Site Popularity: Traffic Data (p. 142)
      8.4.1.3 Geographical Distribution: American Dominance (p. 143)
      8.4.1.4 Site Evolution (p. 143)
      8.4.1.5 Multilingualism (p. 144)
      8.4.1.6 Competition (p. 144)
      8.4.1.7 Business Model (p. 145)
    8.4.2 Promotional Methods (p. 145)
      8.4.2.1 Promotion of Social Interaction (p. 145)
      8.4.2.2 Promotion via Network Effects (p. 145)
      8.4.2.3 Promotion of Functionality (p. 146)
      8.4.2.4 Promotion of Privacy (p. 147)
    8.4.3 Presentation of Terms of Use and Privacy Policy (p. 148)
      8.4.3.1 Privacy Policy Acknowledgment (p. 149)
      8.4.3.2 Privacy Policy Review (p. 149)
    8.4.4 Data Collected During Sign-up (p. 150)
      8.4.4.1 Over-Collection of Demographic Data (p. 151)
      8.4.4.2 Requirement of Real Names (p. 151)
      8.4.4.3 Requirement of Email Addresses (p. 152)
    8.4.5 Privacy Controls (p. 152)
      8.4.5.1 Profile Visibility Options (p. 153)
      8.4.5.2 Fine-Grained Controls (p. 153)
      8.4.5.3 Permissive Defaults (p. 154)
      8.4.5.4 User Interface Problems (p. 155)
    8.4.6 Security Measures (p. 156)
      8.4.6.1 Use of TLS Encryption and Authentication (p. 156)
      8.4.6.2 Phishing Prevention (p. 157)
      8.4.6.3 Online Safety Guidance & Abuse Reporting (p. 157)
    8.4.7 Privacy Policies (p. 158)
      8.4.7.1 Technical Accessibility (p. 158)
      8.4.7.2 Length (p. 160)
      8.4.7.3 Legal Issues (p. 160)
      8.4.7.4 Data Claims (p. 161)
      8.4.7.5 Availability of P3P Policies (p. 161)
      8.4.7.6 Self-Promotion within Privacy Policies (p. 162)
  8.5 Data Analysis (p. 163)
    8.5.1 Privacy vs. Functionality (p. 163)
    8.5.2 Privacy vs. Site Age (p. 164)
    8.5.3 Privacy vs. Size (p. 165)
    8.5.4 Privacy vs. Growth Rate (p. 166)
    8.5.5 Privacy Promotion and Claims vs. Actual Privacy Practices (p. 166)
  8.6 Economic Models (p. 167)
    8.6.1 The Privacy Communication Game (p. 167)
      8.6.1.1 Reducing Privacy Salience (p. 168)
      8.6.1.2 Discouraging Privacy Fundamentalists (p. 169)
      8.6.1.3 Reducing Privacy Criticism (p. 170)
      8.6.1.4 Evolution of Communication (p. 171)
    8.6.2 The Effects of Lock-in (p. 171)
    8.6.3 Privacy as a Lemons Market (p. 172)
    8.6.4 Privacy Negotiations (p. 173)
  8.7 Limitations (p. 174)
  8.8 Conclusions (p. 175)
  Acknowledgments (p. 176)
  References (p. 176)
Chapter 9: The Policy Maker's Anguish: Regulating Personal Data Behavior Between Paradoxes and Dilemmas (p. 181)
  9.1 Introduction (p. 182)
  9.2 Existing Work on the Privacy Paradox (p. 183)
  9.3 Methodology (p. 184)
  9.4 Paradoxes (p. 186)
    9.4.1 The Privacy Paradox (p. 187)
    9.4.2 The Control Paradox (p. 187)
    9.4.3 The Responsibility Paradox (p. 187)
  9.5 Dilemmas (p. 189)
    9.5.1 The Cultural Dilemma (p. 189)
    9.5.2 The Market Fragmentation Dilemma (p. 190)
    9.5.3 The Public-Private Dilemma (p. 190)
  9.6 Conclusion (p. 191)
  References (p. 192)
  9.7 Appendix (p. 194)
Chapter 10: Valuating Privacy with Option Pricing Theory (p. 198)
  10.1 Introduction (p. 198)
  10.2 Related Work (p. 200)
    10.2.1 Measurement of Anonymity and Unlinkability (p. 200)
    10.2.2 Financial Methods in Information Security (p. 202)
  10.3 From Financial to Privacy Options (p. 202)
  10.4 Sources of Uncertainty (p. 204)
    10.4.1 Micro Model: Timed Linkability Process (p. 204)
    10.4.2 Macro Model: Population Development (p. 206)
  10.5 Valuation of Privacy Options (p. 212)
  10.6 Discussion of Results (p. 213)
  10.7 Conclusions and Outlook (p. 215)
  Acknowledgments (p. 217)
  References (p. 217)
Chapter 11: Optimal Timing of Information Security Investment: A Real Options Approach (p. 221)
  11.1 Introduction (p. 221)
  11.2 Optimum Investment Size: The Model of Gordon and Loeb (p. 222)
  11.3 Optimal Timing of Information Security Investment (p. 223)
    11.3.1 Dynamic Considerations (p. 223)
    11.3.2 Literature Review (p. 224)
    11.3.3 Formulation and Solution (p. 225)
    11.3.4 Interpretation (p. 228)
  11.4 The Optimal Solution: Numerical Illustrations (p. 228)
    11.4.1 Remaining Vulnerability Case I (p. 229)
    11.4.2 Remaining Vulnerability Case II (p. 230)
  11.5 Concluding Remarks (p. 231)
    11.5.1 Summary (p. 231)
    11.5.2 Remaining Problems (p. 231)
      11.5.2.1 Dynamics Formulation (p. 231)
      11.5.2.2 Attackers' Behavior Formulation (p. 231)
      11.5.2.3 Empirical Analysis (p. 232)
  References (p. 232)
Chapter 12: Competitive Cyber-Insurance and Internet Security (p. 239)
  12.1 Introduction (p. 240)
  12.2 Model (p. 241)
    12.2.1 Analysis (p. 243)
      12.2.1.1 Nash Equilibrium (p. 243)
      12.2.1.2 Social Optimum (p. 244)
      Proposition 12.1 (p. 244)
  12.3 Insurance Model (p. 244)
    12.3.1 Insurance with Non-Contractible Security (p. 245)
      Proposition 12.2 (p. 246)
    12.3.2 Insurance with Contractible Security (p. 246)
      12.3.2.1 Social Planner (p. 246)
      12.3.2.2 Competitive Insurers (p. 247)
      Proposition 12.3 (p. 248)
  12.4 Conclusion (p. 248)
  12.5 Appendix (p. 249)
  References (p. 256)
Chapter 13: Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study (p. 258)
  13.1 Introduction (p. 258)
  13.2 Background (p. 260)
  13.3 Research Problem and Contribution (p. 261)
  13.4 Research Method (p. 262)
    13.4.1 Step 1: Preparation, Constructs (p. 262)
      13.4.1.1 Exposure and Quality (p. 263)
      13.4.1.2 Loss Centre (p. 263)
      13.4.1.3 Layer Model (p. 264)
      13.4.1.4 The Resulting Questionnaire (p. 265)
    13.4.2 Step 2: Selection of Experts (p. 266)
    13.4.3 Step 3: Generation of Statements (p. 267)
    13.4.4 Step 4: Interpretation and Consolidation of Statements (p. 268)
    13.4.5 Step 5: Reducing the Resulting List of Indicators (p. 270)
    13.4.6 Step 6: Ranking Indicators (p. 271)
  13.5 Results (p. 272)
  13.6 Limitations (p. 276)
  13.7 Related Work (p. 277)
  13.8 Conclusions and Outlook (p. 277)
  13.9 Appendix (p. 279)
    13.9.1 First-party loss exposure indicators (p. 279)
    13.9.2 Third-party loss exposure indicators (p. 281)
    13.9.3 Indicators for the quality of IT risk management (p. 284)
  References (p. 286)
Chapter 14: The Risk of Risk Analysis and its Relation to the Economics of Insider Threats (p. 288)
  14.1 Introduction (p. 288)
  14.2 Insiders, Outsiders, and Their Threats (p. 290)
    14.2.1 Insider Threats That Do Not Represent a Violation of Trust (p. 292)
    14.2.2 Insider Threats That Do Represent a Violation of Trust (p. 292)
      "Simple" insider threat (p. 292)
      High profile (or charismatic) insider threat (p. 292)
  14.3 Building up Trust and Risk (p. 293)
    14.3.1 Simple Trust, Low Risk (p. 294)
    14.3.2 Medium Trust, Elevated Risk (p. 295)
    14.3.3 Complex Trust, Even More Complex Risk (p. 295)
  14.4 Policies and Compliance (p. 297)
    14.4.1 Enforcing Simple Trust Relationships (p. 298)
    14.4.2 Managing Complex Trust-Risk Relationship (p. 299)
    14.4.3 Simple vs. Complex (p. 301)
  14.5 Organizational and Insider Goals (p. 301)
    14.5.1 Organizations (p. 301)
    14.5.2 Insiders (p. 302)
  14.6 The Risk of Risk Analysis (p. 302)
    14.6.1 Plotting the Value Function (p. 303)
    14.6.2 The Benefit of Obscurity (p. 305)
  14.7 Strategies to Change Motivation Rather than Prevent Bad Insider Actions (p. 305)
  14.8 Conclusion (p. 306)
    14.8.1 Probability of Policies Being Successful in Blocking High-Level Insider Threats (p. 307)
  References (p. 307)
Chapter 15: Competition, Speculative Risks, and IT Security Outsourcing (p. 309)
  15.1 Introduction (p. 310)
  15.2 Literature Review (p. 312)
  15.3 Model Description (p. 314)
  15.4 Model Analysis (p. 317)
    15.4.1 Impact of Competitive Risk Environment on Firm's Outsourcing Decisions (p. 319)
      Proposition 15.1 (p. 319)
    15.4.2 Impact of MSSP Characteristics on Firms' Outsourcing Decisions (p. 321)
      Proposition 15.2 (p. 321)
    15.4.3 Impact of Breach Characteristics on Firms' Outsourcing Decisions (p. 323)
      Proposition 15.3 (p. 323)
  15.5 Conclusion (p. 324)
  Appendix (p. 325)
  References (p. 326)


