
2010 | Book

Economics of Information Security and Privacy

edited by: Tyler Moore, David Pym, Christos Ioannidis

Publisher: Springer US


Table of Contents

Frontmatter
Chapter 1. Introduction and Overview
Abstract
The Workshop on the Economics of Information Security (WEIS) is the leading forum for interdisciplinary research and scholarship on information security and privacy, combining ideas, techniques, and expertise from the fields of economics, social science, business, law, policy, and computer science.
Tyler Moore, David Pym, Christos Ioannidis
Chapter 2. The Price of Uncertainty in Security Games
Abstract
In the realm of information security, lack of information about other users' incentives in a network can lead to inefficient security choices and reductions in individuals' payoffs. We propose, contrast and compare three metrics for measuring the price of uncertainty due to the departure from the payoff-optimal security outcomes under complete information. Per the analogy with other efficiency metrics, such as the price of anarchy, we define the price of uncertainty as the maximum discrepancy in expected payoff in a complete information environment versus the payoff in an incomplete information environment. We consider difference, payoff-ratio, and cost-ratio metrics as canonical nontrivial measurements of the price of uncertainty. We conduct an algebraic, numerical, and graphical analysis of these metrics applied to different well-studied security scenarios proposed in prior work (i.e., best shot, weakest-link, and total effort). In these scenarios, we study how a fully rational expert agent could utilize the metrics to decide whether to gather information about the economic incentives of multiple nearsighted and naïve agents. We find substantial differences between the various metrics and evaluate the appropriateness for security choices in networked systems.
Jens Grossklags, Benjamin Johnson, Nicolas Christin
Chapter 3. Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy
Abstract
The underground economy has attracted a lot of attention recently as a key component of cybercrime. In particular the IRC markets for stolen identities, phishing kits, botnets, and cybercrime related services have been extensively studied. It is suggested that sophisticated underground markets show great specialization and maturity. There are complex divisions of labor and service offerings for every need. Stolen credentials are traded in bulk for pennies on the dollar. It is suggested that large sums move on these markets.
We argue that this makes very little sense. Using basic arguments from economics we show that the IRC markets studied represent classic examples of lemon markets. The ever-present rippers who cheat other participants ensure that the market cannot operate effectively. Their presence represents a tax on every transaction conducted in the market. Those who form gangs and alliances avoid this tax, enjoy a lower cost basis and higher profit. This suggests a two tier underground economy where organization is the route to profit. The IRC markets appear to be the lower tier, and are occupied by those without skills or alliances, newcomers, and those who seek to cheat them. The goods offered for sale there are those that are easy to acquire, but hard to monetize. We find that estimates of the size of the IRC markets are greatly exaggerated. Finally, we find that defenders recruit their own opponents by publicizing exaggerated estimates of the rewards of cybercrime. Those so recruited inhabit the lower tier; they produce very little profit, but contribute greatly to the externalities of cybercrime.
Cormac Herley, Dinei Florêncio
Chapter 4. Security Economics and Critical National Infrastructure
Abstract
There has been considerable effort and expenditure since 9/11 on the protection of ‘Critical National Infrastructure’ against online attack. This is commonly interpreted to mean preventing online sabotage against utilities such as electricity, oil and gas, water, and sewage - including pipelines, refineries, generators, storage depots and transport facilities such as tankers and terminals. A consensus is emerging that the protection of such assets is more a matter of business models and regulation - in short, of security economics - than of technology. We describe the problems, and the state of play, in this paper. Industrial control systems operate in a different world from systems previously studied by security economists; we find the same issues (lock-in, externalities, asymmetric information and so on) but in different forms. Lock-in is physical, rather than based on network effects, while the most serious externalities result from correlated failure, whether from cascade failures, common-mode failures or simultaneous attacks. There is also an interesting natural experiment happening, in that the USA is regulating cyber security in the electric power industry, but not in oil and gas, while the UK is not regulating at all but rather encouraging industry’s own efforts. Some European governments are intervening, while others are leaving cybersecurity entirely to plant owners to worry about. We already note some perverse effects of the U.S. regulation regime as companies game the system, to the detriment of overall dependability.
Ross Anderson, Shailendra Fuloria
Chapter 5. Internet Multi-Homing Problems: Explanations from Economics
Abstract
Companies seeking to ensure that their Internet connection is resilient often purchase services from multiple providers. This leads them inexorably towards having their IP address range visible in the global routing table, increasing the resource usage of every Internet router. Since this is essentially ‘free’, yet impacts the cost and stability of every router in the world, this is a classic ‘tragedy of the commons’. There is little prospect of change in the IPv4 world, but there is a chance to fix the problem as IPv6 is rolled out. Unfortunately, SHIM6, the engineering solution chosen to solve this issue in IPv6, will only be effective if universally adopted, and there are no short-term incentives to prefer SHIM6 over a duplication of the IPv4 arrangements. Incentives could be artificially introduced by requiring payment for adding multi-homed address space to the global routing table — a naïve estimate of the actual cost being $77 000 per routing prefix. However, it would be almost impossible to ensure the substantial revenues involved are correctly redistributed to those bearing the costs.
Richard Clayton
Chapter 6. Modeling the Security Ecosystem - The Dynamics of (In)Security
Abstract
The security of information technology and computer networks is effected by a wide variety of actors and processes which together make up a security ecosystem; here we examine this ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. First, we analyze the roles of the major actors within this ecosystem and the processes they participate in, the paths vulnerability data take through the ecosystem, and the impact of each of these on security risk. Then, based on a quantitative examination of 27,000 vulnerabilities disclosed over the past decade and taken from publicly available data sources, we quantify the systematic gap between exploit and patch availability. We provide the first examination of the impact and the risks associated with this gap on the ecosystem as a whole. Our analysis provides a metric for the success of the “responsible disclosure” process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the “free press” of the ecosystem.
Stefan Frei, Dominik Schatzmann, Bernhard Plattner, Brian Trammell
Chapter 7. Modeling the Economic Incentives of DDoS Attacks: Femtocell Case Study
Abstract
Many Internet security incidents are caused by agents who act on economic incentives. When that is the case, it is possible to model the attacker's incentives by applying economic principles and, if we can collect appropriate data, we can use the model to better understand the risk imposed by these threats. This paper presents a simple model that represents the economic incentives for launching DDoS attacks against a specific telecommunications service. In addition, some data has been collected in order to quantify some of the variables of the model. Finally, some simulations have been performed to better understand the risk of suffering this kind of attack and to propose solutions to mitigate it.
Vicente Segura, Javier Lahuerta
Chapter 8. The Privacy Jungle: On the Market for Data Protection in Social Networks
Abstract
We have conducted the first thorough analysis of the market for privacy practices and policies in online social networks. From an evaluation of 45 social networking sites using 260 criteria we find that many popular assumptions regarding privacy and social networking need to be revisited when considering the entire ecosystem instead of only a handful of well-known sites. Contrary to the common perception of an oligopolistic market, we find evidence of vigorous competition for new users. Despite observing many poor security practices, there is evidence that social network providers are making efforts to implement privacy enhancing technologies with substantial diversity in the amount of privacy control offered. However, privacy is rarely used as a selling point, and even then only as an auxiliary, nondecisive feature. Sites also failed to promote their existing privacy controls within the site. We similarly found great diversity in the length and content of formal privacy policies, but found an opposite promotional trend: though almost all policies are not accessible to ordinary users due to obfuscating legal jargon, they conspicuously vaunt the sites’ privacy practices. We conclude that the market for privacy in social networks is dysfunctional in that there is significant variation in sites’ privacy controls, data collection requirements, and legal privacy policies, but this is not effectively conveyed to users. Our empirical findings motivate us to introduce the novel model of a privacy communication game, where the economically rational choice for a site operator is to make privacy control available to evade criticism from privacy fundamentalists, while hiding the privacy control interface and privacy policy to maximize sign-up numbers and encourage data sharing from the pragmatic majority of users.
Joseph Bonneau, Sören Preibusch
Chapter 9. The Policy Maker's Anguish: Regulating Personal Data Behavior Between Paradoxes and Dilemmas
Abstract
Regulators in Europe and elsewhere are paying great attention to identity, privacy and trust in online and converging environments. Appropriate regulation of identity in a ubiquitous information environment is seen as one of the major drivers of the future Internet economy. Regulation of personal identity data has come to the fore, including mapping conducted on digital personhood by the OECD, work on human rights and profiling by the Council of Europe, and major studies by the European Commission with regard to self-regulation in the privacy market, electronic identity technical interoperability and enhanced safety for young people. These domains overlap onto an increasingly complex model of regulation of individuals' identity management, online and offline. This chapter argues that policy makers struggle to deal with issues concerning electronic identity, due to the apparently irrational and unpredictable behavior of users when engaging in online interactions involving identity management. Building on empirical survey evidence from four EU countries, we examine the first aspect in detail – citizens' management of identity in a digital environment. We build on data from a large scale (n = 5,265) online survey of attitudes to electronic identity among young Europeans (France, Germany, Spain, UK) conducted in August 2008. The survey asked questions about perceptions and acceptance of risks, general motivations, attitudes and behaviors concerning electronic identity. Four behavioral paradoxes are identified in the analysis: a privacy paradox (to date well known), but also a control paradox, a responsibility paradox and an awareness paradox. The chapter then examines the paradoxes in relation to three main policy dilemmas framing the debate on digital identity. The paper concludes by arguing for an expanded identity debate spanning policy circles and the engineering community.
Ramón Compañó, Wainer Lusoli
Chapter 10. Valuating Privacy with Option Pricing Theory
Abstract
One of the key challenges in the information society is responsible handling of personal data. An often-cited reason why people fail to make rational decisions regarding their own informational privacy is the high uncertainty about future consequences of information disclosures today. This chapter builds an analogy to financial options and draws on principles of option pricing to account for this uncertainty in the valuation of privacy. For this purpose, the development of a data subject's personal attributes over time and the development of the attribute distribution in the population are modeled as two stochastic processes, which fit into the Binomial Option Pricing Model (BOPM). Possible applications of such valuation methods to guide decision support in future privacy-enhancing technologies (PETs) are sketched.
Stefan Berthold, Rainer Böhme
Chapter 11. Optimal Timing of Information Security Investment: A Real Options Approach
Abstract
This chapter applies a real options analytic framework to firms' investment activity in information security technology, and then explores a dynamic analysis of information security investment by extending Gordon-Loeb (2002). The current research shows numerically how firms have to respond to immediate or remote threats. It shows that although a positive drift of threat causes both larger and later investment expenditure, a negative drift causes immediate investment and lower investment expenditure. The efficiency of vulnerability reduction technology encourages firms to invest earlier and induces cost reduction. Knowing the form of vulnerability is important because the effect of high vulnerability on the timing and amount of the investment expenditure is mixed.
Ken-ichi Tatsumi, Makoto Goto
Chapter 12. Competitive Cyber-Insurance and Internet Security
Abstract
This paper investigates how competitive cyber-insurers affect network security and welfare of the networked society. In our model, a user's probability to incur damage (from being attacked) depends on both his security and the network security, with the latter taken by individual users as given. First, we consider cyberinsurers who cannot observe (and thus, affect) individual user security. This asymmetric information causes moral hazard. Then, for most parameters, no equilibrium exists: the insurance market is missing. Even if an equilibrium exists, the insurance contract covers only a minor fraction of the damage; network security worsens relative to the no-insurance equilibrium. Second, we consider insurers with perfect information about their users' security. Here, user security is perfectly enforceable (zero cost); each insurance contract stipulates the required user security. The unique equilibrium contract covers the entire user damage. Still, for most parameters, network security worsens relative to the no-insurance equilibrium. Although cyber-insurance improves user welfare, in general, competitive cyber-insurers fail to improve network security.
Nikhil Shetty, Galina Schwartz, Mark Felegyhazi, Jean Walrand
Chapter 13. Potential Rating Indicators for Cyberinsurance: An Exploratory Qualitative Study
Abstract
In this paper we present the results of an exploratory qualitative study with experts. The aim of the study was the identification of potential rating variables which could be used to calculate a premium for Cyberinsurance coverages. For this purpose we have conducted semi-structured qualitative interviews with a sample of 36 experts from the DACH region. The gathered statements have been consolidated and further reduced to a subset of indicators which are available and difficult to manipulate. The reduced set of indicators has been presented again to the 36 experts in order to rank them according to their relative importance. In this paper we describe the results of this exploratory qualitative study and conclude by discussing implications of our findings for both research and practice.
Frank Innerhofer-Oberperfler, Ruth Breu
Chapter 14. The Risk of Risk Analysis and its Relation to the Economics of Insider Threats
Abstract
Insider threats to organizational information security are widely viewed as an important concern, but little is understood as to the pattern of their occurrence. We outline an argument for explaining what originally surprised us: that many practitioners report that their organizations take basic steps to prevent insider attacks, but do not attempt to address more serious attacks. We suggest that an understanding of the true cost of additional policies to control insider threats, and the dynamic nature of potential insider threats together help explain why this observed behavior is economically rational. This conclusion also suggests that further work needs to be done to understand how better to change underlying motivations of insiders, rather than simply focus on controlling and monitoring their behavior.
Christian W. Probst, Jeffrey Hunker
Chapter 15. Competition, Speculative Risks, and IT Security Outsourcing
Abstract
Information security management is becoming a more critical and, simultaneously, a challenging function for many firms. Even though many security managers are skeptical about outsourcing of IT security, others have cited reasons that are used for outsourcing of traditional IT functions for why security outsourcing is likely to increase. Our research offers a novel explanation, based on competitive externalities associated with IT security, for firms' decisions to outsource IT security. We show that if competitive externalities are ignored, then a firm will outsource security if and only if the MSSP offers a quality (or a cost) advantage over in-house operations, which is consistent with the traditional explanation for security outsourcing. However, a higher quality is neither a prerequisite nor a guarantee for a firm to outsource security. The competitive risk environment and the nature of the security function outsourced, in addition to quality, determine firms' outsourcing decisions. If the reward from the competitor's breach is higher than the loss from own breach, then even if the likelihood of a breach is higher under the MSSP the expected benefit from the competitive demand externality may offset the loss from the higher likelihood of breaches, resulting in one or both firms outsourcing security. The incentive to outsource security monitoring is higher than that of infrastructure management because the MSSP can reduce the likelihood of breach on both firms and thus enhance the demand externality effect. The incentive to outsource security monitoring (infrastructure management) is higher (lower) if either the likelihood of breach on both firms is lower (higher) when security is outsourced or the benefit (relative to loss) from the externality is higher (lower). The benefit from the demand externality arising out of a security breach is higher when more of the customers that leave the breached firm switch to the non-breached firm.
Asunur Cezar, Huseyin Cavusoglu, Srinivasan Raghunathan
Metadata
Title
Economics of Information Security and Privacy
Edited by
Tyler Moore
David Pym
Christos Ioannidis
Copyright year
2010
Publisher
Springer US
Electronic ISBN
978-1-4419-6967-5
Print ISBN
978-1-4419-6966-8
DOI
https://doi.org/10.1007/978-1-4419-6967-5
