Understanding the Economics of Cyber Security - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Understanding the Economics of Cyber Security
  • Shari Lawrence Pfleeger
  • pfleeger_at_rand.org

2
Overview
  • What's the problem?
  • Some of the key issues
  • The (very) short history of cyber security
    economics
  • Example: The economics of trust
  • So what does this mean for your students?

3
What's the Problem?
What are the threats?
Is the threat from insiders or outsiders?
Are the actors malicious or just careless?
Are there controls or ways to mitigate the
threats?
How do we compare these risks with other business
risks?
4
What Are the Threats?
5
(No Transcript)
6
(No Transcript)
7
(No Transcript)
8
Insiders or Outsiders?
9
Malicious or Careless?
10
How Do We Tell Them Apart?
11
(No Transcript)
12
(No Transcript)
13
(No Transcript)
14
Controls or Mitigation Strategies?
15
But Some Controls Are Just Not Practical
16
Individual Controls
17
Security Processes
18
National Awareness
19
Local Awareness
20
How to Compare with Other Business Risks and
Needs?
  • Fixed resources, many ways to use them.
    • Example: Buy an intrusion detection system or
      upgrade all operating systems or just put money
      in the bank?
  • Embedded in organizational, corporate, agency
    policies and constrained by laws.
    • Example: Who is responsible for making it right
      when a credit card charge is not yours?
  • Not just driven by technological capabilities.
    • Example: Security as an investment or as a market
      differentiator.
  • Comparison may be more than just dollars and
    sense.
    • Example: Public health and safety issues mean
      that cyber security is more than just a corporate
      investment.

21
Key Issues in Cyber Security Economics
  • Data quality
  • Appropriate models to support decision-making
  • Understanding the context: technology, business,
    business sector, nation, world
  • Comparing security risks to other business risks
  • Incentives for implementing security
  • Security metrics: What do we mean by "more
    secure" and "less secure"?

22
The (Very) Short History of Cyber Security
Economics
  • First workshop in 1999.
  • Mostly stove-piped investigations; little
    cross-disciplinary interactions.
  • Little understanding of major business and policy
    issues.
  • "Build it and they will come" doesn't work.

23
Economics of Cyber Security Project
  • RAND is heading a large project funded by DHS
    through the I3P.
  • Project is taking an interdisciplinary look at
    the economics of information infrastructure
    protection.
  • Involves:
    • Economics
    • Technology
    • Sociology (organizations, cultures, behaviors)
    • Decision science
    • Engineering
    • Management
    • And more

24
Why Is This Problem So Hard?
  • It's difficult to gather good data
    • Reluctance of groups to supply data
    • Poor (if any) definitions of data categories
    • Need for representative data
  • Interrelationships not clear
  • Short- and long-term effects differ
    • Example: Stock prices
  • Poor visibility into decision-making processes

25
What's the Status?
  • Five Workshops on the Economics of Information
    Security
    • University of California - Berkeley, 2002
    • University of Maryland, 2003
    • University of Minnesota, 2004
    • Harvard University, 2005
    • Cambridge University, UK, June 2006
  • Workshop on the Economics of Securing the
    Information Infrastructure, DC, October 23-24,
    2006
  • Special issues: January/February 2005,
    May/June 2007
  • Past focus usually on individual applications or
    on enterprises, not on national issues

26
Relevant Books: The Short (Complete) List
27
Nascent Efforts
  • OECD: Measuring the Information Economy
    • Contact: Andrew Wyckoff (Andrew.Wyckoff_at_oecd.org)
  • US Department of Commerce Economic Security
    Working Group
    • Contact: Daniel Hurley (Dhurley_at_ntia.doc.gov)
  • I3P Project: May 2005 to June 2007
    • Contact: Doug Maughan (Douglas.Maughan_at_dhs.gov)
  • Business Rationale project proposed for April
    2007 to March 2009
    • Contact: Barry Horowitz (Barrymhorowitz_at_virginia.edu)

28
Example: The Economics of Trust
29
The Two Sides of Trust
  • People and organizations have two
    characteristics:
    • Being trustworthy: engendering the trust of
      someone or something else
    • Being trustful: willing to trust another person
      or organization

30
Trust is a Positional Good
  • A positional good is a characteristic such that
    one person or organization can be placed above
    others in a ranking of values.
  • The trust earned by a given action or set of
    actions is context dependent: its value can
    depend on how that action compares with the
    actions of others in a similar circumstance.

31
Trust Enhances Economic Benefit
  • People are willing to pay more for goods and
    services they trust.
  • Payoffs depend not only on players' actions but
    also on their intentions. (Rabin 1993)
  • The intention is determined both from what
    players do and from what they can do but do not.

32
Actions Reflect Norms and Trust
  • Civil society's norms are conveyed through
    interpersonal interactions.
  • Norms can act to deter a player from taking an
    unpopular, unethical or even illegal action.
  • Jargon is related to normative group
    expectations.
  • Shared meanings, specialized terminology, and the
    consonance of assumptions underlying group
    discussions can lead to familiarity and trust
    among team members. (Gui 2005)

33
Characteristics That Affect Trust
  • Effect can be whether and how we trust a person,
    good or service.
  • Baker (1987) and Jones (1996) suggest that trust
    is a personality trait.
  • Baier (1986) and Gambetta (1988) claim that there
    is an element of probability involved.
  • Interpersonal relationships create and enhance
    trust.
  • A trusting move induces trustworthiness through
    an endogenous modification of someone's
    preference structure. A single act of genuine
    trust may provide additional reasons to behave
    trustworthily. (Pelligra 2005)

34
Esteem Can Be Tied to Trust
  • A corporate Chief Security Officer interviewed by
    RAND researchers noted that he is motivated by
    wanting his customers to take him seriously when
    he asks them to trust his company's products.
  • His esteem is bound to their perception of his
    products' (and company's) trustworthiness.

35
The Role of Self-Interest
  • Traits displayed by the party to be trusted are
    determined by self-interest: the desire to be
    admired by others. As trust becomes more valued,
    it grows. (Pettit 1995)
  • Following the norm of trust has an effect on
    both the beliefs and the norms of others. It
    creates a virtuous circle: if we act as if we
    expect the best from the others, they will often
    behave better as a result. (Baron 1998)
  • The need to be thought well of by others is called
    therapeutic trust.
  • One of the reasons for A's willingness to risk
    the loss of his money is a belief that this may
    induce B to act more honourably than he
    originally intended. (Horsburgh 1960)

36
Trust and Interpersonal Relationships
  • Good relationships inside an organization
    • Can reduce both the time and the cost of a
      transaction.
    • Example: Less stringent technical solutions are
      needed when the organization's members know and
      trust each other.
  • Good relationships outside the organization
    • Can encourage strong economic performance by
      providing material and emotional support for
      starting entrepreneurial initiatives. (Allen
      2000)
  • Trust can lead to faster economic growth (Zak and
    Knack 2001).
  • Interpersonal relationships can become channels
    for sharing and transmitting economically
    valuable information (Topa 2001).

37
History is Necessary for Gaining Trust
  • A history of competence, reliability, and even
    credentials (i.e. legitimating accoutrement) is
    necessary for gaining trust in organizations.
    (McAllister 1995)
  • Recognition of these qualities typically precedes
    strong interpersonal relationships.
  • In addition to trusting in people's abilities,
    trust in other workers' intentions led to better
    organizational performance by improving knowledge
    exchange, involvement, and communication of tacit
    operating procedures. (Jones and George 1998)

38
Legitimacy is a Form of Trust
  • Legitimacy can determine how firms interact with
    one another.
  • One of the largest challenges associated with
    being a new firm in a new industry is a lack of
    legitimacy. (Aldrich and Fiol 1994)
  • Legitimacy can affect the terms of exchange in
    bargaining situations.
  • Regulators and the media are much more likely to
    confer legitimacy on firms that fit the common
    image of organizations in their field, so firms
    tend to behave alike. (Deephouse 1996)
  • In cyber security, legitimacy is signaled by
    association with membership groups such as the
    IEEE, or through credentialing systems such as
    the CISSP, and by conforming to various maturity
    models.

39
So What Does This Mean For Your Students?
40
Teach Security as Part of Software Engineering
41
Take Advantage of Educational Tools
  • Example: CyberCiege from the Naval Postgraduate
    School
  • http://cisr.nps.edu/cyberciege/index.htm

42
Use Books That Address the Problem
Plus new Prentice Hall Series on the Economics of
Cyber Security
43
Use Readings from Relevant Journals
  • IEEE Security and Privacy special issue on
    Managing Operational Security, May/June 2007
  • IEEE Security and Privacy special issue on the
    Economics of Information Security, Jan/Feb 2005
  • Computers and Security, Communications of the
    ACM, IEEE Software, IEEE Spectrum, etc.
  • Journals from business, policy, social science

44
Give Your Students the Big Picture
45
References (1 of 2)
  • Allen, W. David, 2000. "Social Networks and
    Self-Employment," Journal of Socio-Economics, 29,
    pp. 487-501.
  • Aldrich, Howard E. and C. Marlene Fiol, 1994.
    "Fools Rush in? The Institutional Context of
    Industry Creation," The Academy of Management
    Review, 19(4), pp. 645-670.
  • Baier, Annette, 1986. "Trust and Antitrust,"
    Ethics, 96, pp. 231-260.
  • Baker, James, 1987. "Trust and Rationality,"
    Pacific Philosophical Quarterly, 68, pp. 1-13.
  • Baron, Jonathan, 1998. "Trust: Beliefs and
    Morality," in Avner Ben-Ner and Louis Putterman
    (eds.), 1998. Economics, Values and Organisation,
    Cambridge University Press, Cambridge, UK.
  • Deephouse, David L., 1996. "Does Isomorphism
    Legitimate?" Academy of Management Journal,
    39(4).
  • Gambetta, Diego (ed.), 1988. Trust: Making or
    Breaking Cooperative Relations, Basil Blackwell,
    Oxford, UK.
  • Gui, Benedetto, 2005. "From Transactions to
    Encounters: The Joint Generation of Relational
    Goods and Conventional Values," in Gui and Sugden
    (2005), pp. 23-51.
  • Gui, Benedetto and Robert Sugden (eds.), 2005.
    Economics and Social Interaction: Accounting for
    Interpersonal Relations, Cambridge University
    Press, Cambridge, UK.
  • Gui, Benedetto and Robert Sugden, 2005. "Why
    Interpersonal Relations Matter for Economics," in
    Gui and Sugden (2005), pp. 1-22.
  • Horsburgh, H. J. N., 1960. "The Ethics of Trust,"
    Philosophical Quarterly, 10, pp. 343-354.

46
References (2 of 2)
  • Jones, Karen, 1996. "Trust as an Affective
    Attitude," Ethics, 107, pp. 4-25.
  • Jones, G.R. and J.M. George, 1998. "The
    Experience and Evolution of Trust: Implications
    for Cooperation and Teamwork," The Academy of
    Management Review, 23(3), pp. 531.
  • McAllister, Daniel J., 1995. "Affect- and
    Cognition-Based Trust as Foundations for
    Interpersonal Cooperation in Organizations,"
    Academy of Management Journal, 38(1), Briarcliff
    Manor, pg. 24, 36 pgs.
  • Pelligra, Vittorio, 2005. "Under Trusting Eyes:
    The Responsive Nature of Trust," in Gui and
    Sugden 2005, pp. 105-124.
  • Pettit, Philip, 1995. "The Cunning of Trust,"
    Philosophy and Public Affairs, 24(3), pp.
    202-225.
  • Rabin, Matthew, 1993. "Incorporating Fairness
    Into Game Theory and Economics," American
    Economic Review, 83(5), pp. 1281-1302.
  • Topa, Giorgio, 2001. "Social Interactions, Local
    Spillovers and Unemployment," Review of Economic
    Studies, 68(2), pp. 261-295.
  • Zak, Paul J. and Stephen Knack, 2001. "Trust and
    Growth," Economic Journal, 111, pp. 295-321.