Security Economics and European Policy Ross Anderson Rainer Böhme Richard Clayton Tyler Moore Computer Laboratory, University of Cambridge.

Security Economics and European Policy: Outline
- Information Asymmetries
- Externalities
- Liability Assignment
- Lack of Diversity
- Fragmentation of Legislation and Law Enforcement
- Security Research and Legislation

Introduction: Quick History Overview
- 1940s - 80s: Cold War; national concerns; intelligence agencies
- 1990s: growing Internet popularity; paradigm shift toward companies

Introduction: Quick History (cont)
- Rise of a new organized crime: crimeware; hacking for profit instead of sport
- Today: fraud rings; hacking rings

Information Asymmetries: The Problem
- Companies often under- or over-estimate statistics
- Security breaches are often stifled
- Lack of standardized data gathering
- Weakly defined policies: digital pollution; international incongruency

Information Asymmetries: Recommendations
- A comprehensive security-breach notification law
- Regulate the publication of robust loss statistics for electronic crime
- Collection and publication of data about malicious traffic

Externalities: The Problem
- Who should pay?
  - Software vendors: released software with security flaws; users may compromise software security
  - Owners: large companies with the capability to handle and repair infected devices; small companies or individuals for whom such setbacks are costly

Externalities: ISPs
- In the most capable position to improve security: more likely to notice threats/attacks first; strong position of control
- Total traffic control: ability to filter/deny services; quarantine infected machines
- Least likely to change

Externalities: Recommendations
- ISPs will not change without incentive
- Introduce monetary penalties for slow response to malicious activity
- Promote consistent reporting mechanisms to notify ISPs
- Balance penalties to avoid knee-jerk reactions
- Regulate ISPs to allow for a reconnection protocol at the expense of liability

Liability Assignment: Software and System Liability
- Who's responsible for updates? Often, consumers are left to fend for themselves; most computers are bought with outdated software
- Recommended enforcement of a standard default

Liability Assignment: Patching
- Necessary but time-consuming and expensive: publication of a patch may reveal the vulnerability; applying updates depends on the user
- Create incentives to improve releases: standardize disclosures; vendor liability for unpatched software

Liability Assignment: Patching (cont)
- Improve user uptake of patches
  - Make patching more reliable
  - Make patching easier/automated
  - Separate feature updates from security fixes
  - Avoid undesirable restrictions (DRM)
  - Avoid disruptions to customization
  - Avoid burdensome processes
  - Keep patches free

Liability Assignment: Consumer Policy
- Customers: generally targeted as a liability dump; often left with little option or choice in resolution
- Recommended procedures for the proper resolution of disputes between customers and service providers

Liability Assignment: Consumer Policy (cont)
- Suppliers: less likely to protect consumers in a monopolistic environment; often rely upon shrink-wrap contracts with take-it-or-leave-it terms (EULAs)
- Abuses: spyware installations; spam, spam, spam
- Recommended sanctioning for abuses

Liability Assignment: Consumer Policy (cont)
- Online transactions: fragmented law; current legislation does not entirely compensate; varying interpretations from country to country; aspects currently favor suppliers
- Recommended revisiting of consumer protection laws

Lack of Diversity: Promoting Logical Diversity
- Consumers and firms are slow to accept changes: software diversity; positive network externalities
- Market domination encourages vulnerability (Cisco; Zetter 2005)
- Recommended advisement when diversity has security implications

Lack of Diversity: Promoting Physical Diversity in CNI
- Critical National Infrastructure (CNI)
- Internet Exchange Points (IXPs): very few IXPs for numerous ISPs; failure of one IXP affects thousands
- Recommended research into IXP failures and work to regulate peering resilience
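The IXP slide makes a concentration-risk argument: when many ISPs meet at only a few exchange points, one outage removes a large share of peering at once. The following is an added example, not part of the original presentation or the authors' report, that shows the kind of single-point-of-failure analysis the slide's "research into IXP failures" would start with. The ISP-to-IXP topology is constructed for illustration (the names ISP-A, IXP-1 and so on are invented, not real operators) and the analysis counts ISP pairs that can only reach each other through a given exchange.

```python
from itertools import combinations

# Constructed topology for illustration: which IXPs each ISP peers at.
# Not real data; an assessor would substitute measured membership lists.
ISP_AT_IXP = {
    "ISP-A": {"IXP-1", "IXP-2"},
    "ISP-B": {"IXP-1"},            # single-homed at IXP-1
    "ISP-C": {"IXP-1", "IXP-3"},
    "ISP-D": {"IXP-1"},            # single-homed at IXP-1
    "ISP-E": {"IXP-2", "IXP-3"},
    "ISP-F": {"IXP-1", "IXP-2"},
}


def peerings(topology, failed=frozenset()):
    """ISP pairs that still share at least one surviving IXP."""
    return {
        (a, b)
        for a, b in combinations(sorted(topology), 2)
        if (topology[a] & topology[b]) - failed
    }


def peerings_lost(topology, ixp):
    """ISP pairs whose only shared exchange point is `ixp`."""
    return peerings(topology) - peerings(topology, frozenset({ixp}))


def single_homed_isps(topology, ixp):
    """ISPs that lose all IXP peering if `ixp` fails."""
    return sorted(isp for isp, at in topology.items() if at == {ixp})


def resilience_report(topology):
    """Map each IXP to the number of peerings that depend on it alone."""
    ixps = set().union(*topology.values())
    return {ixp: len(peerings_lost(topology, ixp)) for ixp in sorted(ixps)}


def most_critical_ixp(topology):
    """The IXP whose failure severs the most peerings (ties broken by name)."""
    report = resilience_report(topology)
    return max(sorted(report), key=report.__getitem__)


if __name__ == "__main__":
    total = len(peerings(ISP_AT_IXP))
    for ixp, lost in resilience_report(ISP_AT_IXP).items():
        homed = single_homed_isps(ISP_AT_IXP, ixp)
        print(f"{ixp}: {lost}/{total} peerings lost; single-homed: {homed}")
    print("most critical:", most_critical_ixp(ISP_AT_IXP))
```

In the constructed topology, losing IXP-1 severs 9 of the 13 existing peerings and strands ISP-B and ISP-D entirely, while losing IXP-3 severs only one. The same counting, run on real membership data, is what turns "failure of one IXP affects thousands" from a slogan into a number a regulator can set a resilience target against.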

Fragmentation of Legislation and Law Enforcement: Cybercrime
- Cybercrime crosses borders
- Convention on Cybercrime (2001): 27 EU states signed, only 12 ratified presently
- Recommended pressure upon the 15 remaining member states to ratify

Fragmentation of Legislation and Law Enforcement: Law Enforcement Cooperation
- Joint operations are available but limited: generally set up for physical crimes; operations are usually quid pro quo; Mutual Legal Assistance Treaty (MLAT)
- Recommended establishment of an EU-wide body to facilitate international cooperation

Security Research and Legislation: The Problem
- Certain laws currently prohibit some research methods: cryptography; engineering tools
- Others question usage. UK: "[An offense to] supply or offer to supply, believing that it is likely to be used to commit [an offense]."

Security Research and Legislation: Recommendations
- Champion the interests of information security
- Amend restrictions on research
- Defend against inadvertent stifling
- Encourage security research and development