1
Economics of Security - Network of Excellence
Christer Magnusson, cmagnus@dsv.su.se, SN/NSD SecLab
2009-11-05
2
2009-11-05 SecLab
1 Agenda
- What is a "Network of Excellence"?
- An introduction to "Economics of Security"
- The ENISA Report
- SEConomics
- Q&A
- Workshop
3
2 Network of Excellence
The objective is to establish a Network of Excellence (NoE) in "Economics of Security" addressing the cost effectiveness and market compliance of security solutions. The NoE should overcome fragmentation, remove barriers to integration, emphasize excellence, and raise research strength. It should consolidate existing research in security. The NoE is an "Objective" within FP7's ICT-2009.1.4: Trustworthy ICT, area "iii" in section "d", Networking, Coordination and Support, aimed at NoEs.
4
2 Network of Excellence (cont.)
The NoE supports a Joint Programme of Activities (JPA) implemented by a number of research institutes and universities integrating their security teams' research activities in the framework of longer-term cooperation. Industry participates in the form of committees or as partners (SMEs).
5
2 Network of Excellence (cont.)
The Network of Excellence (NoE) consists of 12 universities, research institutions and SMEs in nine countries: Austria, England, Finland, Germany, Greece, The Netherlands, Norway, Spain, and Sweden. The SEConomics advisory board consists of: The Confederation of Swedish Enterprise, Ericsson, NASDAQ OMX, Nordea, Philips, SOK, Swedbank, TeliaSonera, Bavarian Cluster for IT-Security, the Volvo Group, BBVA, and Roseta Security.
6
2 Network of Excellence (cont.)
The deadline for the call was 26th October 2009. The partners' total contribution to the NoE is estimated at €3,712,000. The cost that will be reclaimed from network funding is €2,961,811. SEConomics' strong Advisory Board is completely funded by the members of the board. Duration is 36 months.
7
3 Economics of Security
- Paradigm shift
- The Tragedy of the Commons
- Liability
- Externalities
- A Lemons Market
8
3.1 Paradigm shift
"Research in the field of cyber security is undergoing a major paradigm shift. More and more researchers are adopting economic approaches to study cyber security, shifting emphasis away from technological causes and solutions. […] …more attention to security does not equal better security decisions as long as economic incentives are ignored."
OECD (Organisation for Economic Co-operation and Development), 29 May 2008.
9
3.1 Paradigm shift (cont.)
"Information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons."
Ross Anderson, Why Information Security is Hard - An Economic Perspective, University of Cambridge Computer Laboratory, JJ Thomson Avenue, Cambridge CB3 0FD, UK.
10
3.1 Paradigm shift (cont.)
"…the management of information security is a much deeper and more political problem than is usually realized; solutions are likely to be subtle and partial, while many simplistic technical approaches are bound to fail. The time has come for engineers, economists, lawyers and policymakers to try to forge common approaches."
Ross Anderson, Why Information Security is Hard - An Economic Perspective, University of Cambridge Computer Laboratory, JJ Thomson Avenue, Cambridge CB3 0FD, UK.
11
3.2 The Tragedy of the Commons
"While individual computer users might be happy to spend $100 on anti-virus software to protect themselves against attack, they are unlikely to spend even $1 on software to prevent their machines being used to attack Amazon or Microsoft."
Ross Anderson, Why Information Security is Hard - An Economic Perspective, University of Cambridge Computer Laboratory, JJ Thomson Avenue, Cambridge CB3 0FD, UK.
This is an example of what economists refer to as the "Tragedy of the Commons".
12
3.3 Liability
A "…fundamental principle of the economic analysis of liability: it should be assigned to the party that can do the best job of managing risk."
"A typical security analysis involves identifying weak points in a system and indicating who might be in a position to fix them. But security analysts should go one step further and examine the incentives of those responsible for the system. Such an analysis could be used to assign liability so that those who are best positioned to control the risks have appropriate incentives to do so."
H. Varian, "Managing Online Security Risks", Economic Science Column, The New York Times, June 1, 2000, http://www.nytimes.com/library/financial/columns/060100econ-scene.html
13
3.4 Externalities
1. No externalities. This concerns instances in which a market player, be it an individual user or an organisation, correctly assesses security risks, bears all the costs of protecting against security threats (including those associated with these risks) and adopts appropriate countermeasures.
2. Externalities that are borne by agents in the value net that can manage them. For example, the incentives of financial service providers are such that in many cases they compensate customers for the damage they suffer from online fraud.
OECD (Organisation for Economic Co-operation and Development), 29 May 2008.
14
3.4 Externalities (cont.)
3. Externalities that are borne by agents who cannot manage them or by society at large. Unlike in scenario two, no other agents in the information and communication value net absorb the cost or, if they do, they are not in a position to influence these costs, i.e. influence the security tradeoffs of the agents generating the externality. The most poignant cases in this category are the externalities caused by lax security practices of end users, not limited to home users, but across the spectrum up to and including large organisations such as retailers or governmental institutions.
OECD (Organisation for Economic Co-operation and Development), 29 May 2008.
15
3.5 A Lemons Market
Generally stated, a lemons equilibrium tends to emerge when one feature, such as price, is readily apparent, but the seller has private knowledge of other features, such as quality, which are not readily apparent (asymmetric information). If sellers can produce low-quality goods that buyers cannot distinguish from high-quality goods, then it will not be possible for sellers of high-quality goods to compete with sellers of low-quality goods. As a consequence, lower-quality goods will tend to drive higher-quality goods from the market.
See Frank H. Easterbrook & Daniel R. Fischel, The Economic Structure of Corporate Law 280–83 (1991) (summarizing the lemons equilibrium and describing its application in the context of securities disclosures).
16
4 ENISA
Recommendations:
1. We recommend that the EU introduce a comprehensive security-breach notification law.
2. We recommend that the Commission (or the European Central Bank) regulate to ensure the publication of robust loss statistics for electronic crime.
3. We recommend that ENISA collect and publish data about the quantity of spam and other bad traffic emitted by European ISPs.
17
4 ENISA (cont.)
4. We recommend that the European Union introduce a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines, coupled with a right for users to have disconnected machines reconnected by assuming full liability.
5. We recommend that the EU develop and enforce standards for network-connected equipment to be secure by default.
18
4 ENISA (cont.)
6. We recommend that the EU adopt a combination of early responsible vulnerability disclosure and vendor liability for unpatched software to speed the patch-development cycle.
7. We recommend security patches be offered for free, and that patches be kept separate from feature updates.
8. The European Union should harmonise procedures for the resolution of disputes between customers and payment service providers over electronic transactions.
19
4 ENISA (cont.)
9. We recommend that the European Commission prepare a proposal for a Directive establishing a coherent regime of proportionate and effective sanctions against abusive online marketers.
10. ENISA should conduct research, coordinated with other affected stakeholders and the European Commission, to study what changes are needed to consumer-protection law as commerce moves online.
20
4 ENISA (cont.)
11. We recommend that ENISA should advise the competition authorities whenever diversity has security implications.
12. We recommend that ENISA sponsor research to better understand the effects of IXP failures. We also recommend they work with telecoms regulators to insist on best practice in IXP peering resilience.
21
4 ENISA (cont.)
13. We recommend that the European Commission put immediate pressure on the 15 Member States that have yet to ratify the Cybercrime Convention.
14. We recommend the establishment of an EU-wide body charged with facilitating international co-operation on cyber crime, using NATO as a model.
15. We recommend that ENISA champion the interests of the information security sector within the Commission to ensure that regulations introduced for other purposes do not inadvertently harm security researchers and firms.
22
5 SEConomics
SEConomics will create a sustainable European Virtual Institute for Economics of Security. The institute will establish a long-term European School of Economics of Security, to encourage best practice in the exploitation of economics of security. The courses and meetings will be open to security students, researchers and practitioners throughout Europe.
23
5 SEConomics (cont.)
To be able to increase security and trust in security products and services, we must understand trade and industry's business models as well as the societal context of these business models. This will provide us with an understanding of the cyber criminals' "business model". When we have understood the value chains and both the deliberate and accidental threats against them, we are able to create value through security products and services.
24
5 SEConomics (cont.)
The EU "…is stimulating discussion between researchers and technology developers on the one hand and policymakers on the other towards a better understanding of the consequences of technology development for society and, conversely, of the relevance of societal demands in the selection of research priorities."
"The Security and Trust Research Activity and Its links to Policy", ICT in FP7, European Commission Information Society and Media, Brussels.
25
5 SEConomics (cont.)
Due to SEConomics' strong Advisory Board, the NoE will collaborate directly with trade and industry to the benefit of Europe's industrial competitiveness and societal needs. Together we will address the cost effectiveness and market compliance of security solutions. We will open up a dialogue with policymakers with the intent of contributing to the decision process on ICT regulations.
26
6 Q&A
27
7 Workshop
"Externalities" – "Liability" – "Win-Win"?
ICT regulations à la ENISA, or market mechanisms?