1. Interop Moscow© Stephen Cobb, 20061 of 14 Dataflation: The next big problem? Implications & examples “infoseconomics” Stephen Cobb, CISSP Author: Privacy for Business Adjunct Professor of Information Assurance, Norwich University Co-founder/developer Turntide (Symantec) anti-spam router Former Chief Security Executive STSN/iBahn Co-founder InfoSec Labs & ePrivacy Group Security Conference 23 June, 2006

2. Interop Moscow© Stephen Cobb, 20062 of 14 What am I talking about? Application of economic thinking to problems in information system security This is not new, for example:  WEIS, the annual Workshop on Economics and Information Security, has been held since 2002  See www.cobbassociates.com/help But information system security could benefit from more widespread application of economics We will consider examples in 3 areas

3. Interop Moscow© Stephen Cobb, 20063 of 14 Information system security may be seen as Products  I am sure you have seen many impressive security products here at Interop Moscow Practices  At this conference we have had numerous presentations and discussions about security practices Principles  The basis for crafting the right practices and choosing the right products. A good example? Winn Schwartau’s Time Based Security (presented earlier today)

4. Interop Moscow© Stephen Cobb, 20064 of 14 Examples in these 3 areas Products  An effective anti-spam technology Practices  A growing problem with “shared secrets” Principles  Changes in thinking required to prevent information security breaches from undermining commerce, society, and government

5. Interop Moscow© Stephen Cobb, 20065 of 14 Good principles must keep pace with reality Old fortress mentality does not fit the distributed computing model and shared information custody Principles must address evolving threat motives My data My bank’s data Threats to systems evolve over time Avarice Malice Curiosity ?

6. Interop Moscow© Stephen Cobb, 20066 of 14 Principles must reflect human factors Experience tells us:  Security technology is an arms race without end  Most security problems are really people problems Sciences that study human behavior can help  E.g. “Economics is the science which studies human behavior as the relationship between ends and scarce means which have alternative uses.” – Robbins, 1932 Applied to security = infoseconomics? Let us consider an example of infoseconomics applied to security product design:  Symantec’s Turntide “Spam Squelcher”

7. Interop Moscow© Stephen Cobb, 20067 of 14 Applying economics to security product design In the late 1990s, email emerged as primary vector for virus infection and worm propagation About 2001, spam emerged as a serious threat to information systems, impacting availability, then integrity and confidentiality via zombies, bots, etc. Main line of defense? Products that apply anti-virus technology, i.e. scan all email to filter out the spam Problem: resource intensive, excessive number of false-positives, generally not very successful Solution: apply economics

8. Interop Moscow© Stephen Cobb, 20068 of 14 Economics of spam and viruses very different Spammers seek money, not bragging rights Spam relies on a response rate of 1 in 1 million* If a spammer can’t stuff X emails into your network within Y seconds he is wasting money, so? He looks for a different network to attack What happens if you slow down network response time on connections containing spam? You get a massive reduction in spam with zero false positives and big gains in usable bandwidth  Productized as TurnTide, acquired by Symantec

9. Interop Moscow© Stephen Cobb, 20069 of 14 Let’s apply economics to security practices Massive security breaches are exposing large amounts of personally identifiable information (PII) 66 million records in the US in the first half of 2005 and 26 million in one incident in May, 2006 This undermines the real value of the data Inflating the value of data = dataflation Consider the impact this has on the bedrock of current e-commerce practices: “shared secrets” How many people now know your mother’s maiden name, PIN, city of birth, favorite color, pet’s name?

10. Interop Moscow© Stephen Cobb, 200610 of 14 “Shared Secrets” In March 2005, data held by LexisNexis relating to more than 300,000 people was compromised by hackers. Here’s an example of the type of information LexisNexis collects and stores:

11. Interop Moscow© Stephen Cobb, 200611 of 14 Marketplace for PII creates 3 levels of crime A: Fraudulent use PII for gain (identity theft, etc) B: Theft of PII that can be sold to A C: Compromise of systems for use by A+B Implications for security practices?  Use of shared secrets derived from PII for authentication is looking increasingly risky  Serious improvements in securing PII are needed  When shared secrets are used, consider sharing only part of the secret to prevent internal compromises E.g. “Provide the 2 nd and 4 th characters of your xxxxxx”

12. Interop Moscow© Stephen Cobb, 200612 of 14 How does security affect data value? As with any other commodity, the value of data lies at the intersection of supply and demand curves Information system security constrains the elasticity of data supply, maintaining data value and reducing the risk of dataflation Price Quantity Supply Demand Price Quantity Supply Demand

13. Interop Moscow© Stephen Cobb, 200613 of 14 Applying economics to security principles “Information is the lifeblood of the company” It is also the lifeblood of society and government Dataflation, the wholesale exposure of information, undermines not only commerce but the functioning of government and society Effective government relies on good information  E.g. census, taxes, planning, provisioning of services Lack of security translates to lack of trust  More members of society will withhold data if they don’t trust those that hold the data

14. Interop Moscow© Stephen Cobb, 200614 of 14 Я благодарю вас very much Questions?  Da? Nyet? Slides?  www.cobbassociates.com/help Email  sc @ cobbassociates dot com