Security Economics and Public Policy Ross Anderson Cambridge University
Economics and Security
• The link between economics and security atrophied after WW2
• Over the last six years, we have started to apply economic analysis to information security
• Economic analysis often explains security failure better than technical analysis!
• Information security mechanisms are used increasingly to support business models (DRM, accessory control) rather than to manage risk
• So economic analysis is vital in several ways for the public policy aspects of security
Traditional View of Infosec
• People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
• So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
• About 1999, we started to realize that this is not enough
Incentives and Infosec
• Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
• Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others
• Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
• Why is Microsoft software so insecure, despite market dominance?
New View of Infosec
• Systems are often insecure because the people who could fix them have no incentive to
• Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; everyone suffers when infected PCs spam you
• In IT markets, firms ship too little security when building market share, then add lots (of the wrong kind) to lock customers in
• What about the economics of crime?
Chip and PIN fraud
• In 1992–4, banks said ‘ATM fraud can’t happen’ – so their staff got lazy and it did
• Chip and PIN is now following the same pattern
• Widespread card cloning via skimmers at petrol stations, linked to Tamil Tigers
• Nice cosy deal between banks and police stops you reporting card fraud any more except to your bank (crime stats down, bank control up)
• So terrorist activity in UK is discovered by Thai police, not by UK police!
If banks control crime reporting…
• Will there be an end to stories like this?
Phishing
• Bank customer lured to bogus website
• Money transferred from / via her account
• Losses last year: £36m UK, > $100m USA
• One gang (‘Rockphish’) does over half!
• Technical measures aren’t going to fix this
• Banks trained customers to click on links
• IE toolbar was broken before it shipped
• 2-factor auth will be met by real-time MITM
Studying the Phishermen
• Stolen money gets shipped through 2 or 3 hacked accounts, then turned into eGold
• You might think it’s because eGold doesn’t respond to warrants – but they now do
• It’s actually about transaction revocability!
• The typical bank recovers 60–95% of phished funds (the one that does only 60% gets hit for most of the losses)
• What’s the right regulatory response?
The old way of working
• If someone did a wire fraud, or a cheque fraud, the money would be got back
• When I bought a car, I paid Lloyds £40 for a bank draft – to insure the dealer against the cheque bouncing later
• In business, you had acceptance of bills, factoring without recourse, LCs, …
• The risk of giving a customer an irrevocable instrument was recognised and priced
The problem – and solution
• There are more and more places to get ‘free’ bank drafts, and they’re attracting the villains
• eGold, Western Union, Finnish banks …
• Proposed regulatory change – any financial institution that sells an irrevocable instrument (including cash) for stolen funds should be liable
• Time limit – maybe 90 days
• This will be a better way to deal with nonbanks than trying to regulate them fully
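A toy model of the revocability argument from the two slides above (added here as an illustration; it is not code from the talk). Each phished transfer is a chain of hops; the funds can be clawed back only while every hop is still revocable, and the proposed rule shifts the loss onto whichever institution sold the irrevocable instrument within the time limit. The institution names, amounts and days are constructed sample data, and the 90-day window is the figure suggested on the slide.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    institution: str   # who received the funds on this hop
    day: int           # days after the theft when the hop happened
    revocable: bool    # can this institution still reverse the transfer?

@dataclass
class Case:
    amount: float
    detected_day: int  # day the victim or their bank spots the fraud
    hops: list         # ordered chain of Hop objects

def first_irrevocable(case):
    """The hop where funds became an irrevocable instrument, or None."""
    return next((h for h in case.hops if not h.revocable), None)

def allocate_loss(case, window=None):
    """Return {party: loss} for one phished transfer.

    window=None models today's regime: if the money was turned into an
    irrevocable instrument (eGold, cash, draft) before detection, the loss
    stays on the victim side; otherwise the chain is reversed and nothing
    is lost. window=N models the proposed rule: the seller of the
    irrevocable instrument bears the loss if it sold within N days.
    """
    exit_hop = first_irrevocable(case)
    if exit_hop is None or exit_hop.day > case.detected_day:
        return {}                                   # still revocable: recovered
    if window is not None and exit_hop.day <= window:
        return {exit_hop.institution: case.amount}  # liability shifts to seller
    return {"victim": case.amount}

def total_losses(cases, window=None):
    """Sum the losses each party bears over a batch of cases."""
    totals = {}
    for case in cases:
        for party, loss in allocate_loss(case, window).items():
            totals[party] = totals.get(party, 0.0) + loss
    return totals

# Constructed sample cases, not real fraud data
SAMPLE_CASES = [
    Case(1000, 2, [Hop("bank_a", 0, True), Hop("bank_b", 1, True), Hop("egold_seller", 1, False)]),
    Case(500, 1, [Hop("bank_a", 0, True), Hop("bank_c", 0, True), Hop("egold_seller", 3, False)]),
    Case(2000, 5, [Hop("bank_b", 0, True), Hop("wu_agent", 2, False)]),
    Case(300, 120, [Hop("bank_a", 0, True), Hop("egold_seller", 100, False)]),  # outside 90-day window
]
```

Under the current regime the whole £3300 of unrecovered loss lands on the victim side; with a 90-day window the sellers of the irrevocable instruments bear £3000 of it, which is the incentive the slide is after.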
The way forward
• Phishing, keyloggers, etc are here to stay
• As well as having a few big bent insiders, we’ll have many compromised accounts at any time
• We must move from payment system integrity to payment system resilience
• Make counterparty risks (payment, fraud, legal, data-security) transparent, so the market can price them
• This will benefit banks, customers and the police
Regulatory failures
• Right now, the UK is heading the wrong way:
• Banks’ T&Cs dump transaction risk
• HO agreement undermines reporting
• Plan to make cheque payments irrevocable after 7 days from November
• Pathetic enforcement, dismal forensics
• Dispersed responsibility – Home Office, FSA, Treasury, ACPO, APACS – with everyone pursuing narrow selfish agendas
• Risk: failure of trust in UK financial sector, opportunity cost of lack of trust in e-business
More …
• Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)
• Foundation for Information Policy Research – www.fipr.org