Published by Matthew Sherburne
Modified over 2 years ago
Interop Moscow © Stephen Cobb, of 14
Dataflation: The next big problem? Implications & examples, "infoseconomics"
Stephen Cobb, CISSP
Author: Privacy for Business
Adjunct Professor of Information Assurance, Norwich University
Co-founder/developer, Turntide (Symantec) anti-spam router
Former Chief Security Executive, STSN/iBahn
Co-founder, InfoSec Labs & ePrivacy Group
Security Conference, 23 June, 2006
What am I talking about?
- Application of economic thinking to problems in information system security
- This is not new; for example, WEIS, the annual Workshop on Economics and Information Security, has been held since 2002. See
- But information system security could benefit from more widespread application of economics
- We will consider examples in 3 areas
Information system security may be seen as
- Products: I am sure you have seen many impressive security products here at Interop Moscow
- Practices: At this conference we have had numerous presentations and discussions about security practices
- Principles: The basis for crafting the right practices and choosing the right products. A good example? Winn Schwartau's Time Based Security (presented earlier today)
Examples in these 3 areas
- Products: An effective anti-spam technology
- Practices: A growing problem with "shared secrets"
- Principles: Changes in thinking required to prevent information security breaches from undermining commerce, society, and government
Good principles must keep pace with reality
- The old fortress mentality does not fit the distributed computing model and shared information custody
- Principles must address evolving threat motives: my data, my bank's data
- Threats to systems evolve over time: avarice, malice, curiosity, ?
Principles must reflect human factors
- Experience tells us: security technology is an arms race without end; most security problems are really people problems
- Sciences that study human behavior can help, e.g. "Economics is the science which studies human behavior as the relationship between ends and scarce means which have alternative uses." – Robbins, 1932
- Applied to security = infoseconomics?
- Let us consider an example of infoseconomics applied to security product design: Symantec's Turntide "Spam Squelcher"
Applying economics to security product design
- In the late 1990s, e-mail emerged as the primary vector for virus infection and worm propagation
- About 2001, spam emerged as a serious threat to information systems, impacting availability, then integrity and confidentiality via zombies, bots, etc.
- Main line of defense? Products that apply anti-virus technology, i.e. scan all e-mail to filter out the spam
- Problem: resource intensive, excessive number of false positives, generally not very successful
- Solution: apply economics
Economics of spam and viruses very different
- Spammers seek money, not bragging rights
- Spam relies on a response rate of 1 in 1 million*
- If a spammer can't stuff X e-mails into your network within Y seconds he is wasting money, so? He looks for a different network to attack
- What happens if you slow down network response time on connections containing spam? You get a massive reduction in spam with zero false positives and big gains in usable bandwidth
- Productized as TurnTide, acquired by Symantec
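The "squelch" argument on this slide, modelled as an added example (not TurnTide's or Symantec's code; the delay curve, the one-hour window, the 100,000-message threshold and the $50 value per response are assumptions):

```python
# Added example, not TurnTide's or Symantec's code: a toy model of the
# "squelch" idea on this slide. Instead of dropping mail, the throttler
# slows a connection in proportion to the spam it has observed, so a
# spammer who must push X messages in Y seconds gives up, while a clean
# sender is barely delayed. Delay curve, sizes and prices are assumptions.
from dataclasses import dataclass

RESPONSE_RATE = 1e-6  # the slide's figure: one buyer per million spam messages

@dataclass
class PeerStats:
    """Running tally of what the content filter said about one peer's mail."""
    seen: int = 0
    spam: int = 0

    def observe(self, is_spam: bool) -> None:
        self.seen += 1
        self.spam += int(is_spam)

    @property
    def spam_fraction(self) -> float:
        return self.spam / self.seen if self.seen else 0.0

def message_delay_ms(spam_fraction: float, base_ms: int = 10, ceiling_ms: int = 2000) -> int:
    """Milliseconds the throttler holds each message from this peer. The cubic
    curve means a little misclassified mail costs a clean sender almost
    nothing, while a connection that is all spam crawls. Nothing is rejected,
    which is why the slide can claim zero false positives."""
    if not 0.0 <= spam_fraction <= 1.0:
        raise ValueError("spam_fraction must be between 0 and 1")
    return int(base_ms + (ceiling_ms - base_ms) * spam_fraction ** 3)

def messages_delivered(spam_fraction: float, window_ms: int) -> int:
    """Messages one connection can push through the throttle in the window."""
    return window_ms // message_delay_ms(spam_fraction)

def spammer_walks_away(spam_fraction: float, needed: int, window_ms: int) -> bool:
    """The slide's argument: if X messages cannot land in Y seconds the run
    does not pay, so the spammer moves on to a network without a throttle."""
    return messages_delivered(spam_fraction, window_ms) < needed

def expected_revenue(messages: int, value_per_response: float) -> float:
    """Expected income from a batch at the slide's one-in-a-million response rate."""
    return messages * RESPONSE_RATE * value_per_response

if __name__ == "__main__":  # compare a clean relay, a mostly clean one and a bot sending only spam
    for frac in (0.0, 0.05, 1.0):
        n = messages_delivered(frac, 3_600_000)
        print(f"spam fraction {frac:.2f}: {message_delay_ms(frac)} ms/msg, {n} msgs/hour, ${expected_revenue(n, 50.0):.2f} expected")
```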
Let's apply economics to security practices
- Massive security breaches are exposing large amounts of personally identifiable information (PII): 66 million records in the US in the first half of 2005, and 26 million in one incident in May 2006
- This undermines the real value of the data; inflating the value of data = dataflation
- Consider the impact this has on the bedrock of current e-commerce practices: "shared secrets"
- How many people now know your mother's maiden name, PIN, city of birth, favorite color, pet's name?
"Shared Secrets"
- In March 2005, data held by LexisNexis relating to more than 300,000 people was compromised by hackers.
- Here's an example of the type of information LexisNexis collects and stores:
Marketplace for PII creates 3 levels of crime
- A: Fraudulent use of PII for gain (identity theft, etc.)
- B: Theft of PII that can be sold to A
- C: Compromise of systems for use by A + B
Implications for security practices?
- Use of shared secrets derived from PII for authentication is looking increasingly risky
- Serious improvements in securing PII are needed
- When shared secrets are used, consider sharing only part of the secret to prevent internal compromises, e.g. "Provide the 2nd and 4th characters of your xxxxxx"
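The partial-secret check suggested on this slide, as an added example (not the speaker's or any vendor's code; the server key, the user name and the sample answer are constructed for the demo):

```python
# Added example, not the speaker's or any vendor's code: one way to run the
# "give me the 2nd and 4th characters" check from this slide. The server
# keeps one HMAC tag per character position under a key held outside the
# user database, chooses the positions itself, and compares only those.
# Key, user name and the sample answer are constructed for the demo.
import hashlib
import hmac
import secrets

def _tag(key: bytes, user: str, pos: int, ch: str) -> str:
    """Tag for one (position, character) pair; user and position are bound in
    so tags cannot be swapped between users or positions."""
    return hmac.new(key, f"{user}:{pos}:{ch}".encode(), hashlib.sha256).hexdigest()

def enroll(key: bytes, user: str, answer: str) -> dict:
    """Store per-position tags instead of the whole shared secret. Someone who
    copies this record but not the key learns nothing about the answer; with
    the key as well, each position is only a few dozen guesses away, so
    keeping the key out of the database is the whole point."""
    answer = answer.strip().lower()
    return {"user": user, "length": len(answer),
            "tags": {pos: _tag(key, user, pos, ch) for pos, ch in enumerate(answer, 1)}}

def make_challenge(record: dict, count: int = 2) -> list[int]:
    """The server picks which positions to ask for; a client that could choose
    would simply ask for the same two every time."""
    return sorted(secrets.SystemRandom().sample(range(1, record["length"] + 1), count))

def verify(key: bytes, record: dict, challenge: list[int], supplied: dict[int, str]) -> bool:
    """Accept only if every challenged position, and nothing else, matches.
    Each tag is compared in constant time and all are checked before answering,
    so timing does not reveal which position was wrong."""
    if not challenge or set(supplied) != set(challenge):
        return False
    ok = True
    for pos in challenge:
        given = _tag(key, record["user"], pos, supplied[pos].strip().lower())
        ok &= hmac.compare_digest(record["tags"][pos], given)
    return ok

if __name__ == "__main__":
    server_key = b"demo key: in production keep it in a KMS/HSM, not the database"
    rec = enroll(server_key, "alice", "Smithers")   # constructed sample answer
    print("asked for positions", make_challenge(rec))
    print("correct reply accepted:", verify(server_key, rec, [2, 4], {2: "m", 4: "t"}))
```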
How does security affect data value?
- As with any other commodity, the value of data lies at the intersection of supply and demand curves
- Information system security constrains the elasticity of data supply, maintaining data value and reducing the risk of dataflation
[Two supply and demand charts: Price vs. Quantity axes, Supply and Demand curves]
Applying economics to security principles
- "Information is the lifeblood of the company"; it is also the lifeblood of society and government
- Dataflation, the wholesale exposure of information, undermines not only commerce but the functioning of government and society
- Effective government relies on good information, e.g. census, taxes, planning, provisioning of services
- Lack of security translates to lack of trust: more members of society will withhold data if they don't trust those that hold the data
I thank you very much. Questions? Da? Nyet? Slides? cobbassociates dot com