# Network Security Pricing and Economics David Naccache


Network Security Pricing and Economics. David Naccache (david.naccache@ens.fr)

## Security seen economically…

- Probability of threat materialization: p[i]
- Loss when threat materializes: L[i]
- Cost of countermeasures: C[j, parameters]
- Probability that countermeasures work: q[j, i, parameters]

## Example: probability of threat materialization, p[i]

- p[“virus attack/day”] = 1/1000
- p[“DoS attack/day”] = 1/300
- p[“SQL injection/day”] = 1/1000
- etc.

Hard to estimate precisely. Threats are not independent events.

## Example: loss when threat materializes, L[i]

- L[“virus attack/day”] = €2000
- L[“DoS attack/day”] = €1300
- L[“SQL injection/day”] = €10000
- etc.

Fairly easy to estimate.

## Example: cost of countermeasures, C[j, parameters]

- C[“Norton”, weekly update] = €200
- C[“Norton”, monthly update] = €100
- C[“Norton”, no firewall option] = €50
- C[“Checkpoint”, standard ver.] = €500
- C[“Spam Assassin”, (no options)] = €0
- etc.

Some choices are incompatible. Parameters can be discrete or continuous. Easy to estimate precisely.

## Example: probability that countermeasures work, q[j, i, parameters]

Countermeasure j bought with “parameters” will reduce risk p[i] to q[j, i, parameters]. Hard to estimate precisely.

## The Challenges

A complex Bayesian optimisation problem:

- Continuous and non-continuous variables.
- Find algorithmic approaches to tackle it.
- Propose a “clean” (simplified) model, assuming that probabilities are correctly assessed.
- Benchmark the model against reality.

Current enterprise approaches are empirical:

- Based on individual experience
- Based on (de facto) standards
- Based on legacy systems…
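The model of the preceding slides (p[i], L[i], C[j, parameters], q[j, i, parameters]) and the optimisation problem this slide poses, worked through as an added example that is not part of the original presentation. The p, L and C values are the ones on the slides; the residual-risk factors standing in for q, the yearly cost horizon, and the "not bought" option per product are constructed assumptions.

```python
from itertools import product

DAYS = 365  # assumption: C[j, parameters] is a yearly cost, p[i] is per day

# From the slides: p[i] (per day) and L[i] (euros) per threat i
THREATS = {
    "virus attack": (1 / 1000, 2000),
    "DoS attack": (1 / 300, 1300),
    "SQL injection": (1 / 1000, 10000),
}

# Per countermeasure j: parameter choice -> (C[j, parameters] from the slides,
# factor applied to p[i] per threat). The factors stand in for q[j, i, parameters]
# and are constructed assumptions; the slides give no such numbers. Exactly one
# choice per product is selected, which encodes "some choices are incompatible".
COUNTERMEASURES = {
    "Norton": {"not bought": (0, {}),
               "weekly update": (200, {"virus attack": 0.05}),
               "monthly update": (100, {"virus attack": 0.30})},
    "Checkpoint": {"not bought": (0, {}),
                   "standard ver.": (500, {"DoS attack": 0.20, "SQL injection": 0.50})},
    "Spam Assassin": {"not bought": (0, {}),
                      "(no options)": (0, {"virus attack": 0.80})},
}


def yearly_cost(choice):
    """Spend plus residual expected loss over DAYS for {product: parameter}.
    Residual risk = p[i] times all selected factors (independent effects assumed)."""
    spend = 0
    residual = {i: p for i, (p, _) in THREATS.items()}
    for name, param in choice.items():
        cost, factors = COUNTERMEASURES[name][param]
        spend += cost
        for threat, factor in factors.items():
            residual[threat] *= factor
    return spend + DAYS * sum(residual[i] * loss for i, (_, loss) in THREATS.items())


def best_configuration():
    """Exhaustive search over all compatible combinations; returns (choice, total).
    Feasible here because the option set is tiny; the slides note the general
    problem is a hard Bayesian optimisation."""
    names = list(COUNTERMEASURES)
    best = None
    for params in product(*(COUNTERMEASURES[n] for n in names)):
        choice = dict(zip(names, params))
        total = yearly_cost(choice)
        if best is None or total < best[1]:
            best = (choice, total)
    return best
```

With these inputs the search picks Norton with weekly updates, Checkpoint and Spam Assassin, cutting the yearly expected cost from about €5962 with no countermeasures to about €2871 including spend.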

## The Opportunity

Bring together:

- Security specialists
- Mathematicians
- Economists

A target-rich academic / industrial area.