Professional Documents
Culture Documents
Craig S Wright
PhD Candidate,
Charles Sturt University
Craig.Wright@information-defense.com
Introduction
Criminal
Specialization as a
corollary of
Rational Choice.
Rational choice theory
is based on the
assumption an agent
as Homo economicus
holds particular sets
of discrete, fixed,
hierarchical
predilections
Rational Choice Theory
Criminal
Specialization as a
corollary of
Rational Choice.
The addition of income
achieved by successful
cybercriminals
changes the levels of
economic constraints
and leads to increasing
levels of crime.
Rational Choice Theory
Criminal
Specialization as
a corollary of
Rational Choice.
Economic
constraints and price
policies through
increases in the
expected cost of
criminal activity
leads to lower rates
of cybercrime.
Rational Choice Theory
Rationally opting
for the insecure 1.What is the importance of the
alternative: information or resource being
Negative protected?
2.What is the potential impact, if
externalities and the security is breached?
the selection of 3.Who is the attacker likely to be?
security controls 4.What are the skills and
resources available to an
Relative computer attacker?
security can be 5.What constraints are imposed
measured using six by legitimate usage?
6.What resources are available to
factors implement security?
Stag Hunt
Incomplete This game has two pure
information is strategy equilibria in which
not always both of the players prefer
the lower risk equilibrium
information
to the higher payoff
asymmetry equilibrium.
A better game The game is both Pareto
model for the optimal and Hicks optimal,
but the sub-optimal and
software industry hence inefficient
is the Stag equilibrium poses a lower
Hunt. risk to either player.
Stag Hunt
Incomplete This game has two pure
information is strategy equilibria in which
not always both of the players prefer
the lower risk equilibrium
information
to the higher payoff
asymmetry equilibrium.
A better game The game is both Pareto
model for the optimal and Hicks optimal,
but the sub-optimal and
software industry hence inefficient
is the Stag equilibrium poses a lower
Hunt. risk to either player.
System Modelling
Modelling System
Audit as a
Sequential test Modeling the failure rate of systems
with Discovery as and the propagation rate of an
a Failure Time attack, allows us to calculate an
expected number of hosts that are
Endpoint anticipated to have been
compromised in the time between an
audit given a specified survival
function or threat.
System Modelling
Modelling System
Audit as a
Sequential test
with Discovery as Past data and comparisons from
similar systems (such as survival
a Failure Time data from DShield[1]) allow for the
Endpoint modeling of alternative systems
where a reported number of events
have been reported against those
deployed.
System Modelling
Modelling System
Audit as a
Sequential test
with Discovery as Past data and comparisons from
similar systems (such as survival
a Failure Time data from DShield[1]) allow for the
Endpoint modeling of alternative systems
where a reported number of events
have been reported against those
deployed.
System Modelling
SIR
(Susceptible- Allowing that a compromised
Infected- or infected system remains
Removed) infected for a random amount
of time , the discovery of an
epidemic
incident by an auditor will be
modelling of dependent on a combination
incidents of the extent of the sample
during Audit tested during the audit and
the rate at which the incident
impacts individual hosts
A quantitative analysis into the
economics of testing software bugs
Program size
against Coding
time
A quantitative analysis into the
economics of testing software bugs
A Box plot of
the ratio of
buggy patches
A quantitative analysis into the
economics of testing software bugs
Training in
security helps
Perceptrons can
automate risk
detection
Imperfect Information
At present, it can
be demonstrated The vendor does not know the
that neither side situation of the user (for the
(the user or the most part) and the user may
not have an easily accessibly
vendor) is
means of determining the risk
informed as to from software.
the true risks and Worse, neither side is likely to
costs of software. know the risk posed from
integrating multiple software
products
Security and Compliance
Audit with employee incentives
1. The employee has no knowledge of
extra testing by the auditor and no
extra tests are to be conducted
2. The client has knowledge of testing
(from past experience) conducted by
the auditor.
3. Prior tests have occurred, but new
auditors have done the testing.
Audit with no employee incentives
4. The employee has no knowledge of
extra testing by the auditor and no
extra tests are to be conducted
5. The client has knowledge of testing
(from past experience) conducted by
the auditor.
6. Prior tests have occurred, but new
auditors have done the testing.
Patching is aligned to Audit
Some systems
are well
configured and
patched.
Others are
terrible
It all depends on
what is audited
Compliance does not mean
Security
1
As systems
become more
compliant, more
0.8
0.6
Security
Compliance
is taken from
C.S
Total Security security.
0.4
0.2
0
Software is on average
improving
80.00 Bugs / M.
SLOC
M. SLOC
70.00 Bugs/10
There is just
60.00
SO MUCH MORE
50.00
of it!
40.00
30.00
20.00
10.00
C
LO
.S
/M
0.00
gs
Bu
93
94
96
00
19
01
19
03
19
06
20
09
20
20
20
20
Security Features work
Firewalling
unpatched
systems has a
significant effect
Security Features work
More people leads to less
Larger teams can
find less
More people leads to less
Larger teams can
find less and cost
more
Better managed systems
survive
Displayed above we
have a plot of the
survival time against
automated
processes (green)
overlayed with that
of manual processes
(red).
The Loess fit for each
is also incorporated
into the plot.
Conclusion
The addition of measures that take
externalities into account act as a
signaling instrument that reduce
information asymmetry and improve the
overall risk position of both the
consumer and vendor.
The development of a software risk
derivative mechanism would be
beneficial to security through the
provision a signaling process to security
and risk.
Questions/Discussions
Any questions?