Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Session 4: Economics of
Privacy & Security
Jens GrossklagsPennsylvania State University
An Empirical Study of Web Vulnerability Discovery Ecosystems
Co-authors: Mingyi Zhao, Peng Liu (Pennsylvania State University)
An Empirical Study of Web Vulnerability Discovery Ecosystems
Mingyi Zhao, Jens Grossklags, Peng Liu
Pennsylvania State University
(1995)
Bug Bounty HistoryBug Bounty Platforms
(Web Vulnerability Discovery Ecosystems)
HackerOne
Wooyun
2
Motivation and Approach
• Motivation: Detailed studies of Web vulnerability discovery ecosystems are absent– Debate on the impact of bug bounties for web security– Policy: e.g., limits on legality of vulnerability research
• Approach: Empirically study characteristics, trajectories and impact of two representative ecosystems– Stakeholders: Companies/organizations, white hats, black hats,
public, policymakers, bounty platform providers etc.– Focus of this presentation: Perspective of companies and
organizations
3
Web Vulnerability Data
4
HackerOne WooyunHQ US & NL ChinaFounded 2013‐11 2010‐07# Vulnerabilities 10,997 64,134# White hats 1,653 7,744Participation Model Organization‐initiated White hat‐initiatedBounty Level Avg. $424 (Various) Very LowDisclosure Partial FullData Collected Bounty Amount
Response TimelineVulnerability Type Severity
(Data until 2015‐07)
Participation by Organizations
5
Organization Types
6
• HackerOne: 99 organizations– All IT companies– Social networking, security, bitcoin …
• Wooyun: 17328 organizations
# Orgs # VulnGov 3179 4772Edu 1457 4017Fin 1040 2794
IT Sector Non‐IT Sectors
• The white hat-initiated model (Wooyun) achieves a much broader coverage of organizations– Less constraints for targeting organizations with web security
issues– Growing size and diversity of the white hat community
• More limited participation under the organization-initiated model (HackerOne)– Raises question about ways to increase participation by
companies and white hats
7
Takeaways: Participation
Types of Vulnerabilities & Severity
8
Types & Severity - Wooyun
9
* OWASP TOP 10 in bold font
High: 44%Med: 40%Low: 16%
Severity – HackerOne
• Infer medium and high severity percentage from bounty distribution and policy statement
10
21% 23% 19%
35% 37% 8%
• White hats make considerable contributions– Broad range of vulnerability types– Significant percentage of medium/high severity reports
• White hat-initiated model (Wooyun) harvests potential of the community more comprehensively– Occasional contributors perform as a group almost as well as top
white hats in terms of finding high severity issues– Can organizations properly handle all reports?
11
Takeaways: Types & Severity
Response Behaviors by Organizations
12
Response - Wooyun
13
• Segmenting organizations by Alexa rank (i.e., popularity) reveals differences in response patterns
0%10%20%30%40%50%60%70%80%
Handled Handled(Third Party)
No Response
Large (Alexa 1 ‐ 200)Medium (Alexa 201 ‐ 2000)Small (Alexa > 2000)
Types of Response to Vulnerability Reports
Percentage of R
eports
Response - HackerOne
14
• Organization-initiated programs handle most reports and have quick response times– First response time median: 4.5 hours– 90% of the disclosed reports were resolved in 30 days
15
• Wooyun: Many organizations are not prepared!– Particularly smaller, less popular websites (Alexa > 2000)
• White hat-initiated model may increase risk for unprepared organizations– Vulnerabilities are published after 45 days; vulnerabilities with
no response (unhandled) could still be exploitable– Balance trade-off between applying pressure and reasonable
expectations for response by small companies
Takeaways: Response
Cost and Impact of Bounties
16
• Different levels of bounties:
Impact of bounties?
Bounty Structure - HackerOne
17
020406080100120
0 50 171 319 487 538 611 700
Avg # Vu
ln. p
er M
onth
Average Bounty ($)
Impact of Bounties
• Regression methodology
• Dependent variable: – Average # reports per month
• Independent variables:– Average bounty– Alexa rank– Platform manpower (time-weighted # white hats / # org.)
18
Regression Analysis Results
19
+$100 ~ +3 vuln./month
More popular
More attentionMore complex
More reports
20
• While HackerOne puts focus on monetary compensation of white hats, we still observe many contributions (20% of all reports) to programs without bounties (33% of all programs)– Pay-nothing is a viable approach
• However, higher bounty amount is associated with considerable increase of number of vulnerability reports
Takeaways: Bounties
Security Improvements
21
Vulnerability Trend: Data
22
• Wooyun:
• HackerOne:
Statistical Trend Test
• Laplace Test – Used in previous vulnerability study (Ozment, 2006)– Criteria: >= 4 months and >= 50 reports
23
Decrease Increase No TrendHackerOne 32 8 9
Wooyun 11 81 17
• Despite/because monetary incentives on HackerOne: Fewer vulnerabilities are found over time– Indicative of improved web security of participating IT companies– Initial spike: With sufficient incentive, many vulnerabilities which
likely where known/existed before launch are reported when the program opens
• Opposing trend for Wooyun programs– Likely worse integration between bug bounty program and SDL
24
Takeaways: Trends
Thank you.
25
• Comparison between different Web vulnerability ecosystems provides unique opportunities to study effectiveness of policies and practices– Many more results in the paper(s)
• Jury is still out about which participation model offers the most important benefits
Veronica MarottaCarnegie Mellon University
Alessandro AcquistiCarnegie Mellon University
Who Benefits from Targeted Advertising?Co-author: Kaifu Zhang (Carnegie Mellon University)
Veronica Marotta, Kaifu Zhang, Alessandro Acquisti
Carnegie Mellon University
Federal Trade CommissionPrivacyCon 2016
Who Benefits From Targeted Advertising?
Personal information is the lifeblood of the Internet
Loss of privacy is the price to pay for the benefits of big data
Sharing personal data is an economic win‐win
Who Benefits from Targeted Advertising?
• To what extent availability of more and more preciseinformation about consumers leads to:– An increase in total welfare?– A change of allocation of benefits between different stakeholders?
• Firms• Consumers• Intermediaries (i.e. ad exchanges)
Methodology
• Multi‐stage, 3‐players model of online targeted advertising
• Compare scenarios that differ in the type and amount ofconsumer’s information available during the targeting process
• Account for the role of the intermediary (the ad exchange) inthe advertising ecosystem
• Focus on “Real‐Time Bidding” (RBT)
Advertisers are Bidding for Consumers
Ad Exchange
Advertisers are Bidding for Consumers
Ad Exchange
- Impression- Users
parameters- Cookies
Advertisers are Bidding for Consumers
Ad Exchange
Winner
- Impression- Users
parameters- Cookies
AD
The Model: Basic Setting
3. Consumers:• Have product preference, but need to find seller• Differ along two dimensions: horizontal (brand preference) and
vertical (purchase power)
1. Firms (the Advertisers):• Profit‐Maximizer• Cannot target consumers directly
2. Intermediary (the Ad Exchange):• Profit‐Maximizer• Runs auctions for advertisements’ allocation
The Model: Sequence of Events
ConsumerTwo Dimensions:• Horizontal• Vertical
1 Ad Exchange
2
Firms
Information about consumers made
available
3
Second-Price Auction
4
• Bid for Advertisement (Consumer)
• Price of the product
5
Winner of the Auction• Pays second-highest
bid• Shows the Ad 6
• Sees the Ad• Purchase decision
Consumer
Observes the consumer’s information
The Model: Sequence of Events
ConsumerTwo Dimensions:• Horizontal• Vertical
1 Ad Exchange
2
FirmsObserves the
consumer’s information
3
Second-Price Auction• Horizontal Info• Vertical Info• Both Info• No Info 4
• Bid for Advertisement (Consumer)
• Price of the product
5
Winner of the Auction• Pays second-highest
bid• Shows the Ad 6
• Sees the Ad• Purchase decision
Consumer
Analysis
1. For each scenario, we derive:• Firm’s bidding strategy (for advertisement)• Firm’s pricing strategy (for product being advertised)• Intermediary’s profit• Consumer’s choice
Equilibrium Concept: Nash Equilibrium for Second‐PriceAuctions
2. Through simulations of the model, we analyze how the outcome interms of consumers’ welfare, intermediary’s profit and firms’ profitchanges under the different scenarios
“Consumers at Auction," Veronica Marotta, Alessandro Acquisti, and Kaifu Zhang, ICIS 2015
Welfare Analysis
Consumers’ surplus
X axis: degree of horizontal differentiation
Y ax
is: d
egre
e of
ver
tical
diff
eren
tiatio
n
Horizontal Information
No Information
“Consumers at Auction," Veronica Marotta, Alessandro Acquisti, and Kaifu Zhang, ICIS 2015
Welfare Analysis
Consumers’ surplus
X axis: degree of horizontal differentiation
Y ax
is: d
egre
e of
ver
tical
diff
eren
tiatio
n
Horizontal Information
No Information
Intermediary’s profit
No Information
Vertical Information
Welfare Analysis
• Allocation of Benefits (proportions) among Consumer, Advertiser and Intermediary under the four scenarios
a. No Information
Welfare Analysis
• Allocation of Benefits (proportions) among Consumer, Advertiser and Intermediary under the four scenarios
d. Complete Information
b. Horizontal Information
c. Vertical Information
a. No Information
Results
1. Consumer’s surplus is higher when only specific type of informationis available (horizontal information) and, generally, when lessinformation is available
2. There exist situations in which the incentives of the Intermediary aremisaligned with respect to consumer‘s interest
3. Under certain conditions, the Intermediary obtains the highestproportion of benefits from the targeting process
4. A strategic intermediary may choose to selectively share consumerdata in order to maximize its profits
Limitations/Future work
• Competition among ad networks
• Costs/investments for ad networks
• Reduction in consumer search costs
• Empirical analysis
“The Economics of Privacy,” Acquisti, Taylor, and Wagman, Journal of Economic Literature, (forthcoming)
Personal information is the lifeblood of the Internet
How is the surplus generated by personal data allocated?
Loss of privacy is the price to pay for the benefits of big data
Who bears the costs of privacy enhancing technologies?
Sharing personal datais an economic win‐win
When do consumers benefit from trades in their data?
Catherine TuckerMassachusetts Institute of Technology
Privacy Protection, Personalized Medicine and Genetic Testing
Co-author: Amalia Miller (University of Virginia)
Privacy Protection,Personalized
Medicine andGenetic Testing
Amalia R. Miller andCatherine Tucker
Our research questionWhat kinds of privacyprotections encourage ordiscourage the spread ofhospital genetic testingfor cancer?
What cangenetic tests beused for?Identifying geneticinformation to predict
• susceptibility to disease• course of disease• response to treatment.
BRCA1 mutation
Look at state law variation from2000-2010 which echoes3approaches toprivacy
• Informed consent (EU privacydirectiveof 1996?)
• Regulating datause (USapproach?)
• Establishing property rightsover data(Coasian)
Weuse anational survey tounderstand who gets agenetictest
• National Health InterviewSurveys (NHIS) - part of CDC
• In 2000, 2005, 2010 theyasked30k survey takersabout genetic testing.
There are pros andcons of thedependent variable
• Yes: Testing for predictors ofbreast, ovarian cancer. Actionable.
• But: Few positiveobservations (< 1%)
Weuse standard econometrictechniques
• Statistically relatethe decisionto takeagenetic test tochanges in the patient’s state’sprivacy law.
• Seethe paper for theequations andmethods
Informed Consent reducesgenetic testing by one third,Individual Control increasesgenetic testing by one third
InformedConsent
Usage Restriction
Individual Control
The controls hadweak butexpectedeffects
• Female, black, family cancerpositively affect decision
• No insurance(weakly)negatively affects decision
• Statecharacteristics, age,private insurancearen’tsignificant
The positiveeffect forIndividual Control is notdriven by hospitals
• Hospitals react negatively toconsent laws
• But also react negatively topatient property rights
Weprovide evidencethat oureffect is causal with placebos
• No effect for genetic laws forHIV testing - not drivenbytastes for privacy
• No effect for genetic laws onflu shots - not driven by tastesfor preventativecare
What is going on?• Discrimination laws - lack of information?
• Consent without control-highlights powerlessness?
• Data ownership - Perception ofcontrol or Coase?
Pure consent
Consent with Property Rights
Our effects appear tobedriven by privacy concerns
• Larger effects for those withhigher underlying risk
• No effects for those withpast cancer diagnosis
• Larger effects for‘privacy-protecting’individuals
Summing Up
There are of course limitations1. The unobserved2. No information about
interpretation3. Early stage of diffusion.
When states givemore controlover how their privateinformationis shared genetic testing increases
• Particularly for those whoaremore worried about ‘badnews’
• Hospitals respondnegatively
Wefind that informed consentdeters patients andhospitalsfrom testing
Data usage policies have littleeffect
• Goodor badnewsdepending on how you lookat it
Thank you! [email protected]
Sasha RomanoskyRAND Corporation
Examining the Costs and Causes of Cyber Incidents
Costs and Consequences of Cyber IncidentsSasha Romanosky
Costs and Consequences of Cyber IncidentsSasha Romanosky
Motivation
• Data breaches and privacy violations have become commonplace, affecting thousands of firms, and millions of individuals,
- yet we don’t fully understand their costs or impacts- nor do we properly understand the firm’s incentives to invest in
cyber security controls
• Therefore, using a dataset of 12,000 events, we examine the costs, scale, and overall risk of events, by industry and over time
Four types of cyber events
Unauthorized disclosure of private information
Unauthorized disclosure of personal infoData breaches
Security incidents
Privacy violations
Computer attacks against a company
A company’s willful collection or use of personal info
Phishing/skimming Financial criminal acts committed against individuals and firms
We observe publicly available data
Cyber event occurs
Detected
Disclosed
Recorded
Legal action
Notdetected
Notdisclosed
Notrecorded
No legal action
Data breaches greatly outnumber all other incidents
1,500
1,000
500
250
200
150
100
50
0
2004 2006 2008 2010 2012 2014
Databreaches
/////////////////////////////////////////////////////////////////////////////////////////
Numberof
cyberevents
Privacy violations
Securityincidents
Phishing
But security incidents are increasing rapidly
1,500
1,000
500
250
200
150
100
50
0
/////////////////////////////////////////////////////////////////////////////////////////
Numberof
cyberevents
Databreaches
Privacy violations
Phishing
Securityincidents
2004 2006 2008 2010 2012 2014
Industry analysis
• There are many ways to understand risk by industry:- Total incidents, and incident rate- Total lawsuits, and litigation rate- Costs per event
• This helps us understand which industries pose the greatest risk
Finance and Insurance, and Health Care sectorssuffer highest number of incidents
Total incidents
2,000
Finance and
Ins.
Health care
Government
Education
Manufacturing
1,0000
But Govt, and Education sectors suffer highest incident rates
Total incidents Incident rate
.015
Government
Education
Information
Finance and
Ins.
Utilities
.01.0502,000
Finance and
Ins.
Health care
Government
Education
Manufacturing
1,0000
Firms in Information and Finance/Insurance sectors are most often litigated
Number of lawsuits
200
Information
Finance and
Ins.
Manufacturing
Retail Trade
Health Care
1000 25015050
But, Oil & Gas suffers the highest litigation rate
Number of lawsuits Litigation rate
.3
Mining, Oil & Gas
Admin and SupportServices
Ag., Fishing, Hunting
Retail Trade
Information
.2.10200
Information
Finance and
Ins.
Manufacturing
Retail Trade
Health Care
1000 25015050 .4
Next, let’s examine legal actionsAll Legal Actions (1,687)
Civil (1,394) Criminal (293)
State (271) Federal (202) State (91)
Private(922)
Public(201)
Private (221)
Public(50)
Federal (1,123)
2004 2006 2008 2010 2012 2014
Privacy litigation has increased sharply
150
100
50
Total number of lawsuits
0
Databreaches
Privacy violations
Phishing
Securityincidents
2004 2006 2008 2010 2012 2014
150
100
50
Total number of lawsuits
0
Databreaches
Privacy violations
Phishing
Securityincidents
2004 2006 2008
1.0
0.8
0.6
2010 2012
Litigation rate
0.4
0.2
0
2014
But overall litigation rates are declining
Most data breaches cost firms less than $200K
Min Max Median N
Data Breaches $25 $572m $170 K 602Security Incidents $100 $100m $330 K 36Privacy Violations $180 $750m $1.34 M 234Phishing/Skimming $0 $710 m $150 K 49
963These costs are much lower than the $5m often cited
Repeat Players
• 38% of firms (almost 4800) in our dataset suffered multiple incidents
• 50% of all incidents within the Information and Finance/Insurance industries involve repeat players
• No significant difference in legal actions or litigation rate for this group, relative to single players
• However, data breach costs are twice as large for repeat players:- $9.8m vs $4m for single players
Annual losses from cyber events are comparatively small
3.5
10
33
69
70
97
105
151
200
0 100 200 300
Online fraud
Losses from cyber events
Retail shrinkage
Healthcare fraud
Global spending on cybersecurity
Insurance fraud
Cybercrime
Hurricane Katrina
Loss of intellectual property
$ Billions
As a percent of revenue, the cost of cyber events is also very small
0.4
0.9
1.4
3.1
5.2
5.9
20.0
0 10 20 30
Cyber events
Online fraud
Retail shrinkage
Healthcare fraud
Global payment card fraud
Hospitals (bad debt)
Restaurant industry shrinkage
Percent of revenue/volume
Troubling paradox; where do the incentives lie?
• On one hand, cyber events and legal actions are increasing- Compromising the most sensitive kinds of personal information
• On the other hand, typical costs are relatively small- And consumers seem quite satisfied with firm responses (Ablon et
al, 2016)
• What does this suggest for firm incentives in cyber security?
Questions?
Retail, Information, and Manufacturing sectorssuffer highest losses
Total losses (in Millions $) Loss per event
1.5
Management
Retail
Information
Manufacturing
Wholesale Trade
1.502,000
Information
Manufacturing
Retail
Finance and Ins.
Health care
1,0000 2
• Breach notification, counsel, forensics, IT repair, consumer redress
• Also includes money stolen from banks,financial companies
• Settlements and other judicial awards• Administrative rulings, cy pres
1st-party losses
3rd-party losses
Losses are typically of two types
Total recorded losses of $10 billion
But this represents only 10% of all observed events
$(billions)
Data breaches
8
6
2
0
4
Securityincidents
Privacy violations
Phishing
1st Party
3rd Party
0
20
40
60
80
Numberof cyberevents
In most cases, cyber events cost firms about what they spend on IT security
Annual cost of IT security minus annual cost of cyber events
–$5M $0 $5M
Distribution of Repeat Players
Single
8
6
2
0
4
2-5 6-10 > 10
Number of Firms(in’000s)
Number of repeat incidents
Discussion of Session 4Discussants:• Kevin Moriarty, Federal
Trade Commission
• Doug Smith, Federal Trade Commission
• Siona Listokin, George Mason University
Presenters:• Jens Grossklags,
Pennsylvania State University
• Veronica Marotta,Carnegie Mellon University& Alessandro Acquisti,Carnegie Mellon University
• Catherine Tucker, Massachusetts Institute of Technology
• Sasha Romanosky,RAND Corporation