Economics of Information Security and Privacy III

Bruce Schneier, Editor

Springer New York Heidelberg Dordrecht London

Editor: Bruce Schneier, Minneapolis, MN, USA, [email protected]

ISBN 978-1-4614-1980-8
ISBN 978-1-4614-1981-5 (eBook)
DOI 10.1007/978-1-4614-1981-5
Library of Congress Control Number: 2012944738

© Springer Science+Business Media New York 2013
Printed on acid-free paper. Springer is part of Springer Science+Business Media (www.springer.com)

Preface

You have in your hands most of the papers—some are missing because of various publication requirements—from the Tenth Workshop on Economics and Information Security, or WEIS 2011.

The idea that economics has anything to do with computer security is only slightly older than this workshop. Ross Anderson and I seem to have stumbled upon the idea independently—he in his brilliant article from 2001, "Why Information Security Is Hard—An Economic Perspective" (http://www.cl.cam.ac.uk/~rja14/Papers/econ.pdf), and me in various essays and presentations from that same period. WEIS was inaugurated a year later at the University of California at Berkeley and has been held annually ever since in both the USA and Europe. It is the only workshop where security technologists get together with economists and policy makers and try to understand the economic problems related to computer security.

And economics has a lot to teach computer security. We generally think of computer security as a problem of technology, but it is a technological problem that has people as an essential element. Security designs need to take intelligent attackers into account, of course, but they have to take into account the interests and motivations of the users as well. This makes computer security unique, and opens up vast areas of failure that traditional computer engineering systems don't have to deal with. Often systems fail because of misplaced economic incentives, when the people who could protect a system are not the ones who suffer the costs of failure.

When you start looking, economic considerations are everywhere in computer security. Hospitals' medical records systems provide comprehensive billing-management features for the administrators who specify them, but are not so good at protecting patients' privacy. Automated teller machines suffered from fraud in countries like the UK and the Netherlands, where poor regulation left banks without sufficient incentive to secure their systems, and allowed them to pass the cost of fraud along to their customers. And one reason the Internet is insecure is that liability for attacks is so diffuse. In all of these examples, the economic considerations of security are more important than the technical considerations.

More generally, many of the most basic security questions are at least as much economic as technical. Do we spend enough on keeping hackers out of our computer systems? Or do we spend too much? For that matter, do we spend appropriate amounts on police and military services? And are we spending our security budgets on the right things? In the 10 years since the terrorist attacks of 9/11, questions like these have a heightened importance.

Economics can actually explain many of the puzzling realities of Internet security. Firewalls are common and e-mail encryption is rare—not because of the relative effectiveness of the technologies, but because of the economic pressures that drive companies to install them. Corporations rarely publicize information about intrusions; that is because of economic incentives against doing so. And an insecure operating system is the international standard; in part, that is because its economic effects are largely borne not by the company that builds the operating system, but by the customers who buy it.

Some of the most controversial cyberpolicy issues also sit squarely between information security and economics. For example, the issue of digital rights management: is copyright law too restrictive—or not restrictive enough—to maximize society's creative output? And if it needs to be more restrictive, will DRM technologies benefit the music industry or the technology vendors? Is Apple's strict control over iPhone and iPad applications good for security, or just another way for the company to lock its customers into its platforms? What are the costs and benefits of different Internet security proposals: systems that restrict anonymity, breach disclosure laws, or Internet "kill switches"? Any attempt to answer these questions becomes rapidly entangled with both information security and economic arguments.

WEIS 2011 was held at George Mason University, in Fairfax, Virginia (http://weis2011.econinfosec.org/). Over the course of two days, 95 attendees heard 20 talks, two invited speakers, and one panel. Topics covered included privacy, identity, security resilience, and the economics of computer crime.

This year marked a milestone for WEIS: ten conferences in 10 years. I've long said that the fundamental problems in computer security are no longer about technology; they're about applying technology. Workshops like WEIS help us understand why good security technologies fail and bad ones succeed, and that kind of insight is critical if we're going to improve security in the information age.

Minneapolis, MN, USA
Bruce Schneier

Contents

The Impact of Immediate Disclosure on Attack Diffusion and Volume ... 1
Sam Ransbotham and Sabyasachi Mitra

Where Do All the Attacks Go? ... 13
Dinei Florêncio and Cormac Herley

Sex, Lies and Cyber-Crime Surveys ... 35
Dinei Florêncio and Cormac Herley

The Underground Economy of Fake Antivirus Software ... 55
Brett Stone-Gross, Ryan Abman, Richard A. Kemmerer, Christopher Kruegel, Douglas G. Steigerwald, and Giovanni Vigna

The Inconvenient Truth About Web Certificates ... 79
Nevena Vratonjic, Julien Freudiger, Vincent Bindschaedler, and Jean-Pierre Hubaux

Resilience of the Internet Interconnection Ecosystem ... 119
Chris Hall, Ross Anderson, Richard Clayton, Evangelos Ouzounis, and Panagiotis Trimintzios

Modeling Internet-Scale Policies for Cleaning up Malware ... 149
Steven Hofmeyr, Tyler Moore, Stephanie Forrest, Benjamin Edwards, and George Stelle

Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach ... 171
Christos Ioannidis, David Pym, and Julian Williams

Are Home Internet Users Willing to Pay ISPs for Improvements in Cyber Security? ... 193
Brent Rowe and Dallas Wood

Economic Methods and Decision Making by Security Professionals ... 213
Adrian Baldwin, Yolanta Beres, Geoffrey B. Duggan, Marco Casassa Mont, Hilary Johnson, Chris Middup, and Simon Shiu

Real Name Verification Law on the Internet: A Poison or Cure for Privacy? ... 239
Daegon Cho

The Privacy Landscape: Product Differentiation on Data Collection ... 263
Sören Preibusch and Joseph Bonneau

Contributors

Ryan Abman: University of California, Santa Barbara, Santa Barbara, CA, USA
Ross Anderson: University of Cambridge, Cambridge, UK
Adrian Baldwin: HP Labs, Bristol, England, UK
Yolanta Beres: HP Labs, Bristol, England, UK
Vincent Bindschaedler: EPFL, Lausanne, Switzerland
Joseph Bonneau: University of Cambridge, Cambridge, UK
Marco Casassa Mont: HP Labs, Bristol, England, UK
Daegon Cho: Carnegie Mellon University, Pittsburgh, PA, USA
Richard Clayton: University of Cambridge, Cambridge, UK
Geoffrey B. Duggan: University of Bath, Bath, England, UK
Benjamin Edwards: University of New Mexico, Albuquerque, NM, USA
Dinei Florêncio: Microsoft Research, Redmond, WA, USA
Stephanie Forrest: University of New Mexico, Albuquerque, NM, USA
Julien Freudiger: EPFL, Lausanne, Switzerland
Chris Hall: Highwayman Associates Ltd., Leatherhead, UK
Cormac Herley: Microsoft Research, Redmond, WA, USA
Steven Hofmeyr: Lawrence Berkeley National Laboratory, Berkeley, CA, USA
Jean-Pierre Hubaux: EPFL, Lausanne, Switzerland
Christos Ioannidis: University of Bath, Bath, England, UK
Hilary Johnson: University of Bath, Bath, England, UK
Richard A. Kemmerer: University of California, Santa Barbara, Santa Barbara, CA, USA
Christopher Kruegel: University of California, Santa Barbara, Santa Barbara, CA, USA
Chris Middup: Open University, England, UK
Sabyasachi Mitra: College of Management, Georgia Institute of Technology, Atlanta, GA, USA
Tyler Moore: Harvard University, Cambridge, MA, USA
Evangelos Ouzounis: European Network and Information Security Agency, Heraklion, Greece
Sören Preibusch: University of Cambridge, Cambridge, UK
David Pym: University of Aberdeen, Aberdeen, Scotland, UK
Sam Ransbotham: Boston College, Chestnut Hill, MA, USA
Brent Rowe: RTI International, San Francisco, CA, USA
Simon Shiu: HP Labs, Bristol, England, UK
Douglas G. Steigerwald: University of California, Santa Barbara, Santa Barbara, CA, USA
George Stelle: University of New Mexico, Albuquerque, NM, USA
Brett Stone-Gross: University of California, Santa Barbara, Santa Barbara, CA, USA
Panagiotis Trimintzios: European Network and Information Security Agency, Heraklion, Greece
Giovanni Vigna: University of California, Santa Barbara, Santa Barbara, CA, USA
Nevena Vratonjic: EPFL, Lausanne, Switzerland
Julian Williams: University of Aberdeen, Aberdeen, Scotland, UK
Dallas Wood: RTI International, San Francisco, CA, USA