Economics of Cyber Security

Everything in life boils down to economics. When there is a decision you can either go with your heart or go with your purse/wallet. But I wager that even following your heart there is a part of you which weighs up the cost-benefit implicitly.

When you are looking at security you have a budget and you have business goals and needs and you have to figure out where to spend it. In this post I am tying together a couple of thoughts on how thinking in economics with your brain instead of your gut affects security thinking. It is mostly rambling so this is my personal blog.

Why did I do this?

I was prompted to write this today because of a tweet by the Scotsman:

Scots are going on ‘alcohol cruises’ to England to get around minimum pricinghttps://t.co/rahB5SF5po

— The Scotsman (@TheScotsman) August 1, 2019

Firstly I haven’t bothered to read the article. But I would like to point out literally nobody is “cruising” to England. They can actually walk over bridges in places or take a 5 minute bus. That is the beauty of a friction-less border with free trade.

All about incentives

Understanding what motivates people is vital. This will help you when dealing with people. Think about what they are trying to do and see if you can frame the conversation such that you both get what you need.

I keep pondering this quote more and more:

“It is difficult to get a man to understand something, when his salary depends on his not understanding it.”

— Upton Sinclair

To widen the scope of this post a lot, lets stare at man made climate change. The grandest stage we have is wiping out the planet’s ability to sustain human life. In part due to the economics encouraging people to look the other way. It is all about incentives from where to buy your beer right up continuing doing what you are doing despite mounting evidence that it is killing the planet.

Relating incentives back to the Scotsman’s article. By increasing the duty on alcohol (a so called “Sin tax”) the Scottish government has placed an economic incentive to “drink less”. By making things more expensive people will either be unable to afford to drink as much, or will simply make different choices.

How is this about Cyber Security?

The policy of varying tax to discourage/encourage specific behaviours is a relatable story. The response of consumers has resulted in fewer units being sold. An enterprising band of consumers have identified a niche where, presumably, they live close enough to the border for it to be in their economic interests at the moment to go to England.

Boil this story down to the basics and translate to Cyber Security:

1. A problem was identified (too many units being consumed) and a solution was put in place to reduce the risk (economic sanctions).
2. Attackers evaluated the situation and found an avenue which was economical enough for them to make a buck (vulnerability detected).
3. Attackers exploited that (vulnerability exploited)

There is a relationship between the sin tax approach and Data Breach fines in that they have similar effects. However, a tax is something which always applies and the fine only happens when a breach occurs. You can try and roll a dice and see if you avoid a breach for another financial year. You cannot avoid the tax within Scottish jurisdiction.

Budget, fines, and broken business models

I could not put it better than this belter of a tweet by a person I do not know at all called Dylan (hi Dylan *waves*):

– Hire a competent infosec team.
– We don’t have budget for that.
– OK, be prepared to pay 1.5% of turnover in fines for each GDPR violation
– We don’t have budget for that either.
– Well, golly. Sounds to me like you don’t have a viable business model any more. Sorry about that.

— Dylan Beattie 🇪🇺💉💉🤠 (@dylanbeattie) July 8, 2019

With a name like Dylan he is obviously a wordsmith, I salute you sir.

This perfectly captures for me the economics of cyber security. Increasingly the choice is to do security competently or worry about paying fines. While there is a hint of Fear Uncertainty and Doubt (FUD) about this I think the general idea is right here.

With the first GDPR based fines clearing the system it is obvious that the new regime is just how life is going to be going forward. So while it is distinctly “fuddy” you cannot deny that this FUD is based in reality.

A fine is a threat which is seeking to alter behaviour. “You do this or else!”. If you sufficiently fear the else part then economics states that you should shape up.

Economics of Attackers

The economics for an attacker are pretty simple. They will exploit a target IF they find a vulnerability that:

• has sufficient economic gain when exploited (worth doing)
• for which the likelihood of being caught or the disincentive of the punishment is acceptable to them (attackers accept risks too :D)
• and the investment of effort to exploit is within their skill
• and the attacker has enough resources to devote to exploiting it (in terms of time and tools).

When all of these items are met there is an incentive and motivation for the attacker and the target will get exploited.

Economics of Defenders

Assume some theoretical system which is absolutely secure. That system would likely be absolutely useless to users. Security is the art of safeguarding without rendering something unusable.

What we need to attain is a standard of assurance equivalent with the risks that are realistic. Starting from the situation that in reality nothing is 100% secure it takes the pressure off a little bit. Now that the band-aid has been pulled off lets limit the bleeding.

First, understand the systems you have and the data they process. Determine the value of that data. When you process data valuable on the black market then the risks of attack go up.

Secondly, understand who your adversaries are. There is an entire blog post on its own about the levels of adversaries that I need to write. But in brief lets say this:

• Untargeted automated attackers – these do not care who you are, or know anything about your business interests. Typically a functional exploit for some outdated software or default credentials will be put into a scanner which simply tries to exploit every IP address on the Internet.
• Script Kiddies – these attackers will be targeting you specifically with a human behind the effort. They can use existing exploits and tools to enable password guessing but will be unlikely to develop new tools or attack in a sophisticated manner.
• Organised Criminal attackers – if you are handling information which has value on the black market, or if you process credit card transactions etc then you will be on their radar. They may use “Phishing” or social engineering to exploit your staff and many will have “Zero Day” vulnerabilities which are often traded illegally. They will attempt to exploit you with ransomware and use anything else that can gain money.
• Politically Motivated attackers – if your organisation has ever been protested, or if you trade across borders which have friction you may be targeted by this class of attacker. Frequently they will deploy techniques to disrupt your business such as denial of service or anything to get their agenda into the news. At the extreme end of this category you can expect your data to be stolen and published online by wikileaks.
• Nation states – If you operate between borders which have friction, deliver projects for a government, or have access to people/data of interest to nation states. Then you can pretty much expect to be targeted sooner or later. What we have learned about their tactics is that they will have “Zero Day” exploits, and significant resources at their disposal.

A lot is written about “Zero Days”. I will say for the bulk of companies nobody is looking to waste a valuable exploit on you. There is also very little you can do to proactively defend against them since the vendor you use does not have a patch available.

With security the basics really are: Patch everything all the time, ensure no default or weak passwords are set, and engage with an offensive security partner to simulate the reasonable risks you face. For the bulk of you that means penetration testing, for those with mature cyber security practices in-house that may mean red teaming.

Full disclosure: I am a penetration tester and red teamer by trade. So that last recommendation is not free of bias if you think about what I just wrote cynically. However, I believe what I do every day genuinely helps customers. Note: I did not say you come to ME for these services. I said that you find a security partner with those skills period.

Before you insure your house you get a valuation right? The two-steps above in summary were:

1. Get a valuation for the data you horde.
2. Understand who will attack you and how to arrive at your level of cover.

Now with that out of the way. The economics of defence is to ensure that you make yourself as prickly as possible to deter attackers. While nothing is 100% secure what you want to do is raise the bar beyond low-skilled attackers as the minimum.

As with the “Sin Tax” you are trying to reduce the incentive to the attacker to exploit you. By increasing the amount of time and tooling required you will reduce the pool of attackers.

Have you ever seen one of the many segments on TV where an ex-offender looks at a home and gives advice on how to secure it from robbers? It is the exact same advice here. You want the robber to not see you as a soft touch and you want them to walk down the street to someone who is.

Well, dear reader, I think that is enough for today on the economics of cyber security. I think we covered incentives and how attack and defence is really just like choosing where you buy your beer.