By Fer O’Neil, a Knowledgebase Technical Writer at a security software company and a Ph.D. student.
Why every cyber security professional needs to know about the Workshop on the Economics of Information Security (WEIS) conference
In the final week of June, the Rady School of Management at UC San Diego hosted the 16th annual Workshop on the Economics of Information Security (WEIS) conference. Over the course of two full days, seasoned researchers presented and discussed the tools, processes, and methodologies that inform cyber security technologies as well as national and international cyber security policy.
As a first time attendee, I will share my perspective of the sessions and the conference as a whole.
What is WEIS—Why haven’t I heard of this?
WEIS is the leading forum for interdisciplinary scholarship on information security and privacy,
combining expertise from the fields of economics, social science, business, law, policy, and computer science. From the WEIS website, the conference pages describe how its unique expertise in interdisciplinary fields contributes to information security and privacy, as both continue to grow in
importance, with threats proliferating, privacy eroding, and attackers finding new sources of value.
Themes and highlights from the sessions
Nearly all of the presentations were empirical research studies that used economic statistical models to look at correlation and causation of behaviors and events applied to cyber security topics. This type of research is important because of the constantly changing information security landscape. I thought that the presentation by Hasan Cavusoglu An Empirical Investigation of the Antecedents and Consequences of Privacy Uncertainty in the Context of Mobile Apps elucidated nicely how uncertainty in economics relates to cyber technology applications, marketing efforts, and information security systems. That is, uncertainty is the consequence of incomplete information, and this relates to the models and frameworks for how people make decisions with incomplete information and the outcomes as a result (for instance, consequences or benefits).
If one were able to combine all of the information from all sessions, you would have a tremendous ability to predict levels of security vulnerability based on intrinsic and extrinsic factors such as market share, competition, lack of security patching etc. For example, Sam Ransbotham investigated the The Effects of Security Management on Security Events to determine whether a security event at a competitor affects a firm’s security management practices. He found that breaches do increase active port management (observable activity), and that firms respond to breaches at other firms in their industry.
There were 25 presentations and there was so much information shared that I can only encourage others to look at the session topics and read the abstracts to the papers that interest you—and also note that the WEIS website does an excellent job posting links to every paper presented at all WEIS conferences since 2005.
Practical applications from robust research
When I posted that I was attending WEIS this year, several people in the cyber security industry commented that the sessions looked “academic,” but I didn’t quite understand what that meant. The conference presenters were a mix of pioneering and influential information security researchers, top government security directors, leading security and privacy lawyers, and prominent security think tank researchers, among others too many to list. The conference was full of strategy and policy information for how cybersecurity risk should be managed and business decisions made based on empirical evidence.
Next year’s conference will be held in Innsbruck, Austria, mid-June. I encourage you to review the papers on the conference website for the topics that are relevant to your industry to see the most current research available related to cyber and information security.
For a comprehensive overview of every session, one of the founding members of the conference, Ross Anderson (a pioneer and world leader in security engineering), liveblogged the entire conference, which you can view on his website: https://www.lightbluetouchpaper.org/2017/06/26/weis-2017-liveblog/
Selected examples of some predictive results from the sessions
For industry professionals that question what benefit they would receive by attending WEIS, I have compiled a selected list of presentations that provide applied research for various cyber security topics.
- Inferring Security Performance of Providers from Noisy and Heterogenous Abuse Datasets Concentration metrics reveal attacker and defender economics, such as how attackers can gain advantage by scaling their operations, and this in turn can be used to study the effectiveness of
countermeasures. For example, this research shows that the size of provider, popularity, and price leads to exposure and incidents. Therefore, better security procedures leads to less security incidents.
- An Analysis of Pay-per-Install Economics Using Entity Graphs Platon Kotzias presented an economic analysis of Potential Unwanted Programs (PUP) operations of commercial pay-per-install services used to distribute PUP. Most of the major PUP are properly signed by Microsoft. In 2014, there was a sharp decrease in the number of PUP samples. The research found that 5% of unique IPs accessing Google have injected
advertisements and that three times the number of malware are PUP warnings, according to Google’s safe browsing report (USENIX 2016). This means that PUP defenses implemented in 2014 from Google, Microsoft, and Symantec, have affected the pay-per-install market:
- Impact of Security Events and Fraudulent Transactions on Customer Loyalty:
A Field Study Sriram Somanchi found that customers are likely to end relationship with a bank with an adverse security event, but these models are affected by a bank’s dominance in a market and by the length of time after the event. This research is important to understand customer behavior
related to fraud and can be used to help predict which customers are more likely to leave a bank for certain adverse security events (and when).
- Make Notifications Great Again: Learning How to Notify in the Age of Large-Scale Vulnerability Scanning
This was Interesting research that attempted to determine the most effective way to notify domain owners about a vulnerability. For example, they created a demonstration video of the vulnerability and sent a link to the site owner. However, using traditional communication channels and methods (for instance, email), most notifications bounced. Even when the resource owners were reached, they would not remediate the vulnerabilities, some of them don’t read the notification or understand them (the vulnerability remediation). Their research proposed some recommendations: Move away from email; use alternative information sharing mechanisms such as Api (but have to opt-in), “nudges” with threatened legal action, and hosting
remediation advice at trusted sites.
- Standardisation and Certification of the `Internet of Things’
Ross Anderson’s paper reports a project for the European Commission and demonstrated that maintaining critical software, such as medical devices, vehicles, and power grids is going to continue to be a big problem. Ross discussed the strategic educational challenges as safety and security become intertwined where safety engineers will have to learn adversarial thinking while security engineers will have to think more about usability and maintainability. He outlined his current teaching at Cambridge for first-year undergraduates, when they get an introductory course in `Software and security engineering’ where security and safety are taught as two aspects of the same mission: designing systems to mitigate harm, whether caused by adversaries or not.
- Security Breaches in the U.S. Federal Government
Min-Seok Pang found that for every 1% increase in cyber spending, there was a 5% decrease in security incidents (phishing, malicious code, social engineering, policy violation etc.). Further, the more dispersed (not concentrated) offices are, the fewer security incidents it encountered.
Not surprising was that legacy systems were more likely to experience security incidents, but a very useful finding found that more cloud spending resulted in fewer DDoS attacks