Productivity Space of Information Security in an Extension ：在一个扩展的信息安全生产力空间

1、Economics of Provable Security and Probable SecurityKanta Matsuura(The University of Tokyo)2009 NIMS International Workshop on Mathematical CryptologyThis work is partly supported by NEDO (New Energy and Industrial Technology Development Organization) of Japan.Abstract (1/4)How much should we invest

2、 into information security? Can provably-secure primitives provide differences in the real world, despite the risk of implementation blunders? Can we transfer risks associated with distributed nature of security infrastructures? 2Abstract (2/4)Answers to these questions, or implications helpful in e

3、xploring them, may have impacts on mitigating the deployment problems of cutting-edge cryptography and information-security technologies.3Abstract (3/4)Now we have at least a decade of history in the economics of information security, this talk shows some mathematical models that provide such helpfu

4、l implications. The models include an optimal investment model based on cost-benefit analysis, a two-dimensional space of information-security productivity, and a token model with option-pricing theories. 4Abstract (4/4)Although the implications do not discourage engineers who investigate provable s

5、ecurity and probable but higher security, cautions will be suggested regarding information sharing.56AgendaEconomics of provable securitySecurity efforts and their impactsInvestment modelsProductivity space and Optimal investmentSensitivity analysis and implicationsEconomics of probable securityRisk

6、s resulting from the distributed nature of information-security infrastructureExploitation of financial derivatives for risk transfer, risk assessment, and moreElementarycalculusStochasticcalculus71. Economics of Provable Security8Security efforts and their impactsSome countermeasures are provided s

7、o that attacks will fail.= Vulnerability reductionOthers are provided so that attacks will not occur.= Threat reduction (Research is rather sparse.)How the reductions influence the optimal investment strategies and relevant implications?9Investment modelsTaxonomies (e.g., Rue et al.WEIS07)Macro-econ

8、omic input/output models, More traditional econometric techniques, Methods derived from financial markets, Case studies of firms, Heuristic models, Risk management & insurance framework, Game theoretic models, Accounting models.“A model is supposed to reveal the essence of what is going on: your mod

9、el should be reduced to just those pieces that are required to make it work.” (Varian 1997)“Clearer insights are provided by models that are less rather than more complex.” (Gordon and Loeb 2002)10The Gordon-Loeb modelBasic theory (Gordon and Loeb 2002)Investigation considering Return-on-Investment

10、in a one-period economic model.Empirical supportsThe optimal investment strategy of focusing on mid-range vulnerabilities (Tanaka et al. 2005).A class of security function (Liu et al. 2007).Extensive formulationA model for information sharing and free-rider problem (Gordon et al. 2003).11Parameters

11、& functions in the GL modelThe loss when breached: lThe probability of a threat occurring: tThe potential loss: L = t lThe conditional probability of the threat being successful (conditional on the occurrence), called “vulnerability” in the model: vThe information-security investment: zThe condition

12、al probability after the investment (security-breach probability function): S (z,v)Class I: S (z,v) = v/(az+1)bClass II: S (z,v) = v a z+1This a is called the productivity of information security.12The optimal investment z*Maximize the ENBIS (Expected Net Benefit of Information Security)Closed-form

13、solutions:Class I: Focus on high vulnerabilities.Class II: Focus on mid vulnerabilities.(Some empirical supports)Optimal Level of Information Security InvestmentVulnerabilityZ*VV(tl)V(tl)13An extension: Matsuura model WEIS2008Let us assume the investment z reduces the threat-occurring probability, t

14、, down to T(z,t).Fundamental assumption:The threat reduction depends only on the investment and the current level of threat.Additional assumptions:T(z,0) = 0 for all z.T(0,t) = t for all t.For all and for all z, Tz(z,t)0.For all , .14The optimal investment z* under the risk-neutrality assumptionDete

15、rmined byNote: If the marginal benefit at z=0 is less than or equal to the marginal cost of such investment, z* equals zero.=B=CRisk neutralityIf someone is risk-neutral, it means that they are indifferent to investments that have the same expected value, even though the investments may have varying

16、 amounts of risk.15ExampleA risk-neutral decision-maker would be indifferent to Investment #1 that generates either a net return of $200,000 or a net loss of $100,000 each with probability of 0.5, and Investment #2 that generates a net return of either $40,000 or $60,000 each with probability of 0.5

17、, as both investments have an expected net return of $50,000.16A note for the exampleNotice that Investment #1 has more risk (i.e., larger standard deviation around the expected value) than investment #2, and yet the two investments are being considered equal.1718Class-II functionsHereafter, we cons

18、ider the class-II functions: S(z,v)=v az+1, T(z,t)=t bz+1.Two productivitiesVulnerability-reduction productivity: a.Threat-reduction productivity: b.We are going to examine the behavior of z* in the two-dimensional space formed by the two productivities.19Closed-form solutionThe condition for having

19、 a zero investment as the optimum:That is, .When F (v)0 iff b0, the optimal investment increases/decreases as the productivities increase, in the following manner:Theorem 1Theorem 3Theorem 2v,29A note on the peak of the mid-vulnerability intensive z*-v curveIf one rather chooses a strategy of focusi

20、ng sharply around the maximum of the z*-v curve, the focus is outside the vulnerability range for .,30A tradeoff between vulnerability reduction and threat reductionWhen engineers efforts increase the productivities, users investment may increase (white) or decrease (dark-gray).The feature in the li

21、ght-gray region depends on the interpretation of the mid-vulnerability intensive strategy.Some vendors may prefer the former, but others may not.31Be careful about externalityThree possibilities: Ones efforts for threat reduction may haveNo impact on threats to others. (Presented today)A positive im

22、pact on (i.e., increase) threats to others (e.g., attackers change their targets).A negative impact on (i.e., decrease) threats to others (e.g., attackers are totally discouraged).watchdog322. Economics of Probable SecurityAn example: E-commerceProtocols require frequent (and feasible but heavy) ver

23、ifications.Why?Digital certificates.Avoid copyright violation.Need freshness.Trust management.33Verify, verify,verify, .Real-time, distributed & trusted directories are too difficult.Probably OK . . .Associated risksThe verification may output NG. It may output OK. Who knows in advance?Suppose a dig

24、ital ticket signed by an issuer. When I buy it, I verified the signature and the result was OK. However, when I attempt to use it at a virtual theater, the verification may output NG. Or I may even face a congestion that keeps me from connection with the theater, or TTP needed for verification.34An

25、abstraction (Setok: security token)Digital object with Price & “Value(s)”Confidence,Priority,Insurance,Compatibility,Freshness, . . .Uncertainty351 0 0 % Trusted$10When I buy ,useSetok36Price InterpretationValue InterpretationImplicit price: SExplicit price: S=y(t, S)Implicit value: VExplicit value:

26、 V=h(t, V)ContentsTimestamp: t0RisksChange in price.Change in value.Setok(S, V), t0Written on purchaseMonetary value in a transaction depends on. . .Y(t)=y(t, S(t)H(t)=h(t, V(t)The stochastic processesThe implicit price, S, represents the market price of the setok. S is a stochastic process.The impl

27、icit value, V, is composed of a set of stochastic processes. Each process Vi represents an indicator (e.g. a firms transaction volume, a financial rating, revocation frequency, etc.) that influences values associated with the setok.37Interpretation functionsWhen an issuer issues a setok, it writes a

28、 particular price S (on the setok) that depends on the current time t and the current occurrence S(t) of the implicit price.This action is captured by a price-interpretation function y as S=y(t, S).The issuer also writes a value V that depends on t and the current occurrences Vi(t) of the elements o

29、f the implicit values. This is captured by V=h(t, V).38S, VInterpretation when t=t0.Setok(S, V), t0Issuer39SetokPrice InterpretationValue InterpretationImplicit price: SExplicit price: S=y(t, S)Implicit value: VExplicit value: V=h(t, V)ContentsTimestamp: t0RisksChange in price.Change in value.Implem

30、entationFixed price would allow wider range of digital-payment schemes.Setok(S, V), t0Written on purchaseY(t)=y(t, S(t)H(t)=h(t, V(t)Monetary value in a transaction depends on. . .Single-valued Setok(a simple example)Revocation when compromised in value:H(t)=0 when V(t)=0.Tradability:Can be sold at

31、yV/h if tt0, t0+T where T=t0(t,H(t) and t0(t,h) = T0 (h0) 0 (h=0).Refundability:Can be sold at S if tt0, t0+T where T=t1(t,H(t) and t1(t,h) = 0 (h0) T0 (h=0).Indivisibility:Cannot be divided into multiple pieces.40Call option on the valueAdditional assumptions on the setok:Y(t)=1.Cannot go for short

32、.European callRight to buy a share of the setok with a fixed strike value K at the time of a maturity T(t0+T0).Divisible (i.e. one can buy/sell any amount).Can go for short.Let C(t)=c(t, H(t) be the price process where c(t,0)=0.41Market assumptionsThere are no transaction costs of trading both in ti

33、me and in money; any transaction can be completed immediately, free of charge.The market is completely liquid, i.e. it is always possible to buy/sell unlimited quantities.The selling price is equal to the buying price.The market is free of arbitrage.There is a riskless asset with the short rate r (i

34、ntuitively, the interest rate of the bank account). 42Modeling the dynamicsCompromise (assumed to bring a systemic risk): a Poisson process with intensity l.The value dynamics: dH = (1-ldt)(mHdt+sHdW)-Hldt where m and s are deterministic constants and W is a Wiener process.43Geometric Brownian motio

35、n unless compromised (m: velocity; s: volatility)Revoked if compromisedWe consider the expected value conditioned by the information available at the beginning of the infinitesimal time interval (t, t+dt.Wiener processW(0) = 0, dt dW= 0.If rstu, then W(u)-W(t) and W(s)-W(r) are independent.For st, t

36、he stochastic variable W(t)-W(s) has the Gaussian distribution N0,(t-s)1/2.W has continuous trajectories.Paying attention to (dt)2=0, we have dH = (m-l)Hdt + sHdW (1)44deterministicstochasticItos formulaAssume that H has a stochastic differential given by dH=adt+bdW where a and b are adapted process

37、es, and let x be a C1,2-function. Define the process X by X(t)=x(t,H(t). Then X has a stochastic differential given by45(In our dynamics, a=(m-l)H and b=sH if X is free from the Poisson jump. a=mH and b=sH otherwise.)A variable change(simply a technique to find a closed-form solution afterwards.)Let

38、 G(t)=g(t,H(t) where g(t,h)=1/h.Let us represent partial derivatives by subscripts. Then, Itos formula (considering Eqn.(1) gives dG=gt+(m-l)Hgh+s2H2ghh/2dt+sHghdW=0-(m-l)H/H2+s2H2/H3dt-s(H/H2)dW=(s2-m+l)Gdt - sGdW. (2)46Pay attention to the Poisson jump when considering dCLet z(t, g)=c(t, 1/g).Then

39、 ch = -zg/H2 = -G2zg, ct=zt, and chh=2G3zg+G4zgg.Unless compromised, we can use Itos formula. If compromised, C jumps to be 0. Since (dt)2=0 and (dt)(dW)=0, we have dC=(1-ldt)(ct+mHch+s2H2chh/2)dt+sHchdW-(ldt)c=zt-lz+(s2-m)Gzg+s2G2zgg/2dt-sGzgdW. (3)47Let us consider a riskless portfolioComposed of

40、one share of the setok and M options.Let F be the monetary value (in terms of the initial investment at the beginning of the infinitesimal time interval (t, t+dt) of this portfolio.F = 1 + MC.48M1We want to see dF.Remark: We should write the expected gain conditioned by the information available at

41、the beginning of the infinitesimal time interval (t, t+dt.Regarding the term that considers the M options (i.e. MdC), we can use Eqn.(3).49The term that considers the one share of the setokA liquid market allows us a repetition of immediate trades : Sell one share (issued at the beginning of the inf

42、initesimal time interval) at the end of the time interval at the price of (G+dG)/G according to the tradability, and buy one share (issued at the end of the time interval) at the fixed price 1.Thus, the term is given by dG/G. 50The dynamics of the portfolioBy using Eqns. (2) and (3), we have dF = dG

43、/G + MdC= (s2-m+l)Gdt - sGdW/G + Mzt-lz+(s2-m)Gzg+s2G2zgg/2dt-sGzgdW=s2-m+l+Mzt-lz+(s2-m)Gzg+s2G2zgg/2dt - s(MGzg+1)dW.51By constructing the portfolio with M=-1/Gzg options, we can make it riskless (i.e. no stochastic term).No-arbitrage conditionLetting M=-1/(Gzg) in the deterministic term of the po

44、rtfolios dynamics, we have s2-m+l-zt-lz+(s2-m)Gzg+s2G2zgg/2/(Gzg)=l+lz/(Gzg)-zt/(Gzg)-s2Gzgg/(2zg)No arbitrage requires this to be rF where F=1+MC (otherwise, free-lunch is possible).52PDE (partial differential equation) for z(t,g)No-arbitrage condition l+lz/(Gzg)-zt/(Gzg)-s2Gzgg/(2zg) = r1-z/(Gzg)W

45、e replace G with g to write the PDE: s2g2zgg/2+(r-l)gzg-(r+l)z+zt = 0 (4)(in the domain 0,TxR+.)53Payoff when t=TThe option price at the maturity must be equal to the payoff (to avoid free lunch).If hK, the holder of the option does not exercise it.Therefore, the boundary condition of the PDE is z(T

46、,g)=max0,Kg-1.54A special caseIf there is no possibility of compromise (i.e. l=0), we solve s2g2zgg/2+rgzg-rz+zt = 0 (5) z(T,g)=max0,Kg-1 in the domain 0,TxR+.55Call option on a stockLet the dynamics of a stock price Y be dY = mYdt + sYdW.Let us consider a European call option:Right to buy a share o

47、f the stock with a fixed strike price K at the time of a maturity T.Divisible.Can go for short.Let C(t)=c(t, Y(t) be the price process.56The Black-Scholes formulaThe PDE for c is s2y2cyy/2+rycy-rc+ct = 0 under the boundary condition c(T,y)=max0,y-K in the domain 0,TxR+.Their Novel-prize work gave th

48、e solutionC(t,y)=yNd1(t,y)-e-r(T-t)KNd2(t,y) where N is the cumulative distribution function for the standard normal distribution and d1(t,y)=ln(y/K)+(r+s2/2)(T-t)/s(T-t)1/2 d2(t,y)=d1(t,y)-s(T-t)1/2.57Analogy to the Black-ScholesReplace y with g, c with z/K, and K with 1/K.Thus we find our solution

49、 to (5) as z(t,g)/K=gNd1(t,g)-e-r(T-t)Nd2(t,g)/K.Finally, we obtain c(t,h)=KNd1(t,h)/h-e-r(T-t)Nd2(t,h) where N is the cumulative distribution function for the standard normal distribution and d1(t,h)=ln(K/h)+(r+s2/2)(T-t)/s(T-t)1/2 d2(t,h)=d1(t,h)-s(T-t)1/2.5859Further maturityMore uncertainRelaxin

50、g both chance and riskT = 0.5, T = 1, T = 2.60Larger volatilityMore uncertainRelaxing both chance and riskT=1, 61Higher strike value Better positionT=1, 62Higher short rate More profitable investmentT=1 ApplicationSudden ruin of valuesHow often?Systemic risk Could be implied by the option priceSecur

51、ity minister63Lets measure the market evaluation of the risk.How to solve the PDE (4)In general, use an iterative approach.Intuitively, higher l higher C.64Compute CGuess lObserveError l0 ?65Compute CSet l=l0ObserveToo high?Alarm!(With some statistical tests) Sensitivity: Fortunately or unfortunatel

52、y, short rate r is very low. Another expectation: Introducing derivatives can enhance information dissemination and collection.References (1/3)R. Rue, S. L. Pfleeger, and D. Ortiz: A Framework for Classifying and Comparing Models of Cyber Security Investment to Support Policy and Decision-Making. Workshop on the Economics of Information Security 2007.H. Varian: How to build an economic model in your spare time. Part of a collection titled Passion and Craft: Economists at Work (M. Szenberg ed.), University of Michigan Press, 1997.L. A. Gordon and M. P. Loeb: The Economics of Informat