Boomtime: Risk as Economics (Notes)

Thank you, internets, for all the feedback I’ve gotten on BoomTime: Risk As Economics. Of course my slides are nigh indecipherable without my voiceover, and my notes didn’t make it to the slideshare, so here are some notes to fill in (some) of the blanks until the video hits YouTube (SiRA members will get early access to SiRAcon15 videos via the SiRA Discourse forum, BTW). (You will want to look at the notes and the slides side by side, probably, as one doesn’t make sense w/o the other.)

An intro here is that in addition to being a product manager specializing in designing large-scale, data-driven security/anti-fraud/anti-abuse automation (yep, that’s a thing), I’m also an economics nerd. (Currently working on an MS in Applied Econ at JHU). Given my background in payments, and a general penchant for “following the money”, framing technology problems on platforms through an economic/financial lens is second nature.

Themes of Security Economics

A list of typical themes one hears when discussing information security & economics: within businesses we are requested to talk about exposures and threats in terms of financial impact, or consider the financial (money) drivers. Also the theme of information asymmetries (Market for Lemons) is a big theme of information economics and of software markets in general: when information about quality of a product is difficult to find, that lack of transparency drives down prices, and we get less incentives to improve quality. (Ask me questions about market signals as a mechanism for correcting information asymmetries.) “Make it more expensive for the attacker” or “don’t outrun the bear, outrun the guy next to you” is also an idea that gets raised. Game theory, concepts of quantifying “risk” (exposure, tolerance), markets for exploits & vulns is a hot topic at the moment, as is behavioral economics and all things related to incentive design – gamification being the most buzzwordy example, perhaps, but framing as a method for improving consumers’ ability to make good choices related to privacy preferences also something that has come up a bit lately in security economics research. Anyway, these are some themes that tend to be repeated in recent research literature.

Continue reading

Inferior Goods & the Security CPI

I spend a lot of time thinking about how to use economics to create safer, more secure systems. That’s what’s been driving my forays into seeing if how economists deal with grey markets might work in infosec, what we as system designers can learn from game theory, how to connect secure networks using graph theory (haha), why submitted a paper to WEIS, and why, now, I’ve gone back to school (again) to study economics in more depth. I’m taking microeconomic theory now. It’s just like micro the last two times around, with less folksy examples and more calculus.

So. What I want to talk to you about is a little idea I had regarding inferior goods as they may relate to a firm’s level of maturity, and how that might be interesting both on it’s own, and if we had the concept of a CPI (consumer price index) for security. Let’s call this @selenakyle’s Security CPI, in case anyone wants to adopt this idea in the pantheon of the Hutton Security Mendoza line or Corman’s HD Moore’s law.


Some background.

What’s an inferior good?

The simple answer is: an inferior good is one where when consumer income rises, their demand for the good decreases. (Period. “Inferior goods” as a concept is totally distinct from information asymmetry and conversations about lemon markets)

More detail on inferior goods:

spare a util, brother?

Utility curves: Preferences between Good A & Good B, at different levels of investment (U1, U2, U3). Thanks investopedia!

Start with the assumption that consumers seek to maximize their utility given a fixed budget, i.e. they have an income, and they spend it in a way to get the most for their money, given their individual preferences. When consumers experience an increase in income, they will consume *more* of most goods (due to rational utility maximization and non-satiation) but will purchase less “inferior” goods – potentially because they can afford better.

A classic example is potatoes within a food budget; when income goes up many consumers will purchase less potatoes…and more meat, or higher-end food items. So, the effect of changes in prices may also be affected by the mix of normal vs inferior goods in the bundle. An example – when prices go up and income stays flat, a consumer may change their mix to include more inferior goods. Or another example – when prices are flat and income goes up, a consumer may shift their mix to include less inferior goods. In any case, the consumer will shift their consumption to maximize their utility, and adjust to new prices or income levels.

The key here is what happens as income rises: does the mix of products in the bundle consumed change (preferences shift) or is it just *more* of the products (same preferences)?

Continue reading

2014.11 (ISC)2 Election Time!

Hi everyone,
I am running for the (ISC)2 Board of Directors this fall.

Basically – I have been a CISSP for almost 15 years and would like the opportunity to help out (ISC)2 more directly. I’d like to spend some time building out the (ISC)2 foundation, and also work on clarifying the strategy and growth plans for the certification/training programs. In addition to my experience in the infosec/risk management space, I have leadership experience with non-profit and volunteer-driven organizations that will be useful. If you are interested in the election and have questions – ask away. Otherwise I feel like I’m talking to myself (more than usual).

About the election (includes Board slate, timeline, & process)

Of course, I will keep updating this with additional content.

About me

I’m adding this section from my statement on (ISC)2 website because it gets to the core of what I’ve been thinking about and discussing with colleagues when it comes to (ISC)2. Check out my full statement on the election website for more details, and come back to me with questions!

(ISC)²’s ambitious vision is to “Inspire a safe and secure cyber world,” and we are strongly positioned to lead the industry forward, as our organization has both the expertise (our membership) and the reach (through the Foundation) to up-level security for businesses AND consumers globally. Since most of my career has been dedicated to protecting consumers and end-users from online threats, I am both keenly interested and uniquely qualified to help the organization refine and achieve this vision.

To pursue this larger long-term vision for tomorrow, today we need to address a few key questions related to the future of (ISC)²’s core program components: certification, membership, and training. The bottom-line is that (ISC)² members need:

  • Confidence in the credibility of (ISC)² certifications
  • A clear value proposition to ongoing affiliation with the organization
  • Access to useful training and education opportunities

While what we expect from (ISC)² is straightforward, what the industry expects from us is a little more complex. Market needs for infosec are evolving, and successful certification/training programs must find a better way to meet practitioner requirements for both specialization (e.g. application security or quantitative risk analytics) and generalization (broad base of “basics,” fluency in companion domains like network operations, law enforcement, software development, or management/business strategy). Professionals already require credibility (and potentially certifications) across several dimensions. With demand for critical skills continuing to increase, to raise the level of our game means as professionals, certification is the beginning – not the end – of our practice.

Payment Risk: DSS & Close Range Combat

When it comes to PCI-DSS, it is easy to get confused about whether or not it’s working. And part of the reason why is that it has never been very clear what problem the PCI-DSS is attempting to solve. Is it trying to prevent fraud, or ensure a dependable minimum level of security in the payment system? My answer so far is neither.

Fraud has always been a problem of payment systems. Cards, like cash, can be counterfeited – and as technology to make counterfeiting more difficult advances, so too does the technology with which anti-counterfeiting methods can be defeated. In card payments, liability for fraudulent transactions is defined within their operating rules (for example the Visa Operating Regulations), and tends to be determined on a transaction-by-transaction basis. To prevent fraud the card issuer that authorizes the transactions needs as much information as possible to detect off behavior, and the merchant that accepts the transaction needs to take some basic precautions at the point-of-sale (in the U.S., at the simplest level this is swipe the card and check the signature). Liability for fraud in the face-to-face environment (when the merchant follows the correct operating procedures) usually rests with the Issuing bank. Liability for fraud in the Card Not Present (CNP) world often rests with the merchant, because the merchant *can’t* follow the existing procedures — no signature.

The point here is that liability is determined on a case-by-case basis, applying the operating rules to the details of each transaction, as evidenced by the data that has gone back and forth between the merchant and cardholder, and then from the merchant through their acquirer/processor to the issuing bank and back again. Transactional liability is both well-defined and, given the scenario, relatively easy to assign.

However when payments started going online, something interesting happened. It became fairly obvious that the information needed to process a payment online (16-digit PAN, expiration date, address information of the cardholder) was also (obviously) being transmitted online and (not so obviously, but, in the early 2000’s kind of terrifying) being stored online. This opened up the possibility that an entity could get popped and lose not just a week’s worth of transactions at one point-of-sale — but hundreds, thousands, *millions* of cards in a single swoop, and fraudsters could use those cards downstream.

Let’s review that scenario: an online retailer gets popped and then those cards get used…at OTHER online retailers. Or face-to-face retailers that allow key-entered (manually typed in) transactions. Maybe across many retailers. And across many Issuers. Not a “local” merchant, like a gas station, where it would be fairly obvious to connect the fraud cases that follow. How long would it take to detect it? How many downstream participants in the system, following the operating procedures as designed, would have to deal with the negative aftershocks coming from that one compromise event? And since the party that “should” be accountable is not actually part of the manifesting fraud transactions, how can liability be shifted?

Historical note (fraud prevention infrastructure): In the early 2000’s the discussion was mostly focused on the CNP environment because a) it was new, b) it was the wild west, and c) a number of high profile web companies got hax0red. Payment/fraud geeks can think of this as the era of: Address Verification System (AVS) was *pretty* well established at this point, SET was finally acknowledged as totally DOA, the drumbeat for 3D Secure was on but *nobody* was adopting yet (it was before the big push in the EU)…and early days for chip. Also: still on regular DES in the PIN infrastructure.

Historical note (fraud prevention & security strategy): One may also remember the era in this way: Issuing banks owned authorization strategy (meaning, they were making the approval decisions on transactions) and very few merchants had made investments in fraud screening. All of the banks were getting a little spooked that databases full of juicy card details were sitting outside the payment system and that so many of them were accessible from the internet. Merchants of yore never needed to store card details — just receipts.

Back to the scenario: one of those wild west outposts full of juicy card data gets popped, downstream participants (Issuers, merchants, cardholders) feel the pain, the compromised party may or may not be known. The network operating guidelines’ transactional rules don’t adequately assign liability back to the accountable party: what are the banks going to do? Well, there are pretty much two options: adjust the system to assign liability back to an accountable party OR go outside the system to demand restitution. The former is difficult and the latter takes issues of the payment system outside standard channels which for several reasons is not ideal for the payment systems themselves, who have elaborate systems set up for arbitration and compliance to address issues between participants.

It is out of this alchemy that the card network data protection programs were born. They are liability plays all the way, and I give them the benefit of the doubt that they were meant to be incentives to encourage merchants to “do the right thing” and secure payment card data. MasterCard and Visa developed slightly different programs. My paraphrase is: MasterCard’s SDP essentially said to merchants — we trust you to secure the data, but if you get hacked we are going to levy fines to high heaven. And Visa’s CISP/AIS programs essentially said — we want to see some proof in advance — so get audited by a Qualified Security Assessor (QSA) who will attest you’re cool, and then if something happens but you were compliant, we’ll work with you.

Both approaches are sticks, neither is a carrot. The subsequent merger and morph into the PCI-DSS sort of also merged the compliance program approach. Merchants must both get attestations of compliance AND if breached there are programs for providing remuneration to downstream system participants affected. (BTW: PCI has more than one standard in it’s purview, though most people when referring to PCI mean the Data Security Standard…poor PIN/PED requirements, always subordinated to DSS…)

The PCI-DSS requirements themselves were developed as a set of reasonable industry best practices (I can only speak w/authority on intentions behind the Visa program progenitors but let’s just go with it). At their best, they are meant to provide guidance to merchants who otherwise would have no idea how to protect cardholder data. The criticisms of the DSS itself are wide-ranging but I personally find the DSS simply basic, not bad, and just a narrow view (focused on payment card data and systems) and yet still very general (security is contextual and needs to be tailored). Really the DSS should have been left as guidance, but unfortunately there’s this business of being assessed and a whole industry that has grown-up around QSA-dom. I find the process of getting assessed to be much more objectionable than the requirements themselves: “compensating controls” could be a book in and of itself, but QSA’s are auditors first and foremost (ROC on), and generally asked to interpret or design strategic security as a secondary concern, if at all.

Now, while in the early 2000’s the focus of all this angst was on CNP merchants, since then the scope of the PCI-DSS problem has embiggened. The DSS quickly expanded to include non-CNP, payment processors, and even the banks themselves. So a program of best practices designed to secure payment card data *outside* of the payments infrastructure got some retrofitting to also cover payment card data ostensibly *inside* the payments infrastructure. You can’t see me right now, but I’m raising an eyebrow, because the payment infrastructure is so interdependent, and has so many legacy components – to step-level up the security of payments infrastructure is impossible to manage without some serious planning, a boatload of direct economic impacts, and hell of a lot of specificity. *Upgrade to triple-DES I’m looking at you*. All I’m saying is, if you’ve got payments infrastructure requirements – don’t bring a knife to a gun fight.

Speaking of knife fights, let’s chat about fraud. Yes, fraud may go up after a major compromise. If counterfeiters flood the market with bad cards, it may take a while for the issuer fraud screening to kick in. Card re-issuance is expensive and so some issuers take a risk and leave potentially compromised cards open and then miss some fraud transactions. However, if major compromises go down, will the fraud rate also go down? That is less clear. Motherlode-sized compromises are a recent phenomenon, and while the fraud rates have ticked-up in the past two years, from 2003-2010 they were hovering near historical lows. Note: fraud losses in total dollars continue to climb, but the global fraud rates (i.e. the portions of total payment volume that ends up as fraud) are relatively steady over the past decade, less than 6 basis points (percents of a percent). (If you’re a U.S. CNP merchant you’re laughing out loud that people would be in a huff over 6 bp). The Nilson Report is a good place to get some data. I also like the CyberSource report but I’m writing this all in notepad.

My point here is that major compromises (that have been getting a LOT of press and attention) are only ONE method the fraud economy uses to operate. All of other methods like skimming, social engineering, insider threats, and plain old theft still exist. And so with all of this, how is fraud being kept down below 10bp? That’s a multiple choice answer: some markets have opted for prevention strategies (Europe loves their chip & PIN and 3D Secure is working there), others have opted for more advanced detection strategies (in the U.S., both issuers and merchants have adopted more advanced fraud screening technology). There are a lot of influences, but it’s pretty clear that most entities that get hit with transactional fraud losses are a) not waiting around for a panacea, and b) not depending on upstream security to reduce their exposure to fraud. (Fraud counterpoint: if you’ve got fraud prevention requirements, don’t bother with a gun in a knife fight.)

Thus if we are to ask ourselves what the PCI-DSS program (requirements plus compliance program) is set up to solve, the answer is something along the lines of “to provide a benchmark of *NOT negligent*” for individual system participants. And that might actually be an okay scope, as long as everyone’s clear what problem is being solved and that it is in the industry/community’s best interest to solve it. However, to solve problems like “fraud prevention” or “payments infrastructure security”, stronger — or at least more direct — medicine (and economic incentives) will be required.


This particular post was inspired in part by this Business Week Online article. As an industry, if we are looking to make improvements to infrastructure security or fraud management, we need to be asking the right questions. And as we seek to improve defenses and system strategy in general, it’s useful to clarify the different problem spaces of fraud & security, if only to confirm the variety of solution sets (technology, process, economics, compliance) we have to work with. 

Operating [All the Things] By the Numbers

I just finishing giving a third version of a presentation that I put together on lessons Infosec/Risk/Platform owners can learn from classic Operations Research/Management Science type work. The talk (“Operating * By the Numbers”) was shared in Reykjavik (Nordic Security Conference), Seattle (SIRACon 2013), and in Silicon Valley (BayThreat). Thanks everyone who attended, especially those of you who asked questions and provided feedback.

A few folks have asked for reading lists. Some asked for the quick run-through sample from my bookshelf, others want some further reading. Here’s the quick run through:

And I also want to give another shout-out to Combat Modeling, by Alan Washburn and Moshe Kress, of the Naval Postgraduate School. It’s a pricey text, but take a look at the table of contents & the topics they cover. Really interesting work to consider for control system designers.

Also, I haven’t read these personally but they are on my “to read” list as they came recommended by fellow quant/risk nerds:

And here’s a link to one of my blog posts (Quant Ops), which includes a few references and some thinking on the topic from a different angle.

Banned Book Club: Les Fleurs du Mal

Title: The Flowers of Evil

Published: 1857

Author: Charles Baudelaire

Challenge status: After publication of the book, both the author and the publisher were prosecuted for the French equivalent of obscenity, aka “outrage aux bonnes mœurs” (trans. “an insult to public decency”). Baudelaire was fined, and six poems were formally banned from publication/dissemnation: “Lesbos”, “Femmes damnés”, “Le Léthé”, “À celle qui est trop gaie”, “Les Bijoux”, and ” Les “Métamorphoses du Vampire”. The ban was not lifted in France until 1949; a second French edition was published in 1861 (with the suppressed poems removed, and new poems added). The censored poems were published in Brussels, in a volume called “Les Épaves” (Scraps). Book #44 on Summer of Banned Books ’13.

Why: Too sexy, Charles

First line: From the first poem, “Bénédiction“:

”Lorsque, par un décret des puissances suprêmes / Le Poète apparaît en ce monde ennuyé / Sa mère épouvantée et pleine de blasphèmes / Crispe ses poings vers Dieu, qui la prend en pitié…”

When, on a certain day, into this harassed world / The Poet, by decree of the high powers, was born, / His mother, overwhelmed by shame and fury, hurled / These blasphemies at God, clenching her fists in scorn…” (Edna St. Vincent Millay translation)


You didn’t think i was going to end with a D.H. Lawrence book, did you?

Continue reading

Banned Book Club: Sons and Lovers

Title: Sons and Lovers

Published: 1913

Author: D.H. Lawrence

Challenge status: #64 on Radcliffe Publishing Course Top 100 Novels of the 20th Century, and frequent target of banning attempts (frequently challenged classics) according to the ALA’s Office for Intellectual Freedom. Book #43 on Summer of Banned Books ’13.

Why: Ok. This made me laugh out loud so here’s the quote verbatim:In 1961 an Oklahoma City group called Mothers United for Decency hired a trailer, dubbed it “smutmobile,” and displayed books deemed objectionable, including Lawrence’s novel“. I’ve looked for some other references: Wikipedia says it was banned as obscenity but I don’t see a source, Lady Chatterley’s Lover and The Rainbow seem to get more of the censorship press. Let’s go with “controversial” and/or “allegedly obscene” on this one.

First line: ”’The Bottoms’ succeeded to ‘Hell Row’”.


As you may remember from Women in Love, D.H. Lawrence is not my favorite author. But, this book was all that was standing between me and clearing the ALA OIF Frequently Challenged Classics list, so here we are.

Published in his 20’s, Sons and Lovers is considered by many critics to be Lawrence’s strongest work – though the infamy and popularity of Lady Chatterley’s Lover and some of his other, later works ended up eclipsing this novel. Loosely autobiographical, it is probably the best one to start with if you are going to review Lawrence’s books as a broader set of narratives, as we are able to grow with the protagonist Paul Morel – from birth through adulthood.

Continue reading

Banned Book Club: Leaves of Grass

Title: Leaves of Grass

Published: 1855

Author: Walt Whitman

Challenge status: After Leaves of Grass was originally published, the Boston District Attorney and the New England Society for the Suppression of Vice worked to block publication of further copies/editions, and got retailers and bookshops to blackball the book. “With the single known exception of the Library Company of Philadelphia, libraries refused to buy the book, and the poem was legally banned in Boston in the 1880s and informally banned elsewhere“. Book #42 on Summer of Banned Books ’13.

Why: Too sensual. Even with a LOT of allegory, Whitman was writing not just about love, but about sex, and very clearly. The outrage was such that the book was panned by critics, was the grounds for Whitman’s dismissal from his job (Whitman worked for the Department of the Interior, but was fired after Secretary of the Interior James Harlan read and was offended by the book), and the source of rumors around Whitman’s sexuality (historians are still arguing about his possible bisexual or homosexual tendencies).

First line (from Song of Myself): ”I celebrate myself, and sing myself / And what I assume you shall assume / For every atom belonging to me as good belongs to you.”


Whitman is, for all intents and purposes, the father of American poetry – and Leaves of Grass represents his life’s work. I would describe Whitman as a romantic naturalist. Meaning, he pulls in a lot of pastoral scenes and metaphors; his work is romantic (not always sentimental, though) and lush, effulgent, fecund – always an homage to fertility. Ralph Waldo Emerson was one of his influences. Incidentally, both Emerson & Mark Twain defended Leaves of Grass from critics/censors.

I believe in you my soul, the other I am must not abase itself to you, And you must not be abased to the other. — Walt Whitman, Leaves of Grass, “Song of Myself”

Continue reading

Banned Book Club: The Color of Earth

Title: The Color of Earth (First book in the The Story of Life on the Golden Fields trilogy)

Published: 2003 (in Korea), 2009 (English translation)

Author: Kim Dong Hwa

Challenge status: In 2011, #2 most challenged book as tracked by ALA/OIF. Book #41 on Summer of Banned Books ’13.

Why: Some of the reasons given for challenges were: nudity, sex education, sexually explicit, and unsuited to age group.

First line: ”Them beetles are matin’.”


Ehwa lives with her mother in a small rural village. Every Spring, Ehwa learns a little more about life, and love – the book starts with her at age eight and follows her through puberty via a series of vignettes. If you can imagine Judy Blume’s “Are You There God? It’s Me, Margaret” set in rural Korea, as a prettily illustrated graphic novel, with a little more lyricism and a little less suburbia, you’ll have a sense of it.

Note: Speaking of frequently challenged books and their authors: Judy Blume has five books on The 100 Most Frequently Challenged Books of 1990 to 1999 list: Forever (7), Blubber (30), Deenie (42), Are You There, God? It’s Me, Margaret (60), and Tiger Eyes (89).

Continue reading

Banned Book Club: Howl

Title: Howl

Published: 1955/1956

Author: Allen Ginsberg

Challenge status: In 1957, 520 copies of the work being imported (from London) were seized by customs, and  the poem was the subject of an obscenity trial. City Lights bookstore in San Francisco was publishing/selling the book, and clerk Shig Murao was arrested and jailed after selling a copy to an undercover police officer. City Lights co-founder Lawrence Ferlinghetti, the publisher, was also arrested – the work, Murao, and Ferlinghetti were eventually acquitted, after a highly publicized trial. Book #40 on Summer of Banned Books ’13.

Why: References to sex (graphic – both heterosexual & homosexual), and drugs

First line: ”I saw the best minds of my generation destroyed by madness, starving hysterical naked,”


I do love me some poetry. I’m not a particularly skilled analyst of the Beats, though. I love how Howl is so clearly “of America” and speaks so clearly from a certain time period. A lot of poetry tends towards the pastoral and I do appreciate the more urban and political elements.

Moloch whose eyes are a thousand blind windows! – Allen Ginsberg, Howl

Continue reading