A Market-based Approach to Predicting Compromises

This is an idea I've been noodling over and shopping around to some in the industry for a month or two now, and I think I'm ready to at least suggest it intelligently here to see what others may think.

I was reading a Scientific American article on the University of Iowa's long-running experiment in using prediction markets to forecast the outcome of presidential elections, and I thought: why not try a similar model to forecast data breaches and security compromises at publicly-traded companies?

As the article notes, prediction markets have been applied to a variety of different problem sets. Their implementations have ranged from the mundane to the contentious (worth a read), but their real prescience is difficult to prove and the subject of long-running debate. It certainly seems that causality wasn't on the drawing board when they were created - the article even acknowledges, "Economic theoreticians have yet to understand precisely why this novel means of forecasting elections should work better than well-tested social science methods," which extends to other uses of prediction markets as well. But hey, these are economists and business folks we're talking about, so we'll let it slide. One thing that is certainly true is that a prediction market is an effective mechanism for aggregating knowledge. Those with the most knowledge are the most likely to invest more, which means the state of the market represents the experts' best guesses on the reality of a difficult-to-measure situation.

So what does this mean in terms of the market's utility? Like a financial market, a security market could improve confidence in decision-making by consumers and businesses alike, without having to be an expert in the industry. The value of companies on the exchange represents their relative and "absolute" (I use that term loosely) data security posture. While this is unlikely to be a key decision point in any but the most specific cases, it supplements decision-making based on other criteria, and could serve as leverage for large deals and acquisitions. Do we want to invest in this company that deals almost exclusively in personal data? Do I want to open an account with this bank? You see where I'm going here.

Naturally, this model isn't without its problems, the first and most difficult of which is at the heart of many security challenges: how does one know when a security compromise occurs? Underlying this question are problems of definition, disclosure, and internal measurement. The solution to this problem is a robust set of market rules, driven by breach disclosure and data protection laws. Can these be broken? Of course, and while breaking the rules of market participation would undermine its confidence, this is a balance that is successfully struck in financial markets with robust oversight complementing the rules of the market.

Market manipulation is manifested in a little different manner than we see in financial markets. If one knows of the potential for a security breach, one could invest accordingly, cause the breach, and profit handsomely. The fundamental difference is control - in large financial markets, it's more difficult for one person or group of people to bet money on an outcome with the knowledge that they can, with some degree of likelihood, create that outcome. So, parallels to insider trading in financial markets are clear, but incomplete. That notwithstanding, while some mitigations may differ in their nature between the two markets, the presence of this problem shouldn't be a show-stopper towards market success as it can be mitigated via rigorous oversight and enforcement.

I don't see this as a panacea to anything, but rather a knowledge aggregator and magnifier. Whether or not it would be useful, or even accurate, I cannot say - nor do I believe anyone could. IANAE (not an economist), nor have I ever sincerely studied the subject of prediction markets, so it's quite possible this proposal reveals my naivety by overlooking some serious faults. If a "real" economist were to give the idea a preliminary thumbs up, or at least not laugh themselves to tears over the thought, I think further study would be an interesting endeavor. At the very least, I think applying economic models to security problems holds a great deal of promise, and is already being considered by others out there, although I haven't been able to find anyone considering this particular approach.

Update 5/27 08:51
It comes as no surprise to learn that this isn't the first time such a market-based approach to security problems has been proposed (thanks for the link, Richard). You'll find this an interesting and more general read on pretty much the same topic.

Update 6/10 20:30
Adam, and readers from Emergent Chaos, provided some good feedback on this idea. Even though the general response is that this wouldn't be a supportable approach, I appreciate the input! This helps me focus my research intentions on the most promising theories and technologies.

Economics and the Security Cold War

The current state of the computer security threat landscape, it has been said, is a new cold war. I feel, regardless of how deeply this anecdote holds, that lessons can be learned from it. Let's accept the cold war metaphor as an axiom for the moment.

It is widely agreed that the cold war between the United States and Soviet Union was decided by economics - quite simply, the US outspent the USSR. In an effort to keep up with American defense spending, the Soviets sent their economy into collapse. If we follow this lesson through our anecdote, the problem of security boils down to one of economics, not complete security. Slowly, the truth that no computer system or network can be perfectly secured is being accepted by decision makers. Thus, the goal of computer security becomes to make the cost of compromise higher than some other alternative. In a necessary divergence from a comparison to the 20th century cold war, and making the economics of computer security more difficult, we must understand that there is no terminal state. There is no Soviet Union to collapse, relaxing the obligation of net defenders. There will always be some entity with a computer and an ambiguous moral compass.

Economic efficiency therefore becomes the ultimate goal of security - to not just defend, but defend in the cheapest possible way, so the most robust defenses can be erected and the prospect of compromising a network becomes too expensive to warrant investment as the adversary considers options in achieving their various ends. Ideally, this makes the cost of achieving a goal more cost effective via moral and legal means. Most likely, though, it just moves the problem to another entity or altogether different domain.

Understanding the threat landscape of the environment to be defended, in this paradigm, is paramount. Adversaries that are looking to save money by sharing games, videos, or music (classically referred to as warez) can quickly and cheaply be driven out of profitability when you consider the cost of a DVD is around $25. Quite a bit more effort (money) is necessary to outspend the likes of scammers and organized crime syndicates. Once espionage - nation-states attempting to achieve multibillion-dollar generational jumps in their military technology - comes into the picture, it's easy to see that the costs become staggering.

Why, then, are we not condoning threat-appropriate strategies for different industries? The defense industrial base and DoD are starting to diverge as an entity from the rest of the world, but this is an exception. Our collective mindset needs to change, and we need to begin by educating other security professionals. Computer security defense intelligence is needed in every industry, to map the computer security needs of an organization to the economics of its adversaries. This is how security is achieved.