Cross-cutting themes

Security economics

Security economics combines perspectives from information technology and the social sciences. It applies ideas from microeconomics and game theory to information security in order to understand the trade-offs and misaligned incentives that arise in the design and use of security solutions. Security economics examines, for example, the incentives of internet service providers (ISPs) and software companies in situations where they encounter malware, and how these incentives affect the overall level of system security.

The attacker economy is also becoming an important perspective, as it helps to understand how attackers weigh costs and benefits when selecting targets. It can also be used to design better defences. In addition, this perspective examines how cybercriminals protect their own operations from law enforcement, for example by building resilient botnets or using techniques designed to conceal traces.

Security economics is important when analysing different attacks and defensive measures. It also helps in understanding the costs faced by both users and attackers. The central idea of this kind of sociotechnical approach—based on the interaction between people and technology—is that security is not purely a technical problem. Instead, it always involves decisions in which benefits and costs are weighed from the perspectives of both defenders and attackers.

Security architecture and lifecycle

Security architecture refers to the high-level design of a system from a security perspective, in particular how key security measures are motivated and positioned. This requires understanding the lifecycle of systems as a whole, from design to decommissioning [18]. It is worth reviewing the entire introductory module once you are familiar with the rest of the material. At that point, the links in this section to other modules will help you grasp this broad subject. You may also note at the outset that, for example, [18] above refers to a software lifecycle model.

The first stage of design is to examine the intended use of the system. From the business process, it is necessary to identify the interactions between users, data, and services. The business process may need to be modified when interactions are identified whose risk [8] may be too high. Requirements may also arise from outside the system through regulations or contracts [4].

The next step is to group users and data into rough categories using role-based access needs. This can be complemented with more formal classification. In any case, these categories form a draft structure of the system’s compartments, for example public data for general users, salary data for administrative staff, and design data for engineers. The compartment structure should be designed so that boundaries only need to be crossed in uses that have been identified and accepted at the highest risk level. Such compartmentalisation is typically implemented through network structure [20]. Detailed design then continues within compartments by specifying user roles, data structures, and access control [15]. Refined risk assessments [3] are carried out as the design progresses.
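The compartment draft described above can be checked mechanically. The following is an added example, not part of the original course material: the role names, data categories, accepted crossings and sample interactions are all constructed, and it flags any user-data interaction that crosses a compartment boundary without having been identified and accepted.

```python
# Added example: all names, roles and flows below are constructed for illustration.
from dataclasses import dataclass

# Draft compartments from the text: each groups user roles with a data category.
COMPARTMENTS = {
    "public": {"roles": {"general_user"}, "data": {"public_data"}},
    "admin": {"roles": {"administrative_staff"}, "data": {"salary_data"}},
    "engineering": {"roles": {"engineer"}, "data": {"design_data"}},
}

# Boundary crossings identified and accepted during risk assessment
# (hypothetical entries): (role, data category).
ACCEPTED_CROSSINGS = {
    ("administrative_staff", "public_data"),
    ("engineer", "public_data"),
}

@dataclass(frozen=True)
class Flow:
    role: str
    data: str

def compartment_of(kind, name):
    """Return the compartment that holds a role (kind='roles') or data category (kind='data')."""
    for comp, members in COMPARTMENTS.items():
        if name in members[kind]:
            return comp
    raise ValueError(f"unclassified entry in {kind}: {name}")

def review(flows):
    """Sort flows into internal, accepted crossings, and unreviewed crossings."""
    report = {"internal": [], "accepted": [], "unreviewed": []}
    for f in flows:
        if compartment_of("roles", f.role) == compartment_of("data", f.data):
            report["internal"].append(f)
        elif (f.role, f.data) in ACCEPTED_CROSSINGS:
            report["accepted"].append(f)
        else:
            report["unreviewed"].append(f)  # needs a risk decision or a redesign
    return report

# Constructed interactions, as they might be extracted from a business process.
SAMPLE_FLOWS = [
    Flow("general_user", "public_data"),
    Flow("engineer", "public_data"),
    Flow("engineer", "salary_data"),
    Flow("administrative_staff", "salary_data"),
]

if __name__ == "__main__":
    for kind, flows in review(SAMPLE_FLOWS).items():
        print(kind, [(f.role, f.data) for f in flows])
```

An unclassified role or data category raises an error, so the check fails closed rather than silently treating unknown entries as internal.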

System security is improved by a consistent approach to security infrastructure, such as

  • key management [19] + network protocols [20];
  • resource management + coordination [13];
  • roles + access control [15];
  • modelling of user behaviour [5] + intrusion detection [9].

In addition, standards or at least best practices are required. In some industries, best practices are mandatory (e.g. the payment card industry). In other cases, best practices may come from openly available sources (e.g. OWASP) or from benchmarking between companies.

The broad overview of security architecture and lifecycle presented here can be summarised as security by design and security by default. Taking security into account throughout the lifecycle, including beyond default configurations, reduces insecurity in deployed systems.


Sources for module 1:

  • Boholm, M., Möller, N. and Hansson, S.O. (2016), The Concepts of Risk, Safety, and Security: Applications in Everyday Language. Risk Analysis, 36: 320-338. doi:10.1111/risa.12464
