session 4: economics of...web vulnerability data 4 hackerone wooyun hq us & nl china founded...
TRANSCRIPT
![Page 1: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/1.jpg)
![Page 2: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/2.jpg)
Session 4: Economics of
Privacy & Security
![Page 3: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/3.jpg)
Jens GrossklagsPennsylvania State University
An Empirical Study of Web Vulnerability Discovery Ecosystems
Co-authors: Mingyi Zhao, Peng Liu (Pennsylvania State University)
![Page 4: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/4.jpg)
An Empirical Study of Web Vulnerability Discovery Ecosystems
Mingyi Zhao, Jens Grossklags, Peng Liu
Pennsylvania State University
![Page 5: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/5.jpg)
(1995)
Bug Bounty HistoryBug Bounty Platforms
(Web Vulnerability Discovery Ecosystems)
HackerOne
Wooyun
2
![Page 6: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/6.jpg)
Motivation and Approach
• Motivation: Detailed studies of Web vulnerability discovery ecosystems are absent– Debate on the impact of bug bounties for web security– Policy: e.g., limits on legality of vulnerability research
• Approach: Empirically study characteristics, trajectories and impact of two representative ecosystems– Stakeholders: Companies/organizations, white hats, black hats,
public, policymakers, bounty platform providers etc.– Focus of this presentation: Perspective of companies and
organizations
3
![Page 7: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/7.jpg)
Web Vulnerability Data
4
HackerOne WooyunHQ US & NL ChinaFounded 2013‐11 2010‐07# Vulnerabilities 10,997 64,134# White hats 1,653 7,744Participation Model Organization‐initiated White hat‐initiatedBounty Level Avg. $424 (Various) Very LowDisclosure Partial FullData Collected Bounty Amount
Response TimelineVulnerability Type Severity
(Data until 2015‐07)
![Page 8: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/8.jpg)
Participation by Organizations
5
![Page 9: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/9.jpg)
Organization Types
6
• HackerOne: 99 organizations– All IT companies– Social networking, security, bitcoin …
• Wooyun: 17328 organizations
# Orgs # VulnGov 3179 4772Edu 1457 4017Fin 1040 2794
IT Sector Non‐IT Sectors
![Page 10: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/10.jpg)
• The white hat-initiated model (Wooyun) achieves a much broader coverage of organizations– Less constraints for targeting organizations with web security
issues– Growing size and diversity of the white hat community
• More limited participation under the organization-initiated model (HackerOne)– Raises question about ways to increase participation by
companies and white hats
7
Takeaways: Participation
![Page 11: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/11.jpg)
Types of Vulnerabilities & Severity
8
![Page 12: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/12.jpg)
Types & Severity - Wooyun
9
* OWASP TOP 10 in bold font
High: 44%Med: 40%Low: 16%
![Page 13: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/13.jpg)
Severity – HackerOne
• Infer medium and high severity percentage from bounty distribution and policy statement
10
21% 23% 19%
35% 37% 8%
![Page 14: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/14.jpg)
• White hats make considerable contributions– Broad range of vulnerability types– Significant percentage of medium/high severity reports
• White hat-initiated model (Wooyun) harvests potential of the community more comprehensively– Occasional contributors perform as a group almost as well as top
white hats in terms of finding high severity issues– Can organizations properly handle all reports?
11
Takeaways: Types & Severity
![Page 15: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/15.jpg)
Response Behaviors by Organizations
12
![Page 16: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/16.jpg)
Response - Wooyun
13
• Segmenting organizations by Alexa rank (i.e., popularity) reveals differences in response patterns
0%10%20%30%40%50%60%70%80%
Handled Handled(Third Party)
No Response
Large (Alexa 1 ‐ 200)Medium (Alexa 201 ‐ 2000)Small (Alexa > 2000)
Types of Response to Vulnerability Reports
Percentage of R
eports
![Page 17: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/17.jpg)
Response - HackerOne
14
• Organization-initiated programs handle most reports and have quick response times– First response time median: 4.5 hours– 90% of the disclosed reports were resolved in 30 days
![Page 18: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/18.jpg)
15
• Wooyun: Many organizations are not prepared!– Particularly smaller, less popular websites (Alexa > 2000)
• White hat-initiated model may increase risk for unprepared organizations– Vulnerabilities are published after 45 days; vulnerabilities with
no response (unhandled) could still be exploitable– Balance trade-off between applying pressure and reasonable
expectations for response by small companies
Takeaways: Response
![Page 19: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/19.jpg)
Cost and Impact of Bounties
16
![Page 20: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/20.jpg)
• Different levels of bounties:
Impact of bounties?
Bounty Structure - HackerOne
17
020406080100120
0 50 171 319 487 538 611 700
Avg # Vu
ln. p
er M
onth
Average Bounty ($)
![Page 21: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/21.jpg)
Impact of Bounties
• Regression methodology
• Dependent variable: – Average # reports per month
• Independent variables:– Average bounty– Alexa rank– Platform manpower (time-weighted # white hats / # org.)
18
![Page 22: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/22.jpg)
Regression Analysis Results
19
+$100 ~ +3 vuln./month
More popular
More attentionMore complex
More reports
![Page 23: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/23.jpg)
20
• While HackerOne puts focus on monetary compensation of white hats, we still observe many contributions (20% of all reports) to programs without bounties (33% of all programs)– Pay-nothing is a viable approach
• However, higher bounty amount is associated with considerable increase of number of vulnerability reports
Takeaways: Bounties
![Page 24: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/24.jpg)
Security Improvements
21
![Page 25: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/25.jpg)
Vulnerability Trend: Data
22
• Wooyun:
• HackerOne:
![Page 26: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/26.jpg)
Statistical Trend Test
• Laplace Test – Used in previous vulnerability study (Ozment, 2006)– Criteria: >= 4 months and >= 50 reports
23
Decrease Increase No TrendHackerOne 32 8 9
Wooyun 11 81 17
![Page 27: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/27.jpg)
• Despite/because monetary incentives on HackerOne: Fewer vulnerabilities are found over time– Indicative of improved web security of participating IT companies– Initial spike: With sufficient incentive, many vulnerabilities which
likely where known/existed before launch are reported when the program opens
• Opposing trend for Wooyun programs– Likely worse integration between bug bounty program and SDL
24
Takeaways: Trends
![Page 28: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/28.jpg)
Thank you.
25
• Comparison between different Web vulnerability ecosystems provides unique opportunities to study effectiveness of policies and practices– Many more results in the paper(s)
• Jury is still out about which participation model offers the most important benefits
![Page 29: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/29.jpg)
Veronica MarottaCarnegie Mellon University
Alessandro AcquistiCarnegie Mellon University
Who Benefits from Targeted Advertising?Co-author: Kaifu Zhang (Carnegie Mellon University)
![Page 30: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/30.jpg)
Veronica Marotta, Kaifu Zhang, Alessandro Acquisti
Carnegie Mellon University
Federal Trade CommissionPrivacyCon 2016
Who Benefits From Targeted Advertising?
![Page 31: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/31.jpg)
![Page 32: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/32.jpg)
Personal information is the lifeblood of the Internet
Loss of privacy is the price to pay for the benefits of big data
Sharing personal data is an economic win‐win
![Page 33: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/33.jpg)
Who Benefits from Targeted Advertising?
• To what extent availability of more and more preciseinformation about consumers leads to:– An increase in total welfare?– A change of allocation of benefits between different stakeholders?
• Firms• Consumers• Intermediaries (i.e. ad exchanges)
![Page 34: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/34.jpg)
Methodology
• Multi‐stage, 3‐players model of online targeted advertising
• Compare scenarios that differ in the type and amount ofconsumer’s information available during the targeting process
• Account for the role of the intermediary (the ad exchange) inthe advertising ecosystem
• Focus on “Real‐Time Bidding” (RBT)
![Page 35: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/35.jpg)
Advertisers are Bidding for Consumers
Ad Exchange
![Page 36: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/36.jpg)
Advertisers are Bidding for Consumers
Ad Exchange
- Impression- Users
parameters- Cookies
![Page 37: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/37.jpg)
Advertisers are Bidding for Consumers
Ad Exchange
Winner
- Impression- Users
parameters- Cookies
AD
![Page 38: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/38.jpg)
The Model: Basic Setting
3. Consumers:• Have product preference, but need to find seller• Differ along two dimensions: horizontal (brand preference) and
vertical (purchase power)
1. Firms (the Advertisers):• Profit‐Maximizer• Cannot target consumers directly
2. Intermediary (the Ad Exchange):• Profit‐Maximizer• Runs auctions for advertisements’ allocation
![Page 39: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/39.jpg)
The Model: Sequence of Events
ConsumerTwo Dimensions:• Horizontal• Vertical
1 Ad Exchange
2
Firms
Information about consumers made
available
3
Second-Price Auction
4
• Bid for Advertisement (Consumer)
• Price of the product
5
Winner of the Auction• Pays second-highest
bid• Shows the Ad 6
• Sees the Ad• Purchase decision
Consumer
Observes the consumer’s information
![Page 40: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/40.jpg)
The Model: Sequence of Events
ConsumerTwo Dimensions:• Horizontal• Vertical
1 Ad Exchange
2
FirmsObserves the
consumer’s information
3
Second-Price Auction• Horizontal Info• Vertical Info• Both Info• No Info 4
• Bid for Advertisement (Consumer)
• Price of the product
5
Winner of the Auction• Pays second-highest
bid• Shows the Ad 6
• Sees the Ad• Purchase decision
Consumer
![Page 41: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/41.jpg)
Analysis
1. For each scenario, we derive:• Firm’s bidding strategy (for advertisement)• Firm’s pricing strategy (for product being advertised)• Intermediary’s profit• Consumer’s choice
Equilibrium Concept: Nash Equilibrium for Second‐PriceAuctions
2. Through simulations of the model, we analyze how the outcome interms of consumers’ welfare, intermediary’s profit and firms’ profitchanges under the different scenarios
![Page 42: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/42.jpg)
“Consumers at Auction," Veronica Marotta, Alessandro Acquisti, and Kaifu Zhang, ICIS 2015
Welfare Analysis
Consumers’ surplus
X axis: degree of horizontal differentiation
Y ax
is: d
egre
e of
ver
tical
diff
eren
tiatio
n
Horizontal Information
No Information
![Page 43: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/43.jpg)
“Consumers at Auction," Veronica Marotta, Alessandro Acquisti, and Kaifu Zhang, ICIS 2015
Welfare Analysis
Consumers’ surplus
X axis: degree of horizontal differentiation
Y ax
is: d
egre
e of
ver
tical
diff
eren
tiatio
n
Horizontal Information
No Information
Intermediary’s profit
No Information
Vertical Information
![Page 44: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/44.jpg)
Welfare Analysis
• Allocation of Benefits (proportions) among Consumer, Advertiser and Intermediary under the four scenarios
a. No Information
![Page 45: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/45.jpg)
Welfare Analysis
• Allocation of Benefits (proportions) among Consumer, Advertiser and Intermediary under the four scenarios
d. Complete Information
b. Horizontal Information
c. Vertical Information
a. No Information
![Page 46: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/46.jpg)
Results
1. Consumer’s surplus is higher when only specific type of informationis available (horizontal information) and, generally, when lessinformation is available
2. There exist situations in which the incentives of the Intermediary aremisaligned with respect to consumer‘s interest
3. Under certain conditions, the Intermediary obtains the highestproportion of benefits from the targeting process
4. A strategic intermediary may choose to selectively share consumerdata in order to maximize its profits
![Page 47: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/47.jpg)
Limitations/Future work
• Competition among ad networks
• Costs/investments for ad networks
• Reduction in consumer search costs
• Empirical analysis
![Page 48: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/48.jpg)
“The Economics of Privacy,” Acquisti, Taylor, and Wagman, Journal of Economic Literature, (forthcoming)
Personal information is the lifeblood of the Internet
How is the surplus generated by personal data allocated?
Loss of privacy is the price to pay for the benefits of big data
Who bears the costs of privacy enhancing technologies?
Sharing personal datais an economic win‐win
When do consumers benefit from trades in their data?
![Page 49: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/49.jpg)
Catherine TuckerMassachusetts Institute of Technology
Privacy Protection, Personalized Medicine and Genetic Testing
Co-author: Amalia Miller (University of Virginia)
![Page 50: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/50.jpg)
Privacy Protection,Personalized
Medicine andGenetic Testing
Amalia R. Miller andCatherine Tucker
![Page 51: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/51.jpg)
Our research questionWhat kinds of privacyprotections encourage ordiscourage the spread ofhospital genetic testingfor cancer?
![Page 52: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/52.jpg)
What cangenetic tests beused for?Identifying geneticinformation to predict
• susceptibility to disease• course of disease• response to treatment.
![Page 53: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/53.jpg)
BRCA1 mutation
![Page 54: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/54.jpg)
Look at state law variation from2000-2010 which echoes3approaches toprivacy
• Informed consent (EU privacydirectiveof 1996?)
• Regulating datause (USapproach?)
• Establishing property rightsover data(Coasian)
![Page 55: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/55.jpg)
Weuse anational survey tounderstand who gets agenetictest
• National Health InterviewSurveys (NHIS) - part of CDC
• In 2000, 2005, 2010 theyasked30k survey takersabout genetic testing.
![Page 56: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/56.jpg)
There are pros andcons of thedependent variable
• Yes: Testing for predictors ofbreast, ovarian cancer. Actionable.
• But: Few positiveobservations (< 1%)
![Page 57: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/57.jpg)
Weuse standard econometrictechniques
• Statistically relatethe decisionto takeagenetic test tochanges in the patient’s state’sprivacy law.
• Seethe paper for theequations andmethods
![Page 58: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/58.jpg)
Informed Consent reducesgenetic testing by one third,Individual Control increasesgenetic testing by one third
InformedConsent
Usage Restriction
Individual Control
![Page 59: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/59.jpg)
The controls hadweak butexpectedeffects
• Female, black, family cancerpositively affect decision
• No insurance(weakly)negatively affects decision
• Statecharacteristics, age,private insurancearen’tsignificant
![Page 60: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/60.jpg)
The positiveeffect forIndividual Control is notdriven by hospitals
• Hospitals react negatively toconsent laws
• But also react negatively topatient property rights
![Page 61: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/61.jpg)
Weprovide evidencethat oureffect is causal with placebos
• No effect for genetic laws forHIV testing - not drivenbytastes for privacy
• No effect for genetic laws onflu shots - not driven by tastesfor preventativecare
![Page 62: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/62.jpg)
What is going on?• Discrimination laws - lack of information?
• Consent without control-highlights powerlessness?
• Data ownership - Perception ofcontrol or Coase?
![Page 63: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/63.jpg)
Pure consent
![Page 64: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/64.jpg)
Consent with Property Rights
![Page 65: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/65.jpg)
Our effects appear tobedriven by privacy concerns
• Larger effects for those withhigher underlying risk
• No effects for those withpast cancer diagnosis
• Larger effects for‘privacy-protecting’individuals
![Page 66: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/66.jpg)
Summing Up
![Page 67: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/67.jpg)
There are of course limitations1. The unobserved2. No information about
interpretation3. Early stage of diffusion.
![Page 68: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/68.jpg)
When states givemore controlover how their privateinformationis shared genetic testing increases
• Particularly for those whoaremore worried about ‘badnews’
• Hospitals respondnegatively
![Page 69: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/69.jpg)
Wefind that informed consentdeters patients andhospitalsfrom testing
![Page 70: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/70.jpg)
Data usage policies have littleeffect
• Goodor badnewsdepending on how you lookat it
![Page 71: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/71.jpg)
Thank you! [email protected]
![Page 72: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/72.jpg)
Sasha RomanoskyRAND Corporation
Examining the Costs and Causes of Cyber Incidents
![Page 73: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/73.jpg)
Costs and Consequences of Cyber IncidentsSasha Romanosky
Costs and Consequences of Cyber IncidentsSasha Romanosky
![Page 74: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/74.jpg)
Motivation
• Data breaches and privacy violations have become commonplace, affecting thousands of firms, and millions of individuals,
- yet we don’t fully understand their costs or impacts- nor do we properly understand the firm’s incentives to invest in
cyber security controls
• Therefore, using a dataset of 12,000 events, we examine the costs, scale, and overall risk of events, by industry and over time
![Page 75: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/75.jpg)
Four types of cyber events
Unauthorized disclosure of private information
Unauthorized disclosure of personal infoData breaches
Security incidents
Privacy violations
Computer attacks against a company
A company’s willful collection or use of personal info
Phishing/skimming Financial criminal acts committed against individuals and firms
![Page 76: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/76.jpg)
We observe publicly available data
Cyber event occurs
Detected
Disclosed
Recorded
Legal action
Notdetected
Notdisclosed
Notrecorded
No legal action
![Page 77: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/77.jpg)
Data breaches greatly outnumber all other incidents
1,500
1,000
500
250
200
150
100
50
0
2004 2006 2008 2010 2012 2014
Databreaches
/////////////////////////////////////////////////////////////////////////////////////////
Numberof
cyberevents
Privacy violations
Securityincidents
Phishing
![Page 78: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/78.jpg)
But security incidents are increasing rapidly
1,500
1,000
500
250
200
150
100
50
0
/////////////////////////////////////////////////////////////////////////////////////////
Numberof
cyberevents
Databreaches
Privacy violations
Phishing
Securityincidents
2004 2006 2008 2010 2012 2014
![Page 79: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/79.jpg)
Industry analysis
• There are many ways to understand risk by industry:- Total incidents, and incident rate- Total lawsuits, and litigation rate- Costs per event
• This helps us understand which industries pose the greatest risk
![Page 80: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/80.jpg)
Finance and Insurance, and Health Care sectorssuffer highest number of incidents
Total incidents
2,000
Finance and
Ins.
Health care
Government
Education
Manufacturing
1,0000
![Page 81: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/81.jpg)
But Govt, and Education sectors suffer highest incident rates
Total incidents Incident rate
.015
Government
Education
Information
Finance and
Ins.
Utilities
.01.0502,000
Finance and
Ins.
Health care
Government
Education
Manufacturing
1,0000
![Page 82: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/82.jpg)
Firms in Information and Finance/Insurance sectors are most often litigated
Number of lawsuits
200
Information
Finance and
Ins.
Manufacturing
Retail Trade
Health Care
1000 25015050
![Page 83: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/83.jpg)
But, Oil & Gas suffers the highest litigation rate
Number of lawsuits Litigation rate
.3
Mining, Oil & Gas
Admin and SupportServices
Ag., Fishing, Hunting
Retail Trade
Information
.2.10200
Information
Finance and
Ins.
Manufacturing
Retail Trade
Health Care
1000 25015050 .4
![Page 84: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/84.jpg)
Next, let’s examine legal actionsAll Legal Actions (1,687)
Civil (1,394) Criminal (293)
State (271) Federal (202) State (91)
Private(922)
Public(201)
Private (221)
Public(50)
Federal (1,123)
![Page 85: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/85.jpg)
2004 2006 2008 2010 2012 2014
Privacy litigation has increased sharply
150
100
50
Total number of lawsuits
0
Databreaches
Privacy violations
Phishing
Securityincidents
![Page 86: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/86.jpg)
2004 2006 2008 2010 2012 2014
150
100
50
Total number of lawsuits
0
Databreaches
Privacy violations
Phishing
Securityincidents
2004 2006 2008
1.0
0.8
0.6
2010 2012
Litigation rate
0.4
0.2
0
2014
But overall litigation rates are declining
![Page 87: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/87.jpg)
Most data breaches cost firms less than $200K
Min Max Median N
Data Breaches $25 $572m $170 K 602Security Incidents $100 $100m $330 K 36Privacy Violations $180 $750m $1.34 M 234Phishing/Skimming $0 $710 m $150 K 49
963These costs are much lower than the $5m often cited
![Page 88: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/88.jpg)
Repeat Players
• 38% of firms (almost 4800) in our dataset suffered multiple incidents
• 50% of all incidents within the Information and Finance/Insurance industries involve repeat players
• No significant difference in legal actions or litigation rate for this group, relative to single players
• However, data breach costs are twice as large for repeat players:- $9.8m vs $4m for single players
![Page 89: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/89.jpg)
Annual losses from cyber events are comparatively small
3.5
10
33
69
70
97
105
151
200
0 100 200 300
Online fraud
Losses from cyber events
Retail shrinkage
Healthcare fraud
Global spending on cybersecurity
Insurance fraud
Cybercrime
Hurricane Katrina
Loss of intellectual property
$ Billions
![Page 90: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/90.jpg)
As a percent of revenue, the cost of cyber events is also very small
0.4
0.9
1.4
3.1
5.2
5.9
20.0
0 10 20 30
Cyber events
Online fraud
Retail shrinkage
Healthcare fraud
Global payment card fraud
Hospitals (bad debt)
Restaurant industry shrinkage
Percent of revenue/volume
![Page 91: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/91.jpg)
Troubling paradox; where do the incentives lie?
• On one hand, cyber events and legal actions are increasing- Compromising the most sensitive kinds of personal information
• On the other hand, typical costs are relatively small- And consumers seem quite satisfied with firm responses (Ablon et
al, 2016)
• What does this suggest for firm incentives in cyber security?
![Page 93: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/93.jpg)
Retail, Information, and Manufacturing sectorssuffer highest losses
Total losses (in Millions $) Loss per event
1.5
Management
Retail
Information
Manufacturing
Wholesale Trade
1.502,000
Information
Manufacturing
Retail
Finance and Ins.
Health care
1,0000 2
![Page 94: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/94.jpg)
• Breach notification, counsel, forensics, IT repair, consumer redress
• Also includes money stolen from banks,financial companies
• Settlements and other judicial awards• Administrative rulings, cy pres
1st-party losses
3rd-party losses
Losses are typically of two types
![Page 95: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/95.jpg)
Total recorded losses of $10 billion
But this represents only 10% of all observed events
$(billions)
Data breaches
8
6
2
0
4
Securityincidents
Privacy violations
Phishing
1st Party
3rd Party
![Page 96: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/96.jpg)
0
20
40
60
80
Numberof cyberevents
In most cases, cyber events cost firms about what they spend on IT security
Annual cost of IT security minus annual cost of cyber events
–$5M $0 $5M
![Page 97: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/97.jpg)
Distribution of Repeat Players
Single
8
6
2
0
4
2-5 6-10 > 10
Number of Firms(in’000s)
Number of repeat incidents
![Page 98: Session 4: Economics of...Web Vulnerability Data 4 HackerOne Wooyun HQ US & NL China Founded 2013‐11 2010‐07 # Vulnerabilities 10,997 64,134 #White hats 1,653 7,744 Participation](https://reader033.vdocuments.site/reader033/viewer/2022060218/5f0693247e708231d418aaf1/html5/thumbnails/98.jpg)
Discussion of Session 4Discussants:• Kevin Moriarty, Federal
Trade Commission
• Doug Smith, Federal Trade Commission
• Siona Listokin, George Mason University
Presenters:• Jens Grossklags,
Pennsylvania State University
• Veronica Marotta,Carnegie Mellon University& Alessandro Acquisti,Carnegie Mellon University
• Catherine Tucker, Massachusetts Institute of Technology
• Sasha Romanosky,RAND Corporation