Economics and Psychology of Botnets - Security Insights
Systems engineering, economics, and information security play vital roles in understanding modern security challenges. The intersection of economic incentives, psychological factors, and technical vulnerabilities highlights the complexity of safeguarding digital systems. Explore how economic analysis, behavioral economics, and security economics contribute to mitigating threats in the digital landscape.
Download Presentation

Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
The Economics and Psychology of Botnets Ross Anderson Cambridge July 10th 2014 DIMVA 2014
Traditional systems engineering Build systems for scalability choose efficient algorithms and data structures Once you start to distribute stuff, pay attention to consistency (file locking, fault tolerance etc) See security as keeping the bad guys out by adding crypto, authentication, filtering React to malware by hardening platforms, writing scanners, talking about safe computing But about 2000, some of us started to realize that this is not enough! July 10th 2014 DIMVA 2014
Economics also vital Since 2000, we have started to apply economic analysis to security and dependability Systems often fail because the folks who guard them, or who could fix them, have insufficient incentives If electricity generation companies don t have an incentive to provide reserve capacity, there will be blackouts Where banks can dump fraud risk on customers or merchants, fraud increases What about taking an insecure computer online? Insecurity and fragility are often an externality July 10th 2014 DIMVA 2014
Information security economics In the last 12 years, it s grown from zero to over 100 active researchers, working on many topics! Models of what s likely to go wrong perverse incentives, asymmetric information Measurements of what is going wrong patching cycle, malware, fraud Recommendations what actors can likely do what Policy recommendations now being adopted in both the USA and Europe (but often twisted by lobbyists) Now growing into behavioral economics, psychology July 10th 2014 DIMVA 2014
Security economics 101 High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage So time-to-market is critical Microsoft philosophy of we ll ship it Tuesday and get it right by version 3 was quite rational This is why platforms have so many bugs! Bad guys who are motivated by economics write malware for the dominant platforms So buggy dominant platforms get exploited July 10th 2014 DIMVA 2014
Wholl catch the bad guys? Suppose you re the Commissioner of the Metropolitan police A bad guy in Moscow sends out 106 phish London s 1% of the Internet, so you see 104 Do you say (a) right, let s spend 500k trying to identify this villain and extradite him ; or (b) the FBI will have seen 200,000 of these; let them do the heavy lifting! July 10th 2014 DIMVA 2014
Tragedy of the commons Are we heading for a world with global systems and distributed harm, where law enforcement doesn t give local incremental benefits? Who benefits from the systems we are compelled to trust, and who maintains them? As for emergent globalised phenomena who can deal with them, or cares enough to try? What sort of institutions are eventually needed? A new feudalism? Reinvention of the state? Meantime, how can we minimise losses? July 10th 2014 DIMVA 2014
Security economics and policy Theory s all very well, but what about data? 2008: Security Economics and the Single Market report looked at cybercrime and what governments could do about it 2011: Resilience of the Internet Interconnection Ecosystem examined critical infrastructure and made recommendations 2012 Measuring the Cost of Cybercrime sets out to debunk myths and scaremongering July 10th 2014 DIMVA 2014
Measuring the Cost of Cybercrime Undertaken at request of Sir Mark Welland, then chief scientific adviser at the MoD Coauthors: Chris Barton, Rainer B hme, Richard Clayton, Michel van Eeten, Michael Levi, Tyler Moore, Stefan Savage We set out to estimate cybercrime losses from publicly available data We use EU definition of cybercrime as Traditional frauds now done by electronic means Uniquely electronic crimes such as DDoS, hacking July 10th 2014 DIMVA 2014
Decomposing the cost of cybercrime Many existing studies conflate different things. We broke up costs as Criminal revenue (gross crime receipts) Direct losses (losses, damage, suffering) Defence costs Indirect losses (costs in anticipation such as defence; costs in consequence such as opportunity costs) We ran a separate account of the costs of common crime infrastructure such as botnets July 10th 2014 DIMVA 2014
Cybercrimes we considered Online banking fraud Stranded traveler scams Fake antivirus Advanced fee fraud IP-infringing pharmaceuticals IP-infringing music, software Bank card fraud and forgery PABX fraud Cyber-espionage and extortion Tax and welfare fraud July 10th 2014 DIMVA 2014
Cybercrimes we considered Online banking fraud Stranded traveler scams Fake antivirus Advanced fee fraud IP-infringing pharmaceuticals IP-infringing music, software Bank card fraud and forgery PABX fraud Cyber-espionage and extortion Tax and welfare fraud Pure cybercrime Transitional crime Traditional crime July 10th 2014 DIMVA 2014
Proceeds of pure cybercrime Type Online bank fraud phishing Malware Bank defences Fake AV Infringing software Infringing music etc Infringing pharma Stranded traveler Fake escrow Advance fee fraud DIMVA 2014 July 10th 2014 UK Global Period $16m $10m $50m $5m $1m $7m $14m $1m $10m $50m $320m $370m $1000m 2010 $97m $22m $150m 2011 $288m 2010 $20m $200m 2010 $200m 2011 2007 2010 2010 2010 2011
Costs of transitional cybercrime Type Online card fraud Offline card fraud domestic International Bank / merch defences $120m Indirect costs of payment fraud confidence (consumer) $700m confidence (merchant) $1600m $20000m 2009 PABX fraud UK $210m $4200m 2010 Global Period $106m $147m $2100m 2010 $2940m 2010 $2400m 2010 $10000m 2010 $185m $4960m 2011 July 10th 2014 DIMVA 2014
Cost of traditional crime becoming cyber Type UK Global Period Welfare fraud $1900m $20000m 2011 Tax fraud $12000m $125000m 2011 Corruption? July 10th 2014 DIMVA 2014
The infrastructure supporting cybercrime Much of the infrastructure is common to many scams (spam, botnets, ) Indirect losses and defence costs are also affected by many scams (loss of trust, antivirus software ) To save double counting we measured these separately July 10th 2014 DIMVA 2014
Cost of cybercriminal infrastructure Type UK Global Period Antivirus $170m $3400m 2011 Patching cost $50m $1000m 2010 Clean-up (ISPs) $2m $40m 2010 Clean-up (users) $500m $10000m 2011 Defence (firms) $500m $10000m 2010 Policing $15m $400m 2010 [NB: most of this is extra IT industry turnover!] July 10th 2014 DIMVA 2014
Lessons learned costs by category Traditional frauds such as tax and welfare fraud cost each citizen a few hundred pounds/euros/dollars a year Transitional frauds such as bank and payment fraud cost each citizen a few tens pounds/euros/dollars a year New cyber frauds such as fake antivirus: a few tens pounds/euros/dollars a year, but almost all of these are indirect and defence costs July 10th 2014 DIMVA 2014
Direct versus indirect costs Traditional crimes like tax fraud: the losses are most of it Genuine cybercrimes earn criminals little (tens of cents per citizen per category) but impose huge indirect defence and opportunity costs E.g. in 2010 the Rustock botnet earned its operators $3.5m via fake pharma, but sent a third of all spam which cost about $1bn to deal with July 10th 2014 DIMVA 2014
Policy lessons One conclusion is that we don t spend anything like the optimal amount on policing! The USA does most of the heavy lifting: $100m Federally (FBI, secret service, NCFTA) $100m at state and local level Other countries largely free-ride Some firms spend lots (Google, MS maybe $100m each) but it s targeted on their concerns; some vendors are net beneficiaries! July 10th 2014 DIMVA 2014
Policy lessons (2) A second lesson is that infection rates vary hugely across ISPs (two orders of magnitude) Big ISPs are generally worse (small ISPs peering is at risk if they emit too much spam) But still there are large variations within each category of ISP The crucial factor is the cost of cleanup In Europe, it s hard to bully users as they just switch. We need better ways to persuade July 10th 2014 DIMVA 2014
Browser warnings Browsers throw up warnings we ignore, e.g. if a web page contains malware, or is a phishing site, or has an invalid certificate How can we get users to pay attention, for the cases where it actually matters? Can we use words, or do we need a face? Big experiment at Google (Adrienne Porter- Felt): faces in this context don t seem to help! July 10th 2014 DIMVA 2014
Browser warnings (2) With David Modic, tested response to Appeal to authority Social compliance Concrete vs vague threats Based on much research on psychology of persuasion, and on scam compliance We re also investigating who turned off their browser phishing warnings (or would have had they known how) July 10th 2014 DIMVA 2014
Who turns off the warnings? Of 496 mTurkers, 17 (3%) turned warnings off, and a further 34 would have if they could Reasons given (descending order) False positives Prefers to make own decisions Don t like the hassle Don t understand them Same rank ordering between those who did turn them off, and those who would have July 10th 2014 DIMVA 2014
Who turns off the warnings (2)? Some interesting correlations turned up which explain most of the tendency to turn off warnings: Desire for autonomy Trust (in real-world and Facebook friends) Confidence in IT competence Lack of trust on authority (companies too) Not using Windows Gender These explain over 80% of the effect! July 10th 2014 DIMVA 2014
What stops people clicking? The most significant effect was giving concrete warnings as opposed to vague ones Some way behind was appeal to authority Factors other than our treatments: trust in the browser vendor was strongest, then mistrust of authority All factors together explain 60% of the effect A strong status quo bias emerged July 10th 2014 DIMVA 2014
Why this might be useful Almost all warnings are designed to benefit the warner, not the recipient The lawyers will game anything they can Then people will learn to screen it out Highly specific warnings are the exception, as they are intrinsically hard to game! Compare: Google search ads work much better than general display ads July 10th 2014 DIMVA 2014
Conclusions Malware matters! Cyber-criminal infrastructure is a serious global public-goods problem Rather like environmental degradation While some players have incentives to do some work on the problem (some vendors, ISPs, AV firms, the FBI, academics ), all our efforts combined are less than socially optimal Economics & psychology can help understand why, and help us find better ways to cope July 10th 2014 DIMVA 2014