Entries Tagged "risk assessment"


The Problem with Cyber-crime Surveys

Good paper: “Sex, Lies and Cyber-crime Surveys,” Dinei Florêncio and Cormac Herley, Microsoft Research.

Abstract: Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N=1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.

I’ve been complaining about our reliance on self-reported statistics for cyber-crime.
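An added illustration (not part of the post or of the Florêncio and Herley paper) of why a survey mean can hinge on one respondent: the functions below extrapolate a survey's mean loss to a population, measure how much of the estimate comes from the largest responses, and show what happens when the outlier is dropped. The population of 200 million is an assumption inferred from the abstract's own arithmetic ($50,000 in an N=1000 survey becoming $10 billion); the survey responses are constructed.

```python
"""Outlier sensitivity of survey-based loss estimates (added example)."""
import random

# Assumed population size; it is the value implied by the abstract's
# "$50,000 in N=1000 -> $10 billion" figure, not a number the paper states.
POPULATION = 200_000_000


def extrapolate(responses, population=POPULATION):
    """Standard survey estimate: mean self-reported loss scaled to the population."""
    return sum(responses) / len(responses) * population


def top_k_share(responses, k=1):
    """Fraction of the total reported loss contributed by the k largest responses."""
    total = sum(responses)
    if total == 0:
        return 0.0
    return sum(sorted(responses, reverse=True)[:k]) / total


def trimmed_estimate(responses, drop=1, population=POPULATION):
    """Estimate after discarding the `drop` largest (unverified) responses."""
    kept = sorted(responses)[: len(responses) - drop] if drop else list(responses)
    return extrapolate(kept, population)


def constructed_survey(n=1000, victims=9, outlier=50_000, seed=1):
    """Constructed sample: most respondents report 0, a few report modest
    verified-looking losses, and one respondent claims `outlier` dollars."""
    rng = random.Random(seed)
    losses = [round(rng.uniform(100, 1000), 2) for _ in range(victims)]
    losses.append(outlier)
    return losses + [0] * (n - len(losses))


if __name__ == "__main__":
    sample = constructed_survey()
    print(f"population estimate: ${extrapolate(sample):,.0f}")
    print(f"share from top response: {top_k_share(sample):.1%}")
    print(f"estimate without the top response: ${trimmed_estimate(sample):,.0f}")
```

Running it shows the estimate falling by more than 80% when the single $50,000 claim is removed, which is the "majority of the estimate coming from one or two responses" effect the abstract describes.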

Posted on June 21, 2011 at 5:58 AM

Bin Laden's Death Causes Spike in Suspicious Package Reports

It’s not that the risk is greater, it’s that the fear is greater. Data from New York:

There were 10,566 reports of suspicious objects across the five boroughs in 2010. So far this year, the total was 2,775 as of Tuesday compared with 2,477 through the same period last year.

[…]

The daily totals typically spike when a terrorist plot makes headlines here or overseas, NYPD spokesman Paul Browne said Tuesday. The false alarms themselves sometimes get break-in cable news coverage or feed chatter online, fueling further fright.

On Monday, with news of the dramatic military raid of bin Laden’s Pakistani lair at full throttle, there were 62 reports of suspicious packages. The previous Monday, the 24-hour total was 18. All were deemed non-threats.

Despite all the false alarms, the New York Police Department still wants to hear them:

“We anticipate that with increased public vigilance comes an increase in false alarms for suspicious packages,” Kelly said at the Monday news conference. “This typically happens at times of heightened awareness. But we don’t want to discourage the public. If you see something, say something.”

That slogan, oddly enough, is owned by New York’s transit authority.

I have a different opinion: “If you ask amateurs to act as front-line security personnel, you shouldn’t be surprised when you get amateur security.”

People have always come forward to tell the police when they see something genuinely suspicious, and should continue to do so. But encouraging people to raise an alarm every time they’re spooked only squanders our security resources and makes no one safer.

“Refuse to be terrorized,” people.

Posted on May 5, 2011 at 6:43 AM

The Cyberwar Arms Race

Good paper: “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,” by Jerry Brito and Tate Watkins.

Over the past two years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that “cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects.” Proposed responses include increased federal spending on cybersecurity and the regulation of private network security practices.

The rhetoric of “cyber doom” employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well.

Part I of this article draws a parallel between today’s cybersecurity debate and the run-up to the Iraq War and looks at how an inflated public conception of the threat we face may lead to unnecessary regulation of the Internet. Part II draws a parallel between the emerging cybersecurity establishment and the military-industrial complex of the Cold War and looks at how unwarranted external influence can lead to unnecessary federal spending. Finally, Part III surveys several federal cybersecurity proposals and presents a framework for analyzing the cybersecurity threat.

Also worth reading is an earlier paper by Sean Lawson: “Beyond Cyber Doom.”

EDITED TO ADD (5/3): Good article on the paper.

Posted on April 28, 2011 at 6:56 AM

Counterterrorism Security Cost-Benefit Analysis

“Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of Homeland Security,” by John Mueller and Mark Stewart:

Abstract: The cumulative increase in expenditures on US domestic homeland security over the decade since 9/11 exceeds one trillion dollars. It is clearly time to examine these massive expenditures applying risk assessment and cost-benefit approaches that have been standard for decades. Thus far, officials do not seem to have done so and have engaged in various forms of probability neglect by focusing on worst case scenarios; adding, rather than multiplying, the probabilities; assessing relative, rather than absolute, risk; and inflating terrorist capacities and the importance of potential terrorist targets. We find that enhanced expenditures have been excessive: to be deemed cost-effective in analyses that substantially bias the consideration toward the opposite conclusion, they would have to deter, prevent, foil, or protect against 1,667 otherwise successful Times-Square type attacks per year, or more than four per day. Although there are emotional and political pressures on the terrorism issue, this does not relieve politicians and bureaucrats of the fundamental responsibility of informing the public of the limited risk that terrorism presents and of seeking to expend funds wisely. Moreover, political concerns may be over-wrought: restrained reaction has often proved to be entirely acceptable politically.

Posted on April 6, 2011 at 6:03 AM

Good Article About the Terrorist Non-Threat

From Reason:

Know thy enemy is an ancient principle of warfare. And if America had heeded it, it might have refrained from a full-scale “war” on terrorism whose price tag is touching $2 TRILLION. That’s because the Islamist enemy it is confronting is not some hyper-power capable of inflicting existential—or even grave—harm. It is, rather, a rag-tag band of peasants whose malevolent ambitions are far beyond the capacity of their shallow talent pool to deliver.

Posted on February 24, 2011 at 6:44 AM

Micromorts

I’d never heard the term “micromort” before. It’s a probability: a one-in-a-million probability of death. For example, one-micromort activities are “travelling 230 miles (370 km) by car (accident),” and “living 2 days in New York or Boston (air pollution).”

I don’t know if that data is accurate; it’s from the Wikipedia entry. In any case, I think it’s a useful term.

EDITED TO ADD (2/12): Discussion here.

Posted on February 8, 2011 at 5:46 AM

Surviving a Terrorist's Nuclear Attack

Interesting reading, mostly for the probable effects of a terrorist-sized nuclear bomb.

A terrorist bomb is likely to be relatively small—possibly only a fraction of the Hiroshima bomb’s explosive power—and likely exploded at ground level. This means that the area totally destroyed by the explosion is likely to be much smaller than the area exposed to lesser damage or to fallout radiation (this nuclear weapons effects calculator from the Federation of Atomic Scientists will let you see the effect of different sized bombs burst at different heights). Because of this, Homeland Security people in the Obama Administration have been encouraging a duck-and-cover approach, followed by advice to “shelter in place” against fallout rather than trying to evacuate the area.

Posted on January 14, 2011 at 7:07 AM

Stealing SIM Cards from Traffic Lights

Johannesburg installed hundreds of networked traffic lights on its streets. The lights use a cellular modem and a SIM card to communicate.

Those lights introduced a security risk I’ll bet no one gave a moment’s thought to: that criminals might steal the SIM cards from the traffic lights and use them to make free phone calls. But that’s exactly what happened.

Aside from the theft of phone service, repairing those traffic lights is far more expensive than those components are worth.

I wrote about this general issue before:

These crimes are particularly expensive to society because the replacement cost is much higher than the thief’s profit. A manhole is worth $5–$10 as scrap, but it costs $500 to replace, including labor. A thief may take $20 worth of copper from a construction site, but do $10,000 in damage in the process. And the increased threat means more money being spent on security to protect those commodities in the first place.

Security can be viewed as a tax on the honest, and these thefts demonstrate that our taxes are going up. And unlike many taxes, we don’t benefit from their collection. The cost to society of retrofitting manhole covers with locks, or replacing them with less resalable alternatives, is high; but there is no benefit other than reducing theft.

These crimes are a harbinger of the future: evolutionary pressure on our society, if you will. Criminals are often referred to as social parasites, but they are an early warning system of societal changes. Unfettered by laws or moral restrictions, they can be the first to respond to changes that the rest of society will be slower to pick up on. In fact, currently there’s a reprieve. Scrap metal prices are all down from last year—copper is currently $1.62 per pound, and lead is half what Berge got—and thefts are down too.

We’ve designed much of our infrastructure around the assumptions that commodities are cheap and theft is rare. We don’t protect transmission lines, manhole covers, iron fences, or lead flashing on roofs. But if commodity prices really are headed for new higher stable points, society will eventually react and find alternatives for these items—or find ways to protect them. Criminals were the first to point this out, and will continue to exploit the system until it restabilizes.

Posted on January 13, 2011 at 12:54 PM
