boomtime: risk as economics (allison miller, siracon15)

Allison Miller @selenakyle

Upload: a-e-miller

Post on 11-Feb-2017


THEMES OF SECURITY ECONOMICS
•  Security ROI
•  Cybercrime supply chains
•  Market for Lemons
•  Make it more expensive for the attacker
•  Tragedy of the Commons
•  Risk Tolerance
•  Exploit/Vuln markets
•  Behavioral Economics / Gamification

#BOOMTIME #RISK @SELENAKYLE

MICROECONOMICS
Model for estimating consumption given individual preferences, under a budget constraint
•  Utility maximization
•  Preferences: Consumption mix
•  Good A vs Good B
•  Labor vs leisure
•  Budget constraint

THE CONSUMER MODEL: EXPANDED
Extensible from micro into macro
•  Extensible to firms
   ➢  Estimate production given profits under cost/demand/price constraints
•  Extensible to competition for resources (consumers, firms)
   ➢  Roots of game theory
•  Extensible to markets
   ➢  Aggregation across many to many (markets for goods, money, labor)
•  Extensible to public sector
   ➢  Government spend (fiscal) & policy (monetary)
•  Extensible to economies

THE LANGUAGE OF RISK
Some optimization functions assume *certainty*
•  e.g. preferences, costs

But making decisions under uncertainty is core to:
•  Competition
•  Investment
•  Reality

RISK AVERSION
Concept where theory meets behavior
•  Expected value vs expected variance
•  Probability gives you both, we tend to focus on E(x)
•  Risk aversion is a condition that relies on V(x)

AN EXAMPLE
You have $20k, but a 50/50 chance of losing $10k
•  Expected value?
•  $15k (i.e. .5($20k)+.5($10k))

Insurance costing $5k will cover full loss. Should you buy it or not?
•  Expected value w/insurance?
•  $15k (for sure)
•  Expected value w/o insurance
•  $15k (but as EITHER $10k or $20k)

The risk averse individual will opt for the same expected value with less uncertainty (less risk)
   ▪  People seek utility maximization, not payoffs
   ▪  Risk, i.e. uncertainty, reduces overall utility (wealth)

AN EXAMPLE…CONTINUED
You have $20k, but a 50/50 chance of losing $10k
•  Expected value = $15k

You are offered partial insurance costing $2.5k that will cover half of the loss ($5k).
   @ No Loss: $17.5k ($20k – 2.5k)
   @ Loss: $12.5k ($20k – 2.5k – 10k + 5k)
•  Expected value = $15k (but as EITHER $17.5k or $12.5k)

Risk, i.e. uncertainty, is reduced but there is still a $5k variance

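WHAT THIS LOOKS LIKE
[Figure: utility (vertical axis) against wealth (horizontal axis), marking wealth at 12.5, 15 and 17.5, E(V), and the utility levels U(total), U(partial) and U(no insurance).]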
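
The insurance example from the two preceding slides, carried through in code as an added illustration (not part of the original deck): it computes E(x), V(x) and expected utility for no, partial and full insurance. The log utility function and all names are assumptions; log is used only as a stand-in for a risk-averse (concave) utility curve.

```python
import math

# Slide numbers: $20k wealth, 50/50 chance of losing $10k.
WEALTH, LOSS, P_LOSS = 20_000.0, 10_000.0, 0.5

# option name -> (fraction of loss covered, premium), as on the slides
POLICIES = {"none": (0.0, 0.0), "partial": (0.5, 2_500.0), "full": (1.0, 5_000.0)}

def outcomes(coverage, premium):
    """[(probability, final wealth)] for one insurance option."""
    no_loss = WEALTH - premium
    loss = WEALTH - premium - LOSS + coverage * LOSS
    return [(1 - P_LOSS, no_loss), (P_LOSS, loss)]

def expected_value(dist):
    return sum(p * x for p, x in dist)

def variance(dist):
    mean = expected_value(dist)
    return sum(p * (x - mean) ** 2 for p, x in dist)

def expected_utility(dist, utility=math.log):
    # Assumption: log utility stands in for a risk-averse (concave) curve.
    return sum(p * utility(x) for p, x in dist)

def certainty_equivalent(dist):
    # Sure amount that yields the same log utility as the gamble.
    return math.exp(expected_utility(dist))

def summarize():
    rows = {}
    for name, (coverage, premium) in POLICIES.items():
        dist = outcomes(coverage, premium)
        rows[name] = {"E": expected_value(dist), "V": variance(dist),
                      "EU": expected_utility(dist),
                      "CE": certainty_equivalent(dist)}
    return rows

def rank_by_utility():
    rows = summarize()
    return sorted(rows, key=lambda n: rows[n]["EU"], reverse=True)

if __name__ == "__main__":
    for name, r in summarize().items():
        print(f"{name:8s} E={r['E']:9.0f} SD={math.sqrt(r['V']):7.0f} "
              f"CE={r['CE']:9.0f} risk premium={r['E'] - r['CE']:6.0f}")
    print("preferred order:", rank_by_utility())
```

All three options share E(x) = $15k; only the spread differs, and the gap between E(x) and the certainty equivalent is what a risk-averse holder would pay to remove that spread.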


HOW TO WIN AT RISK
Win or lose?
•  Game theory approach: maximize payoff
   …Tends to gravitate towards expected value
•  The “defender’s dilemma” assumes a risk intolerant system manager
   …Lower expected loss. Ok, sounds like expected value.
•  Optimal investments manage to value and variance
   …Build systems with better risk capacity
   …Portfolio theory, not just point performance

Boom or bust maybe a better analogy?

WINNING AT ECONOMICS

BOOM!

A BIT ABOUT ECONOMICS
Speaking of econ

META ON MACRO
Early 20th century:
   ➢  Panics! Chaos! Depression!
30’s-50’s: Data
   ➢  Gather, Count & Measure
50’s-70’s: Models
   ➢  Keynesians Rule!
70’s - now: Modern Macro
   ➢  RBC vs New Keynesians

Given that the structure of an econometric model consists of optimal decision rules of economic agents, and that optimal decision rules vary systematically with changes in the structure of series relevant to the decision maker, it follows that any change in policy will systematically alter the structure of econometric models.
−Lucas' Critique (1976)

SUPERMODELS

Lucas Critique: The α coefficients in Keynesian macroeconometric frameworks should be thought of as depending on government policy directly.

Source: Modern Macroeconomics, Sanjay Chugh http://skchugh.com/teachingmanuscript.html

POSITIVE VS NORMATIVE ECONOMICS
•  Positive: What it is. Descriptions.
•  Normative: What it should be. Recommendations.

CURRENCY OF RISK
Preferences, Utility, Money, Returns, Competition
Tolerances, Uncertainty, Data, Returns, Adversaries

BOOMTIME
Preferences, Utility, Money, Returns, Competition
Tolerances, Uncertainty, Data, Returns, Adversaries

•  Policy Analysis
•  Graph Theory
•  Dynamic Threat Models
•  Cyberinsurance
•  Security Econometrics
•  Classification
•  Inferior Goods
•  Security “CPI”
•  Incentive Design
•  Coalitional Game Theory

HOW TO WIN [RISK] FRIENDS & INFLUENCE [INVESTMENT] PEOPLE

BoomTime
•  Consider framing our goals as “booming” vs “winning”

All about that base…variance
•  Bring your E(x) AND V(x) game

Positive vs Normative Risk
•  Your model’s in my policy… your policy’s in my model