<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: WEIS 2009 &#8211; liveblog</title>
	<atom:link href="http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/</link>
	<description>Security Research, Computer Laboratory, University of Cambridge</description>
	<lastBuildDate>Sat, 28 Jan 2012 18:43:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: R. Ramamurthy</title>
		<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/comment-page-1/#comment-31475</link>
		<dc:creator>R. Ramamurthy</dc:creator>
		<pubDate>Fri, 24 Jul 2009 05:31:14 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=1065#comment-31475</guid>
		<description>Excellent coverage. I felt that I was present during the deliberations of the seminar. God bless you for your service. 
Regards, 
R. Ramamurthy
Chairman, Cyber Society of India
56A, Dr. Ranga Road, Chennai 600018, India.</description>
		<content:encoded><![CDATA[<p>Excellent coverage. I felt that I was present during the deliberations of the seminar. God bless you for your service.<br />
Regards,<br />
R. Ramamurthy<br />
Chairman, Cyber Society of India<br />
56A, Dr. Ranga Road, Chennai 600018, India.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Privacy paradox &#38; personal data – do people really care?</title>
		<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/comment-page-1/#comment-31187</link>
		<dc:creator>Privacy paradox &#38; personal data – do people really care?</dc:creator>
		<pubDate>Sat, 04 Jul 2009 13:43:32 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=1065#comment-31187</guid>
		<description>[...]see the excellent summary of this and other WEIS sessions by Ross Anderson[...]</description>
		<content:encoded><![CDATA[<p>[...]see the excellent summary of this and other WEIS sessions by Ross Anderson[...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ross Anderson</title>
		<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/comment-page-1/#comment-31178</link>
		<dc:creator>Ross Anderson</dc:creator>
		<pubDate>Tue, 30 Jun 2009 21:20:37 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=1065#comment-31178</guid>
		<description>Here&#039;s the final talk report.


The final keynote was by Robert Coles, listed as &quot;Strategy and Budgeting in Practice - Art or Science?&quot; He was CISO of Merrill Lynch and is now at the Bank of America. His actual title was &quot;Information Security - Art or Science?&quot; (A few sensitive points have been cut at his request.)

His topic was whether current budgeting processes are very relevant to us. Banks are very much driven by Basel II. There&#039;s a whole raft of security-relevant standards such as ISO27001 and COBIT, but none of them particularly consistent.

Case study: before he joined Oct 2006, Merrill Lynch had experienced some high-profile data losses. So he sat down and tried to do a systematic analysis of how staff could get bits out, and loss vectors from accident through external attack to departing employees. Quantifying these threats was hard: what&#039;s the value of a golden client list, for example? Anyway the bank agreed to stump up (mid-budget-cycle) for software to control who could copy what files to USBs where.

Then an HR employee took some data - name, salary, SSN etc on 33,000 staff - and put it on an external hard drive to save money. It got lost during an office move, and this was front page on the Wall Street Journal (http://www.cnbc.com/id/20162588/). Suddenly he was dealing with the original people&#039;s bosses&#039; bosses&#039; bosses.

So he got consultants to look at three other FIs to get the comparative picture, using a threat and control matrix. They started with threats (starting with assets would have taken too long) and also looked at control maturity (ad hoc, up through formal, to enterprise-wide, and finally to continuous and validated with a control loop). He came up with a prioritised roadmap. That he could have done ad hoc, but as he was new to the organisation it was helpful that he&#039;d spent money on trusted consultants. He ended up having to budget 40 projects in a short period of time.

He concludes that running security in a big organisation is art, not science. There&#039;s no real data with which to make real assessments of probability; it&#039;s almost impossible to catalogue assets in large complex organisations and understand the impact of losing them; the prioritisation process is pretty arbitrary; you end up doing the stuff with a high profile rather than what&#039;s necessary. See D&#039;Arcy and Hovav, article in Handbook of Research on Information Security and Assurance about lack of research in security management. See Anderson, Hernot, Hodgkinson, J. Occupational and Organisational Psychology 2001 on the widely different demands on practitioners. Need more opportunities for academics to work with practitioners. Pragmatic science - with both rigor and relevance - is the goal.

In questions, he doubted that we&#039;d get decent loss history for interesting incidents from a single organisation; it would take data collection from many organisations to do that. Security decision making is difficult and important; the kind of information collation and dissemination that Bruce does is important. However real organisations often find it hard to deal with complex policy issues and just adopt a baselining approach - put together a policy once, drawing on various international and other standards, and stick with it. Closed-door information exchanges? They participate in CPNI; Steven Bonner could talk more. Are internal controls driven by the big four accountants? Not sure - some junior auditors started demanding stuff after SOX but were pushed back after the industry said those controls wouldn&#039;t work. And as for pragmatic research, the building blocks - technology, economics, psychology - are probably there; the challenge is to put them together into stuff that practitioners can use.</description>
		<content:encoded><![CDATA[<p>Here&#8217;s the final talk report.</p>
<p>The final keynote was by Robert Coles, listed as &#8220;Strategy and Budgeting in Practice &#8211; Art or Science?&#8221; He was CISO of Merrill Lynch and is now at the Bank of America. His actual title was &#8220;Information Security &#8211; Art or Science?&#8221; (A few sensitive points have been cut at his request.)</p>
<p>His topic was whether current budgeting processes are very relevant to us. Banks are very much driven by Basel II. There&#8217;s a whole raft of security-relevant standards such as ISO27001 and COBIT, but none of them particularly consistent.</p>
<p>Case study: before he joined Oct 2006, Merrill Lynch had experienced some high-profile data losses. So he sat down and tried to do a systematic analysis of how staff could get bits out, and loss vectors from accident through external attack to departing employees. Quantifying these threats was hard: what&#8217;s the value of a golden client list, for example? Anyway the bank agreed to stump up (mid-budget-cycle) for software to control who could copy what files to USBs where.</p>
<p>Then an HR employee took some data &#8211; name, salary, SSN etc on 33,000 staff &#8211; and put it on an external hard drive to save money. It got lost during an office move, and this was front page on the Wall Street Journal (<a href="http://www.cnbc.com/id/20162588/" rel="nofollow">http://www.cnbc.com/id/20162588/</a>). Suddenly he was dealing with the original people&#8217;s bosses&#8217; bosses&#8217; bosses.</p>
<p>So he got consultants to look at three other FIs to get the comparative picture, using a threat and control matrix. They started with threats (starting with assets would have taken too long) and also looked at control maturity (ad hoc, up through formal, to enterprise-wide, and finally to continuous and validated with a control loop). He came up with a prioritised roadmap. That he could have done ad hoc, but as he was new to the organisation it was helpful that he&#8217;d spent money on trusted consultants. He ended up having to budget 40 projects in a short period of time.</p>
<p>He concludes that running security in a big organisation is art, not science. There&#8217;s no real data with which to make real assessments of probability; it&#8217;s almost impossible to catalogue assets in large complex organisations and understand the impact of losing them; the prioritisation process is pretty arbitrary; you end up doing the stuff with a high profile rather than what&#8217;s necessary. See D&#8217;Arcy and Hovav, article in Handbook of Research on Information Security and Assurance about lack of research in security management. See Anderson, Hernot, Hodgkinson, J. Occupational and Organisational Psychology 2001 on the widely different demands on practitioners. Need more opportunities for academics to work with practitioners. Pragmatic science &#8211; with both rigor and relevance &#8211; is the goal.</p>
<p>In questions, he doubted that we&#8217;d get decent loss history for interesting incidents from a single organisation; it would take data collection from many organisations to do that. Security decision making is difficult and important; the kind of information collation and dissemination that Bruce does is important. However real organisations often find it hard to deal with complex policy issues and just adopt a baselining approach &#8211; put together a policy once, drawing on various international and other standards, and stick with it. Closed-door information exchanges? They participate in CPNI; Steven Bonner could talk more. Are internal controls driven by the big four accountants? Not sure &#8211; some junior auditors started demanding stuff after SOX but were pushed back after the industry said those controls wouldn&#8217;t work. And as for pragmatic research, the building blocks &#8211; technology, economics, psychology &#8211; are probably there; the challenge is to put them together into stuff that practitioners can use.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Pern Hui Chia</title>
		<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/comment-page-1/#comment-31177</link>
		<dc:creator>Pern Hui Chia</dc:creator>
		<pubDate>Tue, 30 Jun 2009 10:51:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=1065#comment-31177</guid>
		<description>Hi Craig, very glad to hear that you are interested. We look at certification issues on mobile platforms, and study the behavioral, social and economic aspects of software installation. It is a joint work with my friends in NRC (Helsinki) and they have noted your interest. I have also put up some basic info on my PhD page. Look forward to working with you. 

Note that my last name is Chia. :)</description>
		<content:encoded><![CDATA[<p>Hi Craig, very glad to hear that you are interested. We look at certification issues on mobile platforms, and study the behavioral, social and economic aspects of software installation. It is a joint work with my friends in NRC (Helsinki) and they have noted your interest. I have also put up some basic info on my PhD page. Look forward to working with you. </p>
<p>Note that my last name is Chia. :) </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ross Anderson</title>
		<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/comment-page-1/#comment-31171</link>
		<dc:creator>Ross Anderson</dc:creator>
		<pubDate>Sat, 27 Jun 2009 10:41:12 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=1065#comment-31171</guid>
		<description>That was a rump session talk, so you&#039;ll have to track down the speaker and ask him. Sorry, I should have made clear in that post that it was a rump session; anyone could stand up and say anything for five minutes. I&#039;ll edit the post to make that clear.</description>
		<content:encoded><![CDATA[<p>That was a rump session talk, so you&#8217;ll have to track down the speaker and ask him. Sorry, I should have made clear in that post that it was a rump session; anyone could stand up and say anything for five minutes. I&#8217;ll edit the post to make that clear.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Craig Heath</title>
		<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/comment-page-1/#comment-31169</link>
		<dc:creator>Craig Heath</dc:creator>
		<pubDate>Fri, 26 Jun 2009 16:51:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=1065#comment-31169</guid>
		<description>I&#039;m very interested in Pern Hui Chua&#039;s findings on collaborative software scrutiny; is there a paper available?  I couldn&#039;t find it on the WEIS site.</description>
		<content:encoded><![CDATA[<p>I&#8217;m very interested in Pern Hui Chua&#8217;s findings on collaborative software scrutiny; is there a paper available?  I couldn&#8217;t find it on the WEIS site.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tom Berson</title>
		<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/comment-page-1/#comment-31166</link>
		<dc:creator>Tom Berson</dc:creator>
		<pubDate>Fri, 26 Jun 2009 01:13:02 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=1065#comment-31166</guid>
		<description>Thanks, Ross, for sharing your careful and insightful notes. Lots of interesting ideas at WEIS.</description>
		<content:encoded><![CDATA[<p>Thanks, Ross, for sharing your careful and insightful notes. Lots of interesting ideas at WEIS.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ben Mazzotta</title>
		<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/comment-page-1/#comment-31165</link>
		<dc:creator>Ben Mazzotta</dc:creator>
		<pubDate>Thu, 25 Jun 2009 21:02:52 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=1065#comment-31165</guid>
		<description>Thank you for the excellent coverage. I wish I could have attended this year.</description>
		<content:encoded><![CDATA[<p>Thank you for the excellent coverage. I wish I could have attended this year.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ross Anderson</title>
		<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/comment-page-1/#comment-31164</link>
		<dc:creator>Ross Anderson</dc:creator>
		<pubDate>Thu, 25 Jun 2009 17:14:32 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=1065#comment-31164</guid>
		<description>The last event was the rump session, at which anyone could stand up and talk for five minutes.

Frank Stajano talked of work on scams with Paul Wilson, of The Real Hustle (our dinner speaker yesterday): we should learn from scammers. He showed a video clip of &quot;the black money blag&quot;: the line is that cancelled banknotes are cancelled by being painted black before being sent to be burned. The conman produces a magic solution to remove the ink, demonstrates that it &quot;works&quot; using sleight of hand, and sells the crowd black banknotes plus solution. Such scams lead to principles: distraction, social compliance, herd, dishonesty, deception, need and greed, and time. They have a paper on this: see Frank&#039;s home page.

Next up was Richard Henson of the University of Worcester, researching what infosec can do for SMEs, and looking at stats of ISO 27001 certifications. Most go to big companies in the UK; SMEs do it only if customers tell them to. Only 28% were even aware of PCI DSS. Does this matter?

Third speaker was Joe Bonneau on &quot;Making Privacy Viral&quot;. Lots of people have published guides on how to protect your privacy on facebook; the most popular one has been downloaded over a million times. Joe can&#039;t figure out how it works without experimenting; users clearly want to know. Now it&#039;s economic and there&#039;s a book: &quot;The Holy Grail of Facebook Privacy&quot; (by the author of the million-download pdf). Privacy is about control, which often means delegating to others. Maybe what we need is a means for people to adopt the privacy settings already set by others: &quot;I want Joe&#039;s facebook settings&quot;. A paper on this will appear at SOUPS.

Kanta Matsuura spoke next on &quot;The Broader View, and Interactions&quot; inspired by yesterday&#039;s panel on interdisciplinary working. He&#039;d like more inter-sector working: three quarters of this WEIS&#039;s papers are from university people only. How do we encourage industry participants? He mentioned the IFIP conference on trust management in Japan next year, http://www.ifip-tm2010.org. General security events like Oakland and SCIS exhibit more industry-academia collaboration.

Nicolas Courtois: &quot;Economics of Keeping the Spec Secret&quot;. Businesses often see secrecy as simply raising the barrier for competitors and keeping out hackers. How can we value this? Take for example Mifare classic, whose cipher was secret (contrary to Kerckhoffs) and recently broken. The optimal financial strategy for a security company may be to sell snake oil, and go bankrupt when their products are broken. Should there be some regulatory intervention, such as requirement for bonding or evaluation?

Pern Hui Chua is working on collaborative software scrutiny for mobile platforms with Nokia. Android does not require testing; iPhone uses centralised scrutiny; Symbian and J2ME require independent testing. What&#039;s the future for third-party apps? They did a study and found that only a quarter or so of users paid attention to signatures; and the gmail client isn&#039;t signed while the flexispy spyware is. He concludes that signing is a signalling game, and wonders whether social rating might not be better. The risk communication might get better. As part of this, he prototyped a UI, in which users had to kill a Pac-man monster in order to install an app, in order to prevent automatised click-through; 80% of users liked the idea.

Eric Johnson is working on rating vendors. At present, a security vendor like Iron Mountain is being rated by hundreds of customers, and a customer like Goldman spends tons of money rating vendors. (BITS has got some traction but is self-assessment.) So Moody&#039;s and Goldman tried a rating agency as a joint venture. Is the rating market viable, and do ratings affect vendor competition? Moody&#039;s charge vendors $23,000 for initial assessment and $10,000 pa for monitoring; customers charge $3,000 pa plus $500-750 per report. (In the bond market, only the issuers pay.) Moody&#039;s is stepping back and Goldman&#039;s interested in continuing with other partners. (John Moody started in 1909 with analysis of railroad investments, got a bit of traction in the 1930s, and took off in 1975 when they were blessed by the SEC as part of a regulated oligopoly). 

Jean Camp announced SPIMACS for Nov 13 - www.infosecon.net will have the link soon. She is also working on incentive-based access control. The idea is that there are two types of insiders - malicious and inadvertent; the proposed fix is to provide each employee with a risk budget and pricing risky actions. Consistent rewards, even if small, can bring large changes in behaviour. Prices can even be a time friction. The goal is to align personal and organisational risk budgets, and also identify staff who are particularly risk-seeking or risk-averse.

The final rump session talk was by Ronald from Oxford, working on usable security. Protocols such as bluetooth require users to tell, compare or agree key fingerprints, the dependability of which can be hugely context dependent. Rather than formal proofs we need to pay attention to users&#039; intentions and incentives. Where are the trade-offs? This could be a useful thing to study.</description>
		<content:encoded><![CDATA[<p>The last event was the rump session, at which anyone could stand up and talk for five minutes.</p>
<p>Frank Stajano talked of work on scams with Paul Wilson, of The Real Hustle (our dinner speaker yesterday): we should learn from scammers. He showed a video clip of &#8220;the black money blag&#8221;: the line is that cancelled banknotes are cancelled by being painted black before being sent to be burned. The conman produces a magic solution to remove the ink, demonstrates that it &#8220;works&#8221; using sleight of hand, and sells the crowd black banknotes plus solution. Such scams lead to principles: distraction, social compliance, herd, dishonesty, deception, need and greed, and time. They have a paper on this: see Frank&#8217;s home page.</p>
<p>Next up was Richard Henson of the University of Worcester, researching what infosec can do for SMEs, and looking at stats of ISO 27001 certifications. Most go to big companies in the UK; SMEs do it only if customers tell them to. Only 28% were even aware of PCI DSS. Does this matter?</p>
<p>Third speaker was Joe Bonneau on &#8220;Making Privacy Viral&#8221;. Lots of people have published guides on how to protect your privacy on facebook; the most popular one has been downloaded over a million times. Joe can&#8217;t figure out how it works without experimenting; users clearly want to know. Now it&#8217;s economic and there&#8217;s a book: &#8220;The Holy Grail of Facebook Privacy&#8221; (by the author of the million-download pdf). Privacy is about control, which often means delegating to others. Maybe what we need is a means for people to adopt the privacy settings already set by others: &#8220;I want Joe&#8217;s facebook settings&#8221;. A paper on this will appear at SOUPS.</p>
<p>Kanta Matsuura spoke next on &#8220;The Broader View, and Interactions&#8221; inspired by yesterday&#8217;s panel on interdisciplinary working. He&#8217;d like more inter-sector working: three quarters of this WEIS&#8217;s papers are from university people only. How do we encourage industry participants? He mentioned the IFIP conference on trust management in Japan next year, <a href="http://www.ifip-tm2010.org" rel="nofollow">http://www.ifip-tm2010.org</a>. General security events like Oakland and SCIS exhibit more industry-academia collaboration.</p>
<p>Nicolas Courtois: &#8220;Economics of Keeping the Spec Secret&#8221;. Businesses often see secrecy as simply raising the barrier for competitors and keeping out hackers. How can we value this? Take for example Mifare classic, whose cipher was secret (contrary to Kerckhoffs) and recently broken. The optimal financial strategy for a security company may be to sell snake oil, and go bankrupt when their products are broken. Should there be some regulatory intervention, such as requirement for bonding or evaluation?</p>
<p>Pern Hui Chua is working on collaborative software scrutiny for mobile platforms with Nokia. Android does not require testing; iPhone uses centralised scrutiny; Symbian and J2ME require independent testing. What&#8217;s the future for third-party apps? They did a study and found that only a quarter or so of users paid attention to signatures; and the gmail client isn&#8217;t signed while the flexispy spyware is. He concludes that signing is a signalling game, and wonders whether social rating might not be better. The risk communication might get better. As part of this, he prototyped a UI, in which users had to kill a Pac-man monster in order to install an app, in order to prevent automatised click-through; 80% of users liked the idea.</p>
<p>Eric Johnson is working on rating vendors. At present, a security vendor like Iron Mountain is being rated by hundreds of customers, and a customer like Goldman spends tons of money rating vendors. (BITS has got some traction but is self-assessment.) So Moody&#8217;s and Goldman tried a rating agency as a joint venture. Is the rating market viable, and do ratings affect vendor competition? Moody&#8217;s charge vendors $23,000 for initial assessment and $10,000 pa for monitoring; customers charge $3,000 pa plus $500-750 per report. (In the bond market, only the issuers pay.) Moody&#8217;s is stepping back and Goldman&#8217;s interested in continuing with other partners. (John Moody started in 1909 with analysis of railroad investments, got a bit of traction in the 1930s, and took off in 1975 when they were blessed by the SEC as part of a regulated oligopoly). </p>
<p>Jean Camp announced SPIMACS for Nov 13 &#8211; <a href="http://www.infosecon.net" rel="nofollow">http://www.infosecon.net</a> will have the link soon. She is also working on incentive-based access control. The idea is that there are two types of insiders &#8211; malicious and inadvertent; the proposed fix is to provide each employee with a risk budget and pricing risky actions. Consistent rewards, even if small, can bring large changes in behaviour. Prices can even be a time friction. The goal is to align personal and organisational risk budgets, and also identify staff who are particularly risk-seeking or risk-averse.</p>
<p>The final rump session talk was by Ronald from Oxford, working on usable security. Protocols such as bluetooth require users to tell, compare or agree key fingerprints, the dependability of which can be hugely context dependent. Rather than formal proofs we need to pay attention to users&#8217; intentions and incentives. Where are the trade-offs? This could be a useful thing to study.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ross Anderson</title>
		<link>http://www.lightbluetouchpaper.org/2009/06/24/weis-2009-liveblog/comment-page-1/#comment-31163</link>
		<dc:creator>Ross Anderson</dc:creator>
		<pubDate>Thu, 25 Jun 2009 16:42:38 +0000</pubDate>
		<guid isPermaLink="false">http://www.lightbluetouchpaper.org/?p=1065#comment-31163</guid>
		<description>The first speaker at the last regular session was Marc LeLarge, talking on the economics of malware. As an example, the Storm Worm started infecting computers in January 2007 with emails about &quot;230 dead as storm batters Europe&quot; and grew rapidly to have over a million bots. He produced two models: an economic model of whether people invest in security, and a random-graph epidemic model in which the probability of infection differs for machines whose owners did, or did not, invest. It turns out there&#039;s a &quot;fulfilled expectations equilibrium&quot; (Katz and Shapiro 85) and it&#039;s possible to get a closed-form solution for the externalities. It&#039;s prudent to distinguish between private and public externalities. It also turns out that agents under-invest in security in all cases; the price of anarchy is always positive. (He also computed network externalities for the Erdos-Renyi graph case; see his paper at Sigmetrics 08.) Anyway, the nature of the equilibrium depends on how strong the protection is. If it&#039;s strong, there&#039;s one equilibrium and a free-rider problem; if it&#039;s weak there can be two and a coordination problem.

The second talk, by Vicente Segura, was about evaluating the incentives behind DDoS attacks, specifically on the femtocells being deployed by Telefonica. (Their proposed architecture included gateways which they were concerned might be DDoS&#039;ed.) They tried to estimate possible revenues from extortion, and to negotiate bandwidth prices with Russian botmasters. With the numbers they got, so long as fewer than 13% of users refused to pay up, extortion would not be a viable business. The data collection process taught them that cybercriminals are highly specialised and well organised. In questions, Soeren questioned whether a botnet might be rented for less to an associate of its herder. Richard complained that the model is nothing like complex enough, by comparison with the history of Russian DDoS attacks on the UK gambling industry - where the victims stopped the extortion by agreeing not to pay up any more.

The last regular speaker of the workshop was Stefan Frei, on the dynamics of insecurity. He collected lifecycle data on 27,000 vulnerabilities. This provided statistics of discovery, exploitation and patching. Only 15% of exploits are zero-day; the likelihood of an exploit goes up sharply from 15% to 78% at disclosure day, and 94% after 30 days. As for patch dynamics, 43% of vulns had a patch available at disclosure day, which measures responsible disclosure; within 30 days 72% had a patch available. The &quot;insecurity gap&quot; arises because exploits are systematically available faster than patches. It seems that the hackers have the better coders! Thus, he says, there is a need for independent information provision, and a business opportunity for AV/IDS to provide non-vendor defences. As for vuln distribution: in 1998, the top 100 vendors accounted for 98% of the vulns and now it&#039;s only 40%! MS is consistently the top vuln vendor, and Apple the second. Linux is currently 10th. Whatever platform you use, you can&#039;t hide! However there are huge inter-vendor differences in responsible disclosure. As for the whitemarket (Tipping point etc), it clearly has its place in the ecosystem: Sophos gets 57% of its vulns there and CA 39%. In short, it is now quite possible to relate lifecycle data to the processes in the security system. In questions: how does patch uptake affect all this - surely it&#039;s worse in practice? Stefan agreed: he has also been using google data to track browser patching. What&#039;s the big picture? The main problem is botnets; they&#039;re built from user machines; but the patching cycle is optimised for corporates; yet the home users don&#039;t enjoy the perimeter protection that corporates do. We could get a better equilibrium from more frequent patching. The general model appears to be sustainable though.</description>
		<content:encoded><![CDATA[<p>The first speaker at the last regular session was Marc LeLarge, talking on the economics of malware. As an example, the Storm Worm started infecting computers in January 2007 with emails about &#8220;230 dead as storm batters Europe&#8221; and grew rapidly to have over a million bots. He produced two models: an economic model of whether people invest in security, and a random-graph epidemic model in which the probability of infection differs for machines whose owners did, or did not, invest. It turns out there&#8217;s a &#8220;fulfilled expectations equilibrium&#8221; (Katz and Shapiro 85) and it&#8217;s possible to get a closed-form solution for the externalities. It&#8217;s prudent to distinguish between private and public externalities. It also turns out that agents under-invest in security in all cases; the price of anarchy is always positive. (He also computed network externalities for the Erdos-Renyi graph case; see his paper at Sigmetrics 08.) Anyway, the nature of the equilibrium depends on how strong the protection is. If it&#8217;s strong, there&#8217;s one equilibrium and a free-rider problem; if it&#8217;s weak there can be two and a coordination problem.</p>
<p>The second talk, by Vicente Segura, was about evaluating the incentives behind DDoS attacks, specifically on the femtocells being deployed by Telefonica. (Their proposed architecture included gateways which they were concerned might be DDoS&#8217;ed.) They tried to estimate possible revenues from extortion, and to negotiate bandwidth prices with Russian botmasters. With the numbers they got, so long as fewer than 13% of users refused to pay up, extortion would not be a viable business. The data collection process taught them that cybercriminals are highly specialised and well organised. In questions, Soeren questioned whether a botnet might be rented for less to an associate of its herder. Richard complained that the model is nothing like complex enough, by comparison with the history of Russian DDoS attacks on the UK gambling industry &#8211; where the victims stopped the extortion by agreeing not to pay up any more.</p>
<p>The last regular speaker of the workshop was Stefan Frei, on the dynamics of insecurity. He collected lifecycle data on 27,000 vulnerabilities. This provided statistics of discovery, exploitation and patching. Only 15% of exploits are zero-day; the likelihood of an exploit goes up sharply from 15% to 78% at disclosure day, and 94% after 30 days. As for patch dynamics, 43% of vulns had a patch available at disclosure day, which measures responsible disclosure; within 30 days 72% had a patch available. The &#8220;insecurity gap&#8221; arises because exploits are systematically available faster than patches. It seems that the hackers have the better coders! Thus, he says, there is a need for independent information provision, and a business opportunity for AV/IDS to provide non-vendor defences. As for vuln distribution: in 1998, the top 100 vendors accounted for 98% of the vulns and now it&#8217;s only 40%! MS is consistently the top vuln vendor, and Apple the second. Linux is currently 10th. Whatever platform you use, you can&#8217;t hide! However there are huge inter-vendor differences in responsible disclosure. As for the whitemarket (Tipping point etc), it clearly has its place in the ecosystem: Sophos gets 57% of its vulns there and CA 39%. In short, it is now quite possible to relate lifecycle data to the processes in the security system. In questions: how does patch uptake affect all this &#8211; surely it&#8217;s worse in practice? Stefan agreed: he has also been using google data to track browser patching. What&#8217;s the big picture? The main problem is botnets; they&#8217;re built from user machines; but the patching cycle is optimised for corporates; yet the home users don&#8217;t enjoy the perimeter protection that corporates do. We could get a better equilibrium from more frequent patching. The general model appears to be sustainable though.</p>
]]></content:encoded>
	</item>
</channel>
</rss>