I’m at the 22nd Workshop on the Economics of Information Security in Geneva, and will be liveblogging the sessions in the followups to this post. Links to previous editions of WEIS, along with liveblogs and recordings, may be found here.
We were welcomed to WEIS 2023 in the University of Geneva by Afroditi Anastasaki from UNITAR, the UN Institute for Training and Research, whose mission is training diplomats, particularly from less developed countries. Her agency has recently been working on digital empowerment and digital sovereignty, which encompasses many questions around how states can maintain sovereignty in today’s complex online world. There will be a digital sovereignty hackathon on Friday and Saturday where UNITAR, the University of Geneva and commercial sponsors invite participation.
The first refereed paper at WEIS 2023 was given by a local researcher, Dingchen Ning of the University of St Gallen, with a talk on Time Dynamics of Cyber Risk. How are risks changing, and how can we measure this? All sorts of grand statements are made by marketing folks, but there are inconsistent empirical results on actual cyber losses, so Dingchen has been studying three databases of claims, maintained by Advisen, SAS OpRisk Global and Privacy Rights Clearinghouse. He does not find strong evidence of significant changes but finds various second-order effects such as changes in delay bias, and a possible shift to more claims but smaller ones from smaller firms. Dingchen also sets out to use more modern methods to measure tail risk; risks are still heavy-tailed, but the risk of negligent incidents appears stable while that of malicious ones appears to be decreasing. Pushing this research forward requires more standardised data and serious interdisciplinary work.
The next speaker was Nan Clement talking on the M&A Effect on Data Breaches in Hospitals: 2010-2022. Nan’s question is whether mergers cause more data breaches in hospitals. Data breaches harm patient welfare, as the measured mortality rate goes up. Mergers can lead to disruption, incompatibility, honest mistakes, disgruntled staff and a larger target, both from the merging hospitals and from all the advisers. She got data on 6000 hospital mergers and breaches from DHHS since 2010 and applied a two-year window. She found from stacked difference-in-differences that the breach probability doubled from 3% to 6% on merger. Looking more closely, the significant change was in insider-misconduct data breaches, which went up from 2.7% to 30%, and even worse (50%) when the target was a struggling hospital (e.g. reporting bankruptcy in the previous year). Hacking went up from 0.25% to 2.6%. An exception was ransomware, which increased more in the period between announcement and deal closure (1.41%) than after closure (1.14%). In the pre-signing period, insider misconduct actually fell by about a percent, which may be an effect of the hospital management making greater efforts. It’s not clear what’s special about hospitals; it would be great to run these tests on public companies generally, if we had the data.
The last speaker of the first session was Justin Theriot whose question was Does Decomposing Losses Improve Our Understanding of the Financial Impact of Data Breaches? He’s been working for four years on a project to provide accurate and defensible risk quantification to clients, incorporating some insights from past WEIS papers into the code base. His FAIR methodology’s focus is breaches of confidentiality, and their associated primary response costs, as well as the frequency of secondary costs such as lawsuits and fines. He has 2.983 data points from Jan 2005 to Dec 2021. There are large differences between OLS and elastic net models; PCI DSS increases costs by 278% vs 9% for these two models. Industry regulation allows for more fines and judgments. European firms are more worried about privacy, and rules lead to larger numbers of smaller judgments. Secondary response costs are significantly lower either way.
The second session was a panel on “Incentivizing Cyber Resilience”; its members were Scott Stransky and Carol Aplin of Marsh MacLennan, Dingchen Ning who spoke in the first session, and the program chair Thomas Maillart. Cyber insurance prices doubled in 2021-22 because of the proliferation of ransomware, though they have come down just a bit recently; Scott has observed this as a broker, while Thomas measures it as an academic. The unique thing about cyber risks is correlation of risk; you can’t spread risk by geographical diversification, because of monocultures. So we need to pay attention to the tails of the risk distribution. How large might losses be in the future? Which controls are most predictive of cyber risk? Carol has run stats by sector, turnover and even by the self-assessment that companies fill out when they buy insurance, and paired that with ten years of claims data. She found about 20 different controls showed some effect. MFA is really helpful if you do it thoroughly, for example. However a corporate IT system is an evolving thing and must be seen as a process rather than something you evaluate at one snapshot; this is a big challenge. And what’s the extreme event we want to model? Nobody models an asteroid hitting the earth, or Yellowstone erupting; similarly we’re not going to model the Internet, or Amazon, going away. But Amazon’s gone down for 50 hours already; do we model a week? And when we have some defined “catastrophes”, do we issue “cat-bonds”? You can buy a cat-bond for a hurricane hitting Miami, and it pays a high rate of interest – only if a hurricane hits Miami, you lose your principal. Its virtue for investors is that it’s uncorrelated with the rest of the stock market. Where the rubber hits the road is when companies decide whether to spend their last $100k on MFA or on insurance. In response to questions, Carol admitted that fewer customers are answering questionnaires, but that may change as the market tightens.
And might insurance bring moral hazard? Even if direct losses are covered, not all losses will be. Again, the data are lacking as it’s not a badge of honour to rebuild after a hack the way it is after a hurricane. People need to stop being embarrassed about cyber events.
The third session started with Jack Hughes discussing Argot as a Trust Signal: Slang, Jargon & Reputation on a Large Cybercrime Forum. He trained a model to recognise argot (slang and jargon), then investigated its use in Hackforums. It’s used less by people with high reputation, suggesting it may be used more by newbies trying to join the swim – the “cold start problem”. This was supported by data analysis. Argot also drops off as users enter into contracts with others; these can be measured as Hackforums has an archive of contracts to support its escrow mechanism. It seems that new members’ use of argot tends to drop off after four months or so once they’re established. There have been attempts by law enforcement agents to disrupt underground markets by abusing such signals. Attempts were made to do more granular analysis by argot subtypes but doing that properly may require more data annotation.
Michele Campobasso gave the last talk of Wednesday about You Can Tell a Cybercriminal by the Company they Keep: A Framework to Infer the Relevance of Underground Communities to the Threat Landscape. Which underground markets “work”? This depends on filtering out bad sellers, so markets have mechanisms to resolve disputes and ban scammers; they have reputation systems and escrow mechanisms; they can be closed, with entry fees; and markets can themselves evaporate in an exit scam. Michele considers a market to be “good” if at least one of its users has been indicted. He has built a framework to analyse which mechanisms work; strict seller verification policies and good customer relationships are important, and it also helps if the admins themselves are not sellers. Good markets tend to be a bit more segregated and thus remain under the radar. They tend to be more stable and somewhat similar to each other. In short, adverse selection and moral hazard have to be dealt with; the markets’ efficacy at facilitating crime is probably also a factor.
Armin Sarabi opened Thursday’s sessions with a talk on Enhancing Vulnerability Prioritization: Data-Driven Exploit Predictions with Community-Driven Insights. He collects data from intrusion detection systems and measures exploits; about 5% of known vulnerabilities are exploited in the wild. Both numbers are increasing steadily! His Exploit Prediction Scoring System (EPSS) makes these data available as a tool for prioritising remediation, and is supported by a community of about 200 organisations. As the CVSS score isn’t a good predictor, they’ve developed a succession of EPSS scores, with v1 relying on hand-crafted features, while v2 added gradient-boosted trees and v3 added more data sources, including publicly available exploit code and presence in offensive tools and zero-day lists. The base model is XGBoost, and labels for training include exploit evidence from IDS and honeypots. With EPSS v3, for example, covering the top 15.3% of vulns will cover you against 90.4% of attacks. This system’s users include Justin Theriot who spoke yesterday.
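The coverage figure in the talk (patch the top-scored slice of vulnerabilities, catch most of the ones that are actually exploited) is a simple computation once you have a score and ground-truth labels. The following is an added example, not EPSS’s own code or data: it sorts a constructed list of vulnerabilities by a predicted exploit probability, reports coverage, efficiency and effort at a chosen threshold, and finds the threshold needed for a target coverage. The identifiers and labels are placeholders made up for the example.

```python
"""Vulnerability prioritisation by exploit-probability score (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder identifier, not a real CVE
    score: float      # predicted probability of exploitation (constructed)
    exploited: bool   # ground truth from IDS/honeypot evidence (constructed)


# Constructed sample: four of ten vulnerabilities were actually exploited.
SAMPLE = [
    Vuln("CVE-0000-0001", 0.97, True),
    Vuln("CVE-0000-0002", 0.91, True),
    Vuln("CVE-0000-0003", 0.85, False),
    Vuln("CVE-0000-0004", 0.60, True),
    Vuln("CVE-0000-0005", 0.40, False),
    Vuln("CVE-0000-0006", 0.30, False),
    Vuln("CVE-0000-0007", 0.12, True),
    Vuln("CVE-0000-0008", 0.08, False),
    Vuln("CVE-0000-0009", 0.03, False),
    Vuln("CVE-0000-0010", 0.01, False),
]


def prioritise(vulns, threshold):
    """Vulnerabilities at or above the threshold, highest score first."""
    return sorted((v for v in vulns if v.score >= threshold),
                  key=lambda v: v.score, reverse=True)


def coverage_and_efficiency(vulns, threshold):
    """Coverage: share of exploited vulns caught by remediating the chosen set.
    Efficiency: share of the chosen set that really was exploited.
    Effort: share of all vulns the team has to remediate."""
    chosen = prioritise(vulns, threshold)
    exploited_total = sum(v.exploited for v in vulns)
    exploited_caught = sum(v.exploited for v in chosen)
    coverage = exploited_caught / exploited_total if exploited_total else 0.0
    efficiency = exploited_caught / len(chosen) if chosen else 0.0
    effort = len(chosen) / len(vulns)
    return round(coverage, 3), round(efficiency, 3), round(effort, 3)


def threshold_for_coverage(vulns, target):
    """Walk down the ranking until the target coverage is reached; return
    (score threshold, effort as a fraction of all vulns), or None."""
    ranked = sorted(vulns, key=lambda v: v.score, reverse=True)
    exploited_total = sum(v.exploited for v in vulns)
    caught = 0
    for i, v in enumerate(ranked, start=1):
        caught += v.exploited
        if exploited_total and caught / exploited_total >= target:
            return v.score, round(i / len(vulns), 3)
    return None


if __name__ == "__main__":
    for t in (0.9, 0.5, 0.1):
        cov, eff, eff_ort = coverage_and_efficiency(SAMPLE, t)
        print(f"threshold {t:.2f}: coverage {cov:.0%}, efficiency {eff:.0%}, effort {eff_ort:.0%}")
    print("for 90% coverage:", threshold_for_coverage(SAMPLE, 0.9))
```

The design point is the one the talk makes: a threshold is a trade between coverage and effort, and the right one depends on how much remediation capacity the organisation has, which is why the figures are quoted as pairs (top 15.3% of vulns for 90.4% of attacks) rather than as a single score cut-off.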
Yu-Kai Lin was next with A Theory of Open Source Security: The Spillover of Security Knowledge in Vulnerability Disclosures through Software Supply Chains. He argues that in an open-source ecosystem, security knowledge flows downstream from OSS suppliers to customers, just as vulnerabilities do. There exist literatures on organisational learning, OSS development, OSS security and security vulnerabilities; how can we synthesise them? Yu-Kai’s framework follows the bugs from genesis through discovery, exploitation, patching and remediation. The Open Source Vulnerabilities (OSV) database from Google links up the National Vulnerabilities Database (NVD) with libraries.io which tracks the open-source stuff. He analysed disclosures by suppliers and consumers from Jan 2017 to Dec 2020, by supplier-CWE-consumer triad, for over 400 suppliers and almost 300k consumers. It turns out that consumers are very much more likely to disclose vulnerabilities that were already disclosed by their suppliers. Perhaps one explanation, a questioner noted, is that an upstream disclosure makes it impossible for a firm to cover up a vulnerability in their code; another issue is that SBOMs will signal an enormous number of false positives, such as MD4 code that isn’t invoked by the supplier’s code, so vendors will have to filter on whether they really believe they’re vulnerable.
Lefteris Andreadis has been studying Cyberattacks, Media Coverage and Municipal Finance. Municipalities are particularly vulnerable to hackers as they have less capable IT teams but a lot of personal information, and confidence in them can be measured via their bond values. So how does the spread of news about cyberattacks affect their cost of capital? Lefteris used Privacy Rights Clearinghouse data for breaches, a web crawler to track news of breaches, and a diff-in-diff approach to analyse them. He found that the effect is concentrated on bonds with higher default risks, and counties are more exposed than municipalities whose finance is more likely to be internal. Also, it affects investors who are local to the attacked public body, and the effect is stronger on bonds that have an explicit warning about cybersecurity risk. The results do not replicate for “private” attacks, namely those that got little publicity.
In the rump session, I reported our work in No Easy Way Out: The Effectiveness of Deplatforming an Extremist Forum to Suppress Hate and Harassment. Here, we measured the industry’s campaign in late 2022 to close down Kiwi Farms, after that platform was used to launch attacks on a trans activist, who responded by mobilising people on Twitter to persuade a number of tech firms to withdraw their services, starting with Cloudflare. This may be a warning of the limitations of the process proposed in the UK Online Safety Bill whereby Ofcom will get court orders to deplatform undesirable services. It is also an example of the research that can be done with the ExtremeBB database that Cambridge makes available to researchers.
Mingyan Liu was on next, talking on quantifying the social cost of data breaches. We normally only measure the primary costs of breaches, such as the cost of cleanup. Mingyan is looking for collaborators to work on the secondary and tertiary costs, such as the financial harm to victims’ customers who may suffer card fraud and the associated psychological and social costs. Another example relates to the disclosure of personal health information in connection with insurance fraud in the USA.
Tyler Moore has been studying gaps in enterprise cyber attack reporting. For example, Norwegian Cruise Line buried a breach disclosure in an SEC filing in 2018 and then put out a news release as Covid broke. What else can be found about firms’ manipulative reporting? He sampled 1300 of the 7809 firms mentioning “cyber” in SEC filings and found 15 in SEC alone, 46 in SEC and Hackmageddon, and 64 in Hackmageddon only. Publicly-traded health companies are also interesting; hospitals always report to the HHS but sometimes don’t report to the SEC. Email Tyler for a copy of this paper.
Tyler’s second quick talk was on how cryptocurrency exchange interruptions create arbitrage opportunities. Bitfinex gives very accurate data on outages, but trading often continued, intermittently, during the outage, yet with the price spread exceeding the arbitrage band during 68.5% of events. The takeaway is that people are DDoSing the exchange to create arbitrage opportunities, with the median profit exceeding $60k per outage.
Nicholas Niggli from the canton of Geneva moderated Thursday morning’s panel on open source intelligence and information security. Kurt Nielsen is an entrepreneur who runs Partisia Blockchain. Stephan Duguin runs the Cyber Peace Institute, protecting vulnerable communities from online disinformation and hybrid threats; he was formerly at Europol and his clients are now mostly international NGOs. Huskaj Gazmend runs the Geneva Center for Security Policy, having previously been in the Swedish armed forces. One problem is how we train future international leaders to be sophisticated about intelligence, including OSINT and AI. The classic cycle of direction, collection, analysis and dissemination takes weeks; modern tools can compress that to hours and then minutes, and the consumers will not be just humans but machines. But can artificial intelligence trump natural stupidity, the traditional disenabler of government information collection and analysis? And what happens once the Internet gets filled with blah, generated by LLMs; can your OSINT systems rely on it any more? And the bad guys use OSINT too. So when should breaches be make public, and when should they be shared in closed communities? And how can you build sustainable economic models around open source? And when using open techniques to investigate crime online, how can you respect privacy and avoid revictimising people? It can be tough, as the banks will claim GDPR to stop you talking to their customers. The regulatory environment matters: and the AI Act, the DSA, and the rest of European regulatory spaghetti-ball will change the rules. Nobody really knows any more what the rules are. Can you comply with all the spaghetti, or can you deal with it some other way? GDPR, for example, calls for a lot of box ticking, but people who want to grab control of their data find it almost impossible; and if they get disclosures of their data, understanding it is almost impossible. 
Self-regulation doesn’t really work (see how little firms cared about terrorist content) but regulation mostly works for the big guys. The legal challenges are ramified by organisational ones, and small organisations have little chance of navigating the mess without some risk. So one of the things the Cyber Peace Institute does is to help small NGOs with the navigation.
Waking us up after lunch was the job of Clara Jean, whose topic was Trade-offs in Automating Platform Regulatory Compliance By Algorithm: Evidence from the COVID-19 Pandemic. As President Macron has just been talking about stopping riots by switching off social media, and European law is starting to mandate more platform moderation, what can researchers say about this? Platforms are left to design their own advertising rules, and the volumes require moderation to be automated. Algorithms are inefficient at times of crisis as they’re expected to deal with material on which they’ve not been trained. Clara studied the effects of Facebook adapting its mechanisms for US political advertising (which mandate ad authorisation for a “paid by” label) to the broader category of SIEP (social issues, economics and politics) during the pandemic. This resulted in normal UK public-health ads being blocked as they didn’t have the right disclaimer. So Clara collected FB ads from January to June 2020 and also scraped advertisers’ pages. She found that over 3% of government ads were disqualified compared with 1% of all ads, and these figures were both multiplied by about three for covid-related ads. Where advertisers had a blue check to signal that the advertiser was verified, this cut the rejection rate for company ads but not for government ads. Why might this be? She checked a variety of hypotheses, but none of the ones she could check seemed to explain the effect.
Fiona Payne was next presenting research on Municipal Cyber Risk. She compiled a novel dataset of IT investment in towns and then compared this with both breach data and municipal bond yields on secondary markets (a survey of bond market sentiment in late 2021 had put cybersecurity sixth in the list of concerns). She created a matched sample of town pairs to run a diff-in-diff on bond yields and IT investment. She finds that IT expenditure rises in hacked towns. She finds a similar effect with small-scale hacks that are reported only locally, unlike this morning’s paper. She concludes that hacks cause IT spend to rise and eventually bond yields fall. Does IT spend predict future hacking? Yes, it’s cut somewhat. What’s the effect of hack publicity? The effect is on trading volume and thus liquidity. So, why is cybersecurity underprovided? It seems that ransomware attacks serve as disciplining devices. Are towns short-termist? High resident turnover means that towns react more. The same holds for towns with more newspapers. This undermines the hypothesis that hacked towns are just badly governed. But money might not be the answer for towns that lack technical knowledge and can’t hire at the local level. This talk provoked very extensive discussion about all the possible factors, and the tension with the results in this morning’s paper. Those were mostly coastal towns, while this study looked at the middle of the country where there may be smaller IT departments and fewer newspapers. Bond ratings are so sticky that they provide no useful signal; and the results appeared to hold across a range of town sizes.
The panel on digital sovereignty was chaired by Jean-Marc Rickli, with Victoria Wang of SDG China, a lawyer involved in tech policy; Dr Alain Mermaud of Armasuisse, the Swiss government tech purchasing agency, who has a cybersecurity background and now does tech forecasting; Vagisha Srivastava, a PhD candidate at Georgia Tech studying tech policy in India; and Mihoko Kumamoto of UNITAR, who has been at the UN for twenty years. The definition of sovereignty depends on your definition of the sovereign; if this means democracy, then people must be able to vote. It might also mean personal sovereignty in the sense of empowering individuals with capacity in the form of digital skills. Both involve some aspect of loss of citizenship. The shift of digital power has many aspects: that the populations of India and China together are less than Facebook’s users; that the market cap of the tech majors exceeds the whole stock market of many countries; that tech distances children from parents. Sovereignty is never absolute though, and states large and small spy too much on their citizens. The real debates are about control of data, and practical ways forward include open source software. Another is offset purchasing; when Armasuisse spends $6bn on F35 fighters it demands $3bn back in offset technology purchases. UNITAR tackles digital gaps such as individuals with no Internet access or no digital literacy, particularly in poor and post-conflict countries. Industry remains sceptical because of government lack of competence at making policy and enforcing the laws that already exist.
The first paper of Thursday’s final session was by Austin Ebel, on Attackers and Defenders in Cybersecurity and their Optimal Investment Decisions. He builds on the Gordon-Loeb model as extended by Baryshnikov, and makes it into a two-sided model by adding a rational attacker. The attacker has a monotonically increasing concave breach probability function, inspired by John Danskin’s max-min theory of weapons allocation. This enables Austin to estimate a price of deterrence – just enough to make it not worth the attacker’s while to try an attack at all. The defender’s strategy is complex as it’s a non-convex optimisation problem and there are several cases to consider. The solution might be all-or-none where you either deter or do nothing, or all-or-some where you might invest less than full deterrence. The end result is that a rational defender might spend more than under Gordon-Loeb; and when you add risk-averse defenders, it gets more complex still.
The last paper of Thursday was given by Ziyuan Huang, discussing Interdependent Security Games in the Stackelberg Style: How First-Mover Advantage Impacts Free-Riding and Security (Under-)Investment. We can combine network and Stackelberg games where players invest in security with negative spillover to neighbours. There exists a unique subgame perfect equilibrium whose profile is the Nash equilibrium profile of the reduced game. Also, such sequential games tend to lead to less security investment than simultaneous-move games. They are simpler to analyse in transient-free networks, i.e. where every node is either a source or a sink.
Friday’s first speaker was Lioba Heimbach, discussing The Potential of Self-Regulation for Front-Running Prevention on DEXes. Decentralised exchanges, or DEXes, let people exchange virtual currencies via smart contracts that act as constant product market makers (CPMMs) with a liquidity pool that comes from many market participants. A pool trading bitcoin for ether has a pool of both and a price curve, with each trade moving the price to a different point. So transactions that come between order and execution shift the price, a phenomenon known as slippage; trades are submitted with a stated slippage tolerance. This leads to the sandwich attack in which the attacker places a buy in front of a trade and a matching sell after it; it’s profitable as the price curve is convex. DEXes on ethereum experience sandwich attacks that cost traders $10m a month and make attackers $2m profit. What happens when a liquidity pool implements front-running prevention? Lioba models the game between sandwich attackers, traders, arbitrageurs and liquidity pool providers. She shows that the liquidity will usually end up in one pool or the other, and that for most of the parameter space it will be the pool with front-running prevention.
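The mechanics in the talk (constant product pool, a trade moving the price, slippage tolerance) can be seen in a few lines of code. The following is an added example, not code from the paper or from any DEX: it models a pool with x·y = k and no fee, quotes a trade, and shows that when another trade lands ahead of yours the loss you can suffer relative to the quote is bounded by the slippage tolerance you set, because a trade whose output falls below that bound reverts instead of executing. Reserve sizes and trade amounts are constructed for the example; a real pool also charges a fee, which is omitted here for clarity.

```python
"""Slippage and slippage tolerance on a constant-product market maker (added example)."""


class ConstantProductPool:
    """Toy CPMM: reserves x and y, invariant x * y = k, no trading fee."""

    def __init__(self, reserve_x, reserve_y):
        self.x = float(reserve_x)   # units of token X in the pool (constructed)
        self.y = float(reserve_y)   # units of token Y in the pool (constructed)

    def spot_price(self):
        """Marginal price of X in units of Y."""
        return self.y / self.x

    def quote_x_for_y(self, dx):
        """Y received for dx units of X, without changing pool state."""
        k = self.x * self.y
        return self.y - k / (self.x + dx)

    def swap_x_for_y(self, dx, min_out):
        """Execute the swap; revert (raise) if the output is below min_out.
        min_out is how a slippage tolerance is enforced on-chain."""
        dy = self.quote_x_for_y(dx)
        if dy < min_out:
            raise ValueError("slippage tolerance exceeded")
        self.x += dx
        self.y -= dy
        return dy


def slippage_pct(pool, dx):
    """Percentage by which the effective price is worse than the spot price.
    Grows with trade size because the price curve is convex."""
    effective = pool.quote_x_for_y(dx) / dx
    return round(100 * (1 - effective / pool.spot_price()), 4)


def trade_after_price_move(tolerance, ahead_dx=20.0, my_dx=10.0):
    """A trader quotes my_dx units of X, sets min_out from the tolerance,
    and then another trade of ahead_dx lands first. Returns
    (executed?, loss in Y relative to the quote)."""
    pool = ConstantProductPool(1000, 1000)
    quoted = pool.quote_x_for_y(my_dx)
    min_out = quoted * (1 - tolerance)
    pool.swap_x_for_y(ahead_dx, 0.0)       # someone else's trade executes first
    try:
        received = pool.swap_x_for_y(my_dx, min_out)
    except ValueError:
        return False, 0.0                   # reverted: no loss beyond gas
    return True, round(quoted - received, 4)


if __name__ == "__main__":
    p = ConstantProductPool(1000, 1000)
    for size in (1, 10, 100):
        print(f"trade {size} X: slippage {slippage_pct(p, size)}%")
    for tol in (0.01, 0.05):
        print(f"tolerance {tol:.0%}: executed/loss =", trade_after_price_move(tol))
```

A tight tolerance (1% here) makes the trade revert once the price has moved against it, whereas a loose one (5%) lets it execute at the worse price, which is exactly the gap a front-runner profits from; the paper’s question is how a pool that prevents front-running changes the incentives so that traders do not have to rely on the tolerance alone.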
Next was Oleh Stupak speaking on Secure and Efficient Networks. Oleh has been using contest theory to analyse a network design and protection game in which the defender has a number of nodes and can connect them in various ways; the attacker attempts to compromise one vertex while the defender protects one too, or a proper subset (generalising Colonel Blotto). Oleh considers security and efficiency simultaneously. As in rock/paper/scissors, there is no equilibrium in pure strategies; a rational defender will choose a “no soft spots” strategy so that any target protected with positive probability is equally attractive to the attacker. The defender’s payoff is maximised on a star network, and maximised on a complete network. An interesting special case is a “maxi-core” network with two nodes of degree nine and eight nodes of degree four.
The last refereed paper of WEIS23 was given by Swaathi Vetrivel, and her talk title was Birds of a Feather? A Comparative Analysis of DDoS Victimisation by IoT Botnet and Amplification Attacks. The biggest botnet DDoS attacks have been a lot larger than the biggest amplification attacks; who gets targeted? Swaathi collected target IPs from honeypots and CnC servers, obtained via Netlab. ISPs attract more amplification attacks, and hosting providers more botnet attacks; botnets were more likely to target high-ranked ASes, domains on dedicated hosting, and richer countries. Overall they are more likely to involve profits rather than social activism, and criminal law enforcement may be what works best against them. She suspects that botnet attacks cost more, so kids are less likely to use them.
The rump session was started off by Boris Hemkemeier and Wiebke Reimer, on The Untrue Cost of Cybercrime. The EU cyber-resilience act was justified by a claim that cybercrime cost Eur 5.5tr, equal to $6tr. This number is everywhere! It seems to come from “Cyber Security Ventures” for 2021 and has been repeated by the UN and elsewhere. Yet global military spending is only $2tr and the cost of reconstructing Ukraine is estimated at $400bn. The EU attributed its claim to its joint research centre, which cited CSV, a marketing magazine for the US cybersecurity industry, who in turn cite a blog post by Microsoft from 2016, who cited the WEF claiming $3tr by 2025. The WEF attributed the $3tr to the cost over 2014–2020 of consumer caution and cyber-regulation, and in the worst case!
Daniel Woods was next, and he’s collecting evidence for security controls: studies whose data come from systems exposed to real threat actors (e.g. insurance claims), where the independent variables are security controls, procedures or technologies, and where the outcomes matter to the organisation. He’s found about a dozen; if you know of any more, please send them to him.
Aljona Rebakovski is also interested in quantifying cyber risk, but for modelling. She uses the FAIR standard, from The Open Group. This calculates a loss exceedance curve based on estimated loss event frequencies and loss magnitudes. After workshopping your business processes and crown jewels, you estimate minimum, mode and maximum loss values, run Monte Carlo simulations and then look at the 95% low and high outcomes to guide capital investments. The soft spots are in the supply chain and, more generally, in knowing which scenarios to worry about.
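To make the loss exceedance curve concrete, here is an added example, not The Open Group’s FAIR tooling or anything from the talk: each simulated year draws a Poisson number of loss events from an estimated annual frequency, draws a triangular loss magnitude (minimum, mode, maximum) for each event, and sums them; sorting the simulated annual losses gives the exceedance curve and the low and high percentiles used to guide investment. The frequency and loss estimates are a constructed scenario, and the triangular distribution stands in for whatever calibrated distribution a real analysis would use.

```python
"""Loss exceedance curve from a FAIR-style Monte Carlo (added example)."""
import bisect
import math
import random


def poisson(rng, lam):
    """Poisson-distributed event count via Knuth's method (fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(freq_per_year, loss_min, loss_mode, loss_max,
                           years=20000, seed=1):
    """Return the sorted list of simulated annual losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        events = poisson(rng, freq_per_year)
        # random.triangular takes (low, high, mode)
        losses.append(sum(rng.triangular(loss_min, loss_max, loss_mode)
                          for _ in range(events)))
    losses.sort()
    return losses


def percentile(sorted_losses, p):
    """p in [0, 1]; the annual loss not exceeded in a fraction p of years."""
    idx = min(len(sorted_losses) - 1, int(p * len(sorted_losses)))
    return sorted_losses[idx]


def exceedance_probability(sorted_losses, threshold):
    """P(annual loss > threshold), one point on the loss exceedance curve."""
    above = len(sorted_losses) - bisect.bisect_right(sorted_losses, threshold)
    return above / len(sorted_losses)


def summarise(sorted_losses):
    """Expected annual loss plus the 5th, 50th and 95th percentiles."""
    return {
        "expected": sum(sorted_losses) / len(sorted_losses),
        "p05": percentile(sorted_losses, 0.05),
        "p50": percentile(sorted_losses, 0.50),
        "p95": percentile(sorted_losses, 0.95),
    }


# Constructed scenario: one loss event every two years on average,
# with a loss of at least 50k, most likely 200k, at most 2M per event.
SCENARIO = dict(freq_per_year=0.5, loss_min=50_000, loss_mode=200_000,
                loss_max=2_000_000)

if __name__ == "__main__":
    losses = simulate_annual_losses(**SCENARIO)
    for name, value in summarise(losses).items():
        print(f"{name}: {value:,.0f}")
    for threshold in (0, 250_000, 1_000_000, 2_000_000):
        print(f"P(loss > {threshold:>9,}) = {exceedance_probability(losses, threshold):.3f}")
```

The shape of the output is the point: with a frequency below one event a year the median annual loss is zero, so reporting only the median would hide the risk, which is why FAIR practice looks at the tail percentiles rather than the centre of the distribution.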
Sanghyun Han discussed trade policy and non-trade barriers; false claims about non-trade barriers are widely used by states as a shadow industrial policy. What ideas from security economics might be useful in analysing this?
Sebastian Gillard has been simulating cooperation and resilience in complex systems using agent-based models. Under what set of parameters does cooperation in multi-round prisoners’ dilemma played by a grid of agents lead to cyber resilience in the grid as a whole?
Jean Camp argued for better linguistic analysis in cybercrime forums. Looking at Conti, she found that a lot of stuff was missed, notably Russian humour. People opposed to an authoritarian state resort to it, and there’s been a long history through trickbot and the arrest of Kaspersky. Scholars often miss the imagery which hovers between patriotism and satire, and the subtleties of “Russia is not weird (western, educated, industrialised, rich, democratic)”. Training NLP on English systems can miss stuff structurally.
Serge Egelman had been studying data brokers, who sell data collected from consumers, e.g. via location tracking in apps. They tend to claim some tortured version of “consent” or “anonymous”; yet FullContact claims to reidentify such data and to have 10^9 mobile ad ids. Of course all this data is “ethically sourced”. So he got “anonymous” data, reidentified the subjects, and surveyed them to see whether they had “consented” and whether they wanted to sue. In the meanwhile the FTC filed suit against Kochava, so the brokers now all want you to sign ferocious NDAs. What’s the best way round / forward?
Dann Arce announced that WEIS 2024 will be at UT Dallas on April 9 and 10, the two days after the solar eclipse on April 8th.
The final panel was moderated by Steve Ramsden, CISO of the Global Fund which fights HIV, TB and Malaria, with Ben Segal of CERN, Zeina Zakhour of Eviden, the CTO and R&D head of Atos, and Marieke Hood of GESDA. Ben joined CERN in 1971 to do data communications and encountered the Internet in 1977, realising that TCP/IP could connect their computers, and did it underground as “standards” were the religion; he taught TBL network programming. He was in charge of protecting their Cray, using the first two Cisco routers in Europe to do IP filtering (Cisco had 20 staff then). He got the routers to act as terminal multiplexers too for remote support, with dialback to authenticate users, and introduced smart cards for access (though he couldn’t give them to Iranians). Back then security was widely considered to be a pain in the neck! Zeina maintains a list of 150 security technologies and estimates their maturity to get an idea of when Atos’s clients are likely to be implementing them. She thinks that digital sovereignty (whatever that is) may be a coming thing, along with OT and the integration of AI/ML into identity and access management “solutions”. GESDA is the Geneva Science and Diplomacy Anticipator; its job is to anticipate scientific breakthroughs and bring science-based evidence to help diplomats plan what new science might help over the next 5-10 years. Right now they’re pushing quantum computing. Their questions are where’s the real potential for climate change, food security and other important problems. There’s a chasm between the top-down standardisation approach favoured by states and the more humble bottom-up approach involving RFCs and running code that works in tech. What we’re still lacking includes high-level international governance and treaties.
At CERN, they noticed that Siemens controllers could be hacked but found no interest in fixing them; even if updates were available, operators of nuclear plant and the like would not be interested in installing them. So Stuxnet was no surprise, and a big problem for the future will be patching. Whose responsibility will it be when a vuln isn’t patched and this leads to a failure – the plant operator or the vendor? The vendors wriggle out if they can, and may even claim that the bug was a feature.
The final event at WEIS was the awards.
The best paper award went to Nan Clement for her paper Does Decomposing Losses Improve Our Understanding of the Financial Impact of Data Breaches? while the best presentation award went to Lioba Heimbach for The Potential of Self-Regulation for Front-Running Prevention on DEXes and the best poster to Rachiyta Jain, Margherita Marinetti and Daniel Woods for their poster Consumer Insurance and Cyber Losses: Gaps, Coverage and Pricing.
Thank you for the blogging!
Here is the link to my rump session talk.
https://www.researchgate.net/publication/372244921_Rump_Session_Presentation_WEIS_2023
And the paper
https://www.researchgate.net/publication/372244795_An_Argument_for_Linguistic_Expertise_in_Cyberthreat_Analysis_LOLSec_in_Russian_Language_eCrime_Landscape
Thank you for sharing our paper!