Something Wicked
Defensible Social Architecture in the context of Big Data, Behavioral Econ, Bot Hives, and Bad Actors
allison miller
@selenakyle
a world of firewalls & moats
soylent perimeter is people
scammers
phishing
malware
@selenakyle
troll thunderdome
from behavior to tech to behavior
decision science + applied economics
behavior, data, analytics, economics, preferences, incentives
system theory + machine learning = smarter social systems
data rules everything around me
modeling + feedback
driving risk to a chokepoint
decisions have cost
quantified performance
models + feedback
[Diagram (models + feedback): three lanes, UX / Platform / Back Office; boxes: Event, Decision Strategy (Score / Policy), Models*, Verdict, Response, Post-decision UX, Post-Txn Experience, Post-event actions, Post-event data, Data aggregates (txn & acct records), Model training, testing, & builds]
* speaking ground truth to power
decisions & cost
                 | Authorize                                 | Block
  Good           |                                           | false positive (Good Action Gets Blocked)
  Bad            | false negative (Bad Action Gets Through)  |
  -> Downstream Impacts
quantified performance
[Charts: three gain charts, each titled "Gain", y-axis "% Bad is True", x-axis "% Total"]
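The three slides above (decisions have cost, the authorize/block vs good/bad matrix, and the gain charts) as one worked example. This is added code, not the deck's own: it scores a constructed set of events, tallies the 2x2 outcomes at a threshold, prices false positives and false negatives, sweeps the threshold to find the cheapest chokepoint, and produces the "% Bad is True vs % Total" gain-chart points. The cost figures and scores are constructed.

```python
"""Cost-weighted decisioning and a gain chart for a risk score.

Added example, not code from the deck. It replays the slides' 2x2 outcome
accounting (authorize/block x good/bad) on a constructed set of scored events,
prices the two kinds of error, and sweeps the score threshold (the "chokepoint")
to find the verdict policy with the lowest total decision cost.
"""
from dataclasses import dataclass

# Constructed sample: (model score, ground truth is_bad). Higher score = riskier.
# Ground truth is what post-event data later reveals ("speaking ground truth to
# power"), so it is only available to evaluate the policy, never to decide.
EVENTS = [
    (0.95, True), (0.90, True), (0.85, False), (0.80, True), (0.75, True),
    (0.70, False), (0.60, True), (0.55, False), (0.50, False), (0.45, True),
    (0.40, False), (0.30, False), (0.25, False), (0.20, True), (0.15, False),
    (0.10, False), (0.08, False), (0.05, False), (0.03, False), (0.01, False),
]


@dataclass
class Outcome:
    authorized_good: int = 0  # correct approval
    blocked_bad: int = 0      # correct block
    blocked_good: int = 0     # false positive: good action gets blocked
    authorized_bad: int = 0   # false negative: bad action gets through


def decide(events, threshold):
    """Block every event whose score >= threshold; tally the 2x2 outcomes."""
    o = Outcome()
    for score, is_bad in events:
        block = score >= threshold
        if block and is_bad:
            o.blocked_bad += 1
        elif block:
            o.blocked_good += 1
        elif is_bad:
            o.authorized_bad += 1
        else:
            o.authorized_good += 1
    return o


def decision_cost(outcome, fp_cost, fn_cost):
    """Downstream impact of the verdicts: each false positive forfeits a good
    action (fp_cost), each false negative lets a loss through (fn_cost)."""
    return outcome.blocked_good * fp_cost + outcome.authorized_bad * fn_cost


def cheapest_threshold(events, fp_cost, fn_cost):
    """Sweep every observed score (plus 'block nothing') and return the
    threshold with the lowest total cost; ties go to the laxer threshold."""
    candidates = [float("inf")] + sorted({s for s, _ in events}, reverse=True)
    return min(candidates,
               key=lambda t: (decision_cost(decide(events, t), fp_cost, fn_cost), -t))


def gain_chart(events):
    """Walk down the score ranking and return, after each event,
    (% of total reviewed, % of all bad caught, % of blocked that are bad)."""
    ranked = sorted(events, key=lambda e: e[0], reverse=True)
    total_bad = sum(1 for _, b in ranked if b)
    points, caught = [], 0
    for k, (_, is_bad) in enumerate(ranked, start=1):
        caught += int(is_bad)
        points.append((100.0 * k / len(ranked),
                       100.0 * caught / total_bad,
                       100.0 * caught / k))
    return points


if __name__ == "__main__":
    for fp, fn in ((1, 10), (4, 10)):
        t = cheapest_threshold(EVENTS, fp, fn)
        o = decide(EVENTS, t)
        print(f"fp_cost={fp} fn_cost={fn}: block at score >= {t:.2f} "
              f"-> {o} cost={decision_cost(o, fp, fn)}")
    for pct_total, pct_bad, precision in gain_chart(EVENTS)[4::5]:
        print(f"review top {pct_total:5.1f}%: catches {pct_bad:5.1f}% of bad, "
              f"{precision:5.1f}% of blocked are bad")
```

Raising the price of a false positive from 1 to 4 moves the cheapest chokepoint from blocking everything scored 0.20 and up to blocking only 0.45 and up, which is the "decisions have cost" point in numbers.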
preferential treatments
no, YOU’RE irrational
behavioral...
...finance
...economics
...game theory
choice architecture
opinionated design
data devaluation
...competition
framing + anchoring
opinionated design
are you sure?
opinionated design
let’s not.
data devaluation
choice architecture
opinionated design
data devaluation
...other system agents
dismal scienceing
Microeconomics
• Model for estimating consumption given individual preferences, under a budget constraint
• Utility maximization
• Preferences: Consumption mix
  • Good A vs Good B
  • Labor vs leisure
• Budget constraint
Positive        | Normative
What it is      | What it should be
Descriptions    | Recommendations
Themes of Security Economics
• Security ROI
• Cybercrime supply chains
• Market for Lemons
• Make it more expensive for the attacker
• Tragedy of the Commons
• Risk Tolerance
• Exploit/Vuln markets
• Behavioral Economics / Gamification
Wicked Games
Preferences
Utility
Money
Returns
Competition
Tolerances
Uncertainty
Data
Returns
Adversaries
Policy Analysis
Graph Theory
Dynamic Threat Models
Cyberinsurance
Security Econometrics
Classification
Inferior Goods
Security “CPI”
Incentive Design
Coalitional Game Theory
@selenakyle
Toolkit to Consider
Security ROI -> Tradeoff distributions
Security Poverty Line -> Inferior Goods
Information Asymmetries -> Signaling
Repeated Games -> Coalitional Game Theory
Risk management -> Going for V(X) vs E(X)
@selenakyle
coalitional game theory
consumption & maturity
signal development
omg risk
(you’ve just been risk-rolled btw)
Concept where theory meets behavior
• Expected value vs expected variance
• Probability gives you both; we tend to focus on E(x)
• Risk aversion is a condition that relies on V(x)
[Slides: 2x2 payoff matrices for players A and B, with payoffs (10, 3), (2, 10), (2, 5), (-3, 3); the strategy labels change across slides: UP/DOWN, CIRCLE, RED/BLUE, MARIO/LUIGI, KIRBY/GIZMO]
An example
You have $20k, but a 50/50 chance of losing $10k
• Expected value?
• $15k (i.e. .5($20k)+.5($10k))
Insurance costing $5k will cover full loss. Should you buy it or not?
• E(X) w/insurance? -> $15k (for sure)
• E(X) w/o insurance -> $15k (but as EITHER $10k or $20k)
A risk averse individual will opt for the same E(X) w/less uncertainty (less risk)
• People seek utility maximization, not payoffs
• Risk, i.e. uncertainty, reduces overall utility (wealth)
An example…continued
You have $20k, but a 50/50 chance of losing $10k
• E(X) = $15k
You are offered partial insurance costing $2.5k that will cover half of the loss ($5k).
@ No Loss: $17.5k ($20k – 2.5k)
@ Loss: $12.5k ($20k – 2.5k – 10k + 5k)
• Expected value = $15k (but as EITHER $17.5k or $12.5k)
Risk, i.e. uncertainty, is reduced, but there is still a $5k spread (variance) between the two outcomes
#BOOMTIME #RISK @SELENAKYLE
What this Looks like
[Figure: concave Utility vs Wealth curve; E(V) marked at wealth 15, with U(total) at 15, U(partial) spanning 12.5 to 17.5, and U(no insurance) spanning the full range]
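The two insurance slides and the utility figure above, worked through in code. This is an added example, not the deck's own: it computes E(X), V(X) and the outcome spread for no, partial and full cover on the slides' numbers, and adds a square-root utility function (my assumption; the slide only shows a generic concave curve) to show why equal E(X) with less variance wins for a risk-averse agent.

```python
"""Expected value vs variance under no, partial, and full insurance.

Added example, not code from the deck. It replays the slides' scenario
($20k of wealth, a 50/50 chance of losing $10k) for the three policies and
adds a concave utility function (square root, an assumption; the slides show
a generic concave curve) to show why a risk-averse agent prefers lower
variance at the same expected value.
"""
import math

WEALTH = 20.0   # $k
LOSS = 10.0     # $k lost in the bad state
P_LOSS = 0.5    # probability of the bad state

# (premium paid up front, payout if the loss happens), in $k, from the slides
POLICIES = {
    "none": (0.0, 0.0),
    "partial": (2.5, 5.0),   # half the loss covered for $2.5k
    "full": (5.0, 10.0),     # whole loss covered for $5k
}


def outcomes(premium, payout):
    """Terminal wealth distribution as (probability, wealth) pairs."""
    no_loss = WEALTH - premium
    loss = WEALTH - premium - LOSS + payout
    return [(1 - P_LOSS, no_loss), (P_LOSS, loss)]


def expected_value(dist):
    return sum(p * x for p, x in dist)


def variance(dist):
    mu = expected_value(dist)
    return sum(p * (x - mu) ** 2 for p, x in dist)


def expected_utility(dist, u=math.sqrt):
    """E[u(X)]: with a concave u, spread in X lowers this even when E[X] is fixed."""
    return sum(p * u(x) for p, x in dist)


def compare(policies=POLICIES, u=math.sqrt):
    """Per policy: E(X), V(X), the best-to-worst spread, and expected utility."""
    rows = {}
    for name, (premium, payout) in policies.items():
        d = outcomes(premium, payout)
        values = [x for _, x in d]
        rows[name] = {
            "E": expected_value(d),
            "V": variance(d),
            "spread": max(values) - min(values),
            "EU": expected_utility(d, u),
        }
    return rows


def preferred(policies=POLICIES, u=math.sqrt):
    """The policy a utility maximizer picks: highest expected utility, not
    highest expected payoff (all three policies tie on E(X))."""
    rows = compare(policies, u)
    return max(rows, key=lambda name: rows[name]["EU"])


def max_premium_for_full_cover(u=math.sqrt, u_inv=lambda y: y * y):
    """Most a sqrt-utility agent would pay to swap the uninsured gamble for a
    sure thing: wealth minus the certainty equivalent u^-1(E[u(X)])."""
    certainty_equivalent = u_inv(expected_utility(outcomes(0.0, 0.0), u))
    return WEALTH - certainty_equivalent


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:8s} E={row['E']:.2f} V={row['V']:.2f} "
              f"spread={row['spread']:.1f} EU={row['EU']:.4f}")
    print("preferred:", preferred())
    print(f"would pay up to ${max_premium_for_full_cover():.2f}k for full cover "
          f"(fair premium is ${P_LOSS * LOSS:.2f}k)")
```

The fair premium for the slides' full cover equals the expected loss ($5k); the agent's willingness to pay exceeds it only because of the curvature of u, which is the gap the figure draws between U(total) and U(no insurance).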
The language of risk
• Some optimization functions assume *certainty*
• But making decisions under uncertainty is core to:
• Competition
• Investment
• Reality
• How are we talking about risk? Focus on E(X) or V(X)?
How to Win at Risk
Win or lose?
• Game theory approach: maximize payoff
…Tends to gravitate towards expected value
• The “defender’s dilemma” assumes a risk intolerant
system manager
…Lower expected loss.
• Optimal investments manage to value and variance
…Build systems with better risk capacity
…Portfolio theory, not just point performance
<regroup>
humans: how do they work?
humans: how do they work?
are you sure?
by the pricking of my thumbs,
something wicked this way comes.
open, locks,
whoever knocks.
Thank You BSidesLV!
Allison Miller
@selenakyle
Some references (mostly about behavior)
• Improving SSL Warnings: Comprehension and Adherence. A. Felt, A. Ainslie, R. Reeder, S. Consolvo, S. Thyagaraja, A. Bettes, H. Harris, and J. Grimes. CHI, pages 2893-2902. ACM, 2015. https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43265.pdf
• D. Akhawe and A. P. Felt. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. In Proc. of USENIX Security, pages 257–272, 2013.
• Ariely, Dan. Predictably Irrational: The Hidden Forces That Shape Our Decisions. New York, NY: HarperCollins, 2008.
• Arthur, W. Brian. All Systems Will Be Gamed: Exploitive Behavior in Economic and Social Systems. Santa Fe Institute, SFI Working Paper 2014-06-016. http://tuvalu.santafe.edu/~wbarthur/Papers/All%20Systems%20Gamed.pdf To appear in Complexity and the Economy, W. B. Arthur, Oxford University Press, 2014.
• Kahneman, Daniel. Thinking, Fast and Slow. New York: Farrar, Straus and Giroux, 2011.
• Leyton-Brown, Kevin, and Yoav Shoham. Essentials of Game Theory: A Concise, Multidisciplinary Introduction. [San Rafael, Calif.]: Morgan & Claypool, 2008.
• Meadows, Donella. Thinking in Systems: A Primer. London: Chelsea Green Publishing, 2008.
More references (mostly about decisions & game theory)
• Axelrod, Robert M. The Evolution of Cooperation. New York: Basic, 1984.
• Dixit, Avinash and Nalebuff, Barry. The Art of Strategy: A Game Theorist's Guide to Success in Business and in Life.
• Dormehl, Luke. Thinking Machines. Tarcher Perigee. New York, 2017.
• Fisher, Len. Rock, Paper, Scissors: Game Theory in Everyday Life. New York: Basic, 2008.
• Gibbons, Robert. Game Theory for Applied Economists. Princeton, NJ: Princeton UP, 1992.
• Gintis, Herbert. Game Theory Evolving: A Problem-centered Introduction to Modeling Strategic Behavior. Princeton, NJ: Princeton UP, 2000.
• Ignacio Palacios-Huerta (2003). "Professionals Play Minimax". Review of Economic Studies, Volume 70, pp. 395-415.
• Jackson, Leyton-Brown & Shoham. Game Theory. (Stanford University and University of British Columbia: Coursera), http://www.coursera.org, Accessed 2013.
• Polak, Ben. Game Theory (Yale University: Open Yale Courses), http://oyc.yale.edu, Accessed 2012. License: Creative Commons BY-NC-SA.
• Thomas, L. C. Games, Theory, and Applications. Chichester: E. Horwood, 1984.
• Wikipedia's sections on Game Theory, Economics, & Probability.
Even more references (mostly about security economics)
• Anderson, Ross. "Risk and Privacy Implications of Consumer Payment Innovation." PDF available at http://www.cl.cam.ac.uk/~rja14/Papers/anderson-frb-kansas-mar27.pdf. Paper presented at the "Consumer Payment Innovation in the Connected Age" conference, March 29-30, 2012, Kansas City, Mo.
• Anderson, Ross, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, and Stefan Savage. "Measuring the Cost of Cybercrime" (2012). PDF available at: http://weis2012.econinfosec.org/papers/Anderson_WEIS2012.pdf
• Camp, L. Jean and Wolfram, Catherine D. "Pricing Security: Vulnerabilities as Externalities." Economics of Information Security, Vol. 12, 2004. Available at SSRN: http://ssrn.com/abstract=894966
• MacCarthy, Mark. "Information Security Policy in the U.S. Retail Payments Industry." Workshop on the Economics of Information Security, June 2010.
• Sullivan, Richard J. "The Changing Nature of U.S. Card Payment Fraud: Issues for Industry and Public Policy." For presentation at the 2010 Workshop on the Economics of Information Security. May 21, 2010.
• Skeen, Dale. "How Real-Time Analytics Protects Banks from Large Scale Cyber Attacks." Information Security Buzz, accessed Feb 23, 2014. http://www.informationsecuritybuzz.com/real-time-analytics-protects-banks-large-scale-cyberattacks/
• Varian, Hal. "Managing Online Security Risks." New York Times; New York, N.Y.; Jun 1, 2000.
