August 05, 2010

Are we spending too little on security? Or are we spending too much??

Luther Martin asks this open question:

I have a quick question for you based on some recent discussions. Here's the background.

The first was with a former co-worker who works for the VC division of a large commercial bank. He tells me that his bank really isn't interested in investing in security companies. Why? Apparently for each $100 of credit card transactions there's about $4 of loss due to bad debt and only about $0.10 of loss due to fraud. So if you're making investments, it's clear where you should put your money.

Next, I was talking with a guy who runs a large credit card processing business. He was complaining about having to spend an extra $6 million on fraud reduction while his annual losses due to fraud are only about $250K.

Finally, I was also talking to some people from a government agency who were proud of the fact that they had reduced losses due to security incidents in their division by $2 million last year. The only problem is that they actually spent $10 million to do this.

So the question is this: are we not spending enough on security or are we spending too much, but on the wrong things?

Cormac Herley's work is interesting.

In particular, read

C. Herley and D. Florencio, "Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy," WEIS 2009, London

C. Herley, "So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users," NSPW 2009, Oxford

Posted by: anonymouse at August 6, 2010 03:48 PM

That first paper, Herley and Florencio's /Dishonesty/, I was unaware of.

It is a little odd at the start, I think because it is bemused by the Akerlof prediction that the market should collapse and not exist. This I think is a bit extreme, and the best way I can think of describing it is the market for spam: basic mathematical and economic models would also predict it will collapse, because so many emails need to be sent out ... but the market exists, so the theory is wrong. There is more to investigate.

Beyond that, I'd suggest the reader carry on. The paper's argumentation is well thought out. I certainly found compelling its claim that the IRC/credit card trading market is a /market for lemons/.

I especially like the integration with Coase's transaction economics, and the prediction that there is therefore a two tier market. OK, so it won't be so neat in real life, but there is enough of a foundation here to actually describe something that is happening in that market.

We know the bigger gangs are in operation, and have sophisticated trading; we know the IRC channels involve an inefficient trade. The notion of the IRC market as a lemons market, and the gang market as a private, controlled/owned market like a Coasian Corporation makes a lot of sense. Indeed, the implication that they are hermetically sealed from each other is quite fascinating, and should be testable.

Posted by: (Iang on) Dishonesty, Uncertainty and the Underground Economy at August 7, 2010 06:29 AM

recent post about "security proportional to risk" ... merchants interest in the transaction (information) is proportional to profit ... possibly a couple dollars ... and processors interest in the transaction (information) is possibly a couple cents ... while the risk to the consumer (and what the crooks are after) is the credit limit &/or account balance ... as a result the crooks may be able to outspend (attacking the system) the merchant/processors (the system) by a factor of 100 times.

x9.59 addressed the "security proportional to risk" aspect ... but it also tweaks the paradigm so the consumer information at the merchants & processors wasn't "at risk" ... aka the current paradigm is trying to create motivation for the merchants and processors to protect consumer information (where most security infrastructures have entities protecting their own assets ... it gets harder to motivate entities to protect the assets of others)

Posted by: Lynn Wheeler at August 7, 2010 12:22 PM

some of this goes back to "Naked Transaction Metaphor" ... several old posts ...

and related here:

Naked Payments I - New ISO standard for payments security - the Emperor's new clothes?
Naked Payments II - uncovering alternates, merchants v. issuers, Brits bungle the risk, and just what are MBAs good for?
Naked Payments III - the well-dressed bank
Naked Payments IV - let's all go naked

besides the issue of motivating institutions to "protect" vulnerable consumer information ... there is a lot of difficulty (enormous expense and lots of cracks) with attempting to prevent misuse of (vulnerable) consumer/transaction information that is widely distributed and required in a large number of business processes. The x9.59 assertion is rather than attempting to plug the millions of possible leaks (to prevent the information from falling into the hands of crooks), it is much more effective to change the paradigm and eliminate the crooks being able to use the information for fraudulent transactions.

Posted by: Lynn Wheeler at August 8, 2010 08:30 AM

Another related paper of Herley and Florencio is:

"Phishing as Tragedy of the Commons," NSPW, 2008.

They claim that estimates of phishing losses are exaggerated by 100x or so. That'd corroborate Luther Martin's data points. I.e., banks don't do much because it's too small a problem.

Posted by: Arctic Hare at August 10, 2010 10:05 PM

>foreach $100 of credit card transactions there's about $4 of
>loss due to bad debt and about only $0.10 of loss due to

That is weird since I frequently hear that "accepted" CC fraud loss is around 2-4%, not 0.1%.

What's the story here?

Posted by: Anton Chuvakin at August 13, 2010 08:05 PM
