Shostack + Friends Blog Archive

 

The Costs of Secrecy

Security continues to be crippled by a conspiracy of silence. The ongoing costs of not talking about what’s going wrong are absolutely huge, and today, we got insight into just how huge.

Richard Clayton and Tyler Moore of Cambridge University have a new paper on phishing, “The consequence of non-cooperation in the fight against phishing.” In it, they look at how phishing sites are taken down, and estimate how much faster it would be if there were better sharing of data. From their blogpost:

Since extended lifetimes equate to more unsuspecting visitors handing over their credentials and having their bank accounts cleaned out, these delays can also be expressed in monetary terms. Using the rough and ready model we developed last year, we estimate that an extra $326 million per annum is currently being put at risk by the lack of data sharing. This figure is from our analysis of just two companies’ feeds, and there are several more such companies in this business.

I haven’t had time to read the paper in depth, but I have a lot of respect for both Richard and Tyler. Have you read the paper? Impressions? (Here or on their blog.)

One comment on "The Costs of Secrecy"

  • Chris says:

    I read it. I am of two minds about it. Mind 1 says, “Wow. These tech guys really get it, and are taking yet another important step into layers 8 and 9 of the stack”.
    Mind 2 says “A paper that discusses incentive structures impeding the emergence of cooperation, with its earliest citation being of a 1983 Hirshleifer paper? Grumble…”.
    With their data, and the approach they use, these guys have an opportunity to move beyond the game-theoretic just-so stories that some of the B-school folks in the field like to tell (which are all theory and no data), and I hope their next paper does this. I felt this paper was a bit too data-centric, and didn’t provide sufficient theoretical grounding. I suspect this reaction is as much due to my indoctrination @Chicago as it is to anything else, so apply the suitable discount rate.
    Massive agreement on the respect, BTW.

Comments are closed.