Friday, March 13, 2015

Network Economics of Cybercrime and Cybersecurity

Lately I have been quite fascinated by the modeling challenges of both cybercrime and cybersecurity with my belief that the latter can only be well understood and captured if one has a good handle on the former.

I have for quite a few years been researching network vulnerabilities and Patrick Qiang and I even wrote a book on that topic: Fragile Networks: Identifying Vulnerabilities and Synergies in an Uncertain World. So moving into cyberspace vulnerabilities was a natural. In addition, when the opportunity presented itself for funding in this area through the Advanced Cyber Security Center then clearly the timing was also right. In a collaboration between the Isenberg School of Management and the College of Engineering at UMass Amherst, we received 2 grants. As part of the second grant, our team organized a terrific workshop at the Sloan School at MIT  (I may be biased but it really was terrific from both idea generation and networking perspectives).. The workshop was on  cybersecurity risk analysis for enterprises.   One of the benefits of such a workshop is not only the brainstorming that takes place but also that research ideas that gel.

The first paper in this area in a stream of papers that I have authored or co-authored was recently published in the INFORMS journal Service Science and it is entitled: A Multiproduct Network Economic Model of Cybercrime in Financial Services, Service Science 7(1): (2015) pp 70-81.

INFORMS was kind enough to issue a press release on it: A New Model of Cybercrime Factors in Perishanility of Stolen Data, thanks to our wonderful Communications Director, Barry List.  The model focuses on financial service firms and captures the decay in the value of cyberhacked products over time in terms of their prices.

The network economic framework that I constructed in the paper permits quantifiable evaluation of various policy interventions that are investigated:
  1. Determining the impact of strategies that make it harder to attack financial products’ source locations (computer servers)
  2. Evaluating ways that make it harder for cybercriminals to make transactions through the common technique of increasing transaction costs
  3. Exploring changes in the demand price to evaluate greater or lesser interest in criminal products at demand markets. 
The release has appeared on EurekAlert!, physorg.com, and also by UMass Amherst. I very much like the writeup by Paul Roberts on this paper that appeared in the Digital Guardian: Sale By Date: Research Finds that Stolen Data is Perishable.

As for our research on cybersecurity, there we also focus on the network issues and on the probability of an organization getting hacked and incurring associated damages, based on its investments in cybersecurity and also those of the others in their "network." We have developed a series of more general models with the latest one dealing with nonlinear budge constraints. In our work we care not only about good models but also effective computational procedures as well as insights for policy makers. We are utilizing game theory and variational inequality theory for the model formulations, qualitative analyses, and algorithmic implementations.