Economics of Security Workshop 2024

Workshop on Real-life impacts of security vulnerabilities (2024)

Introduction

Offensive (information) security is where security researchers analyze existing systems to uncover security or privacy vulnerabilities. Usually, a vulnerability found in a prominent system is accompanied by substantial coverage in the technology, and sometimes even popular, media.

Although claims of security vulnerabilities in top academic conferences are usually technically correct, sometimes they may not have any discernible impact in practice immediately. But practitioners and decision makers need to decide what remedial action, if any, is warranted – ranging from doing nothing to immediate recall or replacement of the system in question. The security research community usually does not have the expertise (and often does not even attempt) to assess the likely real-life impact of a given vulnerability because the impact is dependent not just on technological factors but also on several other factors, chief among them economic.

On the other hand, widespread negative perception from well-publicized vulnerabilities can lead to a substantial opportunity cost. Decision makers in the industry may be tempted to prematurely pull technologies from deployment. Students and researchers may shy away from a particular technology that was found to have vulnerabilities because they perceive it as too risky.

This leads to questions like (how) can we assess the realistic real-life impact of claimed security vulnerabilities? Are there tools, techniques, principles, checklists, or best-practice guidelines that can help? Are there other settings (for example, environmental impact assessments) where similar needs have arisen and addressed? What can security experts contribute to make similar approaches applicable to information security?

A prerequisite to answering this question is starting a conversation among offensive security experts, industry practitioners, and experts in economic matters. We hope to do this by holding a half-day workshop at ETH Zurich bringing together (1) offensive security researchers who have found significant security/privacy vulnerabilities, (2) practitioners with insights about how such vulnerabilities were dealt with in real-life, and (3) economists, actuaries, and accountants who have expertise in methods and processes to assess potential real-world impact (possibly in other similar contexts than just cybersecurity or privacy)

To keep the scope tractable, we can limit the discussion to hardware-assisted security mechanisms where we, the organizers, have expertise in. We plan to have a few short introductory talks to set the stage, followed by a panel involving experts from different disciplines. We hope for very active audience participation.

For some context on this topic, see this blog article by N. Asokan.

Program

Thursday, April 18, 2024

13:30-14:00: Registration and Coffee
14:00-14:10: Welcome, Prof. Bonhoeffer (Director, Collegium Helveticum)
14:10-14:25: Introduction, N. Asokan (University of Waterloo) (Slides [pdf] [ppsx])
14:25-14:45: Finding, Patching, and Promoting Security Research – and what about Sustainability? Daniel Gruss (TU Graz) (Slides [pdf])
14:45-15:05: Modeling Vulnerabilities Based on Attack Value, Eduardo Vela Nava (Google) [Google Slides]
15:05-15:25: Quantifying Cyber Risk, Rainer Boehme (University of Innsbruck) (Slides [pdf])
15:25-15:50: Information security vulnerabilities from an insurer’s perspective – risk transfer and the real-life financial impact on the economy and general public, Lucas Engl (Zurich Insurance) (Slides [pdf])
15:50-16:10: Break
16:10-17:40: Panel discussion on Real-life impacts of security vulnerabilities, host: Shweta Shinde (ETH Zurich), participants: Hans Gersbach (ETH Zurich), Kaveh Razavi (ETH Zurich), Mark Brand (Google), Anders Fogh (Intel)
17:40-17:55: Closing, Kari Kostiainen (ETH Zurich)
18:00: Apéro

Invited Speakers

Daniel Gruss (@lavados) is an Associate Professor at Graz University of Technology. He has been teaching undergraduate courses since 2010. Daniel’s research focuses on side channels and transient execution attacks. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. In 2023, he received an ERC Starting Grant to research the sustainability of security. He frequently speaks at top international venues.

Abstract of his talk:
Every day our systems receive multiple patches against security vulnerabilities. Each of these patches comes with its costs that stack up in an unsustainable way. One of these patches was our KAISER patch against the Meltdown vulnerability we published in 2018. In 2030, a single patch of this gravity could drive up global electricity consumption by 0.5%. We will look at some security issues inside
processor microarchitectures and how we can address them. We will understand why the patches are necessary and why they are expensive. Finally, we will discuss how fundamental changes in how we design systems could yield alternatives more sustainable, both in terms of energy consumption and creating systems with inherent strong secure properties.

Eduardo Vela plays a key role in Google’s ongoing battle against vulnerabilities. Working with teams across the company, he helps ensure that flaws in Google products are addressed and that responsible disclosure practices extend throughout the industry. He was one of the pioneers of Google’s bug bounty program and has led it for over a decade, shaping the landscape for ethical security research. Currently he analyzes Linux kernel and CPU exploits to identify and understand fundamental weaknesses. His work aims to strengthen the technological foundation upon which we all rely, enabling a future where everyone can use technology safely.

Abstract of his talk:
A vulnerability on its own doesn’t mean much and not all security holes are created equal. Traditional security checks focus on the technical details of a vulnerability. But to really grasp the risk, we need to broaden our view. This talk explains how the true danger of a vulnerability isn’t just about what it is and how easy it is to exploit. We’ll look at what makes attackers tick, what’s at stake for victims, and a company’s ability to respond all shape the true impact of a vulnerability. By understanding these factors, we can get a better idea of which vulnerabilities pose the biggest risks and how to prioritize fixes accordingly in the long term.

Lucas Engl is a lead for cyber underwriting of large corporations in the specialty insurance department of Zurich Insurance. He is responsible for developing risk transfer solutions for major financial and commercial enterprises with internationally exposed insurance programs, but also involved in handling domestic SME portfolios. In addition to his role in direct insurance as market facing underwriter, Lucas is seasoned with reinsurance on the buyer and seller side as well as captive solutions, working in tight collaboration with the top carriers in the (re)insurance industry. Furthermore, his tasks encompass the maintenance and growth of OSP/MSSP pipelines as well as provision of correlated risk consulting, which aims to improve insureds cyber maturities. With a finance background and high involvement in the cyber insurance market since its early kick-off as mainstream line of business, he is skilled in bridging his know-how to bring both fields closer together.

Abstract of his talk:
This presentation explores information security vulnerabilities from the perspective of insurers, focusing on the risk transfer and the real-life financial impact on the economy and general public. First, the goal is to give a brief introduction to cyber insurance, highlighting its significance in today’s digital landscape. The assessment of a company’s cybersecurity posture is then discussed under consideration of key factors like market cycles, frequency/severity calculations and research on claims data. Understanding these helps insurers evaluate and underwrite policies effectively. Furthermore, we will examine the direct and indirect costs that can result from a cyber incident at a company. By analyzing financial implications such as business interruption, reputational damage, and (regulatory) fines, insurers gain insights into the potential impact on their policyholders and the wider economy. Addressing vulnerabilities of policyholders is a critical aspect explored in the next point. Insurance carriers must develop strategies to mitigate risk and support their insureds in managing and preventing cyber threats. Patch and vulnerability management are identified as crucial components in this process, emphasizing the importance of timely updates and security measures. The presentation highlights the prevalent concerns regarding ransomware actors, financially motivated hackers, and organized crime. Their tactics, motives, and the potential consequences of their actions are discussed, shedding light on the evolving threat landscape. In the context of the workshop, it will be addressed how especially vulnerabilities that are easily exploitable pose significant risks as attackers are likely to move on to the next target if the exploitation process becomes challenging.

Rainer Böhme is Professor of Computer Science and Head of the Security & Privacy Laboratory at the University of Innsbruck in the Austrian Alps. As an engineer with a background in economics and media science, he is known for his interdisciplinary approach to solving challenging problems in information security and privacy. Rainer’s research interests include digital forensics, steganography and steganalysis, privacy-enhancing technologies, economic and behavioral aspects of information security & privacy, and – last but not least – virtual currencies and cryptographic financial instruments. Rainer holds a PhD in Computer Science from the TU Dresden in Germany. He has also held positions at the University of California at Berkeley, the University of Münster in Germany, the MIT Media Lab, and has worked for the European Central Bank and the Bank for International Settlements.

Abstract of his talk:
We introduce a causal model inspired by structural equation modeling that explains cyber risk outcomes in terms of latent factors measured using reflexive indicators. We use the model to classify empirical cyber harm studies. We discover cyber harms are not exceptional in terms of typical or extreme losses. The increasing frequency of data breaches is contested and stock market reactions to cyber incidents are becoming less negative over time. Focusing on harms alone breeds fatalism; the causal model is most useful in evaluating the effectiveness of security interventions. We show how simple statistical relationships lead to spurious results in which more security spending or applying updates are associated with greater rates of compromise. When accounting for threat and exposure, indicators of security are shown to be important factors in explaining the variance in rates of compromise, especially when the studies use multiple indicators of the security level.

Panelists

Anders Fogh is technical lead for offensive security research at Intel and is an Intel fellow. He is a reowned expert on microarchitecture and memory security. He has more than 20 years of experience with security and low-level topics and is work on security has been published in both industry and academic conference such as Black Hat USA and IEEE S&P. He has twice been recognized by the National Security Agency for excellence in research. Before joining Intel he worked as a principal security researcher where he worked on incident response and malware analysis. He spend 15 years of his career going from junior software developer to company founder and lead engineer. Anders holds a degree in economics.

Hans Gersbach is the Co-Director of KOF Swiss Economic Institute since January 2023. He also holds the Chair of Macroeconomics: Innovation and Policy at ETH Zurich (Switzerland). He is a member of the academic advisory council at the Federal Ministry for Economic Affairs and Climate Action in Germany. His current research focuses, among others, on the examination of systemic risk and how to deal with it, for instance in the context of the design of bug bounty schemes and financial stability, as well as on the design of new economic and political institutions for the well-being of societies.

Kaveh Razavi is a former hacker and current professor at ETH Zurich. His students often stumble on security vulnerabilities in popular commodity software and hardware. Consequently, he has been engaging in responsible disclosure with large entities such as Google, Microsoft, Apple, Intel, AMD, ARM, and Samsung for almost a decade. To empower security researchers and protect their anonymity when necessary, he has helped establishing 3rd party responsible disclosure practices in government CERTs in the Netherlands and more recently Switzerland.

Mark Brand is a software engineer on Google’s Project Zero team, which aims to reduce harm caused by targeted attacks on the Internet. His current focus is on web browser security.

Shweta Shinde is an assistant professor at ETH Zurich, where she leads the Secure and Trustworthy Systems Group. Her research is broadly at the intersection of trusted computing, system security, and program analysis. Her group focuses on foundational aspects of confidential computing to protect phones, servers, and accelerators as well as practical aspects of building large systems.

Organizers

Shweta Shinde, Assistant Professor, ETH Zurich shweta.shinde@inf.ethz.ch

Kari Kostiainen, Senior Researcher, ETH Zurich kari.kostiainen@inf.ethz.ch

N. Asokan, Professor, University of Waterloo (visiting ETH Zurich in 2024) asokan@acm.org

Event Details

When: April 18, 2024
Where: ETH Zürich, Alumni Pavillon, Rämistrasse 101, 8092 Zürich

eth1

eth2

eth3

Note: The funicular “Polybahn” is your easiest way up the hill, but will be very busy.
You can also take tram #6 (direction Zoo) from stop “Bahnhofstrasse/HB” or tram #10 (direction Airport) from stop „Bahnhofplatz/HB“ to stop „ETH/Universitätsspital“.