Julian M. Williams

Investments and Trade-offs in the Economics of Information Security

We develop and simulate a dynamic model of investment in information security. The model is based on the recognition that both IT managers and users appreciate the trade-off between two of the fundamental characteristics of information security, namely confidentiality and availability. The models parameters can be clustered in a manner that allows us to categorize and compare the responses to shocks of various types of organizations. We derive the systems stability conditions and find that they admit a wide choice of parameters. We examine the systems responses to the same shock in confidentiality under different parameter constellations that correspond to various types of organizations. Our analysis illustrates that the response to investments in information security will be uniform in neither size nor time evolution.

Information security trade-offs and optimal patching policies

We develop and simulate a basic mathematical model of the costly deployment of software patches in the presence of trade-offs between confidentiality and availability. The model incorporates representations of the key aspects of the system architecture, the managers’ preferences, and the stochastic nature of the threat environment. Using the model, we compute the optimal frequencies for regular and irregular patching, for both networks and clients, for two example types of organization, military and financial. Such examples are characterized by their constellations of parameters. Military organizations, being relatively less cost-sensitive, tend to apply network patches upon their arrival. The relatively high cost of applying irregular client patches leads both types of organization to avoid deployment upon arrival.

Fixed Costs, Investment Rigidities, and Risk Aversion in Information Security: A Utility-theoretic Approach.

This paper addresses the question of determining the optimal timing of interventions in information security management. Using utility theory, we derive the limiting condition under which, given a potential or realized risk, a decision to invest, delay, or abandon can be justified. Our primary focus is on the decision to defer costly deterministic investments, such as the removal of a service or implementation of a security patch, when the costs associated with future security vulnerabilities are uncertain. We outline an investment function with irreversible fixed costs that introduces a rigidity into the investment decision-making profile. This rigidity introduces delay in the implementation of security measures, resulting in cyclical investments in information security, as the decision-maker determines the optimal investment horizon. We therefore show that cycles emerge endogenously given the policy-maker’s chosen trade-offs between investment and the deterioration of the system attributes.

Are there benefits to being naked? The returns and diversification impact of capital structure arbitrage

In a naked credit default swap (CDS) position, a party pays an income stream to a seller of protection to swap away default risk on an underlying defaultable security without actually holding this reference instrument. Using mark-to-market returns on a large cross section of CDS positions, held independent from their reference entity, we implement a novel test to establish whether their inclusion in an optimised portfolio is replicable by a large set of alternative assets. Overall, we find significant excess returns of over 28% per annum against an optimised benchmark, we speculate that it is these characteristics that could be driving a bubble in the CDS market.

The Importance of Jumps in Modelling Volatility During the 2008 Financial Crisis

We combine recent developments on extracting jumps from high frequency stock index data with the literature on option pricing with time varying volatility to model S&P 500 index returns from 2005. We compare the fit of several GARCH models, with and without jumps, from the historical return series to models imputed from the index options market across a range of strike prices. Whilst we find strong evidence of jumps in the period after September 2008, it is evident that much of the variation often attributed to jumps should in all likelihood be ascribed to an increase in the volatility of the continuous diffusion.

Contagion in cyber security attacks

Systems security is essential for the efficient operation of all organizations. Indeed, most large firms employ a designated ‘Chief Information Security Officer’ to coordinate the operational aspects of the organization’s information security. Part of this role is in planning investment responses to information security threats against the firm’s corporate network infrastructure. To this end, we develop and estimate a vector equation system of threats to 10 important IP services, using industry standard SANS data on threats to various components of a firm’s information system over the period January 2003 – February 2011. Our results reveal strong evidence of contagion between such attacks, with attacks on ssh and Secure Web Server indicating increased attack activity on other ports. Security managers who ignore such contagious inter-relationships may underestimate the underlying risk to their systems’ defence of security attributes, such as sensitivity and criticality, and thus delay appropriate information security investments.

The Seconomics (Security-Economics) Vulnerabilities of Decentralized Autonomous Organizations

Traditionally, security and economics functionalities in IT financial services and protocols (FinTech) have been perceived as separate objectives. We argue that keeping them separate is a bad idea for FinTech “Decentralized Autonomous Organizations” (DAOs). In fact, security and economics are one for DAOs: we show that the failure of a security property, e.g. anonymity, can destroy a DAOs because economic attacks can be tailgated to security attacks. This is illustrated by the examples of “TheDAO” (built on the Ethereum platform) and the DAOed version of a Futures Exchange. We claim that security and economics vulnerabilities, which we named seconomics vulnerabilities, are indeed new “beasts” to be reckoned with.

Economic Impacts of Rules- versus Risk-Based Cybersecurity Regulations for Critical Infrastructure Providers

Whats the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.

Economic Impacts of Rules-based vs Risk-based Cybersecurity Regulations in Critical Infrastructure Providers (Bulk Electricity Providers)

Whats the optimal way to regulate cybersecurity for the critical infrastructure operators in charge of electricity transmission? Should regulation follow the US style (a mostly rules-based model), the EU approach (which is mostly risk-based), or a balance of both? The authors discuss the economic issues behind making this choice and present a cybersecurity economics model for public policy in the presence of strategic attackers. They calibrated these models in the field with the support of National Grid, which operates in the UK and on the US East Coast. The model shows that optimal choices are subject to phase transitions: depending on the combination of incentives, operators will stop investing in risk assessment and only care about compliance (and vice versa). This finding suggests that different approaches might be more appropriate in different conditions and that just pushing for more rules could have unintended consequences.

Empirical Recovery: Hansen-Scheinkman Factorization and Ross Recovery from High Frequency Option Prices

Determining the transition matrix of a discrete Markov process from sequential forecasts of smoothed density functions is an important element of many problems in decision theory and economics. Recent theoretical results have demonstrated that the Perron-Frobenius eigenfunction of a Markov risk neutral state price transition matrix has an interesting economic interpretation and could permit the extraction of physical forward pricing densities from options markets. Yet, the application to actual market prices is challenging. For instance, even at the intraday frequency, option market panels contain substantial gaps and can contain unpredictable levels of noise across strike prices and tenors. This paper derives an exact nonlinear programming framework utilizing the properties of the Drazin inverse of an irreducible matrix. Simulation and fit to actual data demonstrates the consistency and usefulness of the technique.