Friday, January 8, 2010

Nicolas Christin: "... see if we can follow the money trail to figure out what are the best intervention practices to defeat online crime"


"More and more attacks are motivated by financial gain, so it makes sense to try to see if we can follow the money trail to figure out what are the best intervention practices to defeat online crime." -- Nicolas Christin, CyLab Chronicles, 2010

CyLab Chronicles is an ongoing feature of CyLab's online presence; it provides periodic interviews with CyLab researchers, and offers insights into vital issues and trends.

Here is a brief excerpt from the latest CyLab Chronicles, a Q and A with Nicolas Christin; a link to the full text follows:

CyLab Chronicles: Many security professionals are looking for answers to important questions, and know that some of those answers can be found in Economics, but most of them would probably find it difficult to get their minds around how mathematical models can be used to uncover them. Tell us about your research into this area. How can mathematical models be used to analyze security and privacy risks in organizations and prescribe mechanisms for mitigating such risks?

Nicolas Christin: Mathematical models are a useful abstraction that enables us to reason about security in organizations. Having a model of organizational security allows us to test different intervention scenarios on that model and predict which effects they would have on the overall security of the organization. Let me give you an example. Consider you manage a hospital. Obviously, you have to maintain the confidentiality of all of your patients' records. But if you treat a celebrity, for instance, there may be some perverse incentives for some of your staff to sell juicy bits of information to the tabloids. So, you want to put in place some sort of monitoring infrastructure to ensure people do not commit such violations, but at the same time, you cannot monitor everything and everybody, all the time -- it would simply be too expensive, not to mention probably detrimental to employee productivity. How to strike the right balance in practice is a very difficult problem. Now, if I can come up with a reasonable mathematical abstraction for the problem, I can probably show you which strategies are most likely to be effective, so in the end I can provide a formal justification of which policy makes most sense. Having a formal basis on which to reason is really indispensable to make the right decisions. Also, the beauty of mathematical models is that they tend to rid you of political or other considerations that may hamper your judgment. If your model is sound, and if your assumptions are valid, then the model tells you exactly what is going to happen. It can be a powerful predictive tool.

CyLab Chronicles: Q & A with Nicolas Christin (2010)

For an archive of all CyLab Chronicles, click here.

-- Richard Power