Monday, September 29, 2014

Modeling the Network Economics of Cybercrime in Financial Services

For as long as I can remember, I have been fascinated by networks - their graphical structure and as a means of representing economic activity in terms of product flows, costs, and profits, along with the associated decision-making.

Typically, I work on network systems as varied as global supply chains, complex financial networks, electric power generation and distribution networks, and even the Internet, for which we have a large-scale National Science Foundation grant: Network Innovation Through Choice, which is part of the Future Internet Architecture program. In fact, soon I will be getting ready for our almost weekly teleconference among our partners on this project, which we are calling ChoiceNet.

Over two years ago, we started working, through a Prime the Pump project, funded by the Advanced Cyber Security Center (ACSC), on cybersecurity and risk assessment. As my readers know, this project was followed by another project, the culmination of which took place only 10 days ago, with a workshop that several Isenberg School colleagues and a College of Engineering colleague at UMass Amherst co-organized with me. On Friday, September 19, 2014, we hosted a workshop at the Sloan School at MIT, entitled:  Cybersecurity Risk Analysis for Enterprise Security, which I blogged about, and which has received some nice press. I very much enjoyed the keynotes at the conference as well as the panels with terrific industry panelists.

In my presentation at the workshop on Network Science on Economics,  I motivated the major issues through the following graphics which illustrate very dramatically the impacts of cybercrime and, also, if I may say, fascinating research questions.
Source: The Economic Impact of Cybercrime and Cyber Espionage, Center for Strategic and International Studies, July 2013, sponsored by McAfee.

According to a recent survey, cyber crime is placing heavy strains on the global financial sector, with cyber crime now the second most commonly reported economic crime affecting financial services firms. Cyber crime accounted for 38% of all economic crimes in the financial sector, as compared to an average of 16% across all other industries. Every minute, of every hour, of every day, a major financial institution is under attack (Wilson writing in The Telegraph, October 6, 2013).

Cyber attacks are intrusive and economically costly. In addition, they may adversely affect a company’s most valuable asset – its reputation.

There is both vertical and horizontal information asymmetry - as noted above, organizations may not even be aware that sensitive data has been stolen from them (and for many months, no less). Moreover, other firms in the same industry may not be aware of attacks on their competitors or even partners. Finally, and, again and again, I am seeing real commonalities between supply chains, behavior, and cyber crime activities: how confident are you that the software that is to battle computer viruses, malware, denial of service attacks, etc., delivers what is being promised? Here we get into the quality of outsourced production!

As noted by Ablon, Libicki, and Golay in their 2014 RAND report, the black market for cybercrime products can be more profitable than the illegal drug trade. They also argued in their study that an economic approach to tackling cybercrime is warranted, which I completely agree with.

I had been researching the network economics of cybercrime for two years and had spoken both at the INFORMS Minneapolis conference last year and at the Boston Analytics Conference on the topic and, after our workshop, completed a paper: "A Multiproduct Network Economic Model of Cybercrime in Financial Services." In this paper, we propose a network economic model of cybercrime with a focus on financial services, since such organizations are one of the principal targets of such illicit activity. The model is a multiproduct one and constructed as a layered bipartite network with supply price, transaction cost, and demand price functions linking the networks. A novelty of the new model is the incorporation of average time associated with illicit product delivery at the demand markets with the demand price functions being decreasing functions of such times, as noted in reality. For example, it is recognized that there is a short time window during which the value of a financial product acquired through cybercrime is positive but it decreases during the time window. Following the major Target breach, credit cards obtained thus initially sold for $120 each on the black market, but, within weeks, as banks started to cancel the cards, the price dropped to $8 and, seven months after Target learned about the breach, the cards had essentially no value. In addition, different “brands” of credit cards can be viewed as different products since they command different prices on the black market. For example, credit cards with the highest credit limits, such as an American Express Platinum card, command the highest prices. A card number with a low limit might sell for $1 or $2, while a high limit can sell for $15 or considerably more, as noted above.

In the paper, the governing equilibrium conditions are formulated as a variational inequality problem with qualitative properties of the solution presented. An algorithm, with nice features for computations, is then applied to two sets of numerical examples in order to illustrate the model and computational procedure as well as the types of interventions that can be investigated from a policy perspective to make it more difficult for cybercriminals to obtain sensitive data.
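
The model structure described above (supply price, transaction cost, and time-dependent demand price functions in equilibrium), narrowed to a single product as an added illustration that is not taken from the paper or from this post. All coefficients are constructed, the linear function forms are assumptions, and the fixed-step projection iteration is a stand-in chosen here because the post does not name the paper's algorithm.

```python
# Added illustration: constructed single-product instance, not the paper's data.
# Every coefficient below is an assumed value chosen for the example.
BASE = {
    "a": [10.0, 12.0], "b": [0.5, 0.4],       # supply price  pi_i = a_i + b_i * s_i
    "g": [[2.0, 4.0], [3.0, 2.0]], "h": 0.2,  # transaction cost c_ij = g_ij + h * Q_ij
    "t": [[1.0, 3.0], [2.0, 1.0]],            # delivery time (days), source i to market j
    "r": [60.0, 50.0], "m": [1.0, 0.8],       # demand price rho_j = r_j - m_j*d_j - k_j*T_j
    "k": [1.5, 1.0],                          # price lost per day of average delivery time
}

def demand_price(j, d, T, P):
    """Demand price at market j for volume d and average delivery time T."""
    return P["r"][j] - P["m"][j] * d - P["k"][j] * T

def excess_cost(Q, P):
    """F_ij = supply price + transaction cost - demand price at flow pattern Q."""
    n, mk = len(P["a"]), len(P["r"])
    s = [sum(Q[i]) for i in range(n)]                        # supply leaving source i
    d = [sum(Q[i][j] for i in range(n)) for j in range(mk)]  # demand at market j
    T = [sum(P["t"][i][j] * Q[i][j] for i in range(n)) / d[j] if d[j] > 0 else 0.0
         for j in range(mk)]                                 # flow-weighted average time
    return [[P["a"][i] + P["b"][i] * s[i] + P["g"][i][j] + P["h"] * Q[i][j]
             - demand_price(j, d[j], T[j], P) for j in range(mk)] for i in range(n)]

def solve(P, step=0.05, iters=8000):
    """Projection iteration: move each flow against F_ij, then clip at zero."""
    Q = [[0.0] * len(P["r"]) for _ in P["a"]]
    for _ in range(iters):
        F = excess_cost(Q, P)
        Q = [[max(0.0, q - step * f) for q, f in zip(qr, fr)] for qr, fr in zip(Q, F)]
    return Q

def is_equilibrium(Q, P, tol=1e-6):
    """Positive flows satisfy F_ij = 0; zero flows satisfy F_ij >= 0."""
    F = excess_cost(Q, P)
    return all(abs(f) < tol if q > tol else f > -tol
               for qr, fr in zip(Q, F) for q, f in zip(qr, fr))

def volume(Q):
    """Total quantity transacted across all source/market pairs."""
    return sum(map(sum, Q))

if __name__ == "__main__":
    base = solve(BASE)
    # Policy intervention: data is harder to obtain, so each supply price intercept rises.
    harder = solve({**BASE, "a": [x + 10.0 for x in BASE["a"]]})
    print(round(volume(base), 2), round(volume(harder), 2), is_equilibrium(base, BASE))
```

Raising the supply price intercepts stands in for an intervention that makes sensitive data harder to obtain; comparing `volume` before and after shows how much transacted quantity the intervention removes in this toy instance.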