A few days ago, Adam Shostack over at the Emergent Chaos blog invited some comments about using prediction markets for security-related events/decisions. This is a topic I’ve discussed quite a few times with a friend of mine and I have some fairly strong opinions about it (it’s a dead end), so I made a few quick statements pointing out its shortcomings. In a follow-up article, Adam quoted one of my responses in the article itself! I thought his comments and my response were relevant enough to repost here, but if this is a topic that interests you I encourage you to read both of the original articles and leave a comment there.
Quoted from Adam’s follow-up post:
Dan Guido said in a comment, “In security, SOMEONE knows the RIGHT answer. It is not indeterminate, the code is out there, your network is accessible to me and so on. There’s none of this wishy-washy risk stuff.”
I don’t think he’s actually right. Oftentimes, no one knows the answer. Gathering it is expensive. Translating from “there’s a vuln” to “I can exploit it” isn’t always easy. For example, one of my co-workers tried to exploit a (known, reported, not yet fixed) issue in an internal site via Sharepoint. Something in Sharepoint keeps munging his exploit code. I’ve even set my browser homepage to a page under his control. Who cares what I think, when we can experiment?
My followup comment, elaborating on my initial statements:
Thanks for noticing my comments :-)
Let me first explain the statement of mine you quoted before explaining why I don’t think prediction markets are the right tool for security decisions. I’ll explain with your coworker and his SharePoint bug.
What if your coworker develops an exploit for that vuln and then goes on the prediction market and “predicts” that there will be a vuln in SharePoint? Or better, predicts that company X, which uses SharePoint, will suffer a breach? He waits until sufficient people have taken counter-views and then he discloses the vulnerability to iDefense anonymously or gives it to a blackhat to 0wn up company X with.
Another failure scenario:
Now someone on the security monitoring team at company X discovers the blackhat 0wning up the internal network. SecMon guy goes on the market and also “predicts” a large breach (IMHO the market MUST be anonymous or it falls completely apart).

And another:

SecMon guy handles the breach with his auditors before disclosing the breach publicly. All the auditors jump on the market and “predict” more breaches.

And another:

Even better, what if someone from iDefense starts making bets?

The wrong type of questions:

Ok, enough of that. Now about prediction markets in general. Prediction markets make sense for certain problems. They probably make sense for BCP-type events, like when a major net outage is going to occur. They work well for flow data, things like how many transactions this app is going to process today. But all the security questions you want answered are the wrong type of question for prediction markets. There are things that make sense to be asked to groups of people and others that don’t. If your question can be answered on a scale of 1 to 100, prediction markets are a great tool. If the question is to pick a solution from an indefinite set of solutions (i.e. the solution space is infinite), prediction markets aren’t the right tool.

Manipulate actions by controlling the market:

Here’s another scary thought. In The Alchemy of Finance, George Soros makes the point that people in a market aren’t really reacting to reality, they’re reacting to their perception of it. This should make sense to all you social engineers out there. If you set up this prediction market, I can make a giant panic at a large firm by creating a prediction that big bank X will have a huge break-in and betting heavily on it. I’ll be able to control the security policies of a big bank by selectively participating in the market, i.e. I can manipulate actions just by controlling the market. This is never good.

Low numbers = easy to manipulate:

I’m going to guess that a security prediction market isn’t going to have the mass appeal needed to get a large number of participants. Few people are going to want to pretend they know something about security. To really explain why this is a bad thing you’re going to have to talk with someone with more of a math background, or wait a few days for me to figure out more about it, but… without a minimum number of people playing in the market, you make it extremely easy for people to game the whole system by playing both sides of each prediction. Once an actor in the market acquires a sufficient amount of capital, they’ll be able to overcome any drawdown and double down on each prediction to just, well, make everyone lose money all the time.

And really, at the end of the day, if I’m an expert working for a big firm, am I really going to base any of my decisions on this prediction market, or am I just going to do what I think is best?