Skip to main content

Distinguished Seminar:  Bottom Line Security - Improving Cybersecurity by Understanding Costs and Benefits

Date:January 23, 2017 
Talk Title:Bottom Line Security - Improving Cybersecurity by Understanding Costs and Benefits
Speaker:Chris Kanich, Assistant Professor, University of Illinois at Chicago
Time & Location:12:00pm - 1:00pm
DEC, CIC Building, Pittsburgh

Abstract

Using the Internet is a risky venture: cybercriminals could be lurking behind any email or in any web page, just waiting to compromise your machine. Practicing and researching cybersecurity is about minimizing that risk. Unfortunately, modern cybercriminals don't compromise machines just because they can - they do it to make money or steal data. Likewise, the risks that end users care about aren't measured in vulnerabilities discovered or hosts compromised, they care about losing hard earned money, embarrassing pictures, or simply a night of their free time because they had to remove malware from the family computer. Cybersecurity research should minimize the chance of successful attacks by maximizing the number of vulnerabilities patched or infiltrations thwarted. However, these technical goals are fundamentally intermediate goals: the ultimate goal of cybersecurity is to minimize the amount of harm that comes to users, which is a quantity denominated in dollars lost, days spent recovering from attacks, or data lost to attackers. By quantifying the harm of these attacks in these meaningful quantities, we can focus defenses and mitigations on the attacks that cause the most harm to the Internet's users.

This talk will highlight recent results that improve our understanding the true cost of cybersecurity events and the benefits of its enablers. I'll also show how these results can lead to actionable insights into which attacks we should be spending our finite effort combating. I'll cover losses due to affiliate fraud, measured in profits lost, both by the platforms and legitimate marketers. I'll also cover losses incurred due to typosquatting: while typosquatting is perpetrated by thousands upon thousands of domains, the harm caused is not clear. Furthermore, I'll explain some of our results looking at how features in modern browsers benefit end users. Finally, I'll showcase a tool which quantifies the value of a user's private data (their account logins), which can motivate better security behavior through a personalized warning regarding how much their account might be worth to cybercriminals.

Speaker Bio

Chris Kanich is an Assistant Professor in the Department of Computer Science at the University of Illinois at Chicago. He received his Ph.D. in Computer Science and Engineering at UC San Diego and a B.S. in Mathematics and Computer Science at Purdue University. His current research focuses on improving user experience in the face of cybersecurity attacks. His approach uses myriad data-driven techniques (anything from botnet infiltration to user studies) to improve our understanding of how to counteract the true motivations of cybercriminals and minimize real-world losses for targets of cybercrime.