Nicolas Christin is the Associate Director of the Information Networking Institute, where he is also faculty, as well as a CyLab Systems Scientist. He was previously a resident faculty in our research and education center in Japan, CyLab Japan, located in Kōbe, Hyōgo Prefecture. He also serves as Faculty Advisor for the Master's of Information Technology-Information Security (MSIT-IS) degree program.
posted by Richard Power
CyLab Chronicles: Many security professionals are looking for answers to important questions, and know that some of those answers can be found in Economics, but most of them would probably find it difficult to get their minds around how mathematical models can be used to uncover them. Tell us about your research into this area. How can mathematical models be used to analyze security and privacy risks in organizations and prescribe mechanisms for mitigating such risks?
Nicolas Christin: Mathematical models are a useful abstraction that enables us to reason about security in organizations. Having a model of organizational security allows us to test different intervention scenarios on that model and predict which effects they would have on the overall security of the organization. Let me give you an example. Consider you manage a hospital. Obviously, you have to maintain the confidentiality of all of your patients' records. But if you treat a celebrity, for instance, there may be some perverse incentives for some of your staff to sell juicy bits of information to the tabloids. So, you want to put in place some sort of monitoring infrastructure to ensure people do not commit such violations, but at the same time, you cannot monitor everything and everybody, all the time -- it would simply be too expensive, not to mention probably detrimental to employee productivity. How to strike the right balance in practice is a very difficult problem. Now, if I can come up with a reasonable mathematical abstraction for the problem, I can probably show you which strategies are most likely to be effective, so in the end I can provide a formal justification of which policy makes most sense. Having a formal basis on which to reason is really indispensable to make the right decisions. Also, the beauty of mathematical models is that they tend to rid you of political or other considerations that may hamper your judgment. If your model is sound, and if your assumptions are valid, then the model tells you exactly what is going to happen. It can be a powerful predictive tool.
CyLab Chronicles: How deep are you into this research? What can you report? What direction is it taking? How much closer are we to answering the question, "Why do people and corporations not invest more in security?"
Christin: Well, I was talking about assumptions before, and that is really the main challenge we face. Since the 1950s, people have been developing game theory and other mathematical formalisms to examine how people interact in competitive or hostile environments. So, mathematically speaking, this is a well-studied problem with a large body of excellent research to support it. The problem is that these mathematical tools allow us to answer precise questions given a certain set of assumptions, but these assumptions tend to be overly restrictive in practice. For instance, John Nash developed a "best-response" equilibrium concept, which essentially says that each participant in a competitive game will choose the strategy that maximizes their payoff given the set of choices made by all other participants. It makes a lot of sense, and it is a very useful concept, but it also requires everybody to precisely know what the other guys are doing. In practice, we can't make that assumption -- most of the time, in large networked systems we don't even know how many people we are competing with. So, we have to deal with things like limited information, which the original formalism does not capture. Likewise, a common assumption is that people never make mistakes in executing whichever strategy they decided on -- obviously, that may be quite a stretch in practice, especially when dealing with humans. Part of my current research is in trying to relax some of these assumptions while keeping the mathematical foundations we built. We did a bit of work on the impact of limited information in security games, and realized that, for the scenarios we were looking at, only having limited information to rely on does not penalize expert players much. That is, users who understand the intricacies of the security game they are playing always seem to fare a lot better than naive players, regardless of the amount of information available.
This yields a pretty powerful argument for educating people about security risks. Another thread of research I am currently investing a lot of time and effort in is trying to build models informed by existing, measurable data, in order to better understand the incentives on the attackers' side. More and more attacks are motivated by financial gain, so it makes sense to try to see if we can follow the money trail to figure out what the best intervention practices are to defeat online crime. For instance, we have been looking at a specific type of online scam in Japan called "one click fraud" and realized that not only does there seem to be a quite high concentration of scammers (that is, a few groups seem to be responsible for most of the frauds), but the reason why they flourish and prosper is due to the existing incentives. Setting up such scams is very inexpensive, fraudsters have a low chance of getting caught, and, on the other hand, these scams have expected payoffs that are high. The question then becomes how to alter this perverse incentive structure -- technology, regulations, or even economic incentives can all play a role there.
CyLab Chronicles: How does your research into the Economics of Security relate to research into the Psychology of Security? Are there symmetries or correspondences in the two research areas? Do they complement or illuminate each other in any interesting ways? Where is such research going? What trends in research do you see on the horizon?
Christin: There are definitely symmetries. I like to see this process as a feedback loop. We start by building formal models that rely, by necessity, on fairly stringent assumptions. Then we go in the field and test out these models, either by doing human subject experiments, or by collecting field data, and realize the main limitations of our original models. So, the experimental part allows us to correct the formal modeling and integrate behavioral aspects in it. I think we will see more and more of an integration between research coming from people working in usability/psychology, and people working in economics of security. We already see this happening here at Carnegie Mellon -- our NSF IGERT-sponsored PhD program in Usability and Security (http://cups.cs.cmu.edu/igert/) integrates all of these components.
CyLab Chronicles: Of course, we know you do not spend all of your time exploring the subtleties of mathematical equations. Tell us a little bit about Information Networking Institute (INI) and your role as its Associate Director.
Christin: That is my educational hat. INI is essentially the education arm of CyLab. That is, we prepare students for careers in networking and security through a set of professional Master's programs. We basically train tomorrow's leaders in security, information technology and networking. The main role of my position as Associate Director is to oversee the academic content of our programs, and ensure that our students are well prepared for the job market, whether they want to pursue government or industry opportunities. Because we have programs not only in Pittsburgh, but also in Silicon Valley, Portugal, Greece, and Japan, and because I believe nothing replaces face-to-face interactions, I log a fair number of frequent flyer miles. The main challenge one faces with international partnerships is to make sure that all campuses offer a true, identical Carnegie Mellon experience to all of our students. And I am proud to say we do: despite the geographical distance, most of our international students physically come to Pittsburgh at some point or another, and all of them routinely interact directly, face-to-face, with Carnegie Mellon faculty and students based in Pittsburgh.
CyLab Chronicles: Equations are pristine in their abstraction; the faces of your students are poignantly human. What are your thoughts on the challenges and opportunities of pursuing security as a professional focus, whether in academia, government or industry?
Christin: As security professionals, we need all the help we can get. So, if you are a student and interested in a career in security, this is a really good time to focus on that area. The US administration, for instance, has clearly stated that there is a critical need for highly qualified security professionals in government. So they are aggressively recruiting capable people, for instance, through the Scholarship for Service program we offer here at Carnegie Mellon. SFS essentially gives US citizens a very generous financial aid package, which covers tuition and a stipend, and provides students with opportunities to work for the federal government when they graduate. Not a bad way to get top-notch higher education for free! Even for non-US citizens, there are plenty of opportunities in the private sector. Everybody is interconnected nowadays: banks, online retailers, news organizations, content-delivery companies, etc. They are all learning that cybersecurity is a critical need for their business, and they are recruiting accordingly. And of course, for people more interested in academic pursuits, with the constant rise of online services comes a host of very interesting research challenges that demand a lot of attention. It is really a good time to work in the security field!