Who Should Pay for Interdependent Risk? Policy Implications for Security Interdependence Among Airports

We study interdependent risks in security, and shed light on the economic and policy implications of increasing security interdependence in presence of reactive attackers. We investigate the impact of potential public policy arrangements on the security of a group of interdependent organizations, namely, airports. Focusing on security expenditures and costs to society, as assessed by a social planner, to individual airports and to attackers, we first develop a game-theoretic framework, and derive explicit Nash equilibrium and socially optimal solutions in the airports network. We then conduct numerical experiments mirroring real-world cyber scenarios, to assess how a change in interdependence impact the airports' security expenditures, the overall expected costs to society, and the fairness of security financing. Our study provides insights on the economic and policy implications for the United States, Europe, and Asia.     

网络恐怖主义对公共信息安全的挑战与对策

网络恐怖主义是一个非传统安全领域的、新的全球性问题,是对公共信息安全的野蛮挑战。公共信息安全已经成为一个国家政治、经济、文化、军事安全的集中体现,我国的网络快速发展与公共信息安全保卫措施滞后之间的突出矛盾,反映了当代反网络恐怖主义的现实性和艰巨性。如何加紧这方面的科研和备战以打赢这场新形势下的特殊战争,切实维护公共信息安全,是我们必须认真思考的课题。     

网络安全法律的符号学阐释

基于自建语料库,研究发现信息（数据）是美国、中国和欧盟网络安全法律的核心规制对象。网络安全法律及其中的法律术语具有符号学时空性特点。一方面,美国、中国和欧盟在网络安全法律内容及其法律术语阐释方面存在空间性的差异,即在不同的司法管辖区,对网络安全法律以及同一法律术语存在不同的解释项;另一方面,法律术语作为语言符号具有时间性,规范现实空间的传统法律术语已不适应网络时代社会的发展,亟须对其进行重构以适用于网络空间。此外,社会发展、法的发展和各国互联网技术发展水平的不平衡性决定了网络安全法律移植的必要性,而在移植过程中,应充分考虑网络安全法律及其术语的空间性、本国国情以及国外法与本国法之间的兼容性。     

Behavioral Determinants of Target Shifting and Deterrence in an Analog Cyber-Attack Game

This study examines how exploiting biases in probability judgment can enhance deterrence using a fixed allocation of defensive resources. We investigate attacker anchoring heuristics for conjunctive events with missing information to distort attacker estimates of success for targets with equal defensive resources. We designed and conducted a behavioral experiment functioning as an analog cyber attack with multiple targets requiring three stages of attack to successfully acquire a target. Each stage is associated with a probability of successfully attacking a layer of defense, reflecting the allocation of resources for each layer. There are four types of targets that have nearly equal likelihood of being successfully attacked, including one type with equally distributed success probabilities over every layer and three types with success probabilities that are concentrated to be lowest in the first, second, or third layer. Players are incentivized by a payoff system that offers a reward for successfully attacked targets and a penalty for failed attacks. We collected data from a total of 1,600 separate target selections from 80 players and discovered that the target type with the lowest probability of success on the first layer was least preferred among attackers, providing the greatest deterrent. Targets with equally distributed success probabilities across layers were the next least preferred among attackers, indicating greater deterrence for uniform-layered defenses compared to defenses that are concentrated at the inner (second or third) levels. This finding is consistent with both attacker anchoring and ambiguity biases and an interpretation of failed attacks as near misses.     

Internet governance in China: a content analysis

Using content analysis, this paper explores the policy-making trends for Internet governance in China. It examines the manner by which policy changes over time, the different policy-making agencies in the country, and the various application scopes and topical focuses of policy. This paper aims to determine the distribution of key policy decisions over different policy-making agencies and which policy issues receive the most attention from China's government in its efforts to regulate the Internet.     

The Case against Commercial Antivirus Software: Risk Homeostasis and Information Problems in Cybersecurity

New cybersecurity technologies, such as commercial antivirus software (AV), sometimes fail to deliver on their promised benefits. This article develops and tests a revised version of risk homeostasis theory, which suggests that new cybersecurity technologies can sometimes have ill effects on security outcomes in the short run and little-to-no effect over the long run. It tests the preliminary plausibility of four predictions from the revised risk homeostasis theory using new survey data from 1,072 respondents. The estimations suggest the plausible operation of a number of risk homeostasis dynamics: (1) commercial AV users are significantly more likely to self-report a cybersecurity event in the past year than nonusers, even after correcting for potential reverse causality and informational mechanisms; (2) nonusers become somewhat less likely to self-report a cybersecurity event as the perceived riskiness of various e-mail-based behaviors increases, while commercial AV users do not; (3) the negative short-run effect of commercial AV use on cybersecurity outcomes fade over time at a predicted rate of about 7.03 percentage points per year of use; and (4) after five years of use, commercial AV users are statistically indistinguishable from nonusers in terms of their probability of self-reporting a cybersecurity event as perceptions of risky e-mail-based behaviors increase.     

Protecting From Malware Obfuscation Attacks Through Adversarial Risk Analysis

Malware constitutes a major global risk affecting millions of users each year. Standard algorithms in detection systems perform insufficiently when dealing with malware passed through obfuscation tools. We illustrate this studying in detail an open source metamorphic software, making use of a hybrid framework to obtain the relevant features from binaries. We then provide an improved alternative solution based on adversarial risk analysis which we illustrate describe with an example.     

澳大利亚关键基础设施安全法解读及其启示

关键信息基础设施安全是网络安全的重中之重。法律是关键信息基础设施安全保障的重要措施和手段。澳大利亚关键基础设施安全法构建了完善的关键信息基础设施风险保护制度框架。借鉴澳大利亚关键基础设施安全法,完善我国关键信息基础设施安全保护法律体系,明确关键信息基础设施的保护客体,确立关键信息基础设施信息报告制度,建立网络安全风险防控机制,完善监管体制,提升网络安全意识,以防范化解关键信息基础设施所面临的重大网络安全风险。     

美国的国家网络安全战略及其借鉴意义

自2008年开始,网络安全问题日渐严峻,成为全球瞩目的焦点。在网络技术方面领先全球的美国也面临着来自网络空间的不断威胁。经过近10年巨大的资金和精力投入,美国已经建立了相对完善的由政府主导的网络安全战略体系。凭借技术优势进行防御和攻击的“攻防一体”是该战略的最主要特色,“形成战略威慑”是其最主要的目的。这一战略显露的浓郁渗透性和攻击性提醒我国应时刻保持警惕;与此同时,剖析该战略各具体组成部分成熟、高效运转的成因能为中国建立自己的网络安全战略提供丰富的经验借鉴。     

网络知识产权司法保护与研究动向

在分析网络知识产权具有著作权问题突出、涉案范围广、诉讼当事人众多、法律适用相对滞后等特点的基础上,认为现行法律体系和司法实践应不断改革,与网络发展相适应。坚持网络环境下知识产权保护底线,平衡知识产权保护与公众获取信息的利益,构建与网络信息发展相适应的制度和理论,维护网络安全与保护网络用户特别是青少年权益是今后工作的重点。