Shostack + Friends Blog Archive


Security Prediction Markets: theory & practice

There are a lot of great comments on the “Security Prediction Markets” post.

There’s a tremendous amount of theorizing going on here, and no one has any data. Why don’t we experiment and get some? What would it take to create a market in breach notification prediction?

Dan Guido said in a comment, “In security, SOMEONE knows the RIGHT answer. It is not indeterminate, the code is out there, your network is accessible to me and so on. There’s none of this wishy-washy risk stuff.”

I don’t think he’s actually right. Oftentimes, no one knows the answer. Gathering it is expensive. Translating from “there’s a vuln” to “I can exploit it” isn’t always easy. For example, one of my co-workers tried to exploit a (known, reported, not yet fixed) issue in an internal site via Sharepoint. Something in Sharepoint keeps munging his exploit code. I’ve even set my browser homepage to a page under his control. Who cares what I think, when we can experiment?

What would be involved in setting up an experiment? We’d need, in no particular order:

  • A web site with some market software. Is there a market for such sites? (There is! Inkling [link no longer works] will let you run a 45 day pilot with up to 400 traders [link no longer works]. There are likely others.)
  • Terms & conditions. Some issues to be determined:
    1. Can you bet on your employer? Clients? Customers?
    2. Are bets anonymous?
    3. What are the terms of the payoff? Are you betting company X has a breach of PII, or a vuln? Would Lazard count?
    4. What’s the term of a futures option? What’s the ideal for a quick experiment? What’s the ideal for an operational market?
    5. Are we taking singleton bets (Bank A will have a problem) or comparative bets (Bank A will have more problems than Bank B)?
  • Participants. I think that’s pretty easy.
  • Dispute arbitration. What if someone claims that Amazon’s issue on Friday the 6th was a break-in? Amazon hasn’t yet said what happened.

So, we could debate like mad, or we could experiment. Michael Cloppert asked a good question. Let’s experiment and see what emerges.

Photo: “Better living…” by Gallix.

8 comments on "Security Prediction Markets: theory & practice"

  • Dan Guido says:

    Thanks for noticing my comments 🙂
    Let me first explain the statement of mine you quoted before explaining why I don’t think prediction markets are the right tool for security decisions. I’ll explain with your coworker and his SharePoint bug.
    What if your coworker develops an exploit for that vuln and then goes on the prediction market and “predicts” that there will be a vuln in SharePoint? Or better, predicts that company X, which uses SharePoint, will suffer a breach? He waits until sufficient people have taken counter-views and then he discloses the vulnerability to iDefense anonymously or gives it to a blackhat to 0wn up company X with.
    Another failure scenario:
    Now someone on the security monitoring team at company X discovers the blackhat 0wning up the internal network. SecMon guy goes on the market and also “predicts” a large breach (IMHO the market MUST be anonymous or it falls completely apart).
    And another:
    SecMon guy handles the breach with his auditors before disclosing the breach publicly. All the auditors jump on the market and “predict” more breaches.
    And another:
    Even better, what if someone from iDefense starts making bets?
    The wrong type of questions:
    Ok, enough of that. Now about prediction markets in general. Prediction markets make sense for certain problems. They probably make sense for BCP-type events, like when a major net outage is going to occur. They work well for flow data, things like how many transactions this app is going to process today. But all the security questions you want answered are the wrong type of question for prediction markets. There are things that make sense to be asked to groups of people and others that don’t. If your question can be answered on a scale of 1 to 100, prediction markets are a great tool. If the question is to pick a solution from an indefinite set of solutions (i.e. the solution space is infinite), prediction markets aren’t the right tool.
    Manipulate actions by controlling the market:
    Here’s another scary thought. In The Alchemy of Finance, George Soros makes the point that people in a market aren’t really reacting to reality, they’re reacting to their perception of it. This should make sense to all you social engineers out there. If you set up this prediction market, I can make a giant panic at a large firm by creating a prediction that big bank X will have a huge break-in and betting heavily on it. I’ll be able to control the security policies of a big bank by selectively participating in the market, i.e. I can manipulate actions just by controlling the market. This is never good.
    Low numbers = easy to manipulate:
    I’m going to guess that a security prediction market isn’t going to have that mass appeal needed to get a large number of participants. Few people are going to want to pretend they know something about security. To really explain why this is a bad thing you’re going to have to talk with someone with more of a math background, or wait a few days for me to figure out more about it, but… without a minimum number of people playing in the market, you make it extremely easy for people to game the whole system by playing both sides of each prediction. Once an actor in the market acquires a sufficient amount of capital, they’ll be able to overcome any drawdown and double down each prediction to just, well, make everyone lose money all the time.
    And really, at the end of the day, if I’m an expert working for a big firm, am I really going to base any of my decisions on this prediction market or am I just going to do what I think is best?

  • Stian Øvrevåge says:

    This reminds me of last year’s “How many critical vulnerabilities will be addressed by Microsoft in their March, 2007, Security Bulletin cycle?” over at inkling markets:

  • Adam says:

    I think that for your first few scenarios, the market is functioning. It’s rewarding people who have information when they share that information. The mode of that sharing may have some side effects, and you may question the ethics of encouraging such sharing, but I’ll question the ethics & effectiveness of keeping everything secret.
    Regarding perception manipulation, if you can afford to make a large bet that a bank is going to be hacked, perhaps you have information that the market could use. Alternately, banks could be required to play in the market under Basel IIbis. If they have a good assessment of their own infosec, they should be able to make money. If they can’t, they should perhaps adjust their capital reserves.
    I agree with you regarding a thinly traded market.

  • Michael Cloppert says:

    I’ve been offline for a few days and I have to say that I’m very pleased with all the feedback. Adam, thanks for taking the time to highlight this, much obliged. To all those commenting, although the feedback has been skeptical, I greatly appreciate the comments. There have definitely been some issues I hadn’t initially considered that warranted attention.
    In general, my question was whether or not the notion was sane enough to experiment with and generate empirical data. If such an approach was obviously destined to fail, and I had overlooked some critical issue, then certainly my efforts are better spent on following up or developing some other nascent theory.
    I’d very much like to be involved if any contributors to or readers of this blog are interested in putting together an experiment like this. I haven’t done any research into what software and approaches are best suited to such an endeavor, but I know careful consideration needs to be paid to make sure gambling and SEC laws are not violated in the process of this academic pursuit.
    Kind regards,
    Michael Cloppert

  • Abner says:

    I’ve been a long time follower of prediction markets and security and I’m slightly involved with IDG’s attempt at technology oriented prediction markets at the beta website. I think some of the weaknesses highlighted in some of the other comments are certainly fair.
    The trick with using prediction markets to forecast something is to 1. Have something decent to predict 2. Make sure that whatever you predict has a quantifiable and finite yes or no answer. 3. Make it something that a large number of people feel they have some knowledge on.
    Of course all of that is for a public-facing and publicly accessible prediction market. In the security world, there are probably very good applications for private markets within certain organizations. The CIA proposed doing one around terrorist threats a while back and it was probably one of the better ideas they had. Alas, it got killed around the same time as Carnivore (which was worth killing). I can see a prediction market working well in a very large IT organization where a CSO is trying to get a handle on where the nastiest vulnerabilities lie.
    I suggest you come up with a few things to predict, toss them up on the industry standard, and then rally the troops to participate.

  • Abner says:

    Oops, wrong URL above, it’s:

  • ASiegel says:

    I’ve been following this stream and had commented in the original article about the utility of prediction markets. I’m the co-founder of Inkling, the prediction market platform company mentioned a couple of times. We’d be happy to facilitate an experiment if you’d like to try out some of the theories bantered around, as I think this is an interesting area that has not really been explored in the space. If someone (the original Adam) wants to email me we can talk more about getting something set up. (adam [at] inklingmarkets [dot] com)

  • jason zann says:

    I think the creation of a futures market for Info Sec would be very beneficial. I was turned onto the idea a number of years ago after reading about a concept for a futures market for terrorist events, movies, and the like. Here is the quick and dirty: (I am sorry if this is a dupe of some other info, but I followed all of the links on the post and did not see any of this mentioned)
    Post 9/11, DARPA funded a program called ‘Future Map’, a since-aborted program that was designed to create futures contracts on what might happen in the Middle East and elsewhere (i.e. bombings, terrorist events, etc.). There were two markets: an internal market comprised of select intelligence analysts who were permitted to focus on providing the most accurate forecast (instead of keeping to a political agenda), and another market called the Policy Analysis Market (PAM). PAM was designed to be opened up to the public and allow them to create futures contracts on events in the Middle East and elsewhere. Basically, the same way that other futures markets (movies, stocks, etc.) leverage collective wisdom to give relatively accurate forecasts of the future, PAM would provide relatively accurate forecasts of terrorism. As you might imagine, PAM was killed by politicians, but there is a strong belief in many circles that it could have worked wonders for collecting information and predicting the future. Here is a link to a short NPR story that gives a very high level overview of the concept. If you are not familiar with this, I am sure that you might be thinking things like ‘if there is some predictive information that is gathered and the good guys use it to stop the event, then the approach has limited value.’ James Surowiecki’s book, The Wisdom of Crowds, goes into great detail on how markets adjust for things like this and how the data would still be good. Here is a simple example of how the HSX does this for movies, Oscars, and the like… and they have consistently nailed Oscar winners, blockbuster movies, flops, and a bunch of other stuff related to Hollywood. Intrade is another example of this.
    Re: the Info Sec world, I think this type of concept would work if it was moved up a notch. Instead of looking at technical vulns, look at something a bit more abstract, like ‘unwanted events’. For example, ‘unwanted event’ = Company X will have a public disclosure for losing 1mm + customer records by 12/1/08. From the point that statement has been made, the market is set. In theory, there will be people betting for this, and they will most likely point out or contribute vulnerabilities or weaknesses in processes that would cause this unwanted event so that they can realize the money they have on the contract. Additionally, there will be people not wanting this to happen (Company X comes to mind 😉 ), and they will be scrambling to neutralize points that are brought up that they feel will be used against them… and the market continues.
    Now, before you think that I have gone off the deep end, I would like to go back to the ‘Future Map’ stated above. The only reason that it worked is because terrorists were given the opportunity to profit off of their knowledge. In the same respect, in this model, the criminals would need to weigh in and potentially profit off of their knowledge as well. This is not to say that they will profit, it is just to say that they are players in the market. In fact, it is my belief that most criminals would fuel the market and if [Company X] started to really correct themselves and their deficiencies, then the criminals would probably short their position to cut losses. The only way that I can see this working is if the largest cross section of people (good, bad, technical, non-technical, etc.) available are actively involved in the market… and money has a tendency to do that (get people involved).
    I realize that setting up a market that will show what companies are going to get hacked will be met with stiff political resistance… but I think that it would be really cool to see something like this work in our industry.