Daniel W Woods

@ieltop.bsky.social

Economics of security and privacy. Lecturer at the University of Edinburgh + Researcher at Coalition.

150 Followers  |  211 Following  |  28 Posts  |  Joined: 20.11.2024  |  2.1903

Latest posts by ieltop.bsky.social on Bluesky


For the table, I followed the classifications/categories used by the reports.

Fwiw, if the exploit steals config details/usernames/passwords, then enabling MFA or not exposing the admin panel could still prevent the attack. So in a sense, configuration would still matter. It is murky tho.

18.02.2025 08:53  |  👍 2  |  🔁 0  |  💬 0  |  📌 0
Calibrating Secure by Design with the Risks Faced by Small Businesses Empirical evidence suggests guiding small businesses toward more secure configurations is more important than eliminating vulnerabilities. 

Based on this evidence, we argued that to calibrate Secure by Design with small business risk, there should be more focus on reducing misconfigurations.

www.lawfaremedia.org/article/cali...

18.02.2025 08:44  |  👍 0  |  🔁 0  |  💬 1  |  📌 0

- The median estimate of stolen credentials was 29% and phishing 17%.
- Vulnerabilities represented a lower share of initial access vectors in samples comprising smaller firms.
- Exposed vulnerabilities/End of Life software represent a minority of notifications sent by Coalition.

18.02.2025 08:43  |  👍 1  |  🔁 0  |  💬 1  |  📌 0

We looked at two main data sources: the causes of cyber incidents via DFIR investigations, and the presence of security issues found via scans. We found:
- Exploits of vulnerabilities were the initial access vectors in <50% of incidents across 7 studies, with 32% being the median estimate

18.02.2025 08:43  |  👍 0  |  🔁 0  |  💬 1  |  📌 0

This project asks whether addressing software vulnerabilities or misconfiguration should be higher priority when pursuing Secure by Design.

Here, vulnerabilities are flaws introduced by the vendor, in contrast to configuration which is controlled by the end-user.

18.02.2025 08:43  |  👍 4  |  🔁 1  |  💬 1  |  📌 1
WEIS 2025 – The 24th Workshop on the Economics of Information Security (Tokyo, Japan)

Workshop on the Economics of Information Security (WEIS'25) venue and dates just announced.

Date: June 23-25, 2025
Venue: Institute of Industrial Science (IIS), The University of Tokyo
kmlabcw.iis.u-tokyo.ac.jp/weis/2025/in...

03.12.2024 13:26  |  👍 1  |  🔁 1  |  💬 0  |  📌 0

[Keynote @ RAID'24] How to solve cybersecurity once and for all

www.slideshare.net/slideshow/ke...

03.12.2024 09:12  |  👍 12  |  🔁 1  |  💬 2  |  📌 0

Definitely a blind men and an elephant problem

03.12.2024 09:20  |  👍 1  |  🔁 0  |  💬 0  |  📌 0

Interesting slides tho. Will there be a recording?

03.12.2024 09:18  |  👍 0  |  🔁 0  |  💬 1  |  📌 0

humble title 😂

03.12.2024 09:13  |  👍 0  |  🔁 0  |  💬 1  |  📌 0

One attack could hit three if the attacker phished credentials and used them to log in via RDP

03.12.2024 09:05  |  👍 1  |  🔁 0  |  💬 1  |  📌 0

Ah it could be. I'll double check. It's why I like sharing figures before publication

03.12.2024 09:04  |  👍 0  |  🔁 0  |  💬 0  |  📌 0

Initial access vectors according to various DFIR firms.

Random thoughts:
- None of the reports find the majority are caused by vulns/exploits
- How do some of these firms *not* have an "unknown" category
- Many categories are overlapping
- We really need a standardized schema @zakird.com

03.12.2024 08:56  |  👍 7  |  🔁 2  |  💬 3  |  📌 0

Security Economics

I've started building a starter pack for security economics researchers. It's a work in progress, so feedback and suggestions are more than welcome! We'll continue to update it. Stay tuned!
go.bsky.app/BgGNPep

26.11.2024 14:13  |  👍 9  |  🔁 2  |  💬 1  |  📌 0

Strong agree! The threat against consumers is often unrelated to a security breach, typically rooted in defamation, often groundless.

26.11.2024 10:41  |  👍 1  |  🔁 0  |  💬 0  |  📌 0

Ofc! You're the most curious person in cyber risk

25.11.2024 15:34  |  👍 1  |  🔁 0  |  💬 1  |  📌 0

fun fact from SEC Chairman Gary Gensler's resignation announcement

18% of tips/complaints that come to the SEC relate to crypto, even though the crypto market is less than 1% of all financial markets

www.sec.gov/newsroom/pre...

22.11.2024 16:49  |  👍 577  |  🔁 192  |  💬 9  |  📌 10

Just 1.6% of respondents have cyber coverage, and 8.5% are aware of the product.

It'll be interesting to see how this product evolves.

I think these losses will be absorbed into home insurance policies as a premium option. It's hard to justify a separate sales channel for a <$50 product.

25.11.2024 10:05  |  👍 0  |  🔁 0  |  💬 0  |  📌 0

Notably, insurers see non-trivial costs associated with cyberbullying.

The typical claim may involve legal costs, counselling and lost wages to respond to the incident.

But in extreme cases, cyber insurance will cover costs associated with moving home or school.

25.11.2024 10:02  |  👍 1  |  🔁 0  |  💬 1  |  📌 0

We also asked participants to estimate how much compensation they would need to cover each cyber incident.

Financial frauds were estimated to be the most expensive, with no statistically significant difference between victims and non-victims.

The median cost of cyberbullying was estimated to be $0.

25.11.2024 09:59  |  👍 0  |  🔁 0  |  💬 1  |  📌 0

Cyber attack and online fraud are possibly too generic.

There were multiple examples where participants thought they were "very easy" to define, only to find the real definitions from a policy are "not at all similar" when presented with one.

These discrepancies can lead to nasty surprises.

25.11.2024 09:57  |  👍 0  |  🔁 0  |  💬 1  |  📌 0

The second stage designed a survey to explore coverage, risk and product uncertainty.

Some of these coverages are well understood by both high and low security awareness participants, such as cyberbullying and ID theft.

Cyber extortion was perceived to be the hardest to define.

25.11.2024 09:55  |  👍 1  |  🔁 0  |  💬 1  |  📌 0
Figure showing cyber insurance covers a range of harms covering security, privacy, scams and online abuse.

What does personal cyber insurance cover?

Our new article found that personal cyber insurance covers a range of online harms, including social media abuse.

"Why would money protect me from cyber bullying?": A Mixed-Methods Study of Personal Cyber Insurance
www.computer.org/csdl/proceed...

25.11.2024 09:53  |  👍 6  |  🔁 2  |  💬 1  |  📌 1

Study club, labor union or start-up? Characterizing teams and collaboration in the bug bounty ecosystem

Open access version: www.research.ed.ac.uk/en/publicati...

22.11.2024 15:13  |  👍 1  |  🔁 0  |  💬 0  |  📌 0

My favourite finding is that these teams function like labour unions in negotiating with large tech companies to receive fair bug bounty payouts. This fighting for the little guy was very Ross.

We scraped a bunch of descriptive stats on team size, finding that the biggest teams have 500+ members.

22.11.2024 15:13  |  👍 1  |  🔁 0  |  💬 1  |  📌 0
CSDL | IEEE Computer Society

Very proud of Lawrence (Yangheran) Piao who had his first article accepted at Oakland'25.

The paper looks at the role of hacker teams in the Chinese bug bounty ecosystem.

We very sadly lost Ross Anderson midway through this project.
www.computer.org/csdl/proceed...

22.11.2024 15:12  |  👍 6  |  🔁 2  |  💬 1  |  📌 0

MR Podcast: Insurance! - Marginal REVOLUTION In our new Marginal Revolution Podcast Tyler and I talk insurance, the history of insurance, the economics of insurance, the prospects for new types of insurance and more. Did you know that life insur...

I enjoyed Tyler Cowen and Alex Tabarrok on insurance, especially reflections on where the good insurance scholarship is.

No surprise that the sociologists were more insightful than the economists.
marginalrevolution.com/marginalrevo...

21.11.2024 20:02  |  👍 2  |  🔁 0  |  💬 0  |  📌 0

How the British Library cyberattack disrupted research Academics who rely on the British Library's unmatched collection are still feeling the impact of a devastating cyberattack a year ago. Jack Grove hears from those affected and considers how another ca...

Most people outside of research are still unaware of how much the cyberattack on @britishlibrary.bsky.social is still affecting the research community one year on. Good piece covering that + need to invest in libraries
www.timeshighereducation.com/depth/how-br... @timeshighered.bsky.social

21.11.2024 10:59  |  👍 206  |  🔁 109  |  💬 4  |  📌 10

She'd already reported to Google but hadn't heard back.

21.11.2024 11:02  |  👍 1  |  🔁 0  |  💬 0  |  📌 0

I recommended this to a colleague who was being impersonated via a gmail account just last week.

21.11.2024 11:02  |  👍 1  |  🔁 0  |  💬 1  |  📌 0