For the table, I followed the classifications/categories used by the reports.
Fwiw, if the exploit steals config details/usernames/passwords, then enabling MFA or not exposing the admin panel could still prevent the attack. So in a sense, configuration would still matter. It is murky tho.
Posts by Daniel W Woods
Based on this evidence, we argued that to calibrate Secure by Design with small business risk, there should be more focus on reducing misconfigurations.
www.lawfaremedia.org/article/cali...
- The median estimate of stolen credentials was 29% and phishing 17%.
- Vulnerabilities represented a lower share of initial access vectors in samples comprising smaller firms.
- Exposed vulnerabilities/End of Life software represent a minority of notifications sent by Coalition.
We looked at two main data sources: the causes of cyber incidents via DFIR investigations, and the presence of security issues found via scans. We found:
- Exploits of vulnerabilities were the initial access vectors in <50% of incidents across 7 studies, with 32% being the median estimate.
This project asks whether addressing software vulnerabilities or misconfiguration should be higher priority when pursuing Secure by Design.
Here, vulnerabilities are flaws introduced by the vendor, in contrast to configuration which is controlled by the end-user.
Workshop on the Economics of Information Security (WEIS'25) venue and dates just announced.
Date: June 23-25, 2025
Venue: Institute of Industrial Science (IIS), The University of Tokyo
kmlabcw.iis.u-tokyo.ac.jp/weis/2025/in...
Definitely a blind men and an elephant problem
Interesting slides tho. Will there be a recording?
humble title 😂
One attack could hit three if the attacker phished credentials and used them to login via RDP
Ah it could be. I'll double check. It's why I like sharing figures before publication
Initial access vectors according to various DFIR firms.
Random thoughts:
- None of the reports find the majority are caused by vulns/exploits
- How do some of these firms *not* have an "unknown" category?
- Many categories are overlapping
- We really need a standardized schema @zakird.com
I've started building a starter pack for security economics researchers. It's a work in progress, so feedback and suggestions are more than welcome! We'll continue to update it—stay tuned!
go.bsky.app/BgGNPep
Strong agree! The threat against consumers is often unrelated to a security breach, typically rooted in defamation, often groundless.
Ofc! You're the most curious person in cyber risk
fun fact from SEC Chairman Gary Gensler's resignation announcement
18% of tips/complaints that come to the SEC relate to crypto, even though the crypto market is less than 1% of all financial markets
www.sec.gov/newsroom/pre...
Just 1.6% of respondents have cyber coverage, and 8.5% are aware of the product.
It'll be interesting to see how this product evolves.
I think these losses will be absorbed into home insurance policies as a premium option. It's hard to justify a separate sales channel for a <$50 product.
Notably, insurers see non-trivial costs associated with cyberbullying.
The typical claim may involve legal costs, counselling and lost wages to respond to the incident.
But in extreme cases, cyber insurance will cover costs associated with moving home or school.
We also asked participants to estimate how much compensation they would need to cover each cyber incident.
Financial frauds were estimated to be the most expensive, with no statistically significant difference between victims and non-victims.
The median cost of cyberbullying was estimated to be $0.
Cyber attack and online fraud are possibly too generic.
There were multiple examples where participants thought they were "very easy" to define, only to find the real definitions from a policy are "not at all similar" when presented with one.
These discrepancies can lead to nasty surprises.
The second stage designed a survey to explore coverage, risk and product uncertainty.
Some of these coverages are well understood by both high and low security awareness participants, such as cyberbullying and ID theft.
Cyber extortion was perceived to be the hardest to define.
Figure showing cyber insurance covers a range of harms covering security, privacy, scams and online abuse.
What does personal cyber insurance cover?
Our new article found that personal cyber insurance covers a range of online harms, including social media abuse.
"Why would money protect me from cyber bullying?": A Mixed-Methods Study of Personal Cyber Insurance
www.computer.org/csdl/proceed...
My favourite finding is that these teams function like labour unions in negotiating with large tech companies to receive fair bug bounty payouts. This fighting for the little guy was very Ross.
We scraped a bunch of descriptive stats on team size, finding that the biggest teams have 500+ members.
Very proud of Lawrence (Yangheran) Piao who had his first article accepted at Oakland'25.
The paper looks at the role of hacker teams in the Chinese bug bounty ecosystem.
We very sadly lost Ross Anderson mid way through this project.
www.computer.org/csdl/proceed...
I enjoyed Tyler Cowen and Alex Tabarrok on insurance, especially reflections on where the good insurance scholarship is.
No surprise that the sociologists were more insightful than the economists.
marginalrevolution.com/marginalrevo...
Most people outside of research are still unaware of how much the cyberattack on @britishlibrary.bsky.social is affecting the research community one year on. Good piece covering that + the need to invest in libraries.
www.timeshighereducation.com/depth/how-br... @timeshighered.bsky.social
She'd already reported to Google but hadn't heard back.
I recommended this to a colleague who was being impersonated via a gmail account just last week.