Predictive markets & betting on when apps or companies get owned

Posted by Tate Hansen Thu, 01 May 2008 05:30:00 GMT

A recent WSJ article titled “Trading on the Wisdom of Crowds” sparked my interest as it may relate to security. Are there ways to build a business around helping organizations understand the risk to their data assets by using predictive market models? Or maybe building it around betting on commercial applications?

“Betting odds are generally taken as the best indicator of probable results in presidential campaigns,” this newspaper explained in 1924.

I’m placing a bet that retail store XYZ gets owned and reveals grandma’s credit card details in ‘08. I’m placing another bet that application ABC will have a remote admin-level vulnerability by October ’08.

Alas, we must have more transparency and trust in the publicly disclosed information to play. Participation is key as well:

Predicting markets seem to work so long as there are enough traders whose aggregate information is fully reflected in bets.

Would enough people find it worthwhile to become active traders? Maybe. There was an active predictive market created around the following question:

What will the government's 2007 computer security grade be?

It’s probably a big stretch to build a successful predictive market business around the types of security bets which would benefit organizations. By that I mean: if I were responsible for a commercial application and 75% of the traders were betting on my application being owned within the year, I’d probably work hard to change the odds (i.e. allocate resources to improving the security of my app).


When virtual servers play havoc

Posted by Tate Hansen Mon, 14 Apr 2008 21:19:00 GMT

I recorded a tidbit from a comment made at one of this year's RSA panel tracks. I hadn't thought of this issue on a big scale. The comment was about how disruptive to security an environment is when it frequently "resets" virtual servers as part of normal business.

It's obvious such an environment can have a significant impact on security tools, especially those which strive to learn patterns or look at history or both.

I was just imagining if I were a security admin responsible for a large block of EC2 virtual servers. As part of that, maybe the use of these blocks of servers is similar to a class lab, whereby students get to install and do anything they want on the servers. When they're done, the instructor runs around and resets all the servers. Extrapolate this and it can lead to a hard problem, security-wise, for the general case.

I haven't meditated on this issue, but I'm guessing it'll become more visible in a short time.
