There are a lot of great comments on the “Security Prediction Markets” post.
There’s a tremendous amount of theorizing going on here, and no one has any data. Why don’t we experiment and get some? What would it take to create a market in breach notification prediction?
Dan Guido said in a comment, “In security, SOMEONE knows the RIGHT answer. It is not indeterminate, the code is out there, your network is accessible to me and so on. There’s none of this wishy-washy risk stuff.”
I don’t think he’s actually right. Often times, no one knows the answer. Gathering it is expensive. Translating from “there’s a vuln” to “I can exploit it” isn’t always easy. For example, one of my co-workers tried exploit a (known, reported, not yet fixed) issue in an internal site via Sharepoint. Something in Sharepoint keeps munging his exploit code. I’ve even set my browser homepage to a page under his control. Who cares what I think, when we can experiment?
What would be involved in setting up an experiment? We’d need, in no particular order:
- A web site with some market software. Is there a market for such sites? (There is! Inkling will let you run a 45 day pilot with up to 400 traders. There’s likely others.)
- Terms & conditions. Some issues to be determined:
- Can you bet on your employer? Clients? Customers?
- Are bets anonymous?
- What’s the terms of the payoff? Are you betting company X has a breach of PII, or a vuln? Would Lazard count?
- What’s the term of a futures option? What’s the ideal for a quick experiment? What’s the ideal for an operational market?
- Are we taking singleton bets (Bank A will have a problem) or comparative (Bank A will have more problems than bank B.)
- Participants. I think that’s pretty easy.
- Dispute arbitration. What if someone claims that Amazon’s issue on Friday the 6th was a break-in? Amazon hasn’t yet said what happened.
So, we could debate like mad, or we could experiment. Michael Cloppert asked a good question. Let’s experiment and see what emerges.
Photo: “Better living…” by GallixSee media.