Daniel W Woods
Economics of security and privacy. Lecturer at the University of Edinburgh + Researcher at Coalition.
- This project asks whether addressing software vulnerabilities or misconfiguration should be higher priority when pursuing Secure by Design. Here, vulnerabilities are flaws introduced by the vendor, in contrast to configuration which is controlled by the end-user.
- In a new paper for Lawfare's Security by Design Series, Sezaneh Seymour and @ieltop.bsky.social argue that "Secure by Design (SbD) policies should be calibrated to the actual risks faced by small businesses, rather than focusing primarily on software vulnerabilities."
- We looked at two main data sources: the causes of cyber incidents via DFIR investigations, and the presence of security issues found via scans. We found:
  - Exploits of vulnerabilities were the initial access vectors in <50% of incidents across 7 studies, with 32% being the median estimate.
  - The median estimate of stolen credentials was 29% and phishing 17%.
  - Vulnerabilities represented a lower share of initial access vectors in samples comprising smaller firms.
  - Exposed vulnerabilities/End of Life software represent a minority of notifications sent by Coalition.
- Based on this evidence, we argued that to calibrate Secure by Design with small business risk, there should be more focus on reducing misconfigurations. www.lawfaremedia.org/article/cali...
- Workshop on the Economics of Information Security (WEIS'25) venue and dates just announced. Date: June 23-25, 2025. Venue: Institute of Industrial Science (IIS), The University of Tokyo. kmlabcw.iis.u-tokyo.ac.jp/weis/2025/in...
- Reposted by Daniel W Woods
- Initial access vectors according to various DFIR firms. Random thoughts:
  - None of the reports find the majority are caused by vulns/exploits
  - How do some of these firms *not* have an "unknown" category
  - Many categories are overlapping
  - We really need a standardized schema @zakird.com
- Reposted by Daniel W Woods: I've started building a starter pack for security economics researchers. It's a work in progress, so feedback and suggestions are more than welcome! We'll continue to update it—stay tuned! go.bsky.app/BgGNPep
- Reposted by Daniel W Woods: Fun fact from SEC Chairman Gary Gensler's resignation announcement: 18% of tips/complaints that come to the SEC relate to crypto, even though the crypto market is less than 1% of all financial markets. www.sec.gov/newsroom/pre...
- What does personal cyber insurance cover? Our new article found that personal cyber insurance covers a range of online harms, including social media abuse. "Why would money protect me from cyber bullying?": A Mixed-Methods Study of Personal Cyber Insurance www.computer.org/csdl/proceed...
- The second stage designed a survey to explore coverage, risk and product uncertainty. Some of these coverages are well understood by both high and low security awareness participants, such as cyberbullying and ID theft. Cyber extortion was perceived to be the hardest to define.
- Cyber attack and online fraud are possibly too generic. There were multiple examples where participants thought they were "very easy" to define, only to find the real definitions from a policy are "not at all similar" when presented with one. These discrepancies can lead to nasty surprises.
- Just 1.6% of respondents have cyber coverage, and 8.5% are aware of the product. It'll be interesting to see how this product evolves. I think these losses will be absorbed into home insurance policies as a premium option. It's hard to justify a separate sales channel for a <$50 product.
- Very proud of Lawrence (Yangheran) Piao who had his first article accepted at Oakland'25. The paper looks at the role of hacker teams in the Chinese bug bounty ecosystem. We very sadly lost Ross Anderson midway through this project. www.computer.org/csdl/proceed...
- My favourite finding is that these teams function like labour unions in negotiating with large tech companies to receive fair bug bounty payouts. This fighting for the little guy was very Ross. We scraped a bunch of descriptive stats on team size, finding that the biggest teams have 500+ members.
- Open access version: www.research.ed.ac.uk/en/publicati...
- I enjoyed Tyler Cowen and Alex Tabarrok on insurance, especially reflections on where the good insurance scholarship is. No surprise that the sociologists were more insightful than the economists. marginalrevolution.com/marginalrevo...
- Reposted by Daniel W Woods: Most people outside of research are still unaware of how much the cyberattack on @britishlibrary.bsky.social is still affecting the research community one year on. Good piece covering that + need to invest in libraries www.timeshighereducation.com/depth/how-br... @timeshighered.bsky.social
- Reposted by Daniel W Woods: Still love this service we started way back when (2020 I think), & very proud that it's now got over 35 million reports! If you get a suspicious email then send it to report@phishing.gov.uk