We're going to kind of have an open and hopefully enjoyable chat today about a little problem. So, you know, I get hired by the U.S. government to run the National Cyber Security Center. And that was to stitch together, help to link all the networks across military intelligence and the civilian government and to coordinate the defense of all those networks. And realize, you know, pretty quickly that there was some serious dinero being dropped down on this problem. I mean, like, many, many billions of dollars. And having some background doing high-tech companies and, you know, software companies and internet companies and also doing a lot of economic and finance work, I said, well, where's the risk management models? You know, don't we have a risk management model? So we actually know what we're trying to get done in cybersecurity because we're going to spend, you know, tens or hundreds of billions of dollars over time, over decades. Shouldn't we really know? And the answer was no. There wasn't a model. And sometimes people would put up this little slide and say, you know, risk times, threat times, this or that. And that wasn't even a model. And I thought, well, you know, how can we go spend billions of dollars of taxpayers' money if we don't actually know what we're getting for it or think we're getting for it? So this work came out of that effort. So the initial thing I was thinking about is how do you do risk management for cybersecurity, okay? But then I thought about, well, you know, how are you going to figure out how to protect a network and how much you should spend on a network? I mean, how do you decide what the network is worth, right? I mean, because would you want to spend $100 billion protecting a network that's worth $1 billion? That doesn't make much sense, right? So before you figure out how much you want to spend to protect something, you've got to figure out how much that thing is worth.
And so that line of inquiry then led to looking at some things, namely looking at the traditional approaches to look at network valuation. So here's what we're going to do today is kind of look back to the history of how people have tried to approach this problem of saying what's a network worth. Then talk about a new model that actually may work, or actually does work, to answer that question. And then we'll look at cybersecurity in kind of like different ways to take the economic model and apply it. So how many of you have, like, I mean, this is a DEF CON festival, so I imagine we're mostly techies here. But how many people have a background in engineering, math, science, or computers, network administration? Okay. And is there anybody who's not comfortable with Greeks on the board? Good. Leave. If you're not comfortable with Greeks, leave. No, so we're going to, we're going to throw some math up here today just to, because the stuff has some bones that's behind it. So anyway, and I'm Rod Beckstrom. I've normally been a high-tech entrepreneur. So I started my first software company when I was 24 that did derivative trading systems. I was a quantitative trader at Morgan Stanley, building my own derivative trading models in my early 20s. And then I left and started a company called CATS Software. And we got really lucky because we built these good analytical systems, and there really was a market. So second year in grad school, we sold about a million dollars of the software, and then we were able to actually build that up into a global company. So we had offices in New York, London, Tokyo, Sydney, Geneva, Hong Kong, kind of all over the place. And then we got really lucky because one of the professors I asked to help me start the company was a guy named Myron Scholes. Has anyone heard of Myron Scholes? Yeah, the hand going up there. So what model did he invent? Exactly. Black-Scholes. The Black-Scholes, the fundamental options pricing theory.
And what he did is he took the insights, he took the general diffusion equation out of thermodynamics and applied it to finance problems. And it worked. So he and Fischer Black took the diffusion model, applied it. That worked. So Myron was helping us and then he was just like a really smart professor at Stanford when we got to work with him. And it was really nice though because three years later they gave him a Nobel Prize. So he helped us solve some of our modeling problems and looking at derivatives. And then we had another guy helping us out named Bill Sharpe. Has anyone heard of Bill Sharpe in finance? Or William F. Sharpe? Capital asset pricing model? Anyway, Bill did risk return analysis with two other guys who helped develop the fundamental concepts of risk in finance. And he too won the Nobel Prize. So we got to work with some really smart people. And Bill actually helped us develop a model in economics for value at risk and he encouraged me to write a book on that which was the first book that I wrote which almost no one knows of unless you're a finance weenie and like risk management. But some of you may or may not have heard of a book I worked on called Starfish and Spider. Has anyone heard of the Starfish and Spider? All right. So anyway, did some of that stuff and then I got recruited by the government to help out in cybersecurity. And I thought well that'd be really interesting because I've done only private sector companies and non-profit work for a long time. So let's go work for the government. So I did that and that was fascinating and that led to this work. So I was at DHS when we helped develop some of this stuff. And now I'm at ICANN. So it's my third, fourth week on the job at ICANN. So let's do a test. How many people have heard of ICANN? I know what ICANN does. All right. So for those who don't, ICANN is the Internet Corporation for Assigned Names and Numbers. And what we do is we address the Internet. We're addressing the Internet.
When you go to a city, right, you open the phone book. I mean, is your phone, everyone's got a phone here. Is your phone number unique? I mean, if people call, your phone number, do they get to you or do they get to, if they're calling from somewhere else in the world, do they get to somebody else? Your phone numbers are unique, right? Well, someone has to enforce that policy to make sure that every phone number on the planet Earth is unique. Someone has to do that on the Internet to make sure that every network address is unique and that those get handed out and allocated through the ISPs and all the different parties. Same thing with names. So when you go to your phone book, and who's got Smith as the last name here? Any Smiths? Bakers? No, no luck. Okay. Well, there's a lot of Smiths and bakers in most cities. So in the phone book, right, you got a lot of John Smiths. Well, on the Internet, do you have a lot of johnsmiths.com? No. You only get one, right? So there's naming integrity in the Internet to maintain global space and there's addressing integrity and ICANN is the group behind the curtains that runs that policy process and contracts with all the governments of the world and with the other parties and the registries to allocate names and numbers. So anyway, that's what we do. There's about 200 million names in the world on the Internet that have been purchased and there's about a billion numbers that have been allocated in IPv4 and then of course when we get to IPv6, it'll be trillions and trillions of numbers. So that's what ICANN does. It's a non-profit and it doesn't work alone. It's part of an ecosystem. The kind of the amazing thing about the Internet is in some of you actually you'll probably work with one of these groups. So ICANN, IETF and Internet Society are three of the key players in the ecosystem. How many of you have heard of IETF or been a member? Thank you. 
If you're a member and you're a contributor and I have my advertisement for IETF on here because I just got back from Stockholm and then Cerf was introducing me to all the gods of the Internet. IETF is the Internet Engineering Task Force and these brains here develop all of the protocols for the Internet. Whether it's IPv4, IPv6, HTML5, wireless standards, all kind of IPv6 and the Internet of Things there and how to do low power devices and get them on the Internet and I don't need to geek out and all that but anyway, the Internet ecosystem is amazing because it's run by these non-profits in total, those three groups they have thousands and thousands of volunteers like many of you in the room and only 200 employees. So there's only 200 employees in the world that are basically coordinating these basic functions of the Internet that are used by 1.5 billion people. So that's one person per 7.5 million users. Anyway, and I'm the lucky guy I got hired to be CEO and president of ICANN so I'm totally thrilled about it. So that's that background. So why do the economics matter? You know, does it matter? Well, I think if a government's dropping tens of billions of dollars right into a problem, I think it matters and if our companies, you know, your companies are putting tens or hundreds of millions of dollars into it we've got to really ask some hard questions about where's the payoff and what we need is kind of a framework to hang it off of and let's look at some of the questions that we might want to look at. You know, just to make it really granular and personal, you know, what is the Internet worth to you personally? What's it worth to you? That's an economic question that we need to have a framework for answering. What's the total value of a network? Maybe your social network with 50 friends in it on Facebook or it may be a business network with 2,000 companies or it may be the Internet with 1.5 billion people. What is that whole network worth?
How are we going to approach that? What are the economics of security? What about security risk management? So how are we going to do risk management and make decisions? What are hacker economics? How many of you are hackers? How many hackers we've got in the room? All right, we've got some hackers. So we've got to look at your economic model. You know, how do you make money? Because we have to understand that if we wanted to deter your activity, make it harder. Okay? And maybe you're a red teamer, you know, on the light side. But otherwise you're on the other side. But we need to understand the economic deterrence. We need to understand that before we spend billions of dollars on it or throw policy solutions at it that won't work. Or we can use economic models to figure out how to incentivize the right behavior. So supply chain. How are we going to get it cleaned up? Get the malicious code out of the supply chain. And then we want to look at things like the protocols themselves. The Internet that are holding the Internet together and what are the economics of them? What are the economics of outages? What's the economics of resilience? So these are all really important problems. We can actually answer them. Okay? It's actually pretty easy. Pretty easy from a conceptual standpoint. And then there's some work into getting it done. But before we, you know, jump forward, you know, let's go back. So what is the law that most people refer to if they talk about what's the value of a network? Who was it? Bob Lynch's presentation yesterday morning. He mentioned it. It's a guy who worked on Ethernet. Giving you a hint. Metcalfe. Metcalfe's law, right? And what does Metcalfe's law say? Anyone remember what Metcalfe's law says? Okay. But what it says, that's right, is that the value of the network, let's say network J, the value of network J is equal to the square of the number of nodes on that network, or endpoints, times p, which is some constant.
So basically, the value of every network in the world is portrayed by a picture that goes and it goes screaming upwards. Right? Does anyone want to buy stock based on that? Do you want to value a network based on that? Has this ever been done? It was in the late 90s. Okay. Metcalfe's law was just used to justify you know, 10, 30, 50, 100 billion dollar valuations of these networking companies that were grabbing a piece of the network, you know, like pets.com. So, and what was the story? People remember the network that Metcalfe used to justify why this model worked or should work? Fax network? Sound familiar? Right? So what Metcalfe said was, well, look, obviously, you know, this is proven because the more people get faxes and the more people can communicate and the value just keeps going up. Now, is that really true? I mean, is it really valuable to you that another 10 million people in Africa and many of you care about the 10 million machines in Africa? Okay. Well, if you don't care about those 10 million fax machines in Africa or a lot of other countries, then why would there be this geometric progression? So, this was what Metcalfe's law said. What it really relates to is the number of possible connections in a network is equal to mathematically n times in parentheses n minus 1 all divided by 2 which is a geometric progression that goes at half this rate basically. And it doesn't work. Okay? The problem with Metcalfe's law is, it doesn't work. It doesn't tell you anything except the potential number of nodes in a network. So no one's used it for real valuation. So you can't use it to determine how much to invest in cybersecurity or national policy or any other issue. Your own corporate investment. So then other people came along and said, well, you know the problem with Metcalfe's law is, it goes forever, right? It just goes zoop, so Zipf came along, z-i-p-f, and Zipf said I've got a law and I'm going to have it taper out.
I'm going to have it go up and then I'm going to have it hit a peak and I'm going to have it curve down. Okay? So I'll add another little factor in the equation. Well, that's kind of good, but how are you supposed to get that other number and what does it really mean? And then Reed came along at Harvard and Reed said, well, I'm going to do Reed's law and Reed's law is going to say what's the number of sets of people in groups you can organize in a network? So the two of us could form a group, just the two of us, and then you and him and then you and three other people, five. So I think of all the different sets in this room. Okay? I don't know how many people we have in the room, someone smarter than me, but you know, it's probably like 10,000 sets or something we could have. Who cares? Who cares? Okay? It's irrelevant. It's just a theoretical like. So Reed's law is interesting about it. What's the total number of sets you could have? It doesn't really have any practical application. Well, there's one thing that all those models had in common. And by the way, and I spent years trying to fix Metcalfe's law. Okay? I took Metcalfe's law right here and I tried to add in substitutes. Because I looked at the email now, I mean faxes and I said, well, emails are a substitute, so they're making the fax network less valuable. So let's add substitutes to the equation. Let's add latency to the equation. Let's add pure cohesion of the participant. I started adding all these things to the equation and some people thought, well, maybe that's really interesting what Beckstrom is working on. And then I realized one day when I was confronted with this problem on cybersecurity, I said it's a total joke. I'm just on the wrong track. I'm not going to get there. And so what I finally realized, and this was the realization that came last June, I was working on the problem on the whiteboard, which is it's not about N. It's about T. What is N? N is the number of nodes in a network.
So think about the Internet of Things. We're going from, you know, devices and computers and toasters and refrigerators. So you assume this, you know, huge network of a trillion things. Well, the value of the network is not about how many endpoints or nodes you've got at all. That is not what's relevant. Because you might have a PC in your house that three people use. Or you may have eight machines that three people use, kind of like we have at our house, four people use. So what's T? So what's the T that matters in the economics? And that's transactions. What really matters in network economics and even cybersecurity is it's all about the transactions that we either want to have happen or don't want to have happen. That's the, and once I got that insight, then the question was, okay, how do you build an economic model around transactions that actually makes sense so that you can value a network? So, another way to express this, I want to talk about a little bit. Since some of you've heard of the Starfish and Spider, so the problem with the N view looking at the size of a network and trying to say, you know, what's it worth is that the N view is a centralized spider-like perspective. Because you're looking at the network as a whole and you're saying all I have to know is how many endpoints there are, okay? Well, that's a spider-like approach, totally centralized. The transaction approach is completely the opposite. It's very starfish-like or decentralized. We use the starfish as a metaphor for decentralization because you can cut off an arm and it regenerates because it's pretty decentralized, or if you cut off all five arms in this species here you get five new starfish. Each arm can regenerate an entire new living starfish. Why? Because it's completely decentralized. It doesn't have a centralized brain or a centralized nervous system or other central organs. It's got a nerve ring that's centralized to send messages and it can regenerate that nerve ring. 
So, when we look at transactions, we're decentralizing the problem and we're going to look at the network not from the middle but from the edge. From each one of you. From every one of you. We're going to look at the economics of the network to you and the perspective. If we can figure out what the network's worth to you and then just another billion and a half people on the earth we can solve the problem. So, here's Beckstrom's law and that is the value of the network equals the net value added to each user's transactions from their standpoint, by the way, summed for all users. Okay? That's the English. It's pretty simple. Or mathematically, we're going to look at the value to you. So, you are V sub i. You are what's your name, sir, in the orange shirt here? Corey. So, Corey in the orange shirt up here, thanks for volunteering. Raise your hand, Corey. All right. Corey, we're going to look at the value of the network to Corey as an example. He's the first instance of i and then j is the network. We'll say the value of the network for Corey and what the value of the network is to Corey is the sigma, the summation function of the benefit of all transactions Corey's going to do on the internet for, say, one year minus the cost of all transactions. So, very simple framework and we're going to get into making it a little more explicit in a second but let's just do a simple example. I mean, Corey, do you ever buy books online? Okay. You buy books online. Like, how many do you buy a year? About 20 books a year. And what do you think, what's the average price on those books, would you say? About 30 bucks. So you're buying some science books, security books, hardbacks. So, 30 bucks a year is what you pay online. What do you think you'd pay on average for those books if you went to a bookstore? About the same. And how much, and if you went to a bookstore, presumably you'd spend some time, right? Take more of your time to drive, spend some gas.
Can we say that your time to go buy a book is probably worth at least 10 bucks? Okay. So, if Corey can buy the same $30 book online that he'd otherwise have to go to the store and spend $10 of his time on, on average, the network is adding $10 to his transaction. And if he buys 20 books a year, then he's saving $200 a year just in book transactions. Do you buy, your books represent like how much of your purchases online percentage, like a third, a half, 10%? Maybe a fifth. So, let's just say for a second, there's 200 bucks there and you do a lot more transactions, five times that many. Are they probably average about the same size or some of them bigger and some of them smaller? About the same. So, if it's about the same. So, for Corey, he's saving about a thousand bucks a year then. Five times 200 bucks on those transactions. Now, you probably do emails too, right? Okay. Or send a lot of documents around. You do web research or use search engines, Google, Bing, Yahoo. If we take Corey, we look at every transaction he does in a year. And by the way, this is easy on computers, right? All you got to do is key log it. I mean, this is an economist's dream. The network is the most measurable thing on the planet Earth, these transactions. We can get everything. A little harder to go figure out what it costs him to go to the store in terms of time. Then we have to ask him how much is your time worth? You probably value your time at 100 bucks, 200 bucks an hour, right? So, it probably takes a half hour to get to the store and back. Maybe 40 minutes. Say, half hour. Say, your time's worth 200 bucks. So, it's actually costing you 100 bucks to go to the store. So, what we're doing is illustrating let's say Corey's transaction, he's saving a thousand bucks on products. Plus, you're doing research and emails. Now, another way we can figure out what the network's worth to him is what do we do? You tell him, Corey, now we go to his computer, right?
And we take a hammer, we break the wireless card, and we unplug the back of it and say you're disconnected. You can't go online for a month. What's it worth to you? What do you think you'd pay to go online if you couldn't go online at home? At least a grand? A month or a year? And you're not sure. Well, you'll figure it out. You'd probably pay quite a bit. That's another way to look at the value. But, so once we know, let's say the network value to Corey is 3,000 bucks a year. At home. Now, that's not his job. It's also got value to him and his job. But that's just to Corey as an individual. Well, we're now answering this question then. Because we've got sigma benefit for Corey is about net benefit we're saying is 3,000. So, actually he's saving money on transactions, but you're paying how much you pay for connectivity every month, Corey? 40 bucks a month. So, 480 dollars a month. Plus, he's a little tiny bit of electricity. Plus, you're worried on your computer a little bit. But you probably have it anyway. So, if you look at all the benefits and the costs then you're going to figure out what the net value is to Corey. Okay, so now we've got our building block. So, if we're going to take it into real math, or just make it more explicit, we're going to get more formalized. And I'm going to go, we're going to scale now from Corey, one user to the whole room and all the internet. So, what we're going to say is sigma for all users i on this network, which is the internet. So, sigma i equals 1 to N for users of the network. V of i sub j is equal to the summation of the benefits for every single user. Okay, the benefit transactions. Minus the cost transactions. And then a little function on the bottom, 1 plus e, raised to the power of t, is just what we call discounted cash flow analysis. So, in other words, if he saves a thousand dollars this month, it's worth more than saving a thousand dollars a year from now, or five years from now. But this is the explicit formula.
And this is the, from this model, you can value any network in the world. Now, the challenge is you got to go figure out what your transactions are. Right? You got to, but as I said, it's pretty easy to figure out what we're doing online because we can keystroke log it, okay? And then some of that finance we can measure, our costs are pretty easy to measure. The benefits are a lot harder. Because then we got to go find out what it would cost to go replace that product or service elsewhere. Okay? But this, so the fundamental notion of the law is it's entirely transaction based. And you have benefit transactions and cost transactions and the, now why would they not line up the same? You know, there's different counters here. There's k equals 1 to M on the benefits and there's l equals 1 to P on the costs. Why would we use a different counter? And by the way, someone on Slashdot corrected my notation on this. I was using, I was using N equals 1 to N. I mean, i equals 1 to N on everything and someone on Slashdot slashed me up, it's like, what are you doing? That's sloppy, you know, you need different counters and it's like, yeah you're right, thanks. Thanks, thanks for the catch. But why would there be different counters on the benefits versus the costs? Okay, so we do the book example, he's going to pay 30 bucks and he gets a book that has some value. So that's kind of paired, right? But what about his internet service, right? You probably pay monthly, right? But you use the internet how often? Every day. Or every minute or every second or every hour depending upon how big an addict you are, Corey. Okay, right? So the transactions are not matched. So your cost transactions are not identical to your benefit transactions. Sometimes they'll pair up. But so there's separate counters on here. So this is the foundation and then we should roll forward. What then is the network effect, right? We've all heard about the network effect, right? The incredible network effect.
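The explicit formula just described, the per-user sum of discounted benefit transactions minus discounted cost transactions with separate counters k = 1..M and l = 1..P, is written out below as a runnable calculation. This is an added example, not code from the talk or from ICANN; "Corey's" transactions (20 books, other purchases, daily email and research at $10 a day, $40 a month connectivity) are constructed from the numbers in the talk plus an assumed value for research, and the discount rate is an assumption.

```python
"""Beckstrom's law as a computation (added example; not the speaker's code).

V_j = sum over users i of [ sum_{k=1..M} B_ik/(1+r)^t_k - sum_{l=1..P} C_il/(1+r)^t_l ]

Benefit and cost transactions carry separate counters (M vs P) because they
do not pair up: one monthly connectivity fee funds hundreds of benefit
transactions. Every transaction below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Transaction:
    amount: float   # dollars: net value added (benefit) or money paid out (cost)
    t_years: float  # when it happens, in years from now (for discounting)


@dataclass
class User:
    name: str
    benefits: List[Transaction]  # counter k = 1..M
    costs: List[Transaction]     # counter l = 1..P


def discount(amount: float, t_years: float, rate: float) -> float:
    """Discounted cash flow: a dollar t years out is worth 1/(1+rate)^t today."""
    return amount / (1.0 + rate) ** t_years


def user_value(user: User, rate: float = 0.0) -> float:
    """V_ij: value of network j to user i = discounted benefits minus discounted costs."""
    benefits = sum(discount(tx.amount, tx.t_years, rate) for tx in user.benefits)
    costs = sum(discount(tx.amount, tx.t_years, rate) for tx in user.costs)
    return benefits - costs


def network_value(users: List[User], rate: float = 0.0) -> float:
    """V_j: the sum of V_ij over all users i = 1..N of network j."""
    return sum(user_value(u, rate) for u in users)


def corey() -> User:
    """One year of constructed transactions for 'Corey' from the talk's book example."""
    benefits = []
    # 20 books: same $30 price online as in the store, so the benefit is the
    # ~$10 of time and fuel saved per purchase, spread across the year.
    benefits += [Transaction(10.0, k / 20) for k in range(20)]
    # Other online purchases, about five times as many, similar savings each.
    benefits += [Transaction(10.0, k / 80) for k in range(80)]
    # Email and web research on 250 working days, valued at $10 a day (assumed).
    benefits += [Transaction(10.0, d / 250) for d in range(250)]
    # Costs: connectivity at $40 a month, paid monthly.
    costs = [Transaction(40.0, m / 12) for m in range(12)]
    return User("Corey", benefits, costs)


def idle_subscriber() -> User:
    """Edge case: pays for connectivity but does no transactions, so V_ij < 0."""
    return User("idle", [], [Transaction(40.0, m / 12) for m in range(12)])


if __name__ == "__main__":
    c = corey()
    print(len(c.benefits), "benefit transactions vs", len(c.costs), "cost transactions")
    print("Corey, undiscounted:", round(user_value(c), 2))
    print("Corey, 5% discount rate:", round(user_value(c, 0.05), 2))
    print("Two-user network:", round(network_value([c, idle_subscriber()]), 2))
```

The two counters are visible in the data: 350 benefit transactions against 12 cost transactions for the same user. The idle subscriber shows the model's sign is not forced to be positive: a user who pays for the network and does nothing on it contributes a negative term to V_j.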
What is the network effect? What is it mathematically? Can we even define it mathematically? Well, it ends up we can. We're now just going to leverage the model we just developed, this transaction based model, and explicitly define the condition where the network effect is present. So this is not the driver of the network effect, but this is a test to determine whether the network effect is present or not. And that's simply we're going to use the summation function. The only difference between the two sides of this equation is n plus 1 on the top versus n. So we're going to take a network and say it's like this room and we're all in a club together, okay? We're going to let one more member in the door, okay? That person comes in, what happens to the value of the network? If the value of the network increases because that person came in and they're adding value so they're not jumping up and down and screaming and interrupting us and you know, being annoying or whatever. If they're a positive contributor and the value of the network increased they get a greater than sign, okay? So the network is now more valuable. But that's the perspective of the entire network including that person. But we're sitting in the room, right? And if we're sitting here do you really care about the value of the overall network? Well, maybe if you're really magnanimous, but if you're just looking at your own position, you care about the value to you. So let's tweak the model and look at it from your standpoint or the standpoint of the existing members of a network. The value then becomes the value of the n plus one network minus the value of that n plus one individual. Let's take their value out and then look at did the value of our network increase. And this is the one that MySpace may have missed, right? Because how do we know in part that these rules are valid? Let's look at the news this week. What did Bill Gates say something about Facebook? What did Bill Gates say about Facebook?
Too many friends. Too many friends. So what did he do? He quit and left. Why? Not useful. Wasting his time. So look, if Metcalfe's law was true, then Bill Gates would say, well, the more friends the better. But that's not true because he got the transactions he didn't want to have, which is all those updates and notices and all those things that pester us, right? I mean, I actually thought, well, geez, you know, should I think about the same thing? I'm getting pretty tired of Facebook messages at this point. You know, my network's over a thousand, I think, of friends and it just keeps growing. So here we come back. So here's the acid test and here's where MySpace is on a declining slope, I'd argue, and Facebook, I don't know where they are. But you've got new users coming on to MySpace and they think it's good for them but they're overloading other people so the value to other users is going down. So if you get past the tipping point, there's a positive network effect, then there's a negative network effect. Here we're on the positive, so we're saying, you know, it's just like the early days in Facebook and we're so excited to connect to those colleagues we worked with five years ago or people we went to high school with or from our hometown, it's like so cool and how we can connect to all these people is amazing and you have that great feeling until you keep getting more and more and more and more and more and then you get the inverse network effect. So here's the inverse network effect. We're going to use the same math, it's just a less-than symbol. We've now gotten to a point where the larger network n plus one is worth less than the network was worth before and to make it more explicit we're now going to look at the previous members and take out one member. So we're going to take out the latest person that just joined, you know, the Facebook community and say, you know what this guy has come in or this gal has come in and now my network is worth less. Why?
Because I'm past the growth point and I'm going to come on to security in a second but the beauty is once we have this really ridiculously simple model, because the model is ridiculously simple, it's just tally your transactions and measure them. Once we have that we're able to start doing a lot of different quantitative measures to figure out where we are in a system and we can start developing the conceptual models as well because the underlying ideas are really simple, right? I mean I don't think it could be much simpler. So let's look at some examples. So who here plays golf? Who plays golf? Okay. Who here is in a private golf club? Okay, sir. What's the name of your golf club? Grand Oak. Grand Oak. Do you mind coming up to the microphone, by the way? If I could ask you, please? So you're in Grand Oak Golf Club and what's your name, sir? Chris. Chris. And how many members do you have? Too many. Too many? I don't know how many. Okay, like maybe 400 or 500? Yeah. Okay. Now why do you say there's too many? It's become increasingly difficult to get a tee time. Thank you very much. So would you say that the next member is adding a, you're in the positive network effect zone or the inverse? Inverse. So you're in the inverse network effect zone? Yep. In this private club you had to buy in to buy your piece, right? So on the one hand it's cheaper now, right, because you're spreading your costs over more people, but you're not getting the transaction you want, are you? Right, less enjoyable. Less enjoyable because you're not getting your tee time and that's the transaction value. So we go back to Beckstrom's law, your B is lower. Your benefit's lower because you're not getting the time slot you want. Does anyone know what the average size of these private golf clubs is around the world? It's about 400 to 500 people. You know why? Because we'll look at how often you play golf. How often do you play golf? Twice a month now. Right? That's pretty average for a lot of clubs.
So the tee times are staggered, every 12 minutes right or every 15, you know, and so only so much can get in. So golf clubs are a great example because if it only had 200 members it might be a little expensive, right? So you're probably okay up to some zone and then somebody took it too far. So thank you, thank you very much. That's a great example. So golf clubs show us these principles at work and think about your online networks, okay? It's the same thing. You don't want them too big. But support groups. So has anyone been like in a cancer support group or any kind of support group? You know, no one wants to talk about it. Okay, don't raise your hands. Support groups tend to be best when they're around 10 people. Why? And this is a social network. Why would support groups be best at 10 people? I mean wouldn't you think the more people supporting you the better? Right? I mean I get 10 people to support me. Wouldn't it be better if 50 people supported me? What are the transactions though that you do in a support group? What are the transactions? You support each other. Well you listen right? You have a listening transaction. So I'm in listening mode, right? You have a talking mode. Now let's talk about talking mode. If you got 10 people, what percent of the time are you talking? 10% on average. If you got 50 people, what percent of the time are you talking? Two percent. People want to be heard. So we're happy to support each other but we want to share as well as listen. So support groups tend to be best around 10 people. So it's another example where the transaction set and the trust level is defining the right size. Facebook, we just talked about Facebook. YPO, I'm a member of Young Presidents Organization. It's a global network of CEOs. It's hard to get into. You have to meet a certain, you know, level of revenues and employees and this and that. And so it's like this club.
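The network effect test described above (V(n+1) minus the newcomer's own value, compared against V(n)) and the golf club example are combined below into one runnable model. This is an added example, not code from the talk: the club's figures (24 rounds a year per member, a fixed number of tee slots, a fixed running cost split evenly as dues, and a dollar value per round) are all assumed, chosen so that the tipping point lands in the 400 to 500 member range the talk mentions.

```python
"""Network effect test from Beckstrom's law (added example; not the speaker's code).

Positive network effect, from the existing members' standpoint:
    V(n+1) - V_{n+1}  >  V(n)
Inverse network effect:
    V(n+1) - V_{n+1}  <  V(n)
where V(n) is the network's value with n members and V_{n+1} is the value to
the newcomer alone. A private golf club is modelled with constructed numbers:
each member wants a fixed number of rounds, the course has a fixed number of
tee slots, and the club's fixed running cost is split evenly across members.
"""
from dataclasses import dataclass


@dataclass
class GolfClub:
    rounds_wanted: float = 24.0       # twice a month per member
    capacity: float = 10_800.0        # tee slots the course can serve per year (assumed)
    value_per_round: float = 150.0    # benefit of one round to a member (assumed)
    annual_cost: float = 1_000_000.0  # fixed club cost, split evenly as dues (assumed)


def member_value(n: int, club: GolfClub) -> float:
    """V_i(n): benefit minus cost for one member when the club has n members.

    Benefit transactions are rounds actually played: once n * rounds_wanted
    exceeds capacity, tee times get scarce and every member plays fewer rounds.
    """
    rounds_played = min(club.rounds_wanted, club.capacity / n)
    return club.value_per_round * rounds_played - club.annual_cost / n


def network_value(n: int, club: GolfClub) -> float:
    """V(n): Beckstrom's law summed over n identical members."""
    return n * member_value(n, club)


def network_effect(n: int, club: GolfClub, tol: float = 1e-6) -> str:
    """Apply the test for admitting member n+1, judged by the existing n members."""
    before = network_value(n, club)
    after_for_existing = network_value(n + 1, club) - member_value(n + 1, club)
    if after_for_existing > before + tol:
        return "positive"
    if after_for_existing < before - tol:
        return "inverse"
    return "neutral"


def tipping_point(club: GolfClub, max_n: int = 5000) -> int:
    """Smallest membership at which admitting one more member hurts those already in."""
    for n in range(1, max_n):
        if network_effect(n, club) == "inverse":
            return n
    raise ValueError("no inverse network effect found below max_n")


if __name__ == "__main__":
    club = GolfClub()
    for n in (200, 449, 450, 600):
        print(n, "members:", network_effect(n, club), "-> V(n) =", round(network_value(n, club)))
    print("tipping point:", tipping_point(club))
```

Below capacity every new member lowers everyone's dues without costing anyone a round, so the test returns "positive"; once the course is full, the total benefit stops growing and each newcomer only dilutes it, so the same test flips to "inverse". Changing `capacity` or `annual_cost` moves the tipping point, which is the "B is lower" effect the speaker points to.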
These people love each other all over the world because they have a lot of things in common, and age. They've got to be young and they've got to be a certain size company and they face challenges. Well, of course, people always come on and say, well, let's just open up the membership definition. Well, let's just make it easier to get in. Well, is that going to make the network more valuable or less valuable? It makes it less valuable for the people that are in it if they've really got cohesion in what they're doing. So Twitter, you know, I saw... I mean, how many people have Twitter accounts here? Okay. How many people are on Twitter every day? All right. That's a subset of us. Okay. The question in Twitter is what are those followerships worth, right? I mean, because you can build huge networks and followers. I've got 5,000 people following me on Twitter. What does it mean? You know, I guess it's good because some people want to hear the ideas and some people want to share. Some people could care less. They just want me to follow them, and I've got auto-follow all turned on, right? So people are scaling up and building their followerships. So AARP. How many people are members of AARP? Okay. How many people are members? Or does it get too big at any point and become less valuable with members? What do you think? It's right. It's more valuable. And why? It's all about the transactions. It's a purchasing block. It's a lobbying block, you know, and every member that comes in is putting more money in. They deliver more services that get spread out across everybody. So AARP has a business model where it stays perpetually in the network effect. It doesn't have the same dynamics as a space, right? It's a different kind of network. So we're talking about this stuff so we can start thinking about how the economic model applies, what's right. But I know we want to get to security, so I'll get it moving on. But we can do this with almost any organization you're in.
You can do it with every network in your life. Every network you're involved in, in fact, implicitly you do that analysis at some level, right? Do I stay in that church or do I move to another, or this synagogue or, you know, temple, whatever? Do I stay here or do I go there? These are relationships and transactions that you're going through. You can look at it through the economic lens. Now let's go to security. So the basic model, if we simplify it, is the value is equal to benefits minus cost of all the transactions. Now let's go to security. We're going to take our cost transactions and we're going to break out our security investments. So SI is security investments, and we're going to take our losses, because the hackers get in every now and then and they're successful when they're not on the golf course. They're doing their job and they're getting into our systems. All right, so now it's benefit minus cost, except security investments and losses, which we're going to separate out. Now, this is a very subtle move, but it blew me away when something really simple happened next. And here's what happened. We've now got our risk management function for cybersecurity. The thing we started trying to do at the very beginning: a very simple function we're trying to minimize, our security costs. Security investments plus losses. Now I was working at Homeland Security with a lot of people that dedicated their lives to protecting this country, risking their lives, and when I put this formula up, you know, a lot of them said you're a heretic. Security is not a cost. Security is an asset. Security is an asset. I said no, it's only an asset if a dollar in security is a reduction in losses. And otherwise it's a waste of money. Because what you're trying to do is preserve overall health and wealth for society. And that wasn't a diss. Actually a lot of people in Homeland Security really liked this. They're like, that's really good, that's really clear. So we have a function.
Now let's start looking at some other economic tricks and tools that we can take. So now let's just map. So we'll take a vertical element and we'll look at our losses and map those versus our security investment. Zero in security. We have no firewalls. Nothing, everything's wide open. How much are our losses going to be? Going to be a lot, right? We're going to get raided of everything all the time. Now if we just do the basics, right, like what are the two or three basics that we should do in security? Firewalls, IDS, patches, antivirus. You do the basics, you get a huge payoff. It's going to be down. This is a hypothetical curve, but I'm taking this through the reasoning. But then if we start tightening up our security, can we ever get perfect security? Right, we never get perfect security. So it becomes asymptotic at the bottom. You could spend an infinite amount. You could spend billions of dollars in security investments to protect a million-dollar company and it still wouldn't be secure if you're using electronics. So the reality is, we've got to figure out where we want to be and we've got to figure out how our projects stack up. So in the federal context, as an example, I looked at the issue and I said, the biggest payoff, if I talk to the smart engineers at IETF or at DHS, Homeland Security Science and Technology, other places, they'd say, look, you've got to improve internet protocols. Because if you don't tighten up DNS, and DNS is getting attacked, the security piece that ICANN is involved in, our role is to help protect the domain name system. It's in our charter. But if you improve the protocols of the network itself, then you can increase things.
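As an added example (not code from the talk or its slides), here is the model from the last two paragraphs written out in Python: net value as benefits minus ordinary costs minus security investments minus losses, the SI + L function that risk management is supposed to minimise, and the hypothetical loss-versus-spend curve with its "basics pay off hugely, then asymptotic" shape. The exponential form of that curve, the constants, the function names and the sample transactions are assumptions constructed for this example, not figures from the talk.

```python
# Added example, not code from the talk: Beckstrom's law with the security
# terms broken out, plus the "minimise SI + L" risk-management function.
# The loss-curve shape (exponential decay in security spend), its constants
# and the sample transactions are assumptions constructed for this example.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """One transaction a user makes over the network (dollar amounts)."""
    benefit: float                # B: what the user gets out of it
    cost: float                   # C: ordinary costs (time, fees), security excluded
    security_cost: float = 0.0    # SI: what was spent protecting this transaction
    loss: float = 0.0             # L: what an attacker took (a transaction you wanted to avoid)


def network_value(transactions):
    """V = sum(B) - sum(C) - sum(SI) - sum(L): net economic value to the users.

    Summing per transaction keeps the model subsettable with no double
    counting: any subset of users or transactions has its own V."""
    return sum(t.benefit - t.cost - t.security_cost - t.loss for t in transactions)


def security_cost(transactions):
    """SI + L, the quantity the talk says cybersecurity risk management minimises."""
    return sum(t.security_cost + t.loss for t in transactions)


def expected_loss(spend, l0, k):
    """Hypothetical loss curve (an assumption): losses are l0 with zero security
    spend, fall steeply with the first dollars (the basics), then approach zero
    asymptotically. No finite spend gives zero loss, i.e. no perfect security."""
    return l0 * math.exp(-k * spend)


def marginal_saving(spend, l0, k):
    """Dollars of loss avoided by the next dollar of security at this spend level.

    -d/ds expected_loss(s) = k * l0 * e^(-k*s). A security dollar is only an
    asset, in the talk's words, while this is greater than 1."""
    return k * l0 * math.exp(-k * spend)


def optimal_security_spend(l0, k):
    """Spend s* minimising s + expected_loss(s), returned as (s*, SI + L at s*).

    d/ds [s + l0*e^(-k*s)] = 1 - k*l0*e^(-k*s) = 0  ->  s* = ln(k*l0) / k,
    i.e. stop where the marginal security dollar saves exactly one dollar of
    loss. If k*l0 <= 1 even the first dollar saves less than it costs, so the
    optimum is to spend nothing and carry l0 in losses."""
    if k * l0 <= 1.0:
        return 0.0, l0
    s_star = math.log(k * l0) / k
    return s_star, s_star + expected_loss(s_star, l0, k)


# Constructed sample ledger: three transactions, the last one partly stolen.
SAMPLE_TRANSACTIONS = (
    Transaction(benefit=50.0, cost=40.0, security_cost=2.0),
    Transaction(benefit=30.0, cost=25.0, security_cost=2.0),
    Transaction(benefit=20.0, cost=15.0, security_cost=2.0, loss=10.0),
)

if __name__ == "__main__":
    print("V =", network_value(SAMPLE_TRANSACTIONS))          # 8 + 3 - 7 = 4.0
    print("SI + L =", security_cost(SAMPLE_TRANSACTIONS))     # 6 + 10 = 16.0
    # Hypothetical organisation: $1M of losses if unprotected, k = 0.001 per dollar.
    s_star, total = optimal_security_spend(1_000_000.0, 0.001)
    print(f"first security dollar saves ${marginal_saving(0.0, 1_000_000.0, 0.001):.0f}")
    print(f"optimal spend ${s_star:,.0f}, leaving SI + L = ${total:,.0f}")
    print(f"dollar {s_star:,.0f} saves ${marginal_saving(s_star, 1_000_000.0, 0.001):.2f}")
```

The design point is the stopping rule: the curve's first dollars (the basics) each avoid far more than a dollar of loss, and the optimum is where the marginal saving drops to one dollar, not where losses reach zero, because on this curve they never do. Swapping in a different loss curve only changes `expected_loss` and `marginal_saving`; the valuation and the SI + L function stay the same.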
Because I tell people, I tell you, I'd say, look, we could spend a trillion dollars on cybersecurity, but if we don't implement DNSSEC, and if we don't develop BGPSEC, or Border Gateway Protocol Secure, and get it rolled out, and tighten up SMTP and other protocols, then it's just like, instead of putting our fingers in a dike, we're putting our fingers in a fishnet. Now, how much water do you stop by putting your fingers into a huge fishnet? You only slow down a little water around your hands. You don't really stop the problem. The system is wide open. Anyway, I'd argue from a federal standpoint, for the U.S. government and other governments around the world, same problem. Focusing on the protocols is the best single investment we can make, and rolling out DNS, BGP, etc., according to the experts. We'll talk about the patches, the value of that, IDS, data loss protection. So, what we're trying to do here is get people, get us, to start thinking, what is the payoff? What's the money we're going to put in and what's the payoff we're going to get? So, let's look at the chart again. It's called a Pareto curve in economics. It's like the most optimal set of investments that you could make. And the curve function moves down when we improve the protocols. Because the security across everything gets a little bit tighter. So, what we're trying to do here is get people, get us, to start thinking about what bang we're getting for the buck. Because that curve drops not just for your company, or my company, or my home, or your employer, or this country, or that; it's for everyone in the world. Everyone on the internet. Huge payoff. Economics is a deterrent, so we've got to deter the hackers. So, what we've got to do is drop the benefit function to the extent we can. All right? Make it harder to use those credit cards. And the FBI had a good presentation on that at Black Hat. Make it more expensive. The security investment of the hacker is obfuscation and anonymity.
They're trying to stay secure by you not finding them, okay? And they have to spend a lot of money, a lot of energy and effort on that. And then what's their loss? The loss is going to jail. Or losing your money. Or getting sued and tied up in courts. So, this is the economics of deterrence. How do we figure out how we change these dynamics? How do we raise the bar? Anyway, we went over the points since, so we kind of reviewed it. The model can be used to calculate the value of a network. You've just got to go get all that transaction data. You can optimize your investments once you figure out and analyze and get that data. You can also use it to set up policies for supply chain and other problems. Here's some of the... there's a big drawback on the model we're going to get to in a second, but there's a lot of benefits. Here, right? It's down to every single keystroke that you use in transactions. It's scalable. You can scale it to the internet or any huge network. It's subsettable. Because we used, we did a trick here. We're using net economic value. We're able to sum up all of our stuff and have no double counting. And by the way, "us" is not just individuals. It's corporations, governments, anybody. It's anyone that transacts on the net is a user by the definition of this model. Or Sally or Sam. It's any entity that transacts. So it's subsettable, in set theory terms. It's accurate. It's very similar to P&L concepts. So you can get financial people to understand it when you go to your CFO and others. It leverages traditional cost accounting techniques, so we can amortize. If you paid your virus checker annually, for example, we can amortize that monthly. We can use all those traditional cost accounting techniques. It's testable. And it's as simple as it can be, and it's a foundation for derivative models. We took the model, we applied it to deterrence. We applied it to security. You can apply it to a whole range of different issues. There's only one problem.
There's a really big problem. And that is the model is only as good as the data you put into it, right? So you've got to get the data or estimate the data. And we did that for Corey with his book purchases and other online transaction purchases. Think about your companies. Think about your organizations. So the net message that wraps it all together is very simply, it's all about T. It's all about the transactions to do network economics and to look at security. And it's including the transactions you want to avoid. The hacker is doing a transaction you want to avoid: stealing your money or your IP. It's not about N, it's not about the numbers. So that's the model overall. And if there's any questions, I'm happy to take them. Yes, please. And there's a mic up here if you want to come up to the mic, or if you just want to raise your hand. For the Twitter example, I had a question. And I agree having more people is clutter on Facebook and Twitter. But the one thing that I found with either of those, the more people in my network, the higher, when I have a question, the higher the probability that I'll get a good answer. So is there a way to balance or factor into the equation the value of the particular type of transaction? Because to me, the tire that blew off my lawn mower, somebody said spray starter fluid in it, hit it with a lighter and it'll blow it back on the rim, and thank God it worked. So to me there was good value in having that extra person who gave me that insightful information. But I would agree the inverse, all the updates, I'm eating toast, stuff like that. So let's decompose this. So what I'm hearing you say is that you pose a question out there, and the more followers you have or people connected to you, the higher the quality of the answer that comes back if you pose a question. So let's decompose that in terms of the model. What's the cost transaction and what's the benefit transaction? The benefit is a better answer coming back, right?
So that's valuable to you. You got to blow the whatever was that, the spray can, get going. So you got a better benefit because you had a bigger N, a bigger number of users in your network, which might take you a little more time in general. So what you're saying is I can handle some of that noise traffic, you know, or maybe I'll ignore a lot of noise traffic and I'm just going to go drop out what I want and look for an answer, so I want a bigger pot and pool. And actually it's a great observation, and I think it shows how the model can help us step through it. And for me it's true, like Twitter, I'm happy to have a ton of followers on Twitter because I don't respond to every single direct message. Right, you filter. But I do, when I send stuff out, I get good feedback, you know, or I have good pointers and articles. So does someone else have a question about the security model? Okay. Well, great. Well, that's it. If you want to get a hold of me, there's my contact coordinates. The slides will be on slideshare.net. They're not on your DVD because these slides just got tweaked before I did the presentation this morning. They're on slideshare.net under Beckstrom's Law DEFCON, and thank you very much, and I'm happy to answer questions afterwards in the room. Hey folks, before you get too far, please go this way. Thank you. Thank you very much.