July 5, 2011

Information security researchers from academia, industry, and the U.S. intelligence community are collaborating to build a pilot “prediction market” capable of anticipating major information security events before they occur.

A prediction market is similar to a regular stock exchange, except the “stocks” are simple statements that the exchange’s members are encouraged to evaluate. Traders will buy and sell “shares” of a stock based on the strength of their confidence about the future outcome—with an overall goal of increasing the value of their portfolios, which will in turn earn them some sort of financial reward. Traders may choose to buy or sell additional shares of a stock, and that buying and selling activity pushes the stock price up or down, just as in a real market.

This is an excerpt from a story I wrote for MIT Technology Review. Read the rest of the piece here.

22 thoughts on “A Futures Market for Computer Security

  1. Oper207

    keep the great work up brian nice artice. Keep the bad guys running.

  2. Patrick

    This idea was raised after 9/11 to try to predict the next attacks.
    It never got off the ground.

    1. Uzzi

      1991,” The Popcorn Report: Faith Popcorn on the Future of Your Company, Your World, Your Life” anyone? 😎

      1999, ” The Fortune Sellers: The Big Business of Buying and Selling Predictions.” 😀

  3. Charlie Griffith

    Interesting to read from Krebs here that “futures” in cyber intelligence can become a financially movable commodity with fluctuating values creating incentives for….[?]

    I guess we should never underestimate Marketing’s ingenuity in setting a price tag on even the most “cloudy” of concepts. Market cornering potentials here? Ponzi schemes lurking for the imaginative? Disinformation-broadcasting techniques with price tags?

    “Cyber screwing” viewable now with a crawling superscript just above eyelevel in a nearby brokerage office?

    Good luck dipping one’s toes in this noxious stream.

  4. Russ

    “Artificial Manipulations of Computer Security Futures Market By Clandestine Blackhats Go Undiscovered for Months”. That’s where I’d invest my bitcoins.

    C’mon everybody! Pump and dump!

  5. Jim J.

    Typical Wall Street P.T. Barnum born every minute scheme.

  6. Alfonso De Gregorio

    Hi Brian,

    Thanks for your MIT Technology Review article on the prediction markets of computer security.

    The initiative you have written about has a precedent in Europe I’d like to point out.

    At BeeWise, we are aimed towards building a financial instrument useful in establishing information symmetry between buyers and sellers, providing software manufacturers incentives to build security in, and hedging against information security risks.

    As a matter of fact, BeeWise is the first testbed for a security-event futures exchange.

    Please, find out more with my Metricon 5.5 presentation at http://blog.beewise.org

    This initiative will work only with the contribution of all security stakeholders that will join the (play-money/real-money) trading activities or will speak about how BeeWise can contribute in improving the security posture of our society in today’s highly connected environment.

    Thanks again for your articles!

    BeeWise, Security Event Futures

  7. JBV

    @Previous commenters:

    Are you all trying to be clever or haven’t any of you read the whole article?

    Prediction markets aren’t open to the public. They don’t use Chronopay or WebMoney or bitcoins. They’re a pseudo-scientific means of measuring opinions of invited participants who have some expertise on a particular subject. They’re more accurate than opinion polls, but not perfect.

    It would be fascinating to see what hackers would predict about the future of cyberattacks or what botmasters would have to say about spam. To my knowledge, no one has invited these folks to participate … yet.

  8. AlphaCentauri

    I should think that the difference between using this technique to predict presidential elections and using it to predict terrorism and cybercrime is that no one is going to invite the criminals and terrorists to participate. You’re going to get the same information from the same people you already identify as experts, but you want to use them to predict events that are of concern precisely because they are likely to fail to conform to previous patterns of events.

    Remember the big put options on the airlines that were targeted on 9/11, which were never executed because trading on the stock markets was stopped for several days? No one could ever identify who had placed the orders once they came to light, but that lack of transparency at the time they were placed didn’t raise any questions. We need a better way to find out in advance where the bad guys are betting their money.

  9. Jason

    Prediction markets actually work. When predicting involves money, you’d be shocked how accurate it is in predicting events. The IEM (Iowa Electronic Markets) have been 74% better at predicting outcomes of US elections, for example, than the polls (and better at predicting 100 days in advance). It’s one thing to say I’m going to vote for such and such because I think he can win vs. I’m putting $100 on this guy because I believe he will win.

    The advantage is that it’s not just your opinion and it doesn’t matter what happens so you’re not as careful with it. You’re putting money behind your opinion. Your opinion is more likely to be thought out when it’s your pocketbook at risk.

  10. Charlie Griffith


    ….”Prediction markets aren’t open to the public…”

    ……those mentioned so far may not be, but those won’t be alone…those quivering seeds will flourish in the manure along Wall Street…for a while.

    ..another optimistic commenter, Alfonso de Gregorio mentioned the “h” word..”hedging”…..doing that in the “Cloud” just has to be akin to a 15th Cent. galleon in the Sargasso Sea, or, becalmed in the Bermuda Triangle…just waiting for that “new” dimension.

    ….ya doin that fancy hedgin’ with other peoples’ cash?

    …Johnny Depp?…new material here!…Call your office.

  11. Jim J.

    Alfonso De Gregorio

    Thanks for the spam……and in market gibberish to boot.

    1. KFritz

      You’ve shown bad manners. You forgot to thanks his Remoras for clicking ‘like.’

  12. KFritz

    Please somebody, correct me if I’m wrong. A stock is an investment of money in a company, a productive enterprise. A predictive market bets on some company or event, but invests nothing in any productive enterprise. The markets are not much alike.

    1. KFritz

      Addendum: in a futures’ exchange, participants agree to purchase a product in the future at a price set in the present. Again, a tangible product is purchased, unlike a predictive market.

      Again, please correct me if incorrect.

  13. Fred

    It will be beneficial for both Security researchers and up comers to enter the market with peace of mind. it will help to maintain the “Uncertainty” thing in security field.

  14. AlphaCentauri

    It’s one thing to be accurate about whether candidate A or B will win a presidential election. There’s going to be an election, and somebody has to win. Yes, survey subjects will stop saying what they wish would happen and start saying what they believe will happen when they have skin in the game, but it’s still about choosing the most likely of several well-defined scenarios.

    A predictive market for terrorist attack scenarios, as mentioned above, is a more apt comparison to predicting cyberattacks than a predictive market for a presidential race. To bet on future terrorist attacks and cybercrimes is to use your imagination to think of an attack that would succeed because we aren’t already anticipating it. An attacker won’t likely succeed at getting explosives on a plane in electronic devices, gels/liquids, shoes, or underwear, because it’s already been tried and airport security has been tightened to anticipate such methods. A successful attack would likely involve something new and unexpected. You won’t likely succeed at — well, it’s hard to think of a similar example for cybersecurity because the current lack of comprehensive security allows attackers to breeze through defenses pretty much at will, it seems. But still, the most effective attack would be one using an exploit no one knows about yet.

    If someone accurately predicted a highly damaging attack on the US, they would risk being accused of actually facilitating the attack by having given the attackers an idea they might not have thought of by themselves.

    Suppose you predicted that someone would fly a plane into a particular hydroelectric dam, and then it really happened, killing thousands of people downstream and destroying entire towns? Suppose you provided enough information about how they might go about it to be useful at trying to thwart such an attack — but also enough information to tell potential terrorists the best way to do it, if they didn’t already know? What would all the angry, grieving victims and their relatives think about you?

    People might accuse the predictive market itself of helping criminals think of ways to attack us, or they might suspect those who profited by their accurate prediction had surreptitiously supplied information to potential attackers. It wouldn’t have to have any basis in fact, when people were going through the stages of grief and got to anger. There are easier ways to make money than to appear to be the one who made it possible for a successful attack to occur.

  15. Alex Smith

    For the complete security of your computer download “Immunet” antivirus softwares. This latest software has all the advance features like cloud based protection, low disk and memory usage and many more. All these features increases your PC’s speed and its life as well.

  16. Jim J.

    Well Alex, I checked the Immunet site. Seems the Free version only occupies disk space. If I want performance, a purchase is necessary.

    Sheez, this forum is becoming spam haven.

  17. Anon

    What is up with the shit comments on this forum? By the way, great find, Brian!

  18. Amelia @ Ethical Hacking

    Internet security should be a priority area of focus. Even the biggest IT companies with the strictest security measures don’t seem to be able to shield themselves from these attacks.

    “It would be fascinating to see what hackers would predict about the future of cyberattacks or what botmasters would have to say about spam. To my knowledge, no one has invited these folks to participate … yet.” — Good point, JBV.

Comments are closed.