What the gambling industry isn't telling us about its use of data
https://www.newstatesman.com/business/co...s-use-data
EXCERPT: In the past week, the New York Times and the BBC have reported that customers of Sky Bet, the UK’s most popular gambling app, were concerned that the data held by the company and third-party data providers had been used to identify them as “high-value”, but also that their patterns of play had included loss-chasing behaviour or periods in which they had given up gambling.
Both of the gamblers interviewed had incurred tens of thousands of pounds’ worth of debt by the time they approached Ravi Naik, a solicitor and founder of the digital rights agency AWO. Naik has filed a number of data subject access requests and legal motions with different gambling operators and the companies they work with to try to reveal more about how they use gamblers’ data – especially those who are at risk of addiction.
“Our clients’ experience is that companies are not being transparent”, Naik told me. “They have had to go through a convoluted process to try to understand what third-party companies are using their information […] our clients have to ask company one, who will tell you about companies three and four, who will tell you about companies six and seven – and then they have to get separate identifiers from each one to try to piece it all together […] It is really beyond most people, hence why our clients had to instruct lawyers.”
These webs of data use make it hard to say who is making decisions about gamblers’ behaviour, and why. For example, companies are supposed to check whether a gambler can afford their losses. To do this, Naik explains, “companies provide what they call a 'traffic lighting' system, with a 'green light' indication as to whether somebody can afford to bet. We had one client who clearly could not afford to bet, but who was greenlit. Our client had no clarity over who’s determining that – who’s deciding what’s a green light and a red light? Our client could not know the thresholds, nor challenge the decisions made.”
This is not the first time that gambling data requests have raised concerns.... (MORE - details)
Blackjack: A Game Model for Applying AI to Cybersecurity
https://towardsdatascience.com/blackjack...6746f46aa5
EXCERPTS: . . . Cybersecurity is not a static game. The rules constantly change. There are many different types of players, and each has its own objectives, strategies, and tactics. When an organization adapts its defenses, attackers improve their offenses, requiring the organization to further improve its defenses. The result is an endless escalation game.
This is very different than most traditional applications of machine learning, which make predictions, classify data, and detect anomalies with data that does not include an adversary. In cybersecurity each action a security manager takes may inform an attacker and may result in an unpredictable change in the next attack. To move from fundamental models of machine learning towards AI, we will need to go beyond pattern detection to understand this escalation game. If we apply game theory to explore strategic decisions in multiagent games, we can begin to apply AI.
[...] When exploring existing game models that are similar to cybersecurity, the common models seem inadequate. What type of game is cybersecurity? The challenge of finding a model is because cybersecurity is played very differently by different players. It is not a simple decision of whether the game is finite or infinite, since for some players it is finite, but for others the goal is to stay in the game. Casino games can be helpful in applying game theory to real world problems. Consider the game of blackjack [...see article for descriptive account...]
[...] In blackjack, we see both conflict and cooperation. We see players competing with a short-term perspective with a goal of winning. We also see dealers competing with a long-term perspective with a goal of staying in the game. And we see the house cooperating to create an environment that sustains game play. But the goal of this article is not about applying game theory to blackjack, so how does this relate to cybersecurity?
Cybersecurity and the Blackjack Model. To look at cybersecurity from the perspective of blackjack, consider how the players relate to one another. The equivalent of the house is the organization. Organizations exist to create value for shareholders, to maintain a profit, and to create opportunities for people to apply their skills and expertise together towards a common purpose. This is very similar to the house in our blackjack model. The purpose of most organizations is not to defend against cyber-attacks. Instead, organizations manage risk by ensuring that cyber-attacks do not prevent them from carrying out their primary functions.
The security manager is the equivalent of the dealer. The security manager may be an executive, like a chief information security officer in larger organizations, or an information technology leader who is the person accountable for cybersecurity. The security manager, like the dealer, follows established best practices. The security manager cooperates with the organization to ensure that there are sufficient resources to invest in the security practices that will preserve the organization’s objectives. The security manager competes with attackers on a regular basis. Like the dealer, the security manager competes one-on-one against each attacker and recognizes that there will be some wins, and some losses. Ultimately, the security manager stays in the game by following best practices and ensuring that, although attackers may win some of the skirmishes, they ultimately do not negatively impact the organization.
Attackers in cyber conflict are like the individual players in blackjack. Each sits at the table and is willing to place a bet on an attack that may result in a win. For the attacker, the win may be the initial compromise of an organization’s network. It may be the theft of intellectual property. It could be the encryption of the organizations data to coerce a ransom payment. Attackers generally play a finite game. What distinguishes them is that the cost of an attack may be very low compared to the investment required by an organization to defend against it. In addition, attacks are numerous, and the ability to attribute them is limited, so prosecution is rare. Attackers can maintain an asymmetric advantage and face little risk, since there are few down-sides for them.
So we see that there are interesting similarities between the game of blackjack and cyber conflict and cooperation. But these parallels are not yet enough to start applying AI. To move towards a model that will be useful in AI, we will need some way to calculate which decisions are the best decisions for each player... (MORE - details)
https://www.newstatesman.com/business/co...s-use-data
EXCERPT: In the past week, the New York Times and the BBC have reported that customers of Sky Bet, the UK’s most popular gambling app, were concerned that the data held by the company and third-party data providers had been used to identify them as “high-value”, but also that their patterns of play had included loss-chasing behaviour or periods in which they had given up gambling.
Both of the gamblers interviewed had incurred tens of thousands of pounds’ worth of debt by the time they approached Ravi Naik, a solicitor and founder of the digital rights agency AWO. Naik has filed a number of data subject access requests and legal motions with different gambling operators and the companies they work with to try to reveal more about how they use gamblers’ data – especially those who are at risk of addiction.
“Our clients’ experience is that companies are not being transparent”, Naik told me. “They have had to go through a convoluted process to try to understand what third-party companies are using their information […] our clients have to ask company one, who will tell you about companies three and four, who will tell you about companies six and seven – and then they have to get separate identifiers from each one to try to piece it all together […] It is really beyond most people, hence why our clients had to instruct lawyers.”
These webs of data use make it hard to say who is making decisions about gamblers’ behaviour, and why. For example, companies are supposed to check whether a gambler can afford their losses. To do this, Naik explains, “companies provide what they call a 'traffic lighting' system, with a 'green light' indication as to whether somebody can afford to bet. We had one client who clearly could not afford to bet, but who was greenlit. Our client had no clarity over who’s determining that – who’s deciding what’s a green light and a red light? Our client could not know the thresholds, nor challenge the decisions made.”
This is not the first time that gambling data requests have raised concerns.... (MORE - details)
Blackjack: A Game Model for Applying AI to Cybersecurity
https://towardsdatascience.com/blackjack...6746f46aa5
EXCERPTS: . . . Cybersecurity is not a static game. The rules constantly change. There are many different types of players, and each has its own objectives, strategies, and tactics. When an organization adapts its defenses, attackers improve their offenses, requiring the organization to further improve its defenses. The result is an endless escalation game.
This is very different than most traditional applications of machine learning, which make predictions, classify data, and detect anomalies with data that does not include an adversary. In cybersecurity each action a security manager takes may inform an attacker and may result in an unpredictable change in the next attack. To move from fundamental models of machine learning towards AI, we will need to go beyond pattern detection to understand this escalation game. If we apply game theory to explore strategic decisions in multiagent games, we can begin to apply AI.
[...] When exploring existing game models that are similar to cybersecurity, the common models seem inadequate. What type of game is cybersecurity? The challenge of finding a model is because cybersecurity is played very differently by different players. It is not a simple decision of whether the game is finite or infinite, since for some players it is finite, but for others the goal is to stay in the game. Casino games can be helpful in applying game theory to real world problems. Consider the game of blackjack [...see article for descriptive account...]
[...] In blackjack, we see both conflict and cooperation. We see players competing with a short-term perspective with a goal of winning. We also see dealers competing with a long-term perspective with a goal of staying in the game. And we see the house cooperating to create an environment that sustains game play. But the goal of this article is not about applying game theory to blackjack, so how does this relate to cybersecurity?
Cybersecurity and the Blackjack Model. To look at cybersecurity from the perspective of blackjack, consider how the players relate to one another. The equivalent of the house is the organization. Organizations exist to create value for shareholders, to maintain a profit, and to create opportunities for people to apply their skills and expertise together towards a common purpose. This is very similar to the house in our blackjack model. The purpose of most organizations is not to defend against cyber-attacks. Instead, organizations manage risk by ensuring that cyber-attacks do not prevent them from carrying out their primary functions.
The security manager is the equivalent of the dealer. The security manager may be an executive, like a chief information security officer in larger organizations, or an information technology leader who is the person accountable for cybersecurity. The security manager, like the dealer, follows established best practices. The security manager cooperates with the organization to ensure that there are sufficient resources to invest in the security practices that will preserve the organization’s objectives. The security manager competes with attackers on a regular basis. Like the dealer, the security manager competes one-on-one against each attacker and recognizes that there will be some wins, and some losses. Ultimately, the security manager stays in the game by following best practices and ensuring that, although attackers may win some of the skirmishes, they ultimately do not negatively impact the organization.
Attackers in cyber conflict are like the individual players in blackjack. Each sits at the table and is willing to place a bet on an attack that may result in a win. For the attacker, the win may be the initial compromise of an organization’s network. It may be the theft of intellectual property. It could be the encryption of the organizations data to coerce a ransom payment. Attackers generally play a finite game. What distinguishes them is that the cost of an attack may be very low compared to the investment required by an organization to defend against it. In addition, attacks are numerous, and the ability to attribute them is limited, so prosecution is rare. Attackers can maintain an asymmetric advantage and face little risk, since there are few down-sides for them.
So we see that there are interesting similarities between the game of blackjack and cyber conflict and cooperation. But these parallels are not yet enough to start applying AI. To move towards a model that will be useful in AI, we will need some way to calculate which decisions are the best decisions for each player... (MORE - details)