Title: Security Economics
1 Security Economics
- Ross Anderson
- Cambridge University
2 Economics and Security
- The link between economics and security atrophied after WW2
- Since 2000, we have started to apply economic analysis to IT security and dependability
- Economic analysis often explains failure better than technical analysis!
- Infosec mechanisms are used increasingly to support business models (DRM, accessory control) rather than to manage risk
- Economic analysis is also vital for the public policy aspects of security
- It has broader importance too
3 The Classical View
- When the production factors were just land, labour and capital, a country could perhaps grow fastest by capturing more land and labour
- Before the gains from trade were understood, big empires meant big markets
- Richer countries can afford bigger navies
- But the invention of the atomic bomb seemed to decouple national survival from national economic performance
- The political-economy and international-relations communities drifted apart
4 Traditional View of Infosec
- People used to think that the Internet was insecure because of lack of features: crypto, authentication, filtering
- So engineers worked on providing better, cheaper security features: AES, PKI, firewalls
- About 1999, we started to realize that this is not enough
5 Incentives and Infosec
- Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
- Distributed denial of service: viruses now don't attack the infected machine so much as use it to attack others
- Health records: hospitals, not patients, buy IT systems, so they protect hospitals' interests rather than patient privacy
- Why is Microsoft software so insecure, despite market dominance?
6 New View of Infosec
- Systems are often insecure because the people who could fix them have no incentive to
- Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon's website suffers when infected PCs attack it
- Security is often what economists call an externality, like environmental pollution
- Since about 2002, this has been used to justify government intervention in infosec
7 New Uses of Infosec
- Xerox started using authentication in ink cartridges to tie them to the printer
- Followed by HP and Lexmark, and by Lexmark's case against SCC
- Motorola started authenticating mobile phone batteries to the phone
- BMW now has a car prototype that authenticates its major components
8 IT Economics (1)
- The first distinguishing characteristic of many IT product and service markets is network effects
- Metcalfe's law: the value of a network is proportional to the square of the number of users
- Real networks: phones, fax, email
- Virtual networks: PC architecture versus Mac, or Symbian versus WinCE
- Network effects tend to lead to dominant-firm markets where the winner takes all
9 IT Economics (2)
- The second common feature of IT product and service markets is high fixed costs and low marginal costs
- Competition can drive prices down to the marginal cost of production
- This can make it hard to recover the capital investment, unless stopped by patent, brand or compatibility
- These effects can also lead to dominant-firm market structures
10 IT Economics (3)
- The third common feature of IT markets is that switching from one product or service to another is expensive
- E.g. switching from Windows to Linux means retraining staff and rewriting apps
- Shapiro-Varian theorem: the net present value of a software company is the total switching costs of its customers
- This is why so much effort is starting to go into accessory control: manage the switching costs in your favour
11 IT Economics and Security
- High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with a big first-mover advantage
- So time-to-market is critical
- The Microsoft philosophy of "we'll ship it Tuesday and get it right by version 3" is not perverse behaviour by Bill Gates but quite rational
- Whichever company had won in the PC OS business would have done the same
12 IT Economics and Security (2)
- When building a network monopoly, it is also critical to appeal to the vendors of complementary products
- E.g. application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or WinMP versus Real
- Lack of security in earlier versions of Windows made it easier to develop applications
- So did the choice of security technologies that dump most of the costs on the user (SSL, PKI, …)
13 Why are many security products ineffective?
- Akerlof's Nobel-prizewinning paper "The Market for Lemons" provides the key insight: asymmetric information
- Suppose a town has 100 used cars for sale: 50 good ones worth 2000 and 50 lemons worth 1000
- What is the equilibrium price of used cars in this town?
- If 1500, no good cars will be offered for sale; buyers know this, so the price falls to 1000 and only lemons are traded
- Fix: brands (e.g. Volvo certified used car); the analogy led to the Common Criteria etc.
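The slide's lemons market, carried through as code. This is an added example, not part of the original talk: the numbers are the slide's (100 cars, 50 good ones worth 2000, 50 lemons worth 1000), while the iteration to a fixed point, the "certified" signal standing in for the Volvo brand, and the `lemons_passed` knob modelling a certifier that can be gamed are assumptions made here to show why the market unravels and what a trustworthy (or untrustworthy) evaluation scheme does to it.

```python
"""Akerlof's market for lemons, worked through as code.

Added example, not from the original slides. Sellers know what their own
car is worth; buyers only see what is on offer and, being risk-neutral,
pay at most its average value. The 'certified' signal is a hypothetical
brand standing in for the slide's Volvo example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Car:
    value: int                    # true worth, known to the seller only
    signal: Optional[str] = None  # certification brand visible to buyers, if any


def build_town(n_good: int = 50, good_value: int = 2000,
               n_lemons: int = 50, lemon_value: int = 1000) -> List[Car]:
    """The slide's town: 50 good cars and 50 lemons (constructed data)."""
    return [Car(good_value)] * n_good + [Car(lemon_value)] * n_lemons


def cars_offered(cars: Iterable[Car], price: float) -> List[Car]:
    """A seller who knows the car is worth more than the price keeps it."""
    return [c for c in cars if c.value <= price]


def buyers_willingness(offered: List[Car]) -> float:
    """Buyers cannot tell the offered cars apart, so they pay the average value."""
    return sum(c.value for c in offered) / len(offered) if offered else 0.0


def equilibrium_price(cars: List[Car], start_price: float, max_rounds: int = 100) -> float:
    """Iterate 'who sells at this price' -> 'what buyers then pay' to a fixed point.
    From the slide's 1500 the good cars are withdrawn, buyers see only lemons,
    and the price unravels to 1000 (the same happens from any starting price)."""
    price = float(start_price)
    for _ in range(max_rounds):
        new_price = buyers_willingness(cars_offered(cars, price))
        if new_price == price:
            return price
        price = new_price
    return price


def certify(cars: List[Car], good_value: int, lemons_passed: int = 0) -> List[Car]:
    """Hypothetical certifier: stamps every good car. `lemons_passed` lemons also
    get the stamp, modelling an evaluation scheme that can be gamed."""
    out, slipped = [], 0
    for c in cars:
        if c.value >= good_value:
            out.append(Car(c.value, "certified"))
        elif slipped < lemons_passed:
            out.append(Car(c.value, "certified"))
            slipped += 1
        else:
            out.append(c)
    return out


def segment_prices(cars: List[Car]) -> Dict[Optional[str], float]:
    """Buyers can tell segments apart by signal, so each segment clears on its own.
    Each starts at its highest value so that every seller offers in round one."""
    segments: Dict[Optional[str], List[Car]] = defaultdict(list)
    for c in cars:
        segments[c.signal].append(c)
    return {sig: equilibrium_price(seg, max(c.value for c in seg))
            for sig, seg in segments.items()}


def trade_volume(cars: List[Car]) -> int:
    """How many cars actually change hands at the segment equilibrium prices."""
    prices = segment_prices(cars)
    return sum(len(cars_offered([c for c in cars if c.signal == sig], price))
               for sig, price in prices.items())


if __name__ == "__main__":
    town = build_town()
    print("no signal:", equilibrium_price(town, 1500), trade_volume(town))
    print("honest certifier:", segment_prices(certify(town, 2000)))
    print("gameable certifier:", segment_prices(certify(town, 2000, lemons_passed=1)))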
14 Security and Liability
- Why did digital signatures not take off?
- Industry thought: legal uncertainty. So the EU passed an electronic signature law
- Recent research: customers and merchants resist the transfer of liability by banks for disputed transactions
- Best to stick with credit cards, as that way fraud is still largely the bank's problem
- Similar resistance to phone-based payment: people prefer prepayment plans because of uncertainty
15 Privacy
- Most people say they value privacy, but act otherwise
- Privacy technology ventures have mostly failed
- Acquisti et al.: people care about privacy when buying clothes, but not cameras (some items relate to your image, so are privacy sensitive)
- Issue for the mobile phone industry: phone viruses are worse for image than PC viruses
- Issue for the database state: the Blair project of NPfIT, Children's Databases, ID cards
- Alternative models include externality: people who go ex-directory
16 How Much to Spend?
- How much should the average company spend on information security?
- Governments and vendors say: much, much more than at present!
- But hey, they've been saying this for 20 years
- Measurements of security return-on-investment suggest about 20% p.a.
- So current expenditure may be about right
17 How are Incentives Skewed?
- If you are DirNSA and have a nice new hack on NT, do you tell Bill?
- Tell: protect 300m Americans
- Don't tell: be able to hack 400m Europeans, 1000m Chinese, …
- If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President
18 Skewed Incentives (2)
- Within the corporate sector, large companies tend to spend too much on security and small companies too little
- Research shows an adverse selection effect
- The most risk-averse people end up as corporate security managers
- More risk-loving people may be sales or engineering staff, or entrepreneurs
- Also due-diligence effects, government regulation, insurance market issues
19 Large Project Failure
- Maybe 30% of large projects fail
- But we build much bigger failures nowadays than 30 years ago, so …
- Why do more public-sector projects fail?
- Consider what the incentives are on project managers versus ministers, and what sort of people will become successful project managers versus ministers!
20 Games on Networks
- The topology of a network can be important!
- Barabási and Albert showed that a scale-free network could be attacked efficiently by targeting its high-order (high-degree) nodes
- Think rulers: target Saxon landlords / Ukrainian kulaks / Tutsi schoolteachers / …
- Can we use evolutionary game theory ideas to figure out how networks evolve?
- Idea: run many simulations between different attack / defence strategies
21 Games on Networks (2)
- Vertex-order attacks with:
  - Black: normal (scale-free) node replenishment
  - Green: defenders replace high-order nodes with rings
  - Cyan: they use cliques (cf. systems biology)
22 Open versus Closed?
- Are open-source systems more dependable? It's easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them
- Theory: openness helps both equally if bugs are random and standard dependability model assumptions apply
- Statistics: bugs are correlated in a number of real systems ("Milk or Wine?")
- Trade-off: the gains from this, versus the risks to systems whose owners don't patch
23 Why Bill wasn't interested in security
- While Microsoft was growing, the two critical factors were speed, and appeal to application developers
- Security markets were over-hyped and driven by artificial factors
- Issues like privacy and liability were more complex than they seemed
- The public couldn't tell good security from bad anyway
24 Why is Bill now changing his mind?
- The Trusted Computing initiative ranges from TCG to the IRM mechanisms in Office 2003
- TCG: put a TPM (smartcard) chip in every PC motherboard, PDA and mobile phone
- This will do remote attestation of what the machine is and what software it's running
- On top of this will be layers of software providing new security functionality of a kind that would otherwise be easily circumvented, such as DRM and IRM
25 Why is Bill now changing his mind? (2)
- IRM (Information Rights Management) changes ownership of a file from the machine owner to the file creator
- Files are encrypted and associated with rights management information
- The file creator can specify that a file can only be read by Mr. X, and only till date Y
- Now shipping in Office 2003
- What will be the effect on the typical business that uses PCs?
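A toy of the model the slide describes, to make the ownership shift concrete: the file is encrypted, the rights information ("only Mr. X, only until date Y") is bound to the ciphertext, and the key sits with a licensing service on the creator's side, so the owner of the PC that holds the file cannot open or convert it. This is an added example and not Microsoft's IRM design nor code from the talk. The `RightsServer` class, the `Policy` fields, the e-mail addresses and dates, and the use of HMAC-SHA256 in counter mode as a stand-in cipher (so that the example runs with the standard library alone) are all assumptions for illustration.

```python
"""Toy IRM: a file encrypted and bound to a rights policy, with the key held
by the creator's licensing service rather than by the machine owner.

Added example; not Microsoft's design and not code from the talk.
"""
import hashlib
import hmac
import json
import os
from dataclasses import asdict, dataclass, replace
from datetime import date
from typing import Dict, Tuple


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: XOR with HMAC(key, nonce||counter)."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class Policy:
    reader: str   # the slide's "Mr. X" (assumed to be an e-mail address)
    expires: str  # the slide's "date Y", ISO format: last day access is allowed


@dataclass(frozen=True)
class ProtectedFile:
    file_id: str
    header: bytes      # serialised Policy, in the clear so a client can show it
    nonce: bytes
    ciphertext: bytes
    tag: bytes         # HMAC over header+nonce+ciphertext: binds policy to content


def _tag(key: bytes, header: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(key, header + nonce + ciphertext, hashlib.sha256).digest()


class RightsServer:
    """Hypothetical licensing service on the creator's side. It keeps the content
    keys, so whoever owns the PC holding the file cannot open or convert it
    without the server's say-so: the switching-cost point the slide is making."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def protect(self, plaintext: bytes, policy: Policy) -> ProtectedFile:
        key, nonce, file_id = os.urandom(32), os.urandom(16), os.urandom(8).hex()
        header = json.dumps(asdict(policy), sort_keys=True).encode()
        ciphertext = _keystream_xor(key, nonce, plaintext)
        self._keys[file_id] = key
        return ProtectedFile(file_id, header, nonce, ciphertext,
                             _tag(key, header, nonce, ciphertext))

    def request_key(self, pf: ProtectedFile, principal: str, today: date) -> bytes:
        key = self._keys.get(pf.file_id)
        if key is None:
            raise PermissionError("unknown file")
        # Verify the binding before trusting the header: a machine owner who
        # edits the policy to name themselves as reader must get nothing.
        if not hmac.compare_digest(_tag(key, pf.header, pf.nonce, pf.ciphertext), pf.tag):
            raise PermissionError("policy or content has been tampered with")
        policy = json.loads(pf.header)
        if principal != policy["reader"]:
            raise PermissionError(f"{principal} is not the permitted reader")
        if today > date.fromisoformat(policy["expires"]):
            raise PermissionError("rights expired on " + policy["expires"])
        return key


def open_file(pf: ProtectedFile, principal: str, today_iso: str, server: RightsServer) -> bytes:
    """Client side: obtain the key (if the policy allows) and decrypt."""
    key = server.request_key(pf, principal, date.fromisoformat(today_iso))
    return _keystream_xor(key, pf.nonce, pf.ciphertext)


def try_open(pf: ProtectedFile, principal: str, today_iso: str, server: RightsServer) -> Tuple[bool, str]:
    """Outcome as (allowed, plaintext or refusal reason)."""
    try:
        return True, open_file(pf, principal, today_iso, server).decode()
    except PermissionError as exc:
        return False, str(exc)


def retarget(pf: ProtectedFile, new_reader: str) -> ProtectedFile:
    """What a machine owner might try: rewrite the policy header to name themselves."""
    policy = json.loads(pf.header)
    policy["reader"] = new_reader
    return replace(pf, header=json.dumps(policy, sort_keys=True).encode())


if __name__ == "__main__":
    server = RightsServer()
    doc = server.protect(b"Q3 forecast: confidential", Policy("mr.x@example.com", "2006-12-31"))
    for who, when in [("mr.x@example.com", "2006-06-01"), ("it-admin@example.com", "2006-06-01"),
                      ("mr.x@example.com", "2007-01-01")]:
        print(who, when, try_open(doc, who, when, server))
    print("forged header:", try_open(retarget(doc, "it-admin@example.com"), "it-admin@example.com", "2006-06-01", server))
```

Two things the toy makes visible. First, the policy has to be cryptographically bound to the content and checked before the key is released; a server that read the reader's name out of an unauthenticated header would hand the key to whoever edited the file. Second, the enforcement point is key release plus the behaviour of the reader's client, which is what the attestation on the previous slide is meant to make trustworthy: once a permitted reader holds the plaintext, nothing in the cryptography stops them copying it, and nothing here lets the machine owner convert the file without the creator's service agreeing.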
26 Why is Bill now changing his mind? (3)
- At present, a company with 100 PCs pays maybe 500 per seat for Office
- Remember: the value of a software company is its customers' total switching costs
- So the cost of retraining everyone to use Linux, converting files etc. is maybe 50,000
- But once many of the documents can't be converted without the creator's permission, the switching cost is much higher
- Lock-in is the key
27 Strategic Issues
- The TCG initiative was started by Intel, as they believed that control of the home hub was vital
- They made 90% of their profits from PC processors, and controlled 90% of the market
- Innovations such as PCI, USB and now TC are designed to grow the overall size of the PC market
- They are determined not to lose control of the home to the Sony PlayStation
28 Strategic Issues (2)
- Who will control users' data?
- Microsoft view: everything will be on an MS platform (your WP files, presentations, address book, pictures, movies, music)
- European Commission view: this is illegal anticompetitive behaviour
- Proposed anti-trust remedy: force MS to unbundle Media Player, or to include other media players in its Windows distribution
29 The Information Society
- More and more goods contain software
- More and more industries are starting to become like the software industry
- The good: flexibility, rapid response
- The bad: frustration, poor service
- The ugly: monopolies
- How will law evolve to cope?
30 Property
- The Edinburgh enlightenment: the core mission of government wasn't enforcing faith, but defending property rights
- 18th-19th century: rapid evolution of property and contract law
- Realisation that these are not absolute!
- Abolition of slavery, laws on compulsory purchase, railway regulation, labour contracts, tenancy contracts, …
31 Intellectual Property
- Huge expansion as software etc. have become more important: 7 directives since 1991
- As with ordinary property and contract in 1850-1950, we're hitting serious conflicts
- Competition law: legal protection of DRM mechanisms leads to enforcement of illegal contracts and breaches of the Treaty of Rome
- Environmental law: recycling of ink cartridges mandated, after printer vendors used tamper resistance and cryptography to stop it
- Many more …
32 Conclusions
- The Information Society has evolved from the Wild West of 1850 to maybe 1920
- We need to figure out how to balance competing social goals, as we have in the physical world
- This means government involvement in the Internet
- Security economics provides some of the tools needed to understand what's going on and to analyse policy options
- It may also provide some broader insights into issues from dependability to terrorism
33 More
- Economics and Security Resource Page: www.cl.cam.ac.uk/rja14/econsec.html (or follow the link from www.ross-anderson.com)
- WEIS, the annual Workshop on Economics and Information Security: next at CMU, June 7-8 2006
- Foundation for Information Policy Research: www.fipr.org