The Economics of Information Security

Transcript and Presenter's Notes

1
The Economics of Information Security
  • Ross Anderson
  • Cambridge University

2
Economics and Security
  • Over the last four years, we have started to
    apply economic analysis to information security
  • Economic analysis often explains security failure
    better than technical analysis!
  • Information security mechanisms are used
    increasingly to support business models rather
    than to manage risk
  • Economic analysis is also vital for the public
    policy aspects of security
  • It is critical for understanding competitive
    advantage

3
Traditional View of Infosec
  • People used to think that the Internet was
    insecure because of lack of features: crypto,
    authentication, filtering
  • So engineers worked on providing better, cheaper
    security features: AES, PKI, firewalls
  • About 1999, we started to realize that this is
    not enough

4
Incentives and Infosec
  • Electronic banking: UK banks were less liable for
    fraud, so ended up suffering more internal fraud
    and more errors
  • Distributed denial of service: viruses now don't
    attack the infected machine so much as use it
    to attack others
  • Health records: hospitals, not patients, buy IT
    systems, so they protect hospitals' interests
    rather than patient privacy
  • Why is Microsoft software so insecure, despite
    market dominance?

5
New View of Infosec
  • Systems are often insecure because the people who
    could fix them have no incentive to
  • Bank customers suffer when bank systems allow
    fraud; patients suffer when hospital systems
    break privacy; Amazon's website suffers when
    infected PCs attack it
  • Security is often what economists call an
    externality, like environmental pollution
  • This is an excuse for government intervention

6
New Uses of Infosec
  • Xerox started using authentication in ink
    cartridges to tie them to the printer
  • Followed by HP, Lexmark and Lexmark's case
    against SCC
  • Motorola started authenticating mobile phone
    batteries to the phone
  • BMW now has a car prototype that authenticates
    its major components

7
IT Economics (1)
  • The first distinguishing characteristic of many
    IT product and service markets is network effects
  • Metcalfe's law: the value of a network is the
    square of the number of users
  • Real networks: phones, fax, email
  • Virtual networks: PC architecture versus Mac, or
    Symbian versus WinCE
  • Network effects tend to lead to dominant firm
    markets where the winner takes all

8
IT Economics (2)
  • Second common feature of IT product and service
    markets is high fixed costs and low marginal
    costs
  • Competition can drive down prices to marginal
    cost of production
  • This can make it hard to recover capital
    investment, unless stopped by patent, brand,
    compatibility
  • These effects can also lead to dominant-firm
    market structures

9
IT Economics (3)
  • Third common feature of IT markets is that
    switching from one product or service to another
    is expensive
  • E.g. switching from Windows to Linux means
    retraining staff, rewriting apps
  • Shapiro-Varian theorem: the net present value of
    a software company is the total switching costs
  • This is why so much effort is starting to go into
    accessory control: manage the switching costs in
    your favour

10
IT Economics and Security
  • High fixed/low marginal costs, network effects
    and switching costs all tend to lead to
    dominant-firm markets with big first-mover
    advantage
  • So time-to-market is critical
  • Microsoft's philosophy of "we'll ship it Tuesday
    and get it right by version 3" is not perverse
    behaviour by Bill Gates but driven by economics
  • Whichever company had won in the PC OS business
    would have done the same

11
IT Economics and Security 2
  • When building a network monopoly, it is also
    critical to appeal to the vendors of
    complementary products
  • E.g., application software developers in the case
    of PC versus Apple, or now of Symbian versus CE
  • Lack of security in earlier versions of Windows
    makes it easier to develop applications
  • Similarly, motive for choice of security
    technologies that dump the support costs on the
    user (e.g. SSL, PKI, …)

12
Why are many security products ineffective?
  • Akerlof's Nobel-prizewinning paper "The Market
    for Lemons" provides the key insight: asymmetric
    information
  • Suppose a town has 100 used cars for sale: 50
    good ones worth 2000 and 50 lemons worth 1000
  • What is the equilibrium price of used cars in
    this town?
  • If 1500, no good cars will be offered for sale
  • Fix: brands (e.g. Volvo certified used car)
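The lemons argument on this slide can be run as a small fixed-point computation: sellers withdraw anything worth more than the going price, buyers bid the average value of what is still on offer, and the price ratchets down until only lemons trade. The code below is an added example, not from the slides; it uses the slide's car numbers and also applies the same dynamic to a constructed pool of security products whose true quality only the vendor knows.

```python
# Added example (not from the slides): Akerlof's "market for lemons" as a
# fixed-point iteration.  Sample pools are constructed for illustration.
from typing import Sequence


def offered(values: Sequence[float], price: float) -> list[float]:
    """Items whose seller is willing to sell at `price`.

    Sellers know the true value and withdraw anything worth more than the
    price on offer; buyers cannot tell which items were withdrawn.
    """
    return [v for v in values if v <= price]


def buyer_bid(values: Sequence[float], price: float) -> float:
    """What buyers will pay given what is actually for sale at `price`.

    Knowing only the distribution, the rational bid is the average value
    of the items still on offer (0 if nothing is offered).
    """
    on_sale = offered(values, price)
    return sum(on_sale) / len(on_sale) if on_sale else 0.0


def equilibrium(values: Sequence[float], start_price: float,
                max_rounds: int = 100) -> tuple[float, list[float]]:
    """Iterate price -> offered set -> bid until the price stops moving.

    Returns (equilibrium price, items traded at that price).
    """
    price = start_price
    for _ in range(max_rounds):
        new_price = buyer_bid(values, price)
        if new_price == price:
            return price, offered(values, price)
        price = new_price
    raise RuntimeError("market did not converge")


def certified_equilibrium(values: Sequence[float],
                          certified: Sequence[bool]) -> tuple[float, float]:
    """The slide's fix: a brand or certification that buyers trust splits
    the pool into two markets that clear separately.

    Returns (price of certified items, price of the rest); 0.0 for an
    empty segment.
    """
    good = [v for v, c in zip(values, certified) if c]
    rest = [v for v, c in zip(values, certified) if not c]
    good_price = equilibrium(good, max(good))[0] if good else 0.0
    rest_price = equilibrium(rest, max(rest))[0] if rest else 0.0
    return good_price, rest_price


# Constructed sample pools.
CARS = [2000.0] * 50 + [1000.0] * 50           # the slide's town
# 10 sound security products and 30 ineffective ones; buyers cannot tell
# them apart before purchase, vendors can.
SECURITY_PRODUCTS = [900.0] * 10 + [300.0] * 30


if __name__ == "__main__":
    price, traded = equilibrium(CARS, 1500.0)
    print(f"cars: price {price}, {len(traded)} traded, all lemons")
    price, traded = equilibrium(SECURITY_PRODUCTS, 900.0)
    print(f"security products: price {price}, {len(traded)} traded")
    print("with certification:", certified_equilibrium(CARS, [True] * 50 + [False] * 50))
```

Starting the car market at 1500 withdraws every good car in the first round, so the bid falls to 1000 and stays there; starting at 2000 reaches the same point one round later. The security-product pool collapses the same way: at any price that would cover a sound product, buyers' average-quality bid is below it, so only the ineffective products end up trading.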

13
Security and Liability
  • Why did digital signatures not take off (e.g. SET
    protocol)?
  • Industry thought: legal uncertainty. So EU passed
    electronic signature law
  • Recent research: customers and merchants resist
    transfer of liability by bankers for disputed
    transactions
  • Best to stick with credit cards, as any fraud is
    the bank's problem
  • Similar resistance to phone-based payment:
    people prefer prepayment plans because of
    uncertainty

14
Privacy
  • Most people say they value privacy, but act
    otherwise
  • Privacy technology ventures have mostly failed
  • Latest research: people care about privacy when
    buying clothes, but not cameras
  • Analysis: some items relate to personal image,
    and it's here that the privacy sensitivity
    focuses
  • Issue for mobile phone industry: phone viruses
    are worse for image than PC viruses

15
How Much to Spend?
  • How much should the average company spend on
    information security?
  • Governments, vendors: much, much more than at
    present
  • They've been saying this for 20 years!
  • Measurements of security ROI suggest about 20%
    p.a.
  • So current expenditure is maybe about right
  • No room for huge growth selling firewalls

16
How are Incentives Skewed?
  • If you are DirNSA and have a nice new hack on NT,
    do you tell Bill?
  • Tell: protect 300m Americans
  • Don't tell: be able to hack 400m Europeans,
    1000m Chinese, …
  • If the Chinese hack US systems, they keep quiet.
    If you hack their systems, you can brag about it
    to the President

17
Skewed Incentives (2)
  • Within corporate sector, large companies tend to
    spend too much on security and small companies
    too little
  • Research shows an adverse selection effect
  • The most risk-averse people end up as corporate
    security managers
  • More risk-loving people may be sales or
    engineering staff, or small business
    entrepreneurs
  • Also due-diligence effects, government
    regulation, insurance market issues

18
Why Bill wasn't interested in security
  • While Microsoft was growing, the two critical
    factors were speed, and appeal to application
    developers
  • Security markets were over-hyped and driven by
    artificial factors
  • Issues like privacy and liability were more
    complex than they seemed
  • The public couldn't tell good security from bad
    anyway

19
Why is Bill now changing his mind?
  • Trusted Computing initiative ranges from TCG to
    the IRM mechanisms in Office 2003
  • TCG: put a TPM (smartcard) chip in every PC
    motherboard, PDA, mobile phone
  • This will do remote attestation of what the
    machine is and what software it's running
  • On top of this will be layers of software
    providing new security functionality, of a kind
    that would otherwise be easily circumvented, such
    as DRM and IRM
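The remote attestation this slide refers to rests on two mechanisms: a measurement register that can only be extended, never rewritten, so it ends up encoding every component loaded at boot and the order they loaded in; and a quote that binds that register value to a fresh challenge from the verifier. The following toy model is an added example, not the slides' or the TCG's code. Its simplifications are assumptions: a single PCR, SHA-256 in place of the SHA-1 that TPM 1.2 used, and an HMAC under a key shared with the verifier standing in for the TPM's signature with its attestation identity key; all component names and keys are constructed.

```python
# Added example (not from the slides, not TCG code): toy model of measured
# boot and remote attestation.  Assumptions: one PCR, SHA-256 instead of
# SHA-1, HMAC standing in for the attestation key signature.
import hashlib
import hmac

PCR_INIT = bytes(32)   # register value at reset


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: PCR <- H(PCR || H(component)).

    The result depends on every component measured so far and on their
    order; nothing measured can be "un-measured" without a reset.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measured_boot(components: list[bytes]) -> bytes:
    """Measure each boot component in turn, starting from the reset value."""
    pcr = PCR_INIT
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


def tpm_quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> bytes:
    """A quote binds the current PCR value to the verifier's fresh nonce."""
    return hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()


def verify_attestation(pcr: bytes, nonce: bytes, quote: bytes,
                       attestation_key: bytes, golden_pcr: bytes) -> bool:
    """Remote verifier: is the quote genuine and fresh, and is the reported
    PCR the value that a known-good boot produces?"""
    if not hmac.compare_digest(quote, tpm_quote(pcr, nonce, attestation_key)):
        return False   # forged quote, or a replay against a different nonce
    return hmac.compare_digest(pcr, golden_pcr)


# Constructed sample data.
ATTESTATION_KEY = b"constructed-attestation-key"
GOLDEN_BOOT = [b"bios 1.0", b"bootloader 2.1", b"kernel 2.6", b"irm-agent 1.0"]
PATCHED_BOOT = [b"bios 1.0", b"bootloader 2.1", b"kernel 2.6-modified", b"irm-agent 1.0"]
GOLDEN_PCR = measured_boot(GOLDEN_BOOT)   # verifier's reference value


def attest(components: list[bytes], nonce: bytes) -> bool:
    """Whole exchange: machine boots and measures, verifier sends a nonce,
    machine returns (PCR, quote), verifier checks against the golden value."""
    pcr = measured_boot(components)
    quote = tpm_quote(pcr, nonce, ATTESTATION_KEY)
    return verify_attestation(pcr, nonce, quote, ATTESTATION_KEY, GOLDEN_PCR)


if __name__ == "__main__":
    print("golden boot attests:", attest(GOLDEN_BOOT, b"nonce-1"))
    print("modified kernel attests:", attest(PATCHED_BOOT, b"nonce-2"))
```

A changed component anywhere in the chain changes the final register value, so the patched kernel fails even though every other component is unchanged; reordering the same components also yields a different value. Because the quote covers the verifier's nonce, a quote captured from an earlier genuine boot cannot be replayed later, and a machine that simply claims the golden value without a quote from the attestation key is rejected.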

20
Why is Bill now changing his mind? (2)
  • IRM (Information Rights Management) changes
    ownership of a file from the machine owner to the
    file creator
  • Files are encrypted and associated with rights
    management information
  • The file creator can specify that a file can only
    be read by Mr. X, and only till date Y
  • Now shipping in Office 2003
  • What will be the effect on the typical business
    that uses PCs?

21
Why is Bill now changing his mind? (3)
  • At present, a company with 100 PCs pays maybe
    500 per seat for Office
  • Remember: value of software company = total
    switching costs
  • So cost of retraining everyone to use Linux,
    converting files etc is maybe 50,000
  • But once many of the documents can't be converted
    without the creator's permission, the switching
    cost is much higher
  • Lock-in is the key

22
Strategic issues
  • TCG initiative started by Intel as they believed
    that control of the home hub was vital
  • They made 90% of their profits from PC
    processors, and controlled 90% of the market
  • Innovations such as PCI, USB and now TC are
    designed to grow the overall size of the PC
    market
  • They are determined not to lose control of the
    home to the Sony Playstation

23
Strategic Issues (2)
  • Who will control users' data?
  • Microsoft view: everything will be on an MS
    platform (your WP files, presentations, address
    book, pictures, movies, music)
  • European Commission view: this is illegal
    anticompetitive behaviour
  • Proposed anti-trust remedy: force MS to unbundle
    Media Player, or to include other media players
    in its Windows distribution

24
Competitive issue
  • Microsoft vision is to control a framework into
    which all user data is drawn, and in which it is
    then managed
  • This could extend Microsoft's market power from
    the PC platform to PDAs, phones, music systems, …
  • If this works it is bad news for market
    competition, and bad news for vendors of phones,
    consumer electronics
  • Is there any alternative framework play?

25
Alternative Vision
  • The Trusted Computing view of the universe
    makes the home hub the centre of the digital
    world, and assumes it to be a PC
  • The Sony view of the world is similar, except
    that the hub is a Playstation
  • Matsushita: it's a souped-up PVR
  • However, maybe the mobile phone is a better hub
    than the PC!

26
Alternative Vision
  • There are many, many more mobile phones in the
    world than PCs
  • The mobile phone is private: kids take it to bed
  • People rely on it when under stress
  • It is their antidote to the complexity of life
  • It is how they shape their social world
  • By comparison, a PC is used in turn by all family
    members, and visitors, rather like a toilet

27
The Big Issue, 2004-2006
  • With encryption and broadband, the data can be
    anywhere
  • What matters is where the trust is located
  • Trust can be based on the PC, in a PVR, in a
    mobile phone, maybe even in an ID card
  • There are all sorts of crossover technologies
    possible (e.g., bluetooth mouse as TPM)
  • But the power struggle will be fierce, and the
    players will try to control compatibility.
  • Could/should governments intervene?

28
The Irish Presidency Issue
  • The EU IPR Enforcement Directive (IPRED) will
    greatly increase lock-in
  • The EU Parliament watered it down in the legal
    and industry committees; Commission/Council
    reinstated it
  • By making reverse engineering harder it will harm
    small companies and growth
  • By facilitating market segmentation it will
    undermine the Single Market

29
More
  • WEIS 2004 (Workshop on Economics and Information
    Security), University of Minnesota, 13-14 May
    2004
  • Economics and Security Resource Page
    www.cl.cam.ac.uk/~rja14/econsec.html (or follow
    link from my home page)
  • EU IPRED: see www.fipr.org