The Economics of Information Security

  1. The Economics of Information Security. Ross Anderson, Cambridge University

  2. Economics and Security • Over the last four years, we have started to apply economic analysis to information security • Economic analysis often explains security failure better than technical analysis! • Information security mechanisms are used increasingly to support business models rather than to manage risk • Economic analysis is also vital for the public policy aspects of security • It is critical for understanding competitive advantage

  3. Traditional View of Infosec • People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering • So engineers worked on providing better, cheaper security features – AES, PKI, firewalls … • About 1999, we started to realize that this is not enough

  4. Incentives and Infosec • Electronic banking: UK banks were less liable for fraud, so they ended up suffering more internal fraud and more errors • Distributed denial of service: viruses now don’t so much attack the infected machine as use it to attack others • Health records: hospitals, not patients, buy IT systems, so the systems protect hospitals’ interests rather than patient privacy • Why is Microsoft software so insecure, despite market dominance?

  5. New View of Infosec • Systems are often insecure because the people who could fix them have no incentive to • Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it • Security is often what economists call an ‘externality’– like environmental pollution • This is an excuse for government intervention

  6. New Uses of Infosec • Xerox started using authentication in ink cartridges to tie them to the printer • Followed by HP, Lexmark … and Lexmark’s case against SCC (Static Control Components) • Motorola started authenticating mobile phone batteries to the phone • BMW now has a car prototype that authenticates its major components
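The accessory authentication on this slide, as an added example that is not from the original slides and not any vendor's actual scheme: a host (printer) issues a fresh random challenge and a part (cartridge) answers with an HMAC under a per-product key. The key, the part classes and the `demo()` harness are constructed for illustration. The example shows why a part without the key fails, and why a fresh challenge defeats a clone that merely replays a sniffed response.

```python
import hashlib
import hmac
import secrets

# Constructed example of accessory control: a host (printer) checks that a
# part (cartridge) holds a per-product secret before accepting it. The key,
# the part classes and the protocol are illustrative assumptions, not any
# vendor's actual scheme.
PRODUCT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # assumed secret
CHALLENGE_LEN = 16


def mac(key: bytes, challenge: bytes) -> bytes:
    """Response = HMAC-SHA256(key, challenge); only a key holder can compute it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class GenuinePart:
    """Accessory chip that holds the product key."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, challenge)


class ClonePart:
    """Third-party part without the key: it can only guess."""

    def respond(self, challenge: bytes) -> bytes:
        return secrets.token_bytes(32)


class ReplayingPart:
    """Clone that recorded one genuine (challenge, response) exchange on the
    bus and replays that response whatever it is asked."""

    def __init__(self, recorded_response: bytes):
        self._recorded = recorded_response

    def respond(self, challenge: bytes) -> bytes:
        return self._recorded


class Host:
    """Printer side: fresh random challenge per attempt, constant-time compare."""

    def __init__(self, key: bytes):
        self._key = key

    def authenticate(self, part) -> bool:
        challenge = secrets.token_bytes(CHALLENGE_LEN)  # unpredictable, so a replay fails
        expected = mac(self._key, challenge)
        return hmac.compare_digest(expected, part.respond(challenge))


def demo() -> dict:
    """Run the three kinds of part against the host; returns outcome per part."""
    host = Host(PRODUCT_KEY)
    genuine = GenuinePart(PRODUCT_KEY)
    # The replaying clone sniffed one earlier exchange between host and genuine part.
    old_challenge = secrets.token_bytes(CHALLENGE_LEN)
    sniffed = ReplayingPart(genuine.respond(old_challenge))
    return {
        "genuine": host.authenticate(genuine),
        "clone": host.authenticate(ClonePart()),
        "replay": host.authenticate(sniffed),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'clone': False, 'replay': False}
```

The weak point is the same one every accessory-control scheme has: the secret must sit inside every part, so extracting it from a single cartridge is enough to build compliant clones. A public-key variant (verifying key in the host, signing key in the part) stops the host from leaking the secret but does not stop extraction from the part. This is why the lock-in ends up being defended in court rather than by the cryptography: Lexmark's suit against SCC was brought under the anti-circumvention provisions of the DMCA.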

  7. IT Economics (1) • The first distinguishing characteristic of many IT product and service markets is network effects • Metcalfe’s law – the value of a network grows as the square of the number of users • Real networks – phones, fax, email • Virtual networks – PC architecture versus Mac, or Symbian versus WinCE • Network effects tend to lead to dominant-firm markets where the winner takes all

  8. IT Economics (2) • Second common feature of IT product and service markets is high fixed costs and low marginal costs • Competition can drive down prices to marginal cost of production • This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility … • These effects can also lead to dominant-firm market structures

  9. IT Economics (3) • Third common feature of IT markets is that switching from one product or service to another is expensive • E.g. switching from Windows to Linux means retraining staff, rewriting apps • Shapiro-Varian theorem: the net present value of a software company is its customers’ total switching costs • This is why so much effort is starting to go into accessory control – manage the switching costs in your favour

  10. IT Economics and Security • High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage • So time-to-market is critical • Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but driven by economics • Whichever company had won in the PC OS business would have done the same

  11. IT Economics and Security 2 • When building a network monopoly, it is also critical to appeal to the vendors of complementary products • E.g., application software developers in the case of PC versus Apple, or now of Symbian versus CE • Lack of security in earlier versions of Windows made it easier to develop applications • Similarly, there is a motive to choose security technologies that dump the support costs on the user (e.g. SSL, PKI, …)

  12. Why are many security products ineffective? • Akerlof’s Nobel-prizewinning paper, ‘The Market for Lemons’, provides the key insight – asymmetric information • Suppose a town has 100 used cars for sale: 50 good ones worth $2000 and 50 lemons worth $1000 • What is the equilibrium price of used cars in this town? • If $1500, no good cars will be offered for sale … only lemons are on offer, so buyers rationally pay no more than $1000, and the good cars never trade • Fix: brands (e.g. ‘Volvo certified used car’)
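The unravelling on this slide, worked through as an added example that is not from the original slides. The market is the slide's (50 cars worth $2000, 50 worth $1000); the clearing rule is an assumption made explicit here: risk-neutral buyers bid the average value of whatever is actually on offer, and a seller only offers a car when the price covers its value. The example also goes beyond the slide in two ways: it runs the same loop over a continuum of qualities, where the market collapses to the single worst car, and it models the "brand" fix as a certifier that splits the market into pools, showing that a coarse certificate only raises the floor of each pool.

```python
from statistics import mean

# Constructed market from the slide: 50 good cars worth $2000 and 50 lemons
# worth $1000. Only the seller knows which is which.
TOWN = [2000] * 50 + [1000] * 50


def offered_at(price, values):
    """A seller only parts with a car if the price covers what it is worth to them."""
    return [v for v in values if v <= price]


def equilibrium_price(values, start_price, max_rounds=1000):
    """Iterate: buyers bid the average value of what is actually on offer.

    Buyers are risk-neutral and cannot tell a good car from a lemon, so they
    bid the mean value of the cars offered at the current price. Sellers then
    withdraw every car worth more than that bid. The price can only fall and
    the offered set can only shrink, so the loop reaches a fixed point.
    Returns (price, cars still offered); an empty market returns (0, []).
    """
    price = start_price
    for _ in range(max_rounds):
        offered = offered_at(price, values)
        if not offered:
            return 0, []
        bid = mean(offered)
        if bid == price:
            return price, offered
        price = bid
    return price, offered_at(price, values)


def certified_market(values, certify):
    """The slide's fix: a brand or certification splits the market into pools
    buyers can tell apart. `certify` maps a car's value to a label. Each pool
    then clears on its own, starting from that pool's mean value."""
    pools = {}
    for v in values:
        pools.setdefault(certify(v), []).append(v)
    return {label: equilibrium_price(pool, mean(pool))[0]
            for label, pool in pools.items()}


if __name__ == "__main__":
    price, offered = equilibrium_price(TOWN, 1500)
    print(price, len(offered), set(offered))  # 1000 50 {1000}: only the lemons trade
    print(certified_market(TOWN, lambda v: "certified" if v == 2000 else "uncertified"))
    # A continuum of qualities unravels all the way down to the worst car, and a
    # coarse certificate (above/below $1500) only raises the floor of each pool.
    continuum = list(range(1000, 2001, 10))
    print(equilibrium_price(continuum, 1500)[0])  # 1000
    print(certified_market(continuum, lambda v: "certified" if v > 1500 else "uncertified"))
```

Read the continuum case as the security-product market: when buyers cannot distinguish a well-engineered product from a poorly engineered one, the price falls to what the worst product is worth, and vendors of good products leave or stop investing. A certification that only sorts coarsely (the `v > 1500` label) does not stop the unravelling inside each pool; it just changes where the pool bottoms out.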

  13. Security and Liability • Why did digital signatures not take off (e.g. the SET protocol)? • Industry thought: legal uncertainty. So the EU passed an electronic signature law • Recent research: customers and merchants resist the transfer of liability for disputed transactions that banks push onto them • Best to stick with credit cards, as any fraud is the bank’s problem • Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty

  14. Privacy • Most people say they value privacy, but act otherwise • Privacy technology ventures have mostly failed • Latest research – people care about privacy when buying clothes, but not cameras • Analysis – some items relate to personal image , and it’s here that the privacy sensitivity focuses • Issue for mobile phone industry – phone viruses worse for image than PC viruses

  15. How Much to Spend? • How much should the average company spend on information security? • Governments, vendors: much much more than at present • They’ve been saying this for 20 years! • Measurements of security ROI suggest about 20% p.a. • So current expenditure maybe about right • No room for huge growth selling firewalls…

  16. How are Incentives Skewed? • If you are DirNSA (Director of the NSA) and have a nice new hack on NT, do you tell Bill? • Tell – protect 300m Americans • Don’t tell – be able to hack 400m Europeans, 1000m Chinese, … • If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

  17. Skewed Incentives (2) • Within corporate sector, large companies tend to spend too much on security and small companies too little • Research shows adverse selection effect • The most risk-averse people end up as corporate security managers • More risk-loving people may be sales or engineering staff, or small business entrepreneurs • Also: due-diligence effects, government regulation, insurance market issues

  18. Why Bill wasn’t interested in security • While Microsoft was growing, the two critical factors were speed, and appeal to application developers • Security markets were over-hyped and driven by artificial factors • Issues like privacy and liability were more complex than they seemed • The public couldn’t tell good security from bad anyway

  19. Why is Bill now changing his mind? • The ‘Trusted Computing’ initiative ranges from TCG to the IRM mechanisms in Office 2003 • TCG – put a TPM (a smartcard-like chip) on every PC motherboard, PDA, mobile phone • This will do remote attestation of what the machine is and what software it’s running • On top of this will be layers of software providing new security functionality, of a kind that would otherwise be easily circumvented, such as DRM and IRM
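What "remote attestation of what the machine is and what software it's running" amounts to, as an added, simplified example that is not from the original slides. The PCR extend rule mirrors the TCG one (PCR' = H(PCR || measurement)); everything else is an assumption for illustration: the quote signature is replaced by an HMAC under `ATTEST_KEY`, a stand-in for the TPM's attestation signing key that the verifier can check, and the boot components and their names are constructed. The `demo()` shows a clean boot passing, an honestly reported modified kernel being rejected, and two attempts to hide the modification (a swapped log, a claimed clean PCR) being caught.

```python
import hashlib
import hmac

# Added, simplified model of measured boot plus remote attestation. The PCR
# extend rule mirrors the TCG one (PCR' = H(PCR || measurement)); the quote
# signature is replaced by an HMAC under ATTEST_KEY, an assumed stand-in for
# the TPM's attestation signing key that the verifier can check. Component
# images and the key are constructed for the example.
ATTEST_KEY = b"constructed-attestation-key-for-illustration"
PCR_INITIAL = bytes(32)

GOOD_BOOT = [
    ("bootloader", b"bootloader v1"),
    ("kernel", b"kernel v1"),
    ("drm_stack", b"rights-management layer v1"),
]
# What the verifier (say, a content service) is willing to trust, per stage.
TRUSTED = {name: hashlib.sha256(image).digest() for name, image in GOOD_BOOT}


def extend(pcr: bytes, digest: bytes) -> bytes:
    """One-way accumulation: a PCR can be extended but never set, so a later
    stage cannot erase an earlier measurement, and order matters."""
    return hashlib.sha256(pcr + digest).digest()


def boot(components):
    """Each stage is measured before it runs; returns (final PCR, event log)."""
    pcr, log = PCR_INITIAL, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return pcr, log


def quote(pcr: bytes, nonce: bytes) -> bytes:
    """'TPM' side: authenticate the PCR together with the verifier's nonce."""
    return hmac.new(ATTEST_KEY, nonce + pcr, hashlib.sha256).digest()


def verify(nonce, claimed_pcr, log, sig, trusted=TRUSTED):
    """Verifier side. Order matters: first that the quote is fresh and genuine,
    then that the log explains the PCR, then that every stage is one we trust.
    Only digests are trusted; the names in the log are just lookup keys."""
    if not hmac.compare_digest(quote(claimed_pcr, nonce), sig):
        return False, "bad quote"
    replayed = PCR_INITIAL
    for _, digest in log:
        replayed = extend(replayed, digest)
    if replayed != claimed_pcr:
        return False, "log does not match PCR"
    for name, digest in log:
        if trusted.get(name) != digest:
            return False, f"untrusted {name}"
    return True, "ok"


def demo() -> dict:
    nonce = b"verifier nonce 42"  # would be random per request
    good_pcr, good_log = boot(GOOD_BOOT)
    patched = [(n, img + b" +patch") if n == "kernel" else (n, img) for n, img in GOOD_BOOT]
    bad_pcr, bad_log = boot(patched)
    return {
        "trusted": verify(nonce, good_pcr, good_log, quote(good_pcr, nonce)),
        # honest report of a modified kernel: quote and log are fine, the stage is not
        "patched_kernel": verify(nonce, bad_pcr, bad_log, quote(bad_pcr, nonce)),
        # attacker swaps in the clean log but cannot change what the TPM quotes
        "forged_log": verify(nonce, bad_pcr, good_log, quote(bad_pcr, nonce)),
        # attacker claims the clean PCR, but the TPM only quotes the real one
        "forged_pcr": verify(nonce, good_pcr, good_log, quote(bad_pcr, nonce)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The DRM and IRM layers the slide mentions sit on exactly this value: a content key is released, or a document decrypted, only when the attested PCR is one the vendor's policy lists. That is the technical lever behind the lock-in argument on the following slides, since what counts as a trusted stack is decided by whoever writes the `TRUSTED` table, not by the machine's owner.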

  20. Why is Bill now changing his mind? (2) • IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator • Files are encrypted and associated with rights management information • The file creator can specify that a file can only be read by Mr. X, and only till date Y • Now shipping in Office 2003 • What will be the effect on the typical business that uses PCs?

  21. Why is Bill now changing his mind? (3) • At present, a company with 100 PCs pays maybe $500 per seat for Office • Remember – value of software company = total switching costs • So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000 • But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher • Lock-in is the key

  22. Strategic issues • TCG initiative started by Intel as they believed that control of the ‘home hub’ was vital • They made 90% of their profits from PC processors, and controlled 90% of the market • Innovations such as PCI, USB and now TC are designed to grow the overall size of the PC market • They are determined not to lose control of the home to the Sony Playstation

  23. Strategic Issues (2) • Who will control users’ data? • Microsoft view – everything will be on an MS platform (your WP files, presentations, address book, pictures, movies, music) • European Commission view – this is illegal anticompetitive behaviour • Proposed anti-trust remedy – force MS to unbundle Media Player, or to include other media players in its Windows distribution

  24. Competitive issue • Microsoft vision is to control a framework into which all user data is drawn, and in which it is then managed • This could extend Microsoft’s market power from the PC platform to PDAs, phones, music systems,… • If this works it is bad news for market competition, and bad news for vendors of phones, consumer electronics … • Is there any alternative framework play?

  25. Alternative Vision • The ‘Trusted Computing’ view of the universe makes the ‘home hub’ the centre of the digital world, and assumes it to be a PC • The Sony view of the world is similar, except that the hub is a Playstation • Matsushita – it’s a souped-up PVR • However, maybe the mobile phone is a better hub than the PC!

  26. Alternative Vision … • There are many, many more mobile phones in the world than PCs • The mobile phone is private – kids take it to bed • People rely on it when under stress • It is their antidote to the complexity of life • It is how they shape their social world • By comparison, a PC is used in turn by all family members, and visitors – rather like a toilet

  27. The Big Issue, 2004-2006 • With encryption and broadband, the data can be anywhere • What matters is where the trust is located • Trust can be based on the PC, in a PVR, in a mobile phone, maybe even in an ID card … • There are all sorts of crossover technologies possible (e.g., bluetooth mouse as TPM) • But the power struggle will be fierce, and the players will try to control compatibility. • Could/should governments intervene?

  28. The Irish Presidency Issue • The EU IPR Enforcement Directive (IPRED) will greatly increase lock-in • The EU Parliament watered it down in the legal and industry committees; the Commission and Council reinstated it • By making reverse engineering harder it will harm small companies and growth • By facilitating market segmentation it will undermine the Single Market

  29. More … • WEIS 2004 (Workshop on Economics and Information Security), University of Minnesota, 13-14 May 2004 • Economics and Security Resource Page –www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page) • EU IPRED – see www.fipr.org
