
Computer and Data Security (Sigurnost računala i podataka)


Presentation Transcript


  1. Computer and Data Security (Sigurnost računala i podataka)
     Mario Čagalj, University of Split (Sveučilište u Splitu)

  2. Why Information Security is Hard
     An Economic Perspective
     Ross Anderson

  3. Introduction
     • Common view
       • Information security comes down to technical measures (better technical solutions)
     • In this presentation
       • Information security is at least as much due to tricky incentives
       • Many of the security problems can be explained more clearly using the language of microeconomics

  4. Summary
     • Use the language of economics to describe
       • Why information security is often not implemented
       • Why information security is often implemented for motives other than protection

  5. Simple Economics
     • Look at all decisions and designs in terms of costs and benefits
     • To maximize returns:
       • Do what costs least or brings the biggest returns
     • Ultimately measured in $$

  6. A Matter of Questions
     • Economic
       • Who
       • When
       • Why
       • Where
     • Technical
       • What
       • How

  7. Who Suffers?
     • Who has primary responsibility when bank fraud occurs?
       • In the US – the bank
       • In Europe – the customer
     • Guess which has the more effective security system

  8. Who Suffers?
     • Disincentive:
       • The party funding the security measure is not the party suffering the consequences of a breach
     • Why should the funding party spend a lot if it bears no liability?
     • Would virus protection be more effective if mail client vendors had to pay users' costs of a virus?

  9. Who Pays?
     • Who pays for protecting a shared resource?
       • Users want to get as much of it as they can
       • They aren't motivated to spend to protect it
     • The resource manager wants to maximize use (and revenue), so he should pay
     • Example – a network vendor should prevent DoS attacks and not expect users to pay for the protection

  10. When Should Security be Added?
     • All software engineers know – when the product is developed
     • But what are the real costs?
       • Time to market
       • Complexity

  11. Economics Term: Network Externalities
     • The change in value of a resource when the number of consumers of the resource changes
     • Example: Metcalfe's Law – the value of a network increases as the square of the number of nodes (N²)
     • A product has more underlying value if it has more users

  12. When – Time to Market
     • The preceding implies a high value for getting to market first
       • Dominate
       • Low marginal costs once established
       • Set up barriers – high switching costs
     • Adding security features increases time to market and risks missing the window of opportunity

  13. When – Time to Market
     • Users would probably pay more if the product were more secure
       • I.e. incremental development costs are OK
     • But lost opportunity costs are too high for the vendor
     • A disincentive to building security in from the start

  14. When – Complexity
     • Security features in an OS or network make life more difficult for developers
       • Think of a capability like record locking – necessary, but it makes the application more complicated
     • Developers are a primary target for OS and network vendors
     • Thus arises an implicit agreement to pass security costs on to the users
       • Not absolutely required for applications

  15. Why Have Security? Economic Reasons
     • Add security features for the benefit of the vendor, not the user
       • Lock in users
       • Maximize revenue
       • Protect on-going revenue
       • Get market data

  16. Why – Lock-in Users
     • Use proprietary security measures
       • Vendor can control
       • Can create revenue
       • Block or hinder competition
       • Users get familiar – harder to switch
     • Probably reduces reliability and stability

  17. Why – Maximize Revenue
     • Use as a high-price upgrade feature
       • Incremental cost is low to nothing
       • But can charge a lot for it
     • Non-IT example: airline fares
     • IT example: basic product vs. “Gold” version

  18. Why – Protect Revenue
     • Use security to prevent reverse engineering
     • Use security measures to prevent add-on generic products
       • E.g. printer cartridges

  19. Why – Protect and Gather Data
     • RFID
       • Helps prevent theft
       • Creates revenue (e.g. toll tags)
       • Track inventory and shipments
       • (IBM “you're on the road to Fresno” ad)
     • But
       • Big privacy threat
       • Can track car movements
       • Can track people (see the movie “Minority Report”)

  20. Why – Get Market Data
     • MS Passport – a good example of a bad example
       • Purported purpose – to provide a single point of security to many Web sites
       • But Passport tracks your surfing
       • And shares your data
       • And provides bad guys with a single point of attack

  21. Where is the Advantage? (Economics of “War”)
     • In security matters today, attackers have the advantage
       • Easier to find one flaw than to find and patch them all
       • Attacker only needs one
     • Can model investment in attack and defense
       • Estimate bug count and investment in finding
       • Attacker's advantage is large
     • Like trying to defend in Iraq
       • Attack can come anywhere – defense must be everywhere
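The "attacker needs one flaw, defender must find them all" point on this slide can be put into numbers with a toy search model. The following is an added example, not part of the original slides and not the model from Anderson's paper; it assumes a system with `m` code locations of which `n` contain bugs, and a memoryless search in which each unit of effort inspects one location chosen uniformly at random (with replacement). Under that assumption the attacker's expected effort to hit any bug is m/n, while the defender's expected effort to hit every bug is m·H_n (a coupon-collector sum), so the defender must invest n·H_n times more regardless of how large the code base is.

```python
"""Toy model of attacker vs. defender search effort (added example, not from the slides).

Assumptions (constructed for illustration):
  * m code locations, n of them buggy; neither side knows where the bugs are.
  * One unit of effort inspects one uniformly random location (with replacement).
  * Attacker succeeds on the first bug found; defender must find all n bugs.
"""
import random
from fractions import Fraction


def harmonic(n: int) -> Fraction:
    """H_n = 1 + 1/2 + ... + 1/n, kept exact with Fraction."""
    return sum((Fraction(1, k) for k in range(1, n + 1)), Fraction(0))


def expected_attacker_effort(m: int, n: int) -> Fraction:
    """Geometric search: probability n/m of hitting a bug per inspection -> mean m/n."""
    return Fraction(m, n)


def expected_defender_effort(m: int, n: int) -> Fraction:
    """Coupon collector over the n bugs: after k bugs are known, the next new one is hit
    with probability (n-k)/m, so the mean is sum_{k} m/(n-k) = m * H_n."""
    return m * harmonic(n)


def attacker_advantage(m: int, n: int) -> Fraction:
    """Ratio defender/attacker effort; simplifies to n * H_n, independent of m."""
    return expected_defender_effort(m, n) / expected_attacker_effort(m, n)


def simulate(m: int, n: int, trials: int = 500, seed: int = 1) -> tuple[float, float]:
    """Monte Carlo check of the closed forms. Returns (mean attacker effort, mean defender effort).
    Bugs are placed at locations 0..n-1; with uniform sampling this loses no generality."""
    rng = random.Random(seed)
    bugs = set(range(n))
    attacker_total = 0
    defender_total = 0
    for _ in range(trials):
        # Attacker: stop at the first buggy location.
        effort = 0
        while True:
            effort += 1
            if rng.randrange(m) in bugs:
                break
        attacker_total += effort
        # Defender: keep going until every buggy location has been inspected at least once.
        found = set()
        effort = 0
        while len(found) < n:
            effort += 1
            loc = rng.randrange(m)
            if loc in bugs:
                found.add(loc)
        defender_total += effort
    return attacker_total / trials, defender_total / trials


if __name__ == "__main__":
    m, n = 1000, 10  # constructed sample sizes
    print(f"attacker expected effort : {float(expected_attacker_effort(m, n)):.1f}")
    print(f"defender expected effort : {float(expected_defender_effort(m, n)):.1f}")
    print(f"defender/attacker ratio  : {float(attacker_advantage(m, n)):.2f} (= n*H_n)")
    print("simulated (attacker, defender):", simulate(m, n))
```

Two things the closed form makes visible that the slide only asserts: the ratio n·H_n does not shrink when the code base grows, and it grows faster than linearly in the number of bugs, so every additional latent bug widens the gap between what the attacker and the defender have to spend.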

  22. Another Who Question: Who Determines Security Quality?
     • International standards for security exist
       • But like ISO 9000, they appear to be more about process than content
     • No absolute standard
       • Customer says what is wanted in security
       • Vendor verifies that the product meets the requirements
     • Current working standard is called “Common Criteria”

  23. Who Pays for Evaluation?
     • Should be the customer, but this is a big expense if each customer does it
     • Current practice is that the vendor pays an evaluator
       • This leads to shopping for “easy” evaluators
     • An application vendor may actually consider an evaluated product to have less value
       • If the application vendor embeds the security product in his product and it fails, he is more likely liable if the security product is certified

  24. Conclusion
     • Why do IT vendors not provide great security?
       • Economics!
       • Create monopoly
       • Maximize revenue
       • Reduce risk
     • Economics promotes insecurity
     • Ultimately the problem is more political than technical
