1 / 25

Economics of Dependability and Security

Economics of Dependability and Security. Ross Anderson Cambridge University. Financial Times 25/9/5. Infosec now an ‘Arms Race’ no-one can stop ‘Today indeed it seems we have a deficit of computer security. But it seems inevitable that tomorrow we will have too much’

brooklyn
Download Presentation

Economics of Dependability and Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Economics of Dependability and Security Ross Anderson Cambridge University

  2. Financial Times 25/9/5 • Infosec now an ‘Arms Race’ no-one can stop • ‘Today indeed it seems we have a deficit of computer security. But it seems inevitable that tomorrow we will have too much’ • Decision-makers rely on data ‘systematically skewed in the direction of exaggerated harm and understated cost of prevention’ • ‘Over-protecting ourselves today will cost us tomorrow dearly in the unborn or delayed generations of innovation’ • See www.infosecon.net

  3. Economics and Security • Over the last five years, we have started to apply economic analysis to information security • Economic analysis often explains security failure better then technical analysis! • Information security mechanisms are used increasingly to support business models rather than to manage risk • Economic analysis is critical for understanding competitive advantage • It’s also vital for good public policy on security

  4. Traditional View of Infosec • People used to think that the Internet was insecure because of lack of features – not enough crypto / authentication / filtering • So engineers worked on providing better, cheaper security features – AES, PKI, firewalls … • About 1999, we started to realize that this is not enough

  5. Incentives and Infosec • Electronic banking: UK banks were less liable for fraud then US banks, so they got careless and ended up suffering more fraud and error • Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others • Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy • Why is Microsoft software so insecure, despite its market dominance?

  6. New View of Infosec • Systems are often insecure because the people who could fix them have no incentive to • Bank customers suffer when bank staff get careless about fraud; patients suffer when hospital systems put administrators’ convenience before patent privacy; Amazon’s website suffers when infected PCs attack it • Security is often what economists call an ‘externality’ – like environmental pollution • This may justify government intervention

  7. New Uses of Infosec • Xerox started using authentication in ink cartridges to tie them to the printer • Followed by HP, Lexmark … and Lexmark’s case against SCC (and Dell – US and Europe drifting apart!) • Accessory control now spreading to more and more industries (games, phones, cars, …)

  8. IT Economics and Security 1 • The high fixed/low marginal costs, network effects and switching costs in information industries all tend to lead to dominant-firm markets with big first-mover advantage • So time-to-market is critical • Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but quite rational • Whichever company had won in the PC OS business would have done the same

  9. IT Economics and Security 2 • When building a network monopoly, it is also critical to appeal to the vendors of complementary products • E.g., application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or music sites in WMP versus RealPlayer • Lack of security in earlier versions of Windows makes it easier to develop applications • Similarly, choice of security technologies that dump support costs on the user (SSL, PKI, …)

  10. Security and Liability • Why did digital signatures not take off (e.g. SET protocol)? • Industry thought: legal uncertainty. So EU passed electronic signature law • But customers and merchants resisted transfer of liability by bankers for disputed transactions • Customers best to stick with credit cards, as any fraud is the bank’s problem • Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty, premium-rate rip-offs

  11. Privacy • Most people say they value privacy, but act otherwise • Privacy technology ventures have mostly failed (Zero Knowledge, Securicor, …) • Research – people care about privacy when buying clothes, but not cameras • Analysis – some items relate to personal image , and it’s here that the privacy sensitivity focuses • Issue for mobile phone industry – phone viruses worse for image than PC viruses • See the privacy economics page – at http://www.heinz.cmu.edu/~acquisti/

  12. How are Incentives Skewed? • If you are DirNSA and have a nice new hack on Windows, do you tell Bill? • Tell – protect 300m Americans • Don’t tell – be able to hack 400m Europeans, 1000m Chinese,… • If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

  13. Skewed Incentives (2) • Within corporate sector, large companies tend to spend too much on security and small companies too little • Research shows adverse selection effect: • The most risk-averse people end up as corporate security managers • More risk-loving people may be sales or engineering staff, or small-business entrepreneurs • Also: due-diligence effects, government regulation, insurance market issues

  14. Economics of Rights Management (1) • What happens when you link a concentrated industry (platforms) with a less concentrated industry (music)? • Varian’s analysis – most of the resulting surplus goes to the platform owner • So don’t be surprised at music industry complaints about Apple, or DG Competition action against WMP

  15. Economics of Rights Management (2) • IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator • Files are encrypted and associated with rights management information • The file creator can specify that a file can only be read by Mr. X, and only till date Y • Now shipping in Office – and heavily promoted! • What will be the effect on the typical business that uses PCs?

  16. Economics of Rights Management (3) • At present, a company with 100 PCs pays maybe $500 per seat for Office • Remember Shapiro-Varian result – value of software company = total switching costs • So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000 • But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher • Lock-in is the key

  17. Specific issues for Janet • Janet can threaten to disconnect member organisations, but that’s about it • There is no control at any finer granularity • Like a country with ICBMs but no soldiers • Do you punish a mild diplomatic insult with a 1-in-a-million probability of a nuke?

  18. Janet issues (2) • Janet charges by institution size, as that’s easiest • Downstream, some institutions charge out by bandwidth (e.g. Cambridge). This hits some research, and causes pressure on colleges to block P2P, Skype … • Janet is actually not as bandwidth constrained as a typical ISP – costs are basically upstream but there’s US presence • But: public-sector so risk-averse

  19. Janet Issues (3) • What if bandwidth-hungry departments (like Cambridge Computer Lab) go to NTL or Demon? • Normally ISPs peer with firms of about the same size, but not with firms that could be their customers • Everyone peers with Janet at present • Does this create fragility if some HEIs or even departments opt out?

  20. The Information Society • More and more goods contain software • More and more industries are starting to become like the software industry • The good: flexibility, rapid response • The bad: frustration, poor service • The ugly: monopolies • How will the law evolve to cope?

  21. Property • The enlightenment idea - that the core mission of government wasn’t defending faith, but defending property rights • 18th-19th century: rapid evolution of property and contract law • Realization that these are not absolute! • Abolition of slavery, laws on compulsory purchase, railway regulation, labour contracts, tenancy contracts, …

  22. Intellectual Property • Huge expansion as software etc have become more important - 7+ directives since 1991 • As with `ordinary’ property and contract in about 1850, we’re hitting serious conflicts • Competition law - legal protection of DRM mechanisms leads to enforcement of illegal contracts and breaches of the Treaty of Rome; judgment against Microsoft • Environmental law - recycling of ink cartridges mandated, after printer vendors use crypto to stop it

  23. Intellectual Property (2) • Privacy law – DRM mechanisms collect usage data to segment markets • Trade law – exemption for online services may undermine the Single Market • Employment law – French courts strike down a major’s standard record contract • IPR Enforcement Directive 2 – will criminalize patent infringement and incitement to infringe IP, unlike in the USA where BSA leading push for reduced civil damages in patent cases • With IPRED 1 and Lexmark, may make the EU more hostile to tech innovation than America

  24. Conclusions • More government involvement in info policy, and related issues such as IP, is inevitable • However, policy is often confused and contradictory at all levels • We need to figure out how to balance competing social goals, as we have in the physical world • The specific problem for academic networking is that fifteen years ago, a university was the best place to get online. Not any more. • We need mature economic thinking about risk and about the service provision chain!

  25. More … • WEIS 2006 (Workshop on Economics and Information Security), Cambridge, June 26-28 2006 • Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page) • Foundation for Information Policy Research – www.fipr.org

More Related