170 likes | 364 Views
Security Economics. Ross Anderson Cambridge University. Economics and Security. The link between economics and security atrophied after WW2 Over the last six years, we have started to apply economic analysis to information security
E N D
Security Economics Ross Anderson Cambridge University
Economics and Security • The link between economics and security atrophied after WW2 • Over the last six years, we have started to apply economic analysis to information security • Economic analysis often explains security failure better then technical analysis! • Information security mechanisms are used increasingly to support business models (DRM, accessory control) rather than to manage risk • So economic analysis is vital in several ways for the public policy aspects of security
Traditional View of Infosec • People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering • So engineers worked on providing better, cheaper security features – AES, PKI, firewalls … • About 1999, we started to realize that this is not enough
Incentives and Infosec • Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors • Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others • Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy • Why is Microsoft software so insecure, despite market dominance?
New View of Infosec • Systems are often insecure because the people who could fix them have no incentive to • Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it • Security is often what economists call an ‘externality’ – like environmental pollution
Financial Times 25/9/5 • Infosec now an ‘Arms Race’ no-one can stop • ‘Today indeed it seems we have a deficit of computer security. But it seems inevitable that tomorrow we will have too much’ • Decision-makers rely on data ‘systematically skewed in the direction of exaggerated harm and understated cost of prevention’ • ‘Over-protecting ourselves today will cost us tomorrow dearly in the unborn or delayed generations of innovation’ • See www.infosecon.net
New Uses of Infosec • Xerox started using authentication in ink cartridges to tie them to the printer • Motorola started authenticating mobile phone batteries to the phone • BMW now has a car prototype that authenticates its major components • Usual purposes – locking in customers, grabbing power in the supply chain – may be unlawful
IT Economics and Security • High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage • So time-to-market is critical • Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse attitude of Bill Gates, but quite rational • Whichever company had won in the PC OS business would have done the same
IT Economics and Security 2 • When building a network monopoly, it is also critical to appeal to the vendors of complementary products • E.g., application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or WinMP versus Real • Lack of security in earlier versions of Windows makes it easier to develop applications • Once you have your monopoly, increase security unreasonably in order to lock customers in
Privacy • Most people say they value privacy, but act otherwise • Privacy technology ventures have mostly failed • Acquisti et al – people care about privacy when buying clothes, but not cameras (some items relate to your image, so are privacy sensitive) • Issue for mobile phone industry – phone viruses worse for image than PC viruses • Issue for the ‘database state’ – the Blair project of NPfIT, Children’s Databases, ID cards… • Alternative models include externality – people who go ex-directory
How Much to Spend? • How much should the average company spend on information security? • Governments, vendors say: much much more than at present! • But hey - they’ve been saying this for 20 years • Measurements of security return-on-investment suggest about 20% p.a. • So current expenditure may be about right
How are Incentives Skewed? • If you are DirNSA and have a nice new hack on NT, do you tell Bill? • Tell – protect 300m Americans • Don’t tell – be able to hack 400m Europeans, 1000m Chinese,… • If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President
Skewed Incentives (2) • Within corporate sector, large companies tend to spend too much on security and small companies too little • Research shows adverse selection effect • The most risk-averse people end up as corporate security managers • More risk-loving people may be sales or engineering staff, or entrepreneurs • Also: due-diligence effects, insurance market failures, information asymmetry in organisations
Open versus Closed? • Are open-source systems more dependable? It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them • Theory: openness helps both equally if bugs are random and standard dependability model assumptions apply • Statistics: bugs are correlated in a number of real systems • So for some systems at least, it’s definitely better to report and fix vulnerabilities than keep quiet about them. This is an empirical question!
Large Project Failure • Maybe 30% of large projects fail • But we build much bigger failures nowadays than 30 years ago so… • Why do more public-sector projects fail? • Consider what the incentives are on project managers versus ministers – and what sort of people will become successful project managers versus ministers!
The Information Society • More and more goods contain software • More and more industries are starting to become like the software industry • The good: flexibility, rapid response • The bad: frustration, poor service • The ugly: monopolies • How will law evolve to cope?
More … • Our security group blog – www.lightbluetouchpaper.org • Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page) • Foundation for Information Policy Research – www.fipr.org