Security Economics - PowerPoint PPT Presentation

1
Security Economics
  • Ross Anderson
  • Cambridge University

2
Economics and Security
  • The link between economics and security atrophied
    after WW2
  • Over the last six years, we have started to apply
    economic analysis to information security
  • Economic analysis often explains security failure
    better than technical analysis!
  • Information security mechanisms are used
    increasingly to support business models (DRM,
    accessory control) rather than to manage risk
  • So economic analysis is vital in several ways for
    the public policy aspects of security

3
Traditional View of Infosec
  • People used to think that the Internet was
    insecure because of a lack of features: crypto,
    authentication, filtering
  • So engineers worked on providing better, cheaper
    security features: AES, PKI, firewalls
  • About 1999, we started to realize that this is
    not enough

4
Incentives and Infosec
  • Electronic banking: UK banks were less liable for
    fraud, so ended up suffering more internal fraud
    and more errors
  • Distributed denial of service: viruses now don't
    attack the infected machine so much as use it
    to attack others
  • Health records: hospitals, not patients, buy IT
    systems, so they protect hospitals' interests
    rather than patient privacy
  • Why is Microsoft software so insecure, despite
    market dominance?

5
New View of Infosec
  • Systems are often insecure because the people who
    could fix them have no incentive to
  • Bank customers suffer when bank systems allow
    fraud; patients suffer when hospital systems
    break privacy; Amazon's website suffers when
    infected PCs attack it
  • Security is often what economists call an
    externality, like environmental pollution

6
Financial Times 25/9/5
  • Infosec now an "Arms Race no-one can stop"
  • "Today indeed it seems we have a deficit of
    computer security. But it seems inevitable that
    tomorrow we will have too much"
  • "Decision-makers rely on data systematically
    skewed in the direction of exaggerated harm and
    understated cost of prevention"
  • "Over-protecting ourselves today will cost us
    tomorrow dearly in the unborn or delayed
    generations of innovation"
  • See www.infosecon.net

7
New Uses of Infosec
  • Xerox started using authentication in ink
    cartridges to tie them to the printer
  • Motorola started authenticating mobile phone
    batteries to the phone
  • BMW now has a car prototype that authenticates
    its major components
  • Usual purposes: locking in customers, grabbing
    power in the supply chain (may be unlawful)

8
IT Economics and Security
  • High fixed/low marginal costs, network effects
    and switching costs all tend to lead to
    dominant-firm markets with big first-mover
    advantage
  • So time-to-market is critical
  • The Microsoft philosophy of "we'll ship it Tuesday
    and get it right by version 3" is not a perverse
    attitude of Bill Gates, but quite rational
  • Whichever company had won in the PC OS business
    would have done the same

9
IT Economics and Security 2
  • When building a network monopoly, it is also
    critical to appeal to the vendors of
    complementary products
  • E.g., application software developers in the case
    of PC versus Apple, or now of Symbian versus
    WinCE, or WinMP versus Real
  • Lack of security in earlier versions of Windows
    makes it easier to develop applications
  • Once you have your monopoly, increase security
    unreasonably in order to lock customers in

10
Privacy
  • Most people say they value privacy, but act
    otherwise
  • Privacy technology ventures have mostly failed
  • Acquisti et al: people care about privacy when
    buying clothes, but not cameras (some items
    relate to your image, so are privacy sensitive)
  • Issue for the mobile phone industry: phone viruses
    are worse for image than PC viruses
  • Issue for the "database state": the Blair
    projects of NPfIT, Children's Databases, ID cards
  • Alternative models include externality: people
    who go ex-directory

11
How Much to Spend?
  • How much should the average company spend on
    information security?
  • Governments and vendors say: much, much more than at
    present!
  • But hey - they've been saying this for 20 years
  • Measurements of security return-on-investment
    suggest about 20% p.a.
  • So current expenditure may be about right

12
How are Incentives Skewed?
  • If you are DirNSA and have a nice new hack on NT,
    do you tell Bill?
  • Tell: protect 300m Americans
  • Don't tell: be able to hack 400m Europeans,
    1000m Chinese, ...
  • If the Chinese hack US systems, they keep quiet.
    If you hack their systems, you can brag about it
    to the President

13
Skewed Incentives (2)
  • Within the corporate sector, large companies tend to
    spend too much on security and small companies
    too little
  • Research shows an adverse selection effect
  • The most risk-averse people end up as corporate
    security managers
  • More risk-loving people may be sales or
    engineering staff, or entrepreneurs
  • Also due-diligence effects, insurance market
    failures, information asymmetry in organisations

14
Open versus Closed?
  • Are open-source systems more dependable? It's
    easier for the attackers to find vulnerabilities,
    but also easier for the defenders to find and fix
    them
  • Theory: openness helps both equally if bugs are
    random and standard dependability model
    assumptions apply
  • Statistics: bugs are correlated in a number of
    real systems
  • So for some systems at least, it's definitely
    better to report and fix vulnerabilities than
    keep quiet about them. This is an empirical
    question!

15
Large Project Failure
  • Maybe 30% of large projects fail
  • But we build much bigger failures nowadays than
    30 years ago, so ...
  • Why do more public-sector projects fail?
  • Consider what the incentives are on project
    managers versus ministers, and what sort of
    people will become successful project managers
    versus ministers!

16
The Information Society
  • More and more goods contain software
  • More and more industries are starting to become
    like the software industry
  • The good: flexibility, rapid response
  • The bad: frustration, poor service
  • The ugly: monopolies
  • How will law evolve to cope?

17
More
  • Our security group blog: www.lightbluetouchpaper.org
  • Economics and Security Resource Page:
    www.cl.cam.ac.uk/rja14/econsec.html (or follow
    the link from my home page)
  • Foundation for Information Policy Research:
    www.fipr.org