Why Information Security is Hard


Why Information Security is Hard - An Economic Perspective
Ross Anderson
University of Cambridge

Abstract

Common view: Security is just a difficult technical issue
Anderson’s view: It is at least as hard because of economic disincentives

Summary

The paper uses the language of economics to describe
Why Information Security is often not implemented
Why Information Security is often implemented for motives other than protection

Simple Economics

Look at all decisions and designs in terms of Costs and Benefits
To maximize returns:
Do what costs least or brings biggest returns
Ultimately measured in $$

A Matter of Questions

Economic: Who, When, Why, Where
Technical: What, How

Who Suffers?

Who has primary responsibility when bank fraud occurs?
In US – the bank
In Europe – the customer
Guess which has the more effective security system

Who Suffers?

Disincentive:
The party funding the security measure is not the party suffering the consequence of a breach
Why should the funding party spend a lot if no liability?
Would virus protection be more effective if mail client vendors had to pay user’s costs of a virus?

Who Pays?

Who pays for protecting a shared resource?
Users want to get as much of it as they can
Aren’t motivated to spend to protect it
Resource manager wants to maximize use (and revenue), so he should pay
Example – Network vendor should prevent DOS attacks and not expect users to pay for the protection

When Should Security be Added?

All software engineers know – when the product is developed
But what are the real costs?
Time to Market
Complexity

Economics Term: NETWORK EXTERNALITIES

The change in value of a resource when the number of consumers of the resource changes
Example: Metcalfe’s Law – value of a network increases as the square of the number of nodes
A product has more underlying value if it has more users

When – Time to Market

The preceding implies a high value for getting to market first
Dominate
Low marginal costs once established
Set up barriers – high switching costs
Adding security features increases time to market and risks missing the window of opportunity

When – Time to Market

Users would probably pay more if product were more secure
I.e. incremental development costs are OK
But lost opportunity costs are too high to vendor
A disincentive to building security in from the start

When - Complexity

Security features in OS or Network make life more difficult for developers
Think of capability like record locking – necessary, but makes application more complicated
Developers are a primary target for OS and Network vendors
Thus arises an implicit agreement to pass security costs on to the users
Not absolutely required for applications

Why Have Security?
Economic Reasons

Add security features for the benefit of the vendor, not the user
Lock-in users
Maximize revenue
Protect on-going revenue
Get market data

Why? – Lock-in Users

Use proprietary security measures
Vendor can control
Can create revenue
Block or hinder competition
Users get familiar – harder to switch
Probably reduces reliability and stability

Why – Maximize Revenue

Use as a high price upgrade feature
Incremental cost is low to nothing
But can charge a lot for it
Non-IT example: Airline fares
IT example: Basic product vs. “Gold” version

Why – Protect Revenue

Use security to prevent reverse engineering
Use security measures to prevent add-on generic products
E.g. printer cartridges

Why – Protect and Gather Data

RFID
Helps prevent theft
Creates revenue (e.g. toll tags)
Track inventory and shipments
(IBM “you’re on the road to Fresno” ad)
But
Big privacy threat
Can track car movements
Can track people (see movie “Minority Report”)

Why – Get Market Data

MS Passport – a good example of a bad example
Purported purpose – to provide a single point of security to many Web sites
But Passport tracks your surfing
And shares your data
And provides bad guys with a single point of attack

Where is the Advantage?
(Economics of “War”)

In security matters today, attackers have the advantage
Easier to find one flaw than find and patch them all
Attacker only needs one
Can model investment in attack and defense
Estimate bug count and investment in finding
Attacker’s advantage is large
Like trying to defend in Iraq
Attack can come anywhere – defense must be everywhere
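
The attack and defense investment model mentioned on this slide, worked through as an added example (not part of the original slides or the paper). The bug count, per-bug mean time to discovery and hours are constructed values, and independent Poisson discovery of each bug is an assumption.

```python
import math

# Constructed sample values, not taken from the slides.
N_BUGS = 1_000_000           # latent bugs in the product
MTBF_HOURS = 1e9             # mean search hours to hit any one given bug
ATTACKER_HOURS = 1_000       # one attacker, part-time for a year
DEFENDER_HOURS = 10_000_000  # vendor test effort, 10,000x the attacker


def p_found(hours, mtbf_hours=MTBF_HOURS):
    """Chance that one given bug turns up within `hours` (Poisson assumption)."""
    return -math.expm1(-hours / mtbf_hours)


def attacker_success(attacker_hours, defender_hours, n_bugs=N_BUGS):
    """P(attacker holds at least one bug the defender has not found and patched)."""
    p_usable = p_found(attacker_hours) * (1.0 - p_found(defender_hours))
    if p_usable >= 1.0:
        return 1.0
    # 1 - (1 - p_usable)^n, computed stably for very small p_usable
    return -math.expm1(n_bugs * math.log1p(-p_usable))


def defender_hours_needed(attacker_hours, target, n_bugs=N_BUGS):
    """Defender hours that push attacker success down to `target` (bisection)."""
    lo, hi = 0.0, 100 * MTBF_HOURS
    for _ in range(200):
        mid = (lo + hi) / 2
        if attacker_success(attacker_hours, mid, n_bugs) > target:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    print("no defense   :", round(attacker_success(ATTACKER_HOURS, 0), 3))
    print("10,000x spend:", round(attacker_success(ATTACKER_HOURS, DEFENDER_HOURS), 3))
    need = defender_hours_needed(ATTACKER_HOURS, 0.10)
    print("hours for 10%:", f"{need:.3g}", "ratio", f"{need / ATTACKER_HOURS:.3g}")
```

Under these assumptions a defender spending 10,000 times the attacker's hours lowers the attacker's chance of holding an unpatched bug only from about 0.632 to about 0.628; reaching 10% takes roughly 2.25 billion defender hours.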

Another Who Question
Who Determines Security Quality?

International Standards for Security exist
But like ISO 9000, they appear to be more about process than content
No absolute standard
Customer says what is wanted in security
Vendor verifies product meets requirements
Current working standard is called “Common Criteria”

Who Pays for Evaluation?

Should be customer, but this is big expense if each customer does it
Current practice is that vendor pays an evaluator
This leads to shopping for “easy” evaluators
An Application Vendor may actually consider an evaluated product to have less value
If A.V. embeds the security product in his product and it fails, A.V. is more likely liable if security product is certified

Conclusion

Why do IT vendors not provide great security?
Economics!
Create Monopoly
Maximize revenue
Reduce risk
Economics promotes insecurity
Ultimately the problem is more political than technical

Final Analysis

The author’s arguments make sense but are strictly qualitative
The paper provides little in the way of suggestions to solve the problems it describes
Its purpose is to provide us (especially techies) with a different, more complete and more realistic way to view security issues