Why Information Security is Hard
An Economic Perspective
Ross Anderson
University of Cambridge
Abstract
Common view:
Security is just a difficult technical issue
Anderson’s view:
It is at least as hard because of economic
disincentives
Summary
The paper uses the language of
economics to describe
Why Information Security is often not
implemented
Why Information Security is often
implemented for motives other than
protection
Simple Economics
Look at all decisions and designs in terms
of costs and benefits
To maximize returns:
Do what costs least or brings biggest returns
Ultimately measured in $$
A Matter of Questions
Economic
Who
When
Why
Where
Technical
What
How
Who Suffers?
Who has primary responsibility when bank
fraud occurs?
In US – the bank
In Europe – the customer
Guess which has the more effective
security system
Who Suffers?
Disincentive:
The party funding the security measure is not
the party suffering the consequence of a
breach
Why should the funding party spend a lot
if no liability?
Would virus protection be more effective if
mail client vendors had to pay the user’s costs
of a virus?
Who Pays?
Who pays for protecting a shared
resource?
Users want to get as much of it as they can
Aren’t motivated to spend to protect it
Resource manager wants to maximize use
(and revenue), so he should pay
Example – Network vendor should prevent
DoS attacks and not expect users to pay for
the protection
When Should Security be Added?
All software engineers know – when the
product is developed
But what are the real costs?
Time to Market
Complexity
Economics Term:
NETWORK EXTERNALITIES
The change in value of a resource when
the number of consumers of the resource
changes
Example: Metcalfe’s Law – value of a
network increases as the square of the
number of nodes
A product has more underlying value if it
has more users
When – Time to Market
The preceding implies a high value for
getting to market first
Dominate
Low marginal costs once established
Set up barriers – high switching costs
Adding security features increases time to
market and risks missing the window of
opportunity
When – Time to Market
Users would probably pay more if product
were more secure
I.e. incremental development costs are OK
But lost-opportunity costs are too high for
the vendor
A disincentive to building security in from the
start
When - Complexity
Security features in OS or Network make life
more difficult for developers
Think of capability like record locking – necessary, but
makes application more complicated
Developers are a primary target for OS and
Network vendors
Thus arises an implicit agreement to pass
security costs on to the users
Not absolutely required for applications
Why Have Security?
Economic Reasons
Add security features for the benefit of the
vendor, not the user
Lock-in users
Maximize revenue
Protect on-going revenue
Get market data
Why? – Lock-in Users
Use proprietary security measures
Vendor can control
Can create revenue
Block or hinder competition
Users get familiar – harder to switch
Probably reduces reliability and stability
Why – Maximize Revenue
Use as a high price upgrade feature
Incremental cost is low to nothing
But can charge a lot for it
Non-IT example: Airline fares
IT example: Basic product vs. “Gold” version
Why – Protect Revenue
Use security to prevent reverse
engineering
Use security measures to prevent add-on
generic products
E.g. printer cartridges
Why – Protect and Gather Data
RFID
Helps prevent theft
Creates revenue (e.g. toll tags)
Track inventory and shipments
(IBM “you’re on the road to Fresno” ad)
But
Big privacy threat
Can track car movements
Can track people (see movie “Minority Report”)
Why – Get Market Data
MS Passport – a good example of a bad
example
Purported purpose – to provide a single point
of security to many Web sites
But Passport tracks your surfing
And shares your data
And provides bad guys with a single point of
attack
Where is the Advantage?
(Economics of “War”)
In security matters today, attackers have the
advantage
Easier to find one flaw than find and patch
them all
Attacker only needs one
Can model investment in attack and defense
Estimate bug count and investment in finding
Attacker’s advantage is large
Like trying to defend in Iraq
Attack can come anywhere – defense must be everywhere
Another Who Question
Who Determines Security Quality?
International Standards for Security exist
But like ISO 9000, they appear to be more
about process than content
No absolute standard
Customer says what is wanted in security
Vendor verifies product meets requirements
Current working standard is called
“Common Criteria”
Who Pays for Evaluation?
Should be customer, but this is big
expense if each customer does it
Current practice is that vendor pays an
evaluator
This leads to shopping for “easy”
evaluators
An Application Vendor may actually
consider an evaluated product to have less
value
If A.V. embeds the security product in his product and
it fails, A.V. is more likely liable if security product is
certified
Conclusion
Why do IT vendors not provide great
security?
Economics!
Create Monopoly
Maximize revenue
Reduce risk
Economics promotes insecurity
Ultimately the problem is more political
than technical
Final Analysis
The author’s arguments make sense but
are strictly qualitative
The paper provides little in the way of
suggestions to solve the problems it
describes
Its purpose is to provide us (especially
techies) with a different, more complete
and more realistic way to view security
issues