The Economics of Information Security: A Survey and Open Questions Ross Anderson, Tyler Moore Cambridge University.
Download ReportTranscript The Economics of Information Security: A Survey and Open Questions Ross Anderson, Tyler Moore Cambridge University.
The Economics of Information Security: A Survey and Open Questions Ross Anderson, Tyler Moore Cambridge University Economics and Security The link between economics and security atrophied after WW2 Since 2000, information security economics has become a hot topic, with 100 researchers and now two annual workshops (WEIS, WESII) Economic analysis often explains failure better then technical analysis! Infosec mechanisms are used increasingly to support business models (DRM, lock-in, …) Research is now spilling over to dependability, conventional security, trust and risk Traditional View of Infosec People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering So engineers worked on providing better, cheaper security features – AES, PKI, firewalls … About 1999, we started to realize that this is not enough Incentives and Infosec Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy Why is Microsoft software so insecure, despite market dominance? New View of Infosec Systems are often insecure because the people who could fix them have no incentive to Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it People connecting an insecure PC to the net don’t pay full costs, so we under-invest in antivirus software (Varian) The move of businesses online led to massive liability dumping (Bohm et al) New Uses of Infosec Xerox started using authentication in ink cartridges to tie them to the printer (1996) Followed by HP, Lexmark … and Lexmark’s case against SCC Motorola started authenticating mobile phone batteries to the phone in 1998 The use of security technology to manipulate switching costs and tie products is now widespread Vista will make compatibility control easier for software writers Platform Security Lifecycle High fixed/low marginal costs, network effects and switching costs all tend to lead to dominantfirm markets with big first-mover advantage Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ was quite rational When building a network monopoly, woo complementers by skimping on security, and choosing technology like SSL that dumps the compliance costs on the user Once you’re established, lock everything down Other Investment Effects Security may depend on best effort (security architect), weakest-link (careless programmer) or sum-of-efforts (testing) Analysis (Akerlof, Varian) suggests firms should hire more testers, and fewer but better programmers (this is happening!) Security products can be strategic complements (and tend to be a lemons market anyway) Security product adoption a hard problem unless you provide early adopters with local benefits So very many products fail to get adopted Security and Liability Why did digital signatures not take off? Industry thought: legal uncertainty. So EU passed electronic signature law But customers and merchants resist transfer of liability by bankers for disputed transactions Best to stick with credit cards, as that way fraud is still largely the bank’s problem Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty Privacy Economics Gap between stated and revealed preferences! Odlyzko – technology makes price discrimination both easier and more attractive Varian – interests of consumers and firms not in conflict but information markets fail because of externalities and search costs. Educated consumers opt out more Acquisti et al – people care about privacy when buying clothes, but not cameras (some items relate to your image, so are privacy sensitive) Externalities cut both ways, though – to be anonymous, you need to be in a crowd Open versus Closed? Are open-source systems more dependable? It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them Theory: openness helps both equally if bugs are random in standard dependability model So maybe we should keep systems closed (Rescorla) – but this is an empirical question So get the statistics: bugs are correlated in a number of real systems (‘Milk or Wine?’) Trade-off: the gains from this, versus the risks to systems whose owners don’t patch Vulnerability Markets Security isn’t just a lemons market – even the vendor often doesn’t know the quality of his software Insurance can be problematic because of interfirm failure correlation Camp and Wolfram (2000), Schechter (2002): try vulnerability markets Two traders now exist (but prices secret) Alternatives - software quality derivatives (Böhme), bug auctions (Ozment) How Much to Spend? How much should firms spend on information security? Governments, vendors say: much much more than at present (But they’ve been saying this for 20 years!) Measurements of security return-on-investment suggest current expenditure may be about right But SMEs spend too little, big firms too much, and governments way too much Adams: it’s the selection of the risk managers Games on Networks The topology of a network can be important! Barabási and Albert showed that a scale-free network could be attacked efficiently by targeting its high-order nodes Think: rulers target Saxon landlords / Ukrainian kulaks / Tutsi schoolteachers /… Can we use evolutionary game theory ideas to figure out how networks evolve? Idea: run many simulations between different attack / defence strategies Games on Networks (2) Vertex-order attacks with: Black – normal (scalefree) node replenishment Green – defenders replace high-order nodes with rings Cyan – they use cliques (c.f. system biology …) The price of anarchy Some technical cases soluble, e.g. routing with linear costs, 4/3 (Roughgarden et al) Big CS interest in combinatorial auctions for routing (Papadimitiou et al) Big practical problem: spam (and phishing) Proposed techie solutions (e.g. puzzles) put the incentive in the wrong place Peer-to-peer systems: clubs? Vista and Competition A live EU concern – workshop on Monday IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator Files are encrypted and associated with rights management information Switching from Office to OpenOffice in 2010 might involve getting permission from all your correspondents Other cases of lock-in harming innovation Vista and Competition (2) How should we think of DRM? The music industry wanted it while the computer industry hated it. This is flipping. Microsoft embraced DRM and the music industry’s now wavering Varian, 2005: what happens when you connect a concentrated industry to a diffuse one? Answer, 2006 – Apple runs away with the money Answer, 2007 – Microsoft appears to be making a play to control high-definition content distribution (Gutmann) Large Project Failure Maybe 30% of large projects fail But we build much bigger failures nowadays than 30 years ago so… Why do more public-sector projects fail? Consider what the incentives are on project managers versus ministers – and what sort of people will become successful project managers versus ministers! The Information Society More and more goods contain software More and more industries are starting to become like the software industry The good: flexibility, rapid response The bad: frustration, poor service The ugly: monopolies The world will be full of ‘things that think’ (and that exhibit strategic behaviour) How will society evolve to cope? More … Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from www.ross-anderson.com) WEIS – Annual Workshop on Economics and Information Security – next at CMU, June 7–8 2006