The Economics of Information Security
Ross Anderson
Cambridge University

Economics and Security
- Over the last four years, we have started to apply economic analysis to information security
- Economic analysis often explains security failure better than technical analysis!
- Information security mechanisms are used increasingly to support business models rather than to manage risk
- Economic analysis is also vital for the public policy aspects of security
- It is critical for understanding competitive advantage

Traditional View of Infosec
- People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
- So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
- About 1999, we started to realize that this is not enough

Incentives and Infosec
- Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
- Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others
- Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
- Why is Microsoft software so insecure, despite market dominance?

New View of Infosec
- Systems are often insecure because the people who could fix them have no incentive to
- Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it
- Security is often what economists call an ‘externality’ – like environmental pollution
- This is an excuse for government intervention

New Uses of Infosec
- Xerox started using authentication in ink cartridges to tie them to the printer
- Followed by HP, Lexmark … and Lexmark’s case against SCC
- Motorola started authenticating mobile phone batteries to the phone
- BMW now has a car prototype that authenticates its major components

IT Economics (1)
- The first distinguishing characteristic of many IT product and service markets is network effects
- Metcalfe’s law – the value of a network is the square of the number of users
- Real networks – phones, fax, email
- Virtual networks – PC architecture versus Mac, or Symbian versus WinCE
- Network effects tend to lead to dominant-firm markets where the winner takes all

IT Economics (2)
- Second common feature of IT product and service markets is high fixed costs and low marginal costs
- Competition can drive down prices to marginal cost of production
- This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility …
- These effects can also lead to dominant-firm market structures

IT Economics (3)
- Third common feature of IT markets is that switching from one product or service to another is expensive
- E.g. switching from Windows to Linux means retraining staff, rewriting apps
- Shapiro-Varian theorem: the net present value of a software company is the total switching costs
- This is why so much effort is starting to go into accessory control – manage the switching costs in your favour

IT Economics and Security
- High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
- So time-to-market is critical
- Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but driven by economics
- Whichever company had won in the PC OS business would have done the same

IT Economics and Security (2)
- When building a network monopoly, it is also critical to appeal to the vendors of complementary products
- E.g., application software developers in the case of PC versus Apple, or now of Symbian versus CE
- Lack of security in earlier versions of Windows makes it easier to develop applications
- Similarly, a motive for the choice of security technologies that dump the support costs on the user (e.g. SSL, PKI, …)

Why are many security products ineffective?
- Akerlof’s Nobel-prizewinning paper, ‘The Market for Lemons’, provides the key insight – asymmetric information
- Suppose a town has 100 used cars for sale: 50 good ones worth $2000 and 50 lemons worth $1000
- What is the equilibrium price of used cars in this town?
- If $1500, no good cars will be offered for sale …
- Fix: brands (e.g. ‘Volvo certified used car’)
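The lemons market from this slide, worked through as a small Python model added here (not from the slides): sellers know what their car is worth, buyers only see the average of what is on offer, and the price is iterated from the $1500 guess; the ‘brand’ fix is modelled as a trusted label that lets buyers price each quality class separately. The car counts and values are the slide’s; the function names are my own.

```python
"""Toy model of Akerlof's 'market for lemons' as used on the slide: 100 used
cars, 50 good ones worth $2000 and 50 lemons worth $1000. Sellers know what
they have; buyers cannot tell, which is the same asymmetry a buyer of a
security product faces. Added example, not part of the original slides."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory with the slide's numbers; the value is the seller's
# private information.
CARS: List[int] = [2000] * 50 + [1000] * 50


def offered_at(price: float, cars: List[int]) -> List[int]:
    """A seller only offers a car if the market price at least covers its value."""
    return [value for value in cars if value <= price]


def buyers_willing_to_pay(offered: List[int]) -> float:
    """Uninformed buyers see only the pool, so they pay at most its average value."""
    return sum(offered) / len(offered) if offered else 0.0


def find_equilibrium(cars: List[int], start_price: float = 1500.0,
                     max_rounds: int = 20) -> Tuple[float, List[float]]:
    """Iterate price -> cars offered -> price buyers will pay until it stops
    moving. Returns the equilibrium price and the path of prices taken."""
    price = start_price
    history = [price]
    for _ in range(max_rounds):
        new_price = buyers_willing_to_pay(offered_at(price, cars))
        history.append(new_price)
        if new_price == price:
            break
        price = new_price
    return price, history


def with_certification(cars: List[int]) -> Dict[int, float]:
    """The 'brand' fix: a trusted certifier labels each car's class, so buyers
    price each labelled pool on its own and good cars fetch their full value."""
    pools: Dict[int, List[int]] = defaultdict(list)
    for value in cars:
        pools[value].append(value)  # the label is the certified quality class
    return {label: buyers_willing_to_pay(pool) for label, pool in pools.items()}


if __name__ == "__main__":
    price, path = find_equilibrium(CARS)
    print(f"uncertified market: price path {path}, equilibrium ${price:.0f}")
    print(f"certified market: {with_certification(CARS)}")
```

Starting at $1500 only the lemons are offered, so buyers revise down to $1000 and the good cars never trade; with certification each class clears at its true value.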

Security and Liability
- Why did digital signatures not take off (e.g. SET protocol)?
- Industry thought: legal uncertainty. So EU passed electronic signature law
- Recent research: customers and merchants resist transfer of liability by bankers for disputed transactions
- Best to stick with credit cards, as any fraud is the bank’s problem
- Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty

Privacy
- Most people say they value privacy, but act otherwise
- Privacy technology ventures have mostly failed
- Latest research – people care about privacy when buying clothes, but not cameras
- Analysis – some items relate to personal image, and it’s here that the privacy sensitivity focuses
- Issue for mobile phone industry – phone viruses worse for image than PC viruses

How Much to Spend?
- How much should the average company spend on information security?
- Governments, vendors: much much more than at present
- They’ve been saying this for 20 years!
- Measurements of security ROI suggest about 20% p.a.
- So current expenditure maybe about right
- No room for huge growth selling firewalls…

How are Incentives Skewed?
- If you are DirNSA and have a nice new hack on NT, do you tell Bill?
- Tell – protect 300m Americans
- Don’t tell – be able to hack 400m Europeans, 1000m Chinese, …
- If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

Skewed Incentives (2)
- Within corporate sector, large companies tend to spend too much on security and small companies too little
- Research shows adverse selection effect
- The most risk-averse people end up as corporate security managers
- More risk-loving people may be sales or engineering staff, or small business entrepreneurs
- Also: due-diligence effects, government regulation, insurance market issues

Why Bill wasn’t interested in security
- While Microsoft was growing, the two critical factors were speed, and appeal to application developers
- Security markets were over-hyped and driven by artificial factors
- Issues like privacy and liability were more complex than they seemed
- The public couldn’t tell good security from bad anyway

Why is Bill now changing his mind?
- ‘Trusted Computing’ initiative ranges from TCG to the IRM mechanisms in Office 2003
- TCG – put a TPM (smartcard) chip in every PC motherboard, PDA, mobile phone
- This will do remote attestation of what the machine is and what software it’s running
- On top of this will be layers of software providing new security functionality, of a kind that would otherwise be easily circumvented, such as DRM and IRM

Why is Bill now changing his mind? (2)
- IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator
- Files are encrypted and associated with rights management information
- The file creator can specify that a file can only be read by Mr. X, and only till date Y
- Now shipping in Office 2003
- What will be the effect on the typical business that uses PCs?

Why is Bill now changing his mind? (3)
- At present, a company with 100 PCs pays maybe $500 per seat for Office
- Remember – value of software company = total switching costs
- So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000
- But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher
- Lock-in is the key

Strategic Issues
- TCG initiative started by Intel as they believed that control of the ‘home hub’ was vital
- They made 90% of their profits from PC processors, and controlled 90% of the market
- Innovations such as PCI, USB and now TC are designed to grow the overall size of the PC market
- They are determined not to lose control of the home to the Sony Playstation

Strategic Issues (2)
- Who will control users’ data?
- Microsoft view – everything will be on an MS platform (your WP files, presentations, address book, pictures, movies, music)
- European Commission view – this is illegal anticompetitive behaviour
- Proposed anti-trust remedy – force MS to unbundle Media Player, or to include other media players in its Windows distribution

Competitive Issue
- Microsoft vision is to control a framework into which all user data is drawn, and in which it is then managed
- This could extend Microsoft’s market power from the PC platform to PDAs, phones, music systems, …
- If this works it is bad news for market competition, and bad news for vendors of phones, consumer electronics …
- Is there any alternative framework play?

Alternative Vision
- The ‘Trusted Computing’ view of the universe makes the ‘home hub’ the centre of the digital world, and assumes it to be a PC
- The Sony view of the world is similar, except that the hub is a Playstation
- Matsushita – it’s a souped-up PVR
- However, maybe the mobile phone is a better hub than the PC!

Alternative Vision …
- There are many, many more mobile phones in the world than PCs
- The mobile phone is private – kids take it to bed
- People rely on it when under stress
- It is their antidote to the complexity of life
- It is how they shape their social world
- By comparison, a PC is used in turn by all family members, and visitors – rather like a toilet

The Big Issue, 2004-2006
- With encryption and broadband, the data can be anywhere
- What matters is where the trust is located
- Trust can be based on the PC, in a PVR, in a mobile phone, maybe even in an ID card …
- There are all sorts of crossover technologies possible (e.g., Bluetooth mouse as TPM)
- But the power struggle will be fierce, and the players will try to control compatibility
- Could/should governments intervene?

The Irish Presidency Issue
- The EU IPR Enforcement Directive (IPRED) will greatly increase lock-in
- The EU Parliament watered it down in the legal and industry committees; Commission/Council reinstated it
- By making reverse engineering harder it will harm small companies and growth
- By facilitating market segmentation it will undermine the Single Market

More …
- WEIS 2004 (Workshop on Economics and Information Security), University of Minnesota, 13-14 May 2004
- Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)
- EU IPRED – see www.fipr.org