The Economics of Information Security
Ross Anderson
Cambridge University
Economics and Security
• Over the last four years, we have started to apply economic analysis to information security
• Economic analysis often explains security failure better than technical analysis!
• Information security mechanisms are used increasingly to support business models rather than to manage risk
• Economic analysis is also vital for the public policy aspects of security
• It is critical for understanding competitive advantage
Traditional View of Infosec
• People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
• So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
• About 1999, we started to realize that this is not enough
Incentives and Infosec
• Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
• Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others
• Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
• Why is Microsoft software so insecure, despite market dominance?
New View of Infosec
• Systems are often insecure because the people who could fix them have no incentive to
• Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it
• Security is often what economists call an ‘externality’ – like environmental pollution
• This is an excuse for government intervention
New Uses of Infosec
• Xerox started using authentication in ink cartridges to tie them to the printer
• Followed by HP, Lexmark … and Lexmark’s case against SCC
• Motorola started authenticating mobile phone batteries to the phone
• BMW now has a car prototype that authenticates its major components
IT Economics (1)
• The first distinguishing characteristic of many IT product and service markets is network effects
• Metcalfe’s law – the value of a network is the square of the number of users
• Real networks – phones, fax, email
• Virtual networks – PC architecture versus Mac, or Symbian versus WinCE
• Network effects tend to lead to dominant-firm markets where the winner takes all
IT Economics (2)
• Second common feature of IT product and service markets is high fixed costs and low marginal costs
• Competition can drive down prices to marginal cost of production
• This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility …
• These effects can also lead to dominant-firm market structures
IT Economics (3)
• Third common feature of IT markets is that switching from one product or service to another is expensive
• E.g. switching from Windows to Linux means retraining staff, rewriting apps
• Shapiro-Varian theorem: the net present value of a software company is the total switching costs
• This is why so much effort is starting to go into accessory control – manage the switching costs in your favour
IT Economics and Security
• High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
• So time-to-market is critical
• Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but driven by economics
• Whichever company had won in the PC OS business would have done the same
IT Economics and Security 2
• When building a network monopoly, it is also critical to appeal to the vendors of complementary products
• E.g., application software developers in the case of PC versus Apple, or now of Symbian versus CE
• Lack of security in earlier versions of Windows makes it easier to develop applications
• Similarly, motive for choice of security technologies that dump the support costs on the user (e.g. SSL, PKI, …)
Why are many security products ineffective?
• Akerlof’s Nobel-prizewinning paper, ‘The Market for Lemons’ provides key insight – asymmetric information
• Suppose a town has 100 used cars for sale: 50 good ones worth $2000 and 50 lemons worth $1000
• What is the equilibrium price of used cars in this town?
• If $1500, no good cars will be offered for sale …
• Fix: brands (e.g. ‘Volvo certified used car’)
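
The unravelling in the used-car example above, as an added Python illustration that is not part of the original slides. It assumes risk-neutral buyers who pay the average worth of the cars on offer and sellers who withdraw any car worth more than the going price; the three-tier market and all function names are constructed here.

```python
# Added illustration (not from the slides): adverse selection when buyers
# cannot tell quality apart before purchase.
# Assumptions: buyers pay the average worth of the cars currently on offer;
# a seller withdraws a car whose worth exceeds the going price.

def pooled_price(cars):
    """cars: {worth_in_dollars: count}.
    Returns (price history per round, cars still offered at equilibrium)."""
    offered = dict(cars)
    history = []
    while True:
        total = sum(offered.values())
        price = sum(worth * n for worth, n in offered.items()) / total
        history.append(price)
        # Sellers of cars worth more than the going price pull out.
        staying = {w: n for w, n in offered.items() if w <= price}
        if staying == offered:
            return history, offered
        offered = staying

def cars_traded(cars, certified=frozenset()):
    """Qualities in `certified` carry a trusted brand and sell at their worth;
    everything else is pooled. Returns how many cars actually trade."""
    traded = sum(n for w, n in cars.items() if w in certified)
    rest = {w: n for w, n in cars.items() if w not in certified}
    if rest:
        traded += sum(pooled_price(rest)[1].values())
    return traded

# The town from the slide: 50 good cars at $2000, 50 lemons at $1000.
TOWN = {2000: 50, 1000: 50}
# Constructed three-tier market: the best cars leave first, then the next tier.
THREE_TIER = {3000: 40, 2000: 40, 1000: 20}

if __name__ == "__main__":
    for name, market in (("town", TOWN), ("three-tier", THREE_TIER)):
        history, left = pooled_price(market)
        print(name, "prices by round:", [round(p) for p in history])
        print(name, "still offered:", left)
    print("town, traded without brand:", cars_traded(TOWN))
    print("town, traded with good cars certified:", cars_traded(TOWN, {2000}))
```
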
Security and Liability
• Why did digital signatures not take off (e.g. SET protocol)?
• Industry thought: legal uncertainty. So EU passed electronic signature law
• Recent research: customers and merchants resist transfer of liability by bankers for disputed transactions
• Best to stick with credit cards, as any fraud is the bank’s problem
• Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty
Privacy
• Most people say they value privacy, but act otherwise
• Privacy technology ventures have mostly failed
• Latest research – people care about privacy when buying clothes, but not cameras
• Analysis – some items relate to personal image, and it’s here that the privacy sensitivity focuses
• Issue for mobile phone industry – phone viruses worse for image than PC viruses
How Much to Spend?
• How much should the average company spend on information security?
• Governments, vendors: much much more than at present
• They’ve been saying this for 20 years!
• Measurements of security ROI suggest about 20% p.a.
• So current expenditure maybe about right
• No room for huge growth selling firewalls…
How are Incentives Skewed?
• If you are DirNSA and have a nice new hack on NT, do you tell Bill?
• Tell – protect 300m Americans
• Don’t tell – be able to hack 400m Europeans, 1000m Chinese,…
• If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President
Skewed Incentives (2)
• Within corporate sector, large companies tend to spend too much on security and small companies too little
• Research shows adverse selection effect
• The most risk-averse people end up as corporate security managers
• More risk-loving people may be sales or engineering staff, or small business entrepreneurs
• Also: due-diligence effects, government regulation, insurance market issues
Why Bill wasn’t interested in security
• While Microsoft was growing, the two critical factors were speed, and appeal to application developers
• Security markets were over-hyped and driven by artificial factors
• Issues like privacy and liability were more complex than they seemed
• The public couldn’t tell good security from bad anyway
Why is Bill now changing his mind?
• ‘Trusted Computing’ initiative ranges from TCG to the IRM mechanisms in Office 2003
• TCG – put a TPM (smartcard) chip in every PC motherboard, PDA, mobile phone
• This will do remote attestation of what the machine is and what software it’s running
• On top of this will be layers of software providing new security functionality, of a kind that would otherwise be easily circumvented, such as DRM and IRM
Why is Bill now changing his mind? (2)
• IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator
• Files are encrypted and associated with rights management information
• The file creator can specify that a file can only be read by Mr. X, and only till date Y
• Now shipping in Office 2003
• What will be the effect on the typical business that uses PCs?
Why is Bill now changing his mind? (3)
• At present, a company with 100 PCs pays maybe $500 per seat for Office
• Remember – value of software company = total switching costs
• So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000
• But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher
• Lock-in is the key
Strategic issues
• TCG initiative started by Intel as they believed that control of the ‘home hub’ was vital
• They made 90% of their profits from PC processors, and controlled 90% of the market
• Innovations such as PCI, USB and now TC are designed to grow the overall size of the PC market
• They are determined not to lose control of the home to the Sony Playstation
Strategic Issues (2)
• Who will control users’ data?
• Microsoft view – everything will be on an MS platform (your WP files, presentations, address book, pictures, movies, music)
• European Commission view – this is illegal anticompetitive behaviour
• Proposed anti-trust remedy – force MS to unbundle Media Player, or to include other media players in its Windows distribution
Competitive issue
• Microsoft vision is to control a framework into which all user data is drawn, and in which it is then managed
• This could extend Microsoft’s market power from the PC platform to PDAs, phones, music systems,…
• If this works it is bad news for market competition, and bad news for vendors of phones, consumer electronics …
• Is there any alternative framework play?
Alternative Vision
• The ‘Trusted Computing’ view of the universe makes the ‘home hub’ the centre of the digital world, and assumes it to be a PC
• The Sony view of the world is similar, except that the hub is a Playstation
• Matsushita – it’s a souped-up PVR
• However, maybe the mobile phone is a better hub than the PC!
Alternative Vision …
• There are many, many more mobile phones in the world than PCs
• The mobile phone is private – kids take it to bed
• People rely on it when under stress
• It is their antidote to the complexity of life
• It is how they shape their social world
• By comparison, a PC is used in turn by all family members, and visitors – rather like a toilet
The Big Issue, 2004-2006
• With encryption and broadband, the data can be anywhere
• What matters is where the trust is located
• Trust can be based on the PC, in a PVR, in a mobile phone, maybe even in an ID card …
• There are all sorts of crossover technologies possible (e.g., Bluetooth mouse as TPM)
• But the power struggle will be fierce, and the players will try to control compatibility.
• Could/should governments intervene?
The Irish Presidency Issue
• The EU IPR Enforcement Directive (IPRED) will greatly increase lock-in
• The EU Parliament watered it down in the legal and industry committees; Commission/Council reinstated it
• By making reverse engineering harder it will harm small companies and growth
• By facilitating market segmentation it will undermine the Single Market
More …
• WEIS 2004 (Workshop on Economics and Information Security), University of Minnesota, 13-14 May 2004
• Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)
• EU IPRED – see www.fipr.org