Economics, Policy and Information Security
Ross Anderson, Cambridge University


Financial Times 25/9/5
- Infosec now an ‘Arms Race’ no-one can stop
- ‘Today indeed it seems we have a deficit of computer security. But it seems inevitable that tomorrow we will have too much’
- Decision-makers rely on data ‘systematically skewed in the direction of exaggerated harm and understated cost of prevention’
- ‘Over-protecting ourselves today will cost us tomorrow dearly in the unborn or delayed generations of innovation’

Economics and Security
- Over the last five years, we have started to apply economic analysis to information security
- Economic analysis often explains security failure better than technical analysis!
- Information security mechanisms are used increasingly to support business models rather than to manage risk
- Economic analysis is critical for understanding competitive advantage
- It’s also vital for good public policy on security

Traditional View of Infosec
- People used to think that the Internet was insecure because of lack of features – not enough crypto / authentication / filtering
- So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
- About 1999, we started to realize that this is not enough

Incentives and Infosec
- Electronic banking: UK banks were less liable for fraud than US banks, so they got careless and ended up suffering more fraud and error
- Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others
- Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
- Why is Microsoft software so insecure, despite its market dominance?

New View of Infosec
- Systems are often insecure because the people who could fix them have no incentive to
- Bank customers suffer when bank staff get careless about fraud; patients suffer when hospital systems put administrators’ convenience before patient privacy; Amazon’s website suffers when infected PCs attack it
- Security is often what economists call an ‘externality’ – like environmental pollution
- This may justify government intervention

New Uses of Infosec
- Xerox started using authentication in ink cartridges to tie them to the printer
- Followed by HP, Lexmark … and Lexmark’s case against SCC (and Dell – US and Europe drifting apart!)
- Accessory control now spreading to more and more industries (games, phones, cars, …)

IT Economics and Security 1
- The high fixed/low marginal costs, network effects and switching costs in information industries all tend to lead to dominant-firm markets with big first-mover advantage
- So time-to-market is critical
- Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but quite rational
- Whichever company had won in the PC OS business would have done the same

IT Economics and Security 2
- When building a network monopoly, it is also critical to appeal to the vendors of complementary products
- E.g., application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or music sites in WMP versus RealPlayer
- Lack of security in earlier versions of Windows makes it easier to develop applications
- Similarly, choice of security technologies that dump support costs on the user (SSL, PKI, …)

Security and Liability
- Why did digital signatures not take off (e.g. SET protocol)?
- Industry thought: legal uncertainty. So EU passed electronic signature law
- But customers and merchants resisted transfer of liability by bankers for disputed transactions
- Customers are best off sticking with credit cards, as any fraud is the bank’s problem
- Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty, premium-rate rip-offs

Privacy
- Most people say they value privacy, but act otherwise
- Privacy technology ventures have mostly failed (Zero Knowledge, Securicor, …)
- Latest research – people care about privacy when buying clothes, but not cameras
- Analysis – some items relate to personal image, and it’s here that the privacy sensitivity focuses
- Issue for mobile phone industry – phone viruses worse for image than PC viruses
- privacy.htm

How are Incentives Skewed?
- If you are DirNSA and have a nice new hack on Windows, do you tell Bill?
  - Tell – protect 300m Americans
  - Don’t tell – be able to hack 400m Europeans, 1000m Chinese, …
- If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

Skewed Incentives (2)
- Within corporate sector, large companies tend to spend too much on security and small companies too little
- Research shows adverse selection effect:
  - The most risk-averse people end up as corporate security managers
  - More risk-loving people may be sales or engineering staff, or small-business entrepreneurs
- Also: due-diligence effects, government regulation, insurance market issues

Economics of Rights Management (1)
- What happens when you link a concentrated industry (platforms) with a less concentrated industry (music)?
- Varian’s analysis – most of the resulting surplus goes to the platform owner
- So don’t be surprised at music industry complaints about Apple, or DG Competition action against WMP

Economics of Rights Management (2)
- IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator
- Files are encrypted and associated with rights management information
- The file creator can specify that a file can only be read by Mr. X, and only till date Y
- Now shipping in Office – and heavily promoted!
- What will be the effect on the typical business that uses PCs?

Economics of Rights Management (3)
- At present, a company with 100 PCs pays maybe $500 per seat for Office
- Remember Shapiro-Varian result – value of software company = total switching costs
- So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000
- But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher
- Lock-in is the key
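The two rights-management slides above describe a mechanism (an encrypted file tied to a policy naming one reader and an expiry date, with the keys held on the creator's side) and its economic effect (documents the machine owner can no longer convert without permission). The toy model below, added here as an illustration and not code from the talk, Microsoft Office or any real IRM product, puts both on one page: a licence server gates the content key on reader and date, a keyed MAC stops the PC owner editing the policy, and a migration report counts how many of a firm's files its own IT staff could convert. The SHA-256 keystream cipher, the hard-coded keys, and the names, file ids and dates are all constructed for the demo.

```python
"""Toy model of Information Rights Management (IRM): files are encrypted and tied to a
rights policy naming who may read them and until when. Constructed illustration only,
not Microsoft's IRM or any real DRM product; the SHA-256 keystream cipher and the
hard-coded keys are for demonstration, never for real protection."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256 (toy cipher for the demo).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class ProtectedFile:
    file_id: str
    ciphertext: bytes
    policy_bytes: bytes   # JSON: reader ("only Mr. X"), expires ("only till date Y"), creator
    tag: bytes            # HMAC over the policy, so the PC owner cannot edit it


class LicenceServer:
    """Holds content keys and the policy-signing key. Run by the creator's side, not by
    the owner of the machine where the file sits: the ownership shift the slide describes."""

    def __init__(self) -> None:
        self._content_keys = {}
        self._policy_key = hashlib.sha256(b"constructed policy-signing key").digest()

    def protect(self, file_id: str, plaintext: bytes, reader: str, expires: str, creator: str) -> ProtectedFile:
        # Constructed, deterministic content key so the demo is reproducible.
        key = hashlib.sha256(b"constructed content key " + file_id.encode()).digest()
        self._content_keys[file_id] = key
        policy = json.dumps({"reader": reader, "expires": expires, "creator": creator}, sort_keys=True).encode()
        tag = hmac.new(self._policy_key, policy, hashlib.sha256).digest()
        return ProtectedFile(file_id, _xor(plaintext, _keystream(key, len(plaintext))), policy, tag)

    def request_key(self, pf: ProtectedFile, requester: str, today: str) -> bytes:
        expected = hmac.new(self._policy_key, pf.policy_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pf.tag):
            raise PermissionError("rights policy has been tampered with")
        policy = json.loads(pf.policy_bytes)
        if requester not in (policy["reader"], policy["creator"]):
            raise PermissionError(f"{requester} is not licensed to read {pf.file_id}")
        if date.fromisoformat(today) > date.fromisoformat(policy["expires"]):
            raise PermissionError(f"licence for {pf.file_id} expired on {policy['expires']}")
        return self._content_keys[pf.file_id]


def open_file(server: LicenceServer, pf: ProtectedFile, requester: str, today: str) -> bytes:
    key = server.request_key(pf, requester, today)
    return _xor(pf.ciphertext, _keystream(key, len(pf.ciphertext)))


def migration_report(server, files, migrating_user, today):
    """How many documents could a firm's IT staff convert to another suite on their own?
    Each blocked file needs the creator's permission first: the extra switching cost
    the lock-in slide describes."""
    convertible = blocked = 0
    for pf in files:
        try:
            open_file(server, pf, migrating_user, today)
            convertible += 1
        except PermissionError:
            blocked += 1
    return convertible, blocked


def demo() -> dict:
    # Constructed sample files, users and dates.
    server = LicenceServer()
    memo = server.protect("memo-1", b"Q3 forecast", "mr.x@firm.example", "2006-12-31", "alice@firm.example")
    minutes = server.protect("minutes-7", b"Board minutes", "it-admin@firm.example", "2010-01-01", "bob@firm.example")
    results = {"mr_x_reads": open_file(server, memo, "mr.x@firm.example", "2006-06-01")}
    for label, who, when in [("admin_reads", "it-admin@firm.example", "2006-06-01"),
                             ("mr_x_after_expiry", "mr.x@firm.example", "2007-01-01")]:
        try:
            results[label] = open_file(server, memo, who, when)
        except PermissionError as e:
            results[label] = str(e)
    # The PC owner rewrites the expiry date; the MAC no longer verifies.
    tampered = ProtectedFile(memo.file_id, memo.ciphertext, memo.policy_bytes.replace(b"2006", b"2099"), memo.tag)
    try:
        results["tampered"] = open_file(server, tampered, "mr.x@firm.example", "2007-01-01")
    except PermissionError as e:
        results["tampered"] = str(e)
    results["migration"] = migration_report(server, [memo, minutes], "it-admin@firm.example", "2006-06-01")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point to take from running it is not the cipher but the migration report: the file the creator licensed only to Mr. X stays opaque to the firm's own administrators, so every such document adds to the cost of leaving the platform, exactly the lock-in effect the slide prices at far more than the $50,000 retraining estimate.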

The Information Society
- More and more goods contain software
- More and more industries are starting to become like the software industry
- The good: flexibility, rapid response
- The bad: frustration, poor service
- The ugly: monopolies
- How will the law evolve to cope?

Property
- The enlightenment idea – that the core mission of government wasn’t defending faith, but defending property rights
- 18th-19th century: rapid evolution of property and contract law
- Realization that these are not absolute!
- Abolition of slavery, laws on compulsory purchase, railway regulation, labour contracts, tenancy contracts, …

Intellectual Property
- Huge expansion as software etc have become more important – 7+ directives since 1991
- As with ‘ordinary’ property and contract in about 1850, we’re hitting serious conflicts
- Competition law – legal protection of DRM mechanisms leads to enforcement of illegal contracts and breaches of the Treaty of Rome; judgment against Microsoft
- Environmental law – recycling of ink cartridges mandated, after printer vendors use crypto to stop it

Intellectual Property (2)
- Privacy law – DRM mechanisms collect usage data to segment markets
- Trade law – exemption for online services may undermine the Single Market
- Employment law – French courts strike down a major’s standard record contract
- IPR Enforcement Directive 2 – will criminalize patent infringement and incitement to infringe IP, unlike in the USA, where the BSA is leading the push for reduced civil damages in patent cases
- With IPRED 1 and Lexmark, may make the EU more hostile to tech innovation than America

Conclusions
- More government involvement in infosec, and related issues such as DRM, is inevitable
- However, policy is often confused and contradictory at all levels
- We need to figure out how to balance competing social goals, as we have in the physical world, and underpin that balance with legislation
- And we mustn’t end up being more hostile to technology business than the USA
- Mature economic analysis is essential!

More …
- WEIS 2006 (Workshop on Economics and Information Security), Cambridge, June
- Economics and Security Resource Page – (or follow link from my home page)
- Foundation for Information Policy Research –