Presentation is loading. Please wait.

Presentation is loading. Please wait.

Economics of IT & Information Security

Published byMarian Melton Modified over 6 years ago

Similar presentations

Presentation on theme: "Economics of IT & Information Security"— Presentation transcript:

1 Economics of IT & Information Security
Richard Warner, Robert Sloan, 2013, based originally on Ross Anderson’s Crypto 2007 Keynote slides

2 Traditional View of Infosec
People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering So worked on providing better, cheaper security features – AES, PKI, firewalls … About 1994–2000, some prominent players started to realize that this is not enough

3 People, Law, Economics Trump!
Bruce Schneier, 1994, Applied Cryptography, the book on doing crypto 2000, Secrets and Lies: “I have written this book partly to correct a mistake. Seven years ago I wrote another book … The weak points had nothing to do with [cryptography].” 1970s, Diffie & Hellman invent public-key crypto; 1998, Diffie & Landau publish Privacy on the Line: The politics of Wiretapping and encryption Odlyzko, even Sloan

4 Then came Economics 1994: Anderson publishes about U.K. banks’ economic incentives 2000 lots of stuff 2001–: Econ of Security annual conference

5 Economics and Security
Since c. 2000, started applying economic analysis to IT security and dependability It often explains failure better! Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others: botnets Why was Microsoft software so insecure, despite market dominance, and why did it change?

6 Flip side: which economics
The freshman Intro Microeconomics course’s supply and demand curves from 1950s for Ag. products don’t really explain IT. Need some cool parts of Intermediate Micro, results of 1970s–1990s. Monopoly effects, network effects, etc.

7 New View of Infosec Systems are often insecure because the people who guard them, or who could fix them, have insufficient incentives Bank customers suffer when poorly-designed bank systems make fraud and phishing easier Casino websites suffer when infected PCs run DDoS attacks on them Insecurity is often what economists call an ‘externality’ – a side-effect, like environmental pollution

8 New Uses of Infosec Xerox started using authentication in ink cartridges to tie them to the printer – and its competitors soon followed Carmakers make engine modding harder, and plan to authenticate major components

9 Economic Analysis Informs
Hal Varian (then at Berkeley and NY Times columnist, now Google chief economist): linking two industries benefits the one that is more concentrated. January 2005: Claims recording industry will be unhappy if DRM goes in, because at time only 3 players in DRM with one (Apple) very powerful, music industry more players. Indeed, industry did not like 99 cent tracks. Other two providers of DRM were MS and Sony. Old classic example was deregulating airlines linked the many airlines to the few aircraft producers and airlines started going under.

10 IT Economics (1) The first distinguishing characteristic of many IT product and service markets is network effects: Metcalfe’s law – the value of a network is the square of the number of users: Real networks – phones, fax, Virtual networks – PC architecture versus Mac, or Skype or iCal vs. Google Calendar vs. MS Exchange. Network effects tend to lead to dominant firm markets where the winner takes all

11 IT Economics (2) Second common feature of IT product and service markets is high fixed costs and low marginal costs Competition can drive down prices to marginal cost of production Further, information is experience good every time. This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility … These effects can also lead to dominant-firm market structures Experience good: have to consume some to know its worth. Any new product, and use free samples, testimonials, etc. Browsing, branding, reputation.

12 IT Economics (3) Third common feature of IT markets is that switching from one product or service to another is expensive E.g., switching from Windows to Linux means retraining staff, rewriting apps This lock-in is major part of value of SW companies So major effort goes into managing switching costs–once you have $1500 worth of ebooks on a $139 kindle in kindle format, you’re locked out of the Nook.

13 IT Economics: Free as in Beer?
Increasingly important theme in past 10 years: Consumers receiving valuable services via Internet for no direct payment of cash Google search, Hotmail and Gmail, FB, casual games, all sorts of software, etc. Pay-with-data exchanges And/or pay by accepting advertising If you’re not paying money, you’re the product, not the customer!

14 IT Economics and Security
High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage So time-to-market is critical Microsoft philosophy of “we’ll ship it Tuesday and get it right by version 3” is not perverse behavior by Bill Gates & Steve Ballmer but quite rational Whichever company had won in the PC OS business would have done the same

15 IT Economics and Security (2)
When building a network monopoly, you must appeal to vendors of complementary products That was application software developers in the case of PC versus Apple, and today with mobile phone OS’s: iOs vs. Android. Lack of security in earlier versions of Windows made it easier to develop applications So did the choice of security technologies that dump costs on the user (SSL, not SET c. 1998) Once you’ve a monopoly, lock it all down!

16 Privacy economic issues
People have less than perfect information (will talk about lemons markets later at greater length) People have limited computational ability Behavioral economics: even given those limits, people behave in (systematic, predictable) irrational ways.

17 Privacy Most people say they value privacy, but act otherwise. Most privacy ventures failed Why is there this privacy gap? Hirshleifer – privacy is a means of social organization, a legacy of territoriality Varian – you can maybe fix privacy by giving people property rights in personal information Odlyzko – technology makes price discrimination both easier and more attractive Acquisti – Experimental work. One result: overdiscounting—too willing to trade short-term benefit for long-term risk. Hirshleifer, 1980: privacy is NOT about withdrawing from society. It is a means of organizing society arising from territorial behavior. internalized respect for property allows autonomy. Acquisti & Grossklags (2004) showed that subjects care less about the privacy effects of decisions taken in an impersonal context, that they lack sufficient information to make informed privacy choices, and that they indulge in ‘hyperbolic discounting’, being too willing to trade short-term benefits for larger long-term risks.

18 Conflict theory Does the defense of a country or a system depend on the least effort, on the best effort, or on the sum of efforts? The last is optimal; the first is really awful Software is a mix: it depends on the worst effort of the least careful programmer, the best effort of the security architect, and the sum of efforts of the testers Moral: hire fewer better programmers, more testers, top architects

19 Open versus Closed? Are open-source systems more dependable? It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them Theorem: openness helps both equally if bugs are random and standard dependability model assumptions apply Statistics: bugs are correlated in a number of real systems (‘Milk or Wine?’) Trade-off: the gains from this, versus the risks to systems whose owners don’t patch Wine improves with age. Not so milk.

20 How Much to Spend? How much should the average company spend on information security? Governments, vendors say: much much more than at present But they’ve been saying this for 20 years! Measurements of security return-on- investment suggest about 20% per annum overall So the total expenditure may be about right. Are there any better metrics? 20% ROI number comes from one thesis back in about 2000.

21 Security metrics Insurance markets – can be dysfunctional because of correlated risk Vulnerability markets – in theory can elicit information about cost of attack Tipping Point Zero Day Initiative for years, as of 2012: Governments, Vupen, Northrop Grumman, Raytheon, various startups (more later) Stock markets – in theory can elicit information about costs of breach Stock prices drop a few percent after a breach disclosure

22 Skewed Incentives Why do large companies spend too much on security and small companies too little? Adverse selection effect? Risk preferences? Corporate security managers tend to be risk- averse people, often from accounting / finance More risk-loving people may become sales or engineering staff, or small-firm entrepreneurs There’s also due-diligence, government regulation, and insurance to think of Adverse selection: The sick will buy health insurance and the healthy won’t in scenarios where Insurance companies cannot by law or by data find this out—information asymetry

23 Skewed Incentives (2) If you are DirNSA and have a nice new hack on Windows 8, do you tell Steve B.? Tell—protect 310 million Americans Don’t tell—be able to hack 500 million Europeans, 1.3 billion Chinese,… If (when?!) the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President So offense can be favored over defense

24 Psychology and Security
Phishing only started in 2004, by 2006 already there were significant phishing losses, by claims of $690M worldwide losses Banks initially react to phishing by “blame and train” efforts towards customers – but we know from the safety-critical world that this doesn’t work We really need to know a lot more about the interaction between security and psychology

25 Psychology and Security (2)
Security usability research just beginning (SOUPS) Sloan’s personal suspicion: all but some (small?) fraction of privacy fundamentalists mostly give up in face of not very usable privacy and security software/settings. Most products don’t work well or at all! Train people to keep on clicking ‘OK’ until they can get their work done Systems designed by geeks for geeks discriminate against women, the elderly and the less educated FB privacy settings and Columbia students!

26 Psychology and Security (3)
Social psychology has long studied obedience! Solomon Asch showed most people would deny the evidence of their eyes to conform to a group Stanley Milgram showed that 60% of people will do downright immoral things if ordered to Philip Zimbardo’s Stanford Prisoner Experiment showed roles and group dynamics were enough The disturbing case of ‘Officer Scott’ How can systems resist abuse of authority? Asch: People showed a line and asked which of three other lines was equal to it in length. Would frequently follow obviously wrong group response given by 3+ confederates of experimenter. Officer Scott: Strip Search prank call scam during roughly 1994 to Convinced managers of restaurants and grocery stores to do strip searches of female employees.

27 Risk perception, terrorism, & security
Actual security different from feeling of security Food poisoning: 5,000 US deaths/year Autos: 40,000 US deaths/year 9/11 2,973 deaths once Risk perception biases plus “Availability heuristic” in human’s probability estimation: easy to imagine = probable

28 Psychology and Security (4)
Evolutionary psychology may eventually explain cognitive biases. It is based on the massive modularity hypothesis and the use of FMRI to track brain function ‘Theory of mind’ module central to empathy for others’ mental states This is how we differ from the great apes It helps us lie, and to detect lies told by others So are we really homo sapiens sapiens – or homo sapiens deceptor?

29 Conclusion? The online world and the physical world are merging, and this will cause major dislocation for many years Security economics gives us some of the tools we need to understand what’s going on

Download ppt "Economics of IT & Information Security"

Similar presentations

Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.

Security Through Obscurity: When It Works, When It Doesnt Peter P. Swire The Ohio State University DIMACS, Rutgers January 18, 2007.
A Local Mean Field Analysis of Security Investments in Networks Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) NetEcon 2008.

A Local Mean Field Analysis of Security Investments in Networks Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) NetEcon 2008.
Vista, TC and Competition Policy Ross Anderson Cambridge University and Foundation for Information Policy Research.

Vista, TC and Competition Policy Ross Anderson Cambridge University and Foundation for Information Policy Research.
Competition and ‘Trusted Computing’ Ross Anderson Cambridge University and Foundation for Information Policy Research.

Competition and ‘Trusted Computing’ Ross Anderson Cambridge University and Foundation for Information Policy Research.
Information Security Economics – and Beyond Ross Anderson Tyler Moore Cambridge University.

Information Security Economics – and Beyond Ross Anderson Tyler Moore Cambridge University.
Copyright © 2008 by Nelson, a division of Thomson Canada Limited ENTREPRENEURSHIP A PROCESS PERSPECTIVE Robert A. Baron Scott A. Shane A. Rebecca Reuber.

Copyright © 2008 by Nelson, a division of Thomson Canada Limited ENTREPRENEURSHIP A PROCESS PERSPECTIVE Robert A. Baron Scott A. Shane A. Rebecca Reuber.
The Economics of Information Security: A Survey and Open Questions Ross Anderson, Tyler Moore Cambridge University.

The Economics of Information Security: A Survey and Open Questions Ross Anderson, Tyler Moore Cambridge University.
Security Economics Ross Anderson Cambridge University.

Security Economics Ross Anderson Cambridge University.
The Economics and Psychology of Security Ross Anderson Cambridge University.

The Economics and Psychology of Security Ross Anderson Cambridge University.
Information Security Economics – and Beyond Ross Anderson Cambridge University.

Information Security Economics – and Beyond Ross Anderson Cambridge University.
The Economics of Information Security Ross Anderson Cambridge University.

The Economics of Information Security Ross Anderson Cambridge University.
An Economic Perspective on Security Ross Anderson Cambridge University.

An Economic Perspective on Security Ross Anderson Cambridge University.
Towards a Science of Security and Human Behaviour Ross Anderson Cambridge University.

Towards a Science of Security and Human Behaviour Ross Anderson Cambridge University.
Security Economics Ross Anderson Cambridge University.

Security Economics Ross Anderson Cambridge University.
2009 SCADA Security Scientific Symposium The Economics of Control System Security Ross Anderson Cambridge University.

2009 SCADA Security Scientific Symposium The Economics of Control System Security Ross Anderson Cambridge University.
Economics, Policy and Information Security Economics, Policy and Information Security Ross Anderson Cambridge University.

Economics, Policy and Information Security Economics, Policy and Information Security Ross Anderson Cambridge University.
YOUR INTERNET EXPERIENCE

YOUR INTERNET EXPERIENCE
Security Engineering Security Computer Science Tripos part 2 Ross Anderson.

Security Engineering Security Computer Science Tripos part 2 Ross Anderson.
Information Security – Where Computer Science, Economics and Psychology Meet Ross Anderson Cambridge University.

Information Security – Where Computer Science, Economics and Psychology Meet Ross Anderson Cambridge University.
Security Economics and Public Policy Ross Anderson Cambridge University.

Security Economics and Public Policy Ross Anderson Cambridge University.

Similar presentations

Ads by Google