Presentation is loading. Please wait.

Presentation is loading. Please wait.

Economics and computer security

Published byHadian Sugiarto Modified over 4 years ago

Similar presentations

Presentation on theme: "Economics and computer security"— Presentation transcript:

1 Economics and computer security
Hal R. Varian UC Berkeley

2 Outline Assignment of liability Role of insurance
Efficiency and coordination costs Implications of weakest link technology 10/1/2019

3 Assignment of liability
Want to reduce expected cost of accidents Parties can affect the probability of accidents happening Want to set up incentives to get the right parties invest effort in reducing expected costs of accidents Liability: who has to pay and how much if accident occurs. Sets incentives to reduce expected costs. Basic principles Least cost avoider: assign liability to the party that is best positioned to reduce expected costs Due care standard: set a due care standard, no liability if you meet the due care standard, otherwise pay accident cost Ross Anderson’s paper on ATM machines In England: consumer has to prove bank wrong In US: bank has to prove consumer wrong 10/1/2019

4 Least cost avoider ECost = Prob(e1+e2) A – c1 e1 – c2 e2
ECost = expected cost Prob(e1+e2) = prob accident occurs A = cost of accident/event e1, e2 = effort to reduce prob of accident c1, c2 = cost of effort Observe: you want the party with the lowest effort cost to exert all the effort This drives the other party’s effort to zero, but that’s OK in this case 10/1/2019

5 Due care standard EC = Prob(e1,e2) A – c1 e1 – c2 e2
Find efforts that minimize expected costs, (e1*,e2*) Set due care standards equal to this effort level No liability if you meet due care standard Otherwise, pay fine equal to cost A if accident occurs See Steven Shavell, Economic Analysis of Accident Law 10/1/2019

6 Computer security Sometimes the effort cost is so extreme (e.g., technical knowledge) that liability goes to one party Other times due care standard is plausible Due care standard determined by courts, but guided by industry practices Could be very important role for security community Better to be proactive than just let these standards evolve Should there be a FASB-like board? 10/1/2019

7 Example: ATM machines Ross Anderson: “Why cryptosystems fail”
Suppose there is a dispute between you and your bank about your ATM usage England: bank is right unless you can prove them wrong US: you are right unless the bank can prove you wrong Two different default assignments of liability 10/1/2019

8 Result of ATM liability assignment
US: banks invest in risk reduction technology England: banks typically do not invest in such technology Credit card and phone card risk management Role of competition: debit cards American banks put cameras in place, English banks didn’t Competition can play similar role Credit cards: US has $50 liability, financial sector invested heavily in risk management technology. Cellular phones. Debit cards: originally had $500 liability, was widely publicized, so several banks announced that liability would be capped at $50, to compete with credit cards. Very important principle: e.g., liability assignment for copyright violations. Due care. 10/1/2019

9 Role of insurance Two major risk management institutions
Stock market Insurance market Why do corporations buy insurance? Value of shares depend on portfolio value Shareholders can diversify risk themselves Particularly good question in case of computer security Risk management institutions 10/1/2019

10 Why do corporations buy insurance?
Answer: risk management services Insurance companies are well placed to recommend actions require compliance disseminate best practices insurance contract is incentive compatible! Especially valuable services for rare events Chinese doctor: pay while you are well 10/1/2019

11 Examples Expert certification Could do more Prediction
Year 2000 problem Could do more CERT patches requirement for insurance SATAN test Prediction insurance companies will move into computer security (supplemented by expert advisors) 10/1/2019

12 Insurance: moral hazard
Want the insured to bear some risk full insurance has bad incentives deductible/co-pay is much better Want to structure incentives to reduce risk liability assignments – as discussed deductible – moral hazard 10/1/2019

13 Adverse selection Those who need insurance most buy it
Pool that purchases insurance is not representative of entire population Adverse selection can destroy market argument for social insurance e.g., infrastructure protection above and beyond that covered by private incentives 10/1/2019

14 Infrastructure as public good
Private good v public good excludability rivalry Public good aspect to security national defense ; police services How to pay for security? individual or social choice? 10/1/2019

15 Private or public? Gated communities or private walls? 10/1/2019
Police force or bodyguards? Even armies could be privatized, it would just be expensive! 10/1/2019

16 Costs Production costs Countervailing effects
economies of scale in protection? Countervailing effects decision costs: social v private decisions coordination/complexity management costs effectiveness of measures clarity of who is responsible genetic diversity Economies of scale: make it large Countervailing effects: make it small. 10/1/2019

17 Total effort v weakest link
Public goods usually involve total effort Security often has weakest-link character makes public good more costly private incentives leadership is critical coordination is critical Social optimum: invest until the sum of the benefits across individuals = incremental cost Private optimum: free riding---let the other guy do it Weakest link: invest until the sum of the benefits = sum of the incremental costs. Less of public good, cause it is more expensive. Free rider problem: efforts aren’t substitutes, their complements. If everyone is critical, incentives are somewhat better than if they can substitute for each other. Free rider problem isn’t as severe. 10/1/2019

18 Why systems fail? Ross Anderson paper “Why cryptosystems fail”
What to do about human failure? get incentives right (e.g., liability assignments) outside monitors and auditors (insurance) follow procedures (banking) standards setting role of military (e.g., aviation) Great opportunity for military, since they know a lot about following procedure, discipline, etc. If primary problem with security is technological, not so clear that military has good internal tools to deal with it. If primary problem is the human factor/organizational/discipline/follow procedures problems, military is in very good position for dealing with this internally and for training for civilian sector. 10/1/2019

Download ppt "Economics and computer security"

Similar presentations

Saving and Investing Tools Carl Johnson Financial Literacy Jenks High School.

Saving and Investing Tools Carl Johnson Financial Literacy Jenks High School.
Fall 2008 Version Professor Dan C. Jones FINA 4355 Class Problem.

Fall 2008 Version Professor Dan C. Jones FINA 4355 Class Problem.
EVOLUTION OF DISCLOSURE REGULATION RATIONALES: PRELUDE TO A NEW THEORY.

EVOLUTION OF DISCLOSURE REGULATION RATIONALES: PRELUDE TO A NEW THEORY.
Unit 5 Microeconomics: Money and Finance Chapters 11.1 Economics Mr. Biggs.

Unit 5 Microeconomics: Money and Finance Chapters 11.1 Economics Mr. Biggs.
© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.

© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.
Health Insurance October 19, 2006 Insurance is defined as a means of protecting against risk. Risk is a state in which multiple outcomes are possible and.

Health Insurance October 19, 2006 Insurance is defined as a means of protecting against risk. Risk is a state in which multiple outcomes are possible and.
Revsine/Collins/Johnson/Mittelstaedt: Chapter 1 The Economic and Institutional Setting for Financial Reporting Copyright © 2009 by The McGraw-Hill Companies,

Revsine/Collins/Johnson/Mittelstaedt: Chapter 1 The Economic and Institutional Setting for Financial Reporting Copyright © 2009 by The McGraw-Hill Companies,
Supply, Demand, and Equilibrium Today: An introduction to supply and demand, and how they relate to equilibrium.

Supply, Demand, and Equilibrium Today: An introduction to supply and demand, and how they relate to equilibrium.
Asymmetric Information

Asymmetric Information
Managerial Economics and Organizational Architecture, 5e Chapter 3: Markets, Organizations, and the Role of Knowledge Copyright © 2009 by The McGraw-Hill.

Managerial Economics and Organizational Architecture, 5e Chapter 3: Markets, Organizations, and the Role of Knowledge Copyright © 2009 by The McGraw-Hill.
Chapter 11. The Economics of Financial Intermediation The role of financial intermediaries Asymmetric Information The role of financial intermediaries.

Chapter 11. The Economics of Financial Intermediation The role of financial intermediaries Asymmetric Information The role of financial intermediaries.
Saks Gloweli Capital Saks Gloweli Capital is the Banking and Finance division of Saks Gloweli Consulting. It offers clients a range of financial advisory.

Saks Gloweli Capital Saks Gloweli Capital is the Banking and Finance division of Saks Gloweli Consulting. It offers clients a range of financial advisory.
Insurance Fundamentals for Policymakers. Four assignments: Insurance Principles Insurance Coverages: Property and Casualty Insurance Coverages: Life and.

Insurance Fundamentals for Policymakers. Four assignments: Insurance Principles Insurance Coverages: Property and Casualty Insurance Coverages: Life and.
Money and Banking Lecture 02.

Money and Banking Lecture 02.
Corporate Governance Introduction More general thing than financial contracting –Shleifer and Vishny: “corporate governance deals with the ways in which.

Corporate Governance Introduction More general thing than financial contracting –Shleifer and Vishny: “corporate governance deals with the ways in which.
An Economic Analysis of Financial Structure

An Economic Analysis of Financial Structure
Chapter 8 An Economic Analysis of Financial Structure.

Chapter 8 An Economic Analysis of Financial Structure.
Overview of the Financial System

Overview of the Financial System
FREE ENTERPRISE IN THE UNITED STATES

FREE ENTERPRISE IN THE UNITED STATES
Copyright © 2014 Pearson Canada Inc. Chapter 8 AN ECONOMIC ANALYSIS OF FINANCIAL STRUCTURE Mishkin/Serletis The Economics of Money, Banking, and Financial.

Copyright © 2014 Pearson Canada Inc. Chapter 8 AN ECONOMIC ANALYSIS OF FINANCIAL STRUCTURE Mishkin/Serletis The Economics of Money, Banking, and Financial.

Similar presentations

Ads by Google