
The Economics of Information Security: A Survey and Open Questions Ross Anderson, Tyler Moore Cambridge University.


1 The Economics of Information Security: A Survey and Open Questions Ross Anderson, Tyler Moore Cambridge University

2 Economics and Security
- The link between economics and security atrophied after WW2
- Since 2000, information security economics has become a hot topic, with 100 researchers and now two annual workshops (WEIS, WESII)
- Economic analysis often explains failure better than technical analysis!
- Infosec mechanisms are used increasingly to support business models (DRM, lock-in, …)
- Research is now spilling over to dependability, conventional security, trust and risk

3 Traditional View of Infosec
- People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
- So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
- About 1999, we started to realize that this is not enough

4 Incentives and Infosec
- Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
- Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others
- Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
- Why is Microsoft software so insecure, despite market dominance?

5 New View of Infosec
- Systems are often insecure because the people who could fix them have no incentive to
- Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it
- People connecting an insecure PC to the net don’t pay full costs, so we under-invest in antivirus software (Varian)
- The move of businesses online led to massive liability dumping (Bohm et al)

6 New Uses of Infosec
- Xerox started using authentication in ink cartridges to tie them to the printer (1996)
- Followed by HP, Lexmark … and Lexmark’s case against SCC
- Motorola started authenticating mobile phone batteries to the phone in 1998
- The use of security technology to manipulate switching costs and tie products is now widespread
- Vista will make compatibility control easier for software writers

7 Platform Security Lifecycle
- High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
- Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ was quite rational
- When building a network monopoly, woo complementers by skimping on security, and choosing technology like SSL that dumps the compliance costs on the user
- Once you’re established, lock everything down

8 Other Investment Effects
- Security may depend on best effort (security architect), weakest-link (careless programmer) or sum-of-efforts (testing)
- Analysis (Akerlof, Varian) suggests firms should hire more testers, and fewer but better programmers (this is happening!)
- Security products can be strategic complements (and tend to be a lemons market anyway)
- Security product adoption is a hard problem unless you provide early adopters with local benefits
- So very many products fail to get adopted

9 Security and Liability
- Why did digital signatures not take off?
- Industry thought: legal uncertainty. So EU passed electronic signature law
- But customers and merchants resist transfer of liability by bankers for disputed transactions
- Best to stick with credit cards, as that way fraud is still largely the bank’s problem
- Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty

10 Privacy Economics
- Gap between stated and revealed preferences!
- Odlyzko – technology makes price discrimination both easier and more attractive
- Varian – interests of consumers and firms not in conflict, but information markets fail because of externalities and search costs. Educated consumers opt out more
- Acquisti et al – people care about privacy when buying clothes, but not cameras (some items relate to your image, so are privacy sensitive)
- Externalities cut both ways, though – to be anonymous, you need to be in a crowd

11 Open versus Closed?
- Are open-source systems more dependable? It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them
- Theory: openness helps both equally if bugs are random in the standard dependability model
- So maybe we should keep systems closed (Rescorla) – but this is an empirical question
- So get the statistics: bugs are correlated in a number of real systems (‘Milk or Wine?’)
- Trade-off: the gains from this, versus the risks to systems whose owners don’t patch

12 Vulnerability Markets
- Security isn’t just a lemons market – even the vendor often doesn’t know the quality of his software
- Insurance can be problematic because of inter-firm failure correlation
- Camp and Wolfram (2000), Schechter (2002): try vulnerability markets
- Two traders now exist (but prices secret)
- Alternatives – software quality derivatives (Böhme), bug auctions (Ozment)

13 How Much to Spend?
- How much should firms spend on information security?
- Governments, vendors say: much, much more than at present (but they’ve been saying this for 20 years!)
- Measurements of security return-on-investment suggest current expenditure may be about right
- But SMEs spend too little, big firms too much, and governments way too much
- Adams: it’s the selection of the risk managers

14 Games on Networks
- The topology of a network can be important!
- Barabási and Albert showed that a scale-free network could be attacked efficiently by targeting its high-order nodes
- Think: rulers target Saxon landlords / Ukrainian kulaks / Tutsi schoolteachers / …
- Can we use evolutionary game theory ideas to figure out how networks evolve?
- Idea: run many simulations between different attack / defence strategies

15 Games on Networks (2)
[Figure: vertex-order attacks with: Black – normal (scale-free) node replenishment; Green – defenders replace high-order nodes with rings; Cyan – they use cliques (cf. systems biology …)]
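As an added, stdlib-only illustration of the simulation idea on the two slides above (not code from the talk or its authors): grow a Barabási–Albert scale-free graph, then delete a fixed share of nodes either highest-degree first (the vertex-order attack) or uniformly at random, and measure how much of the giant component survives. The ring and clique defences shown in the figure are not modelled; the graph sizes and seed are constructed.

```python
import random

def barabasi_albert(n, m, rng):
    """Grow a scale-free graph by preferential attachment (Barabasi-Albert):
    each new node links to m existing nodes picked in proportion to degree."""
    adj = {i: set(range(m + 1)) - {i} for i in range(m + 1)}  # seed clique
    ends = [v for v in adj for _ in adj[v]]  # one entry per edge end
    for new in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:  # sampling from `ends` is degree-weighted
            chosen.add(rng.choice(ends))
        adj[new] = chosen
        for v in chosen:
            adj[v].add(new)
            ends.extend((new, v))
    return adj

def largest_component(adj):
    """Size of the largest connected component, by depth-first search."""
    seen, best = set(), 0
    for start in adj:
        if start in seen: continue
        seen.add(start)
        stack, size = [start], 0
        while stack:
            u = stack.pop()
            size += 1
            for w in adj[u]:
                if w not in seen:
                    seen.add(w)
                    stack.append(w)
        best = max(best, size)
    return best

def attack(adj, fraction, targeted, rng):
    """Delete `fraction` of nodes, highest degree first (vertex-order attack)
    or at random; return the surviving giant component as a share of n."""
    adj = {u: set(nb) for u, nb in adj.items()}  # work on a copy
    n0 = len(adj)
    for _ in range(int(fraction * n0)):
        v = max(adj, key=lambda u: len(adj[u])) if targeted else rng.choice(list(adj))
        for w in adj.pop(v):
            adj[w].discard(v)
    return largest_component(adj) / n0

def compare(n, m, fraction, seed=1):
    """Both attacks on the same seeded graph; returns (random, targeted)."""
    rng = random.Random(seed)  # constructed seed, for reproducibility
    g = barabasi_albert(n, m, rng)
    return attack(g, fraction, False, rng), attack(g, fraction, True, rng)
```

Calling compare(1000, 2, 0.05) shows the asymmetry the slide describes: removing 5% of nodes at random barely dents the giant component, while removing the 5% highest-degree nodes fragments it.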

16 The price of anarchy
- Some technical cases soluble, e.g. routing with linear costs, 4/3 (Roughgarden et al)
- Big CS interest in combinatorial auctions for routing (Papadimitriou et al)
- Big practical problem: spam (and phishing)
- Proposed techie solutions (e.g. puzzles) put the incentive in the wrong place
- Peer-to-peer systems: clubs?
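The 4/3 figure on the slide, worked through on Pigou's two-link example (added here as an illustration; it is not on the slide):

One unit of traffic travels from $s$ to $t$ over two parallel links. Link 1 has constant latency $c_1(x) = 1$; link 2 has linear latency $c_2(x) = x$. Let $x$ be the share of traffic on link 2, so the total cost is

$$C(x) = (1 - x)\cdot 1 + x \cdot x = 1 - x + x^2, \qquad C'(x) = 2x - 1 = 0 \;\Rightarrow\; x^{*} = \tfrac{1}{2}, \quad C(x^{*}) = \tfrac{3}{4}.$$

Under selfish routing a user on link 1 pays $1$ while link 2 costs $x \le 1$, so every user moves to link 2; the only Nash equilibrium is $x = 1$ with $C(1) = 1$. The price of anarchy is therefore

$$\mathrm{PoA} = \frac{C_{\mathrm{Nash}}}{C_{\mathrm{opt}}} = \frac{1}{3/4} = \frac{4}{3},$$

and Roughgarden and Tardos showed that no network with affine (linear) latencies does worse than this, which is where the slide's 4/3 comes from.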

17 Vista and Competition
- A live EU concern – workshop on Monday
- IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator
- Files are encrypted and associated with rights management information
- Switching from Office to OpenOffice in 2010 might involve getting permission from all your correspondents
- Other cases of lock-in harming innovation

18 Vista and Competition (2)
- How should we think of DRM? The music industry wanted it while the computer industry hated it. This is flipping: Microsoft embraced DRM and the music industry’s now wavering
- Varian, 2005: what happens when you connect a concentrated industry to a diffuse one?
- Answer, 2006 – Apple runs away with the money
- Answer, 2007 – Microsoft appears to be making a play to control high-definition content distribution (Gutmann)

19 Large Project Failure
- Maybe 30% of large projects fail
- But we build much bigger failures nowadays than 30 years ago, so…
- Why do more public-sector projects fail?
- Consider what the incentives are on project managers versus ministers – and what sort of people will become successful project managers versus ministers!

20 The Information Society
- More and more goods contain software
- More and more industries are starting to become like the software industry
- The good: flexibility, rapid response
- The bad: frustration, poor service
- The ugly: monopolies
- The world will be full of ‘things that think’ (and that exhibit strategic behaviour)
- How will society evolve to cope?

21 More …
- Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from www.ross-anderson.com)
- WEIS – Annual Workshop on Economics and Information Security – next at CMU, June 7–8 2006

