
Security Economics Ross Anderson Cambridge University.

Presentation transcript:

1 Security Economics Ross Anderson Cambridge University

2 Economics and Security
- The link between economics and security atrophied after WW2
- Over the last six years, we have started to apply economic analysis to information security
- Economic analysis often explains security failure better than technical analysis!
- Information security mechanisms are used increasingly to support business models (DRM, accessory control) rather than to manage risk
- So economic analysis is vital in several ways for the public policy aspects of security

3 Traditional View of Infosec
- People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
- So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
- About 1999, we started to realize that this is not enough

4 Incentives and Infosec
- Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
- Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others
- Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
- Why is Microsoft software so insecure, despite market dominance?

5 New View of Infosec
- Systems are often insecure because the people who could fix them have no incentive to
- Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it
- Security is often what economists call an ‘externality’ – like environmental pollution

6 Financial Times 25/9/5
- Infosec now an ‘Arms Race’ no-one can stop
- ‘Today indeed it seems we have a deficit of computer security. But it seems inevitable that tomorrow we will have too much’
- Decision-makers rely on data ‘systematically skewed in the direction of exaggerated harm and understated cost of prevention’
- ‘Over-protecting ourselves today will cost us tomorrow dearly in the unborn or delayed generations of innovation’
- See www.infosecon.net

7 New Uses of Infosec
- Xerox started using authentication in ink cartridges to tie them to the printer
- Motorola started authenticating mobile phone batteries to the phone
- BMW now has a car prototype that authenticates its major components
- Usual purposes – locking in customers, grabbing power in the supply chain – may be unlawful

8 IT Economics and Security
- High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
- So time-to-market is critical
- Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not a perverse attitude of Bill Gates, but quite rational
- Whichever company had won in the PC OS business would have done the same

9 IT Economics and Security 2
- When building a network monopoly, it is also critical to appeal to the vendors of complementary products
- E.g., application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or WinMP versus Real
- Lack of security in earlier versions of Windows makes it easier to develop applications
- Once you have your monopoly, increase security unreasonably in order to lock customers in

10 Privacy
- Most people say they value privacy, but act otherwise
- Privacy technology ventures have mostly failed
- Acquisti et al – people care about privacy when buying clothes, but not cameras (some items relate to your image, so are privacy sensitive)
- Issue for mobile phone industry – phone viruses worse for image than PC viruses
- Issue for the ‘database state’ – the Blair project of NPfIT, Children’s Databases, ID cards…
- Alternative models include externality – people who go ex-directory

11 How Much to Spend?
- How much should the average company spend on information security?
- Governments, vendors say: much much more than at present!
- But hey - they’ve been saying this for 20 years
- Measurements of security return-on-investment suggest about 20% p.a.
- So current expenditure may be about right

12 How are Incentives Skewed?
- If you are DirNSA and have a nice new hack on NT, do you tell Bill?
- Tell – protect 300m Americans
- Don’t tell – be able to hack 400m Europeans, 1000m Chinese,…
- If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

13 Skewed Incentives (2)
- Within corporate sector, large companies tend to spend too much on security and small companies too little
- Research shows adverse selection effect
- The most risk-averse people end up as corporate security managers
- More risk-loving people may be sales or engineering staff, or entrepreneurs
- Also: due-diligence effects, insurance market failures, information asymmetry in organisations

14 Open versus Closed?
- Are open-source systems more dependable? It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them
- Theory: openness helps both equally if bugs are random and standard dependability model assumptions apply
- Statistics: bugs are correlated in a number of real systems
- So for some systems at least, it’s definitely better to report and fix vulnerabilities than keep quiet about them. This is an empirical question!
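To make the slide's "random versus correlated bugs" argument concrete, here is an added Monte Carlo model; it is not from the talk and not Anderson's own model. It assumes a pool of bugs, each with a constructed "findability" weight, a defender who finds and fixes k bugs, and an attacker who independently hunts the same pool for k bugs. The measured quantity is the share of the attacker's finds that the defender had already fixed. When every bug is equally findable (the "random bugs" case), fixing a handful of the pool barely pre-empts the attacker; when findability is skewed (bugs are correlated, so both parties keep rediscovering the same easy ones), fix-and-disclose removes most of what the attacker would have found. Pool size, k, the decay ratio and the trial count are all assumptions chosen for illustration.

```python
import random

# Constructed model (not from the slides): a pool of N bugs, each with a
# "findability" weight; higher weight means found sooner by anyone looking.


def weighted_sample_without_replacement(weights, k, rng):
    """Pick k distinct bug indices, with probability proportional to weight.

    Uses the Efraimidis-Spirakis trick: key_i = u_i ** (1 / w_i) for a
    uniform u_i, then keep the k largest keys.  Tiny weights underflow to a
    key of 0.0, which simply means "effectively never found first".
    """
    keys = [(rng.random() ** (1.0 / w), i) for i, w in enumerate(weights)]
    keys.sort(reverse=True)
    return {i for _, i in keys[:k]}


def preemption_rate(weights, k, trials=200, seed=1):
    """Average share of the attacker's k finds that the defender had already
    fixed, over `trials` independent races on the same weighted pool."""
    rng = random.Random(seed)  # fixed seed: results are reproducible
    total = 0.0
    for _ in range(trials):
        fixed = weighted_sample_without_replacement(weights, k, rng)
        found_by_attacker = weighted_sample_without_replacement(weights, k, rng)
        total += len(fixed & found_by_attacker) / k
    return total / trials


def independent_bugs(n):
    """'Random bugs' assumption: every bug is equally findable."""
    return [1.0] * n


def correlated_bugs(n, decay=0.7):
    """'Correlated bugs' assumption: findability falls off geometrically, so a
    few shallow bugs dominate what anyone finds first (constructed shape)."""
    return [decay ** i for i in range(n)]


if __name__ == "__main__":
    n, k = 1000, 20
    print("random bugs:     pre-empted share =", round(preemption_rate(independent_bugs(n), k), 3))
    print("correlated bugs: pre-empted share =", round(preemption_rate(correlated_bugs(n), k), 3))
```

The knob that matters is the weight vector: with uniform weights the expected overlap of two independent draws of k from N is about k/N, so disclosure buys almost nothing, whereas the geometric profile drives the overlap towards one. Which profile a real system follows is exactly the empirical question the slide ends on.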

15 Large Project Failure
- Maybe 30% of large projects fail
- But we build much bigger failures nowadays than 30 years ago so…
- Why do more public-sector projects fail?
- Consider what the incentives are on project managers versus ministers – and what sort of people will become successful project managers versus ministers!

16 The Information Society
- More and more goods contain software
- More and more industries are starting to become like the software industry
- The good: flexibility, rapid response
- The bad: frustration, poor service
- The ugly: monopolies
- How will law evolve to cope?

17 More …
- Our security group blog – www.lightbluetouchpaper.org
- Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)
- Foundation for Information Policy Research – www.fipr.org

