Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Economics – and Beyond Ross Anderson Cambridge University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Security Economics – and Beyond Ross Anderson Cambridge University."— Presentation transcript:

1 Information Security Economics – and Beyond Ross Anderson Cambridge University

2 Prague May 27th 2009 Traditional View of Infosec People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering So we all worked on providing better, cheaper security features – AES, PKI, firewalls … So we all worked on providing better, cheaper security features – AES, PKI, firewalls … About 1999, some of us started to realize that this is not enough About 1999, some of us started to realize that this is not enough

3 Prague May 27th 2009 Economics and Security Since 2000, we have started to apply economic analysis to IT security and dependability Since 2000, we have started to apply economic analysis to IT security and dependability It often explains failure better! It often explains failure better! Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others Why is Microsoft software so insecure, despite market dominance? Why is Microsoft software so insecure, despite market dominance?

4 Prague May 27th 2009 New View of Infosec Systems are often insecure because the people who guard them, or who could fix them, have insufficient incentives Systems are often insecure because the people who guard them, or who could fix them, have insufficient incentives Bank customers suffer when poorly-designed bank systems make fraud and phishing easier Bank customers suffer when poorly-designed bank systems make fraud and phishing easier Casino websites suffer when infected PCs run DDoS attacks on them Casino websites suffer when infected PCs run DDoS attacks on them Insecurity is often what economists call an ‘externality’ – a side-effect, like environmental pollution Insecurity is often what economists call an ‘externality’ – a side-effect, like environmental pollution

5 Prague May 27th 2009 New Uses of Infosec Xerox started using authentication in ink cartridges to tie them to the printer – and its competitors soon followed Xerox started using authentication in ink cartridges to tie them to the printer – and its competitors soon followed Carmakers make ‘chipping’ harder, and plan to authenticate major components Carmakers make ‘chipping’ harder, and plan to authenticate major components DRM: Apple grabs control of music download, MS accused of making a play to control distribution of HD video content DRM: Apple grabs control of music download, MS accused of making a play to control distribution of HD video content

6 Prague May 27th 2009 IT Economics (1) The first distinguishing characteristic of many IT product and service markets is network effects The first distinguishing characteristic of many IT product and service markets is network effects Metcalfe’s law – the value of a network is the square of the number of users Metcalfe’s law – the value of a network is the square of the number of users Real networks – phones, fax, email Real networks – phones, fax, email Virtual networks – PC architecture versus MAC, or Symbian versus WinCE Virtual networks – PC architecture versus MAC, or Symbian versus WinCE Network effects tend to lead to dominant firm markets where the winner takes all Network effects tend to lead to dominant firm markets where the winner takes all

7 Prague May 27th 2009 IT Economics (2) Second common feature of IT product and service markets is high fixed costs and low marginal costs Second common feature of IT product and service markets is high fixed costs and low marginal costs Competition can drive down prices to marginal cost of production Competition can drive down prices to marginal cost of production This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility … This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility … These effects can also lead to dominant-firm market structures These effects can also lead to dominant-firm market structures

8 Prague May 27th 2009 IT Economics (3) Third common feature of IT markets is that switching from one product or service to another is expensive Third common feature of IT markets is that switching from one product or service to another is expensive E.g. switching from Windows to Linux means retraining staff, rewriting apps E.g. switching from Windows to Linux means retraining staff, rewriting apps Shapiro-Varian theorem: the net present value of a software company is the total switching costs Shapiro-Varian theorem: the net present value of a software company is the total switching costs So major effort goes into managing switching costs – once you have $3000 worth of songs on a $300 iPod, you’re locked into iPods So major effort goes into managing switching costs – once you have $3000 worth of songs on a $300 iPod, you’re locked into iPods

9 Prague May 27th 2009 IT Economics and Security High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant- firm markets with big first-mover advantage High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant- firm markets with big first-mover advantage So time-to-market is critical So time-to-market is critical Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but quite rational Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but quite rational Whichever company had won in the PC OS business would have done the same Whichever company had won in the PC OS business would have done the same

10 Prague May 27th 2009 IT Economics and Security (2) When building a network monopoly, you must appeal to vendors of complementary products When building a network monopoly, you must appeal to vendors of complementary products That’s application software developers in the case of PC vs Apple, then Symbian vs Windows/Palm, then Facebook vs Myspace That’s application software developers in the case of PC vs Apple, then Symbian vs Windows/Palm, then Facebook vs Myspace Lack of security in earlier versions of Windows made it easier to develop applications Lack of security in earlier versions of Windows made it easier to develop applications So did the choice of security technologies that dump costs on the user (SSL, not SET) So did the choice of security technologies that dump costs on the user (SSL, not SET) Once you’ve a monopoly, lock it all down! Once you’ve a monopoly, lock it all down!

11 Prague May 27th 2009 Why are so many security products ineffective? Akerlof’s Nobel-prizewinning paper, ‘The Market for Lemons’ introduced asymmetric information Akerlof’s Nobel-prizewinning paper, ‘The Market for Lemons’ introduced asymmetric information Suppose a town has 100 used cars for sale: 50 good ones worth $2000 and 50 lemons worth $1000 Suppose a town has 100 used cars for sale: 50 good ones worth $2000 and 50 lemons worth $1000 What is the equilibrium price of used cars? What is the equilibrium price of used cars? If $1500, no good cars will be offered for sale … If $1500, no good cars will be offered for sale … Started the study of asymmetric information Started the study of asymmetric information Security products are often a ‘lemons market’ Security products are often a ‘lemons market’

12 Prague May 27th 2009 Products worse then useless Adverse selection and moral hazard matter (why do Volvo drivers have more accidents?) Adverse selection and moral hazard matter (why do Volvo drivers have more accidents?) Application to trust: Ben Edelman, ‘Adverse selection on online trust certifications’ (WEIS 06) Application to trust: Ben Edelman, ‘Adverse selection on online trust certifications’ (WEIS 06) Websites with a TRUSTe certification are more than twice as likely to be malicious Websites with a TRUSTe certification are more than twice as likely to be malicious The top Google ad is about twice as likely as the top free search result to be malicious (other search engines worse …) The top Google ad is about twice as likely as the top free search result to be malicious (other search engines worse …) Conclusion: ‘Don’t click on ads’ Conclusion: ‘Don’t click on ads’

13 Prague May 27th 2009 Privacy Most people say they value privacy, but act otherwise. Most privacy ventures failed Most people say they value privacy, but act otherwise. Most privacy ventures failed Why is there this privacy gap? Why is there this privacy gap? Odlyzko – technology makes price discrimination both easier and more attractive Odlyzko – technology makes price discrimination both easier and more attractive Acquisti – people care about privacy when buying clothes, but not cameras (phone viruses worse for image than PC viruses?) Acquisti – people care about privacy when buying clothes, but not cameras (phone viruses worse for image than PC viruses?) Leads in to research in behavioural economics (interface between economics and psychology) Leads in to research in behavioural economics (interface between economics and psychology)

14 Prague May 27th 2009 Conflict theory Does the defence of a country or a system depend on the least effort, on the best effort, or on the sum of efforts? Does the defence of a country or a system depend on the least effort, on the best effort, or on the sum of efforts? The last is optimal; the first is really awful The last is optimal; the first is really awful Software is a mix: it depends on the worst effort of the least careful programmer, the best effort of the security architect, and the sum of efforts of the testers Software is a mix: it depends on the worst effort of the least careful programmer, the best effort of the security architect, and the sum of efforts of the testers Moral: hire fewer better programmers, more testers, top architects Moral: hire fewer better programmers, more testers, top architects

15 Prague May 27th 2009 Open versus Closed? Are open-source systems more dependable? It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them Are open-source systems more dependable? It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them Theorem: openness helps both equally if bugs are random and standard dependability model assumptions apply Theorem: openness helps both equally if bugs are random and standard dependability model assumptions apply Statistics: bugs are correlated in a number of real systems (‘Milk or Wine?’) Statistics: bugs are correlated in a number of real systems (‘Milk or Wine?’) Trade-off: the gains from this, versus the risks to systems whose owners don’t patch Trade-off: the gains from this, versus the risks to systems whose owners don’t patch

16 Prague May 27th 2009 Security metrics Insurance markets – can be dysfunctional because of correlated risk Insurance markets – can be dysfunctional because of correlated risk Vulnerability markets – in theory can elicit information about cost of attack Vulnerability markets – in theory can elicit information about cost of attack iDefense, Tipping Point, … iDefense, Tipping Point, … Further: derivatives, bug auctions, … Further: derivatives, bug auctions, … Stock markets – in theory can elicit information about costs of compromise Stock markets – in theory can elicit information about costs of compromise Stock prices drop a few percent after a breach disclosure Stock prices drop a few percent after a breach disclosure

17 Prague May 27th 2009 How Much to Spend? How much should the average company spend on information security? How much should the average company spend on information security? Governments, vendors say: much much more than at present Governments, vendors say: much much more than at present But they’ve been saying this for 20 years! But they’ve been saying this for 20 years! Measurements of security return-on- investment suggest about 20% p.a. overall Measurements of security return-on- investment suggest about 20% p.a. overall So the total expenditure may be about right. Are there any better metrics? So the total expenditure may be about right. Are there any better metrics?

18 Prague May 27th 2009 Skewed Incentives Why do large companies spend too much on security and small companies too little? Why do large companies spend too much on security and small companies too little? Research shows an adverse selection effect Research shows an adverse selection effect Corporate security managers tend to be risk- averse people, often from accounting / finance Corporate security managers tend to be risk- averse people, often from accounting / finance More risk-loving people may become sales or engineering staff, or small-firm entrepreneurs More risk-loving people may become sales or engineering staff, or small-firm entrepreneurs There’s also due-diligence, government regulation, and insurance to think of There’s also due-diligence, government regulation, and insurance to think of

19 Prague May 27th 2009 Skewed Incentives (2) If you are DirNSA and have a nice new hack on XP and Vista, do you tell Bill? If you are DirNSA and have a nice new hack on XP and Vista, do you tell Bill? Tell – protect 300m Americans Tell – protect 300m Americans Don’t tell – be able to hack 400m Europeans, 1000m Chinese,… Don’t tell – be able to hack 400m Europeans, 1000m Chinese,… If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President So offence can be favoured over defence So offence can be favoured over defence

20 Prague May 27th 2009 Security and Policy Our ENISA report, ‘Security Economics and the Single Market’, has 15 recommendations: Our ENISA report, ‘Security Economics and the Single Market’, has 15 recommendations: Security breach disclosure law Security breach disclosure law EU-wide data on financial fraud EU-wide data on financial fraud Data on which ISPs host malware Data on which ISPs host malware Takedown penalties and putback rights Takedown penalties and putback rights Networked devices to be secure by default Networked devices to be secure by default … See link from my web page See link from my web page

21 Prague May 27th 2009 Security and Sociology There’s a lot of interest in using social network models to analyse systems There’s a lot of interest in using social network models to analyse systems Barabási and Albert showed that a scale-free network could be attacked efficiently by targeting its high-order nodes Barabási and Albert showed that a scale-free network could be attacked efficiently by targeting its high-order nodes Think: rulers target Saxon landlords / Ukrainian kulaks / Tutsi schoolteachers /… Think: rulers target Saxon landlords / Ukrainian kulaks / Tutsi schoolteachers /… Can we use evolutionary game theory ideas to figure out how networks evolve? Can we use evolutionary game theory ideas to figure out how networks evolve? Idea: run many simulations between different attack / defence strategies Idea: run many simulations between different attack / defence strategies

22 Prague May 27th 2009 Security and Sociology (2) Vertex-order attacks with: Black – normal (scale- free) replenishment Green – defenders replace high-order nodes with rings Cyan – they use cliques (c.f. system biology …) Application: traffic analysis (see my Google tech talk)

23 Prague May 27th 2009 Psychology and Security Phishing only started in 2004, but in 2006 it cost the UK £35m and the USA perhaps $200m Phishing only started in 2004, but in 2006 it cost the UK £35m and the USA perhaps $200m Banks react to phishing by ‘blame and train’ efforts towards customers Banks react to phishing by ‘blame and train’ efforts towards customers But we know from the safety-critical world that this doesn’t work But we know from the safety-critical world that this doesn’t work We really need to know a lot more about the interaction between security and psychology We really need to know a lot more about the interaction between security and psychology

24 Prague May 27th 2009 Psychology and Security (2) Security usability research is just taking off (3 SOUPS workshops so far) Security usability research is just taking off (3 SOUPS workshops so far) Most products don’t work well or at all! Most products don’t work well or at all! We train people to keep on clicking ‘OK’ until they can get their work done – and ‘learned helplessness’ goes much wider We train people to keep on clicking ‘OK’ until they can get their work done – and ‘learned helplessness’ goes much wider Systems designed by geeks for geeks also discriminate against women, the elderly and the less educated Systems designed by geeks for geeks also discriminate against women, the elderly and the less educated

25 Prague May 27th 2009 Psychology and Security (3) Social psychology has long been relevant to us! Social psychology has long been relevant to us! Solomon Asch showed most people would deny the evidence of their eyes to conform to a group Solomon Asch showed most people would deny the evidence of their eyes to conform to a group Stanley Milgram showed that 60% of people will do downright immoral things if ordered to Stanley Milgram showed that 60% of people will do downright immoral things if ordered to Philip Zimbardo’s Stanford Prisoner Experiment showed roles and group dynamics were enough Philip Zimbardo’s Stanford Prisoner Experiment showed roles and group dynamics were enough The disturbing case of ‘Officer Scott’ The disturbing case of ‘Officer Scott’ How can systems resist abuse of authority? How can systems resist abuse of authority?

26 Prague May 27th 2009 Psychology and Security (4) Why does terrorism work? Why does terrorism work? Heuristics and biases (Kahneman and Tversky) – availability heuristic; anchoring; loss aversion in uncertainty Heuristics and biases (Kahneman and Tversky) – availability heuristic; anchoring; loss aversion in uncertainty Also: wariness of hostile intent; violation of moral sentiments; mortality salience; credence given to images; reaction against out-group; sensitivity to change Also: wariness of hostile intent; violation of moral sentiments; mortality salience; credence given to images; reaction against out-group; sensitivity to change The good news: biases affect novel events more, and so can be largely overcome by experience The good news: biases affect novel events more, and so can be largely overcome by experience

27 Prague May 27th 2009 The Research Agenda The online world and the physical world are merging, and this will cause major dislocation for many years The online world and the physical world are merging, and this will cause major dislocation for many years Security economics gives us some of the tools we need to understand what’s going on Security economics gives us some of the tools we need to understand what’s going on Sociology gives some cool and useful stuff too Sociology gives some cool and useful stuff too And security psychology is not just usability and phishing – it might bring us fundamental insights, just as security economics has And security psychology is not just usability and phishing – it might bring us fundamental insights, just as security economics has

28 Prague May 27th 2009 More … See www.ross-anderson.com for a survey article, our ENISA report, and my security economics resource page See www.ross-anderson.com for a survey article, our ENISA report, and my security economics resource pagewww.ross-anderson.com WEIS – Workshop on Economics and Information Security – UCL, June 24–5 WEIS – Workshop on Economics and Information Security – UCL, June 24–5 Workshop on Security and Human Behaviour – in Cambridge in 2010 Workshop on Security and Human Behaviour – in Cambridge in 2010 ‘Security Engineering – A Guide to Building Dependable Distributed Systems’ ‘Security Engineering – A Guide to Building Dependable Distributed Systems’

29 Prague May 27th 2009

Download ppt "Information Security Economics – and Beyond Ross Anderson Cambridge University."

Similar presentations

Vista, TC and Competition Policy Ross Anderson Cambridge University and Foundation for Information Policy Research.

Vista, TC and Competition Policy Ross Anderson Cambridge University and Foundation for Information Policy Research.
Competition and ‘Trusted Computing’ Ross Anderson Cambridge University and Foundation for Information Policy Research.

Competition and ‘Trusted Computing’ Ross Anderson Cambridge University and Foundation for Information Policy Research.
Chapter 1 We’ve Got Problems…. Four Horsemen  … of the electronic apocalypse  Spam --- unsolicited bulk email o Over 70% of email traffic  Bugs ---

Chapter 1 We’ve Got Problems…. Four Horsemen  … of the electronic apocalypse  Spam --- unsolicited bulk o Over 70% of traffic  Bugs ---
Omicron Consulting 1700 Market Street Philadelphia, PA 19103 Omicron Consulting 1700 Market Street Philadelphia, PA 19103 Should You Upgrade to Windows.

Omicron Consulting 1700 Market Street Philadelphia, PA Omicron Consulting 1700 Market Street Philadelphia, PA Should You Upgrade to Windows.
Web App Security – The Good, the Bad and the Ugly Ross Anderson Cambridge University.

Web App Security – The Good, the Bad and the Ugly Ross Anderson Cambridge University.
© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.

© 2009 Pearson Education Canada 20/1 Chapter 20 Asymmetric Information and Market Behaviour.
Information Security Economics – and Beyond Ross Anderson Tyler Moore Cambridge University.

Information Security Economics – and Beyond Ross Anderson Tyler Moore Cambridge University.
Software Diversity for Information Security Gaurav Kataria Carnegie Mellon University.

Software Diversity for Information Security Gaurav Kataria Carnegie Mellon University.
Social Media Intro to Business & Marketing. The most three most trusted forms of advertising are: Recommendations from people I know - 90% Consumer opinions.

Social Media Intro to Business & Marketing. The most three most trusted forms of advertising are: Recommendations from people I know - 90% Consumer opinions.
-0- Competing on Internet time [Extra EVR] Competing on Internet time Lessons from NETSCAPE and its battle with MICROSOFT Suh, Il-Seok December 13, 2005.

-0- Competing on Internet time [Extra EVR] Competing on Internet time Lessons from NETSCAPE and its battle with MICROSOFT Suh, Il-Seok December 13, 2005.
Network and Server Basics. 6/1/20152 Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server.

Network and Server Basics. 6/1/20152 Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server.
The Economics of Information Security: A Survey and Open Questions Ross Anderson, Tyler Moore Cambridge University.

The Economics of Information Security: A Survey and Open Questions Ross Anderson, Tyler Moore Cambridge University.
Security Economics Ross Anderson Cambridge University.

Security Economics Ross Anderson Cambridge University.
Security Economics Ross Anderson Cambridge University.

Security Economics Ross Anderson Cambridge University.
The Economics and Psychology of Security Ross Anderson Cambridge University.

The Economics and Psychology of Security Ross Anderson Cambridge University.
Economics of Dependability and Security Economics of Dependability and Security Ross Anderson Cambridge University.

Economics of Dependability and Security Economics of Dependability and Security Ross Anderson Cambridge University.
The Economics of Information Security Ross Anderson Cambridge University.

The Economics of Information Security Ross Anderson Cambridge University.
13. The Economics of Information and Uncertainty Risk aversion Asymmetric information (pages 333-342) Risk aversion Asymmetric information (pages 333-342)

13. The Economics of Information and Uncertainty Risk aversion Asymmetric information (pages ) Risk aversion Asymmetric information (pages )
Information Society – Future Prospects Ross Anderson Cambridge University and Foundation for Information Policy Research.

Information Society – Future Prospects Ross Anderson Cambridge University and Foundation for Information Policy Research.
An Economic Perspective on Security Ross Anderson Cambridge University.

An Economic Perspective on Security Ross Anderson Cambridge University.

Similar presentations

Ads by Google