An Economic Perspective on Security Ross Anderson Cambridge University.
1 An Economic Perspective on Security Ross Anderson Cambridge University

2 Economics and Security
Over the last four years, we have started to apply economic analysis to information security
Economic analysis often explains security failure better than technical analysis!
Information security mechanisms are used increasingly to support business models rather than to manage risk
Economic analysis is also vital for the public policy aspects of security
It is critical for understanding competitive advantage

3 Traditional View of Infosec
People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
About 1999, we started to realize that this is not enough

4 Incentives and Infosec
Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others
Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
Why is Microsoft software so insecure, despite market dominance?

5 New View of Infosec
Systems are often insecure because the people who could fix them have no incentive to
Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it
Security is often what economists call an ‘externality’ – like environmental pollution
This may justify government intervention

6 New Uses of Infosec
Xerox started using authentication in ink cartridges to tie them to the printer
Followed by HP, Lexmark … and Lexmark’s case against SCC
Motorola started authenticating mobile phone batteries to the phone
BMW now has a car prototype that authenticates its major components

7 IT Economics (1)
The first distinguishing characteristic of many IT product and service markets is network effects
Metcalfe’s law – the value of a network is the square of the number of users
Real networks – phones, fax, email
Virtual networks – PC architecture versus Mac, or Symbian versus WinCE
Network effects tend to lead to dominant-firm markets where the winner takes all

8 IT Economics (2)
Second common feature of IT product and service markets is high fixed costs and low marginal costs
Competition can drive down prices to marginal cost of production
This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility …
These effects can also lead to dominant-firm market structures

9 IT Economics (3)
Third common feature of IT markets is that switching from one product or service to another is expensive
E.g. switching from Windows to Linux means retraining staff, rewriting apps
Shapiro-Varian theorem: the net present value of a software company is the total switching costs
This is why so much effort is starting to go into accessory control – manage the switching costs in your favour

10 IT Economics and Security
High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
So time-to-market is critical
Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but quite rational
Whichever company had won in the PC OS business would have done the same

11 IT Economics and Security (2)
When building a network monopoly, it is also critical to appeal to the vendors of complementary products
E.g., application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or WinMP versus Real
Lack of security in earlier versions of Windows makes it easier to develop applications
Similarly, choice of security technologies that dump support costs on the user (SSL, PKI, …)

12 Why are many security products ineffective?
Akerlof’s Nobel-prizewinning paper, ‘The Market for Lemons’, provides key insight – asymmetric information
Suppose a town has 100 used cars for sale: 50 good ones worth $2000 and 50 lemons worth $1000
What is the equilibrium price of used cars in this town?
If $1500, no good cars will be offered for sale …
Fix: brands (e.g. ‘Volvo certified used car’)
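The unravelling the slide leaves as a question, carried through as an added example (this is not from the slides and not Akerlof's own model): buyers who cannot tell a good car from a lemon pay at most the average value of what is on offer, and an owner only offers a car if the price covers what it is worth to him. The 100-car town and the $2000/$1000 values are the slide's; the simple best-response iteration, the `equilibrium` and `certified_equilibrium` names and the certification function are this example's assumptions. The same logic is why buyers who cannot tell good security products from bad pay snake-oil prices, and why a trusted brand or certification is the fix the slide names.

```python
# Added example: Akerlof's lemons market from the slide, iterated to its
# equilibrium.  The town's numbers are the slide's; the iteration rule
# (buyers pay the average of what is offered, owners sell only at or above
# the car's value to them) is this example's assumption.

GOOD, LEMON = 2000, 1000                    # values from the slide
TOWN = [GOOD] * 50 + [LEMON] * 50           # 50 good cars, 50 lemons


def offered(price, cars):
    """Cars whose owners are willing to sell at `price`."""
    return [value for value in cars if value <= price]


def buyers_price(cars_on_offer):
    """Unable to tell quality, buyers pay the average value of what is offered."""
    if not cars_on_offer:
        return 0
    return sum(cars_on_offer) / len(cars_on_offer)


def equilibrium(cars, start_price):
    """Iterate offers -> price until nothing changes.

    Returns (clearing price, cars that change hands, price path)."""
    price = start_price
    path = [price]
    while True:
        on_offer = offered(price, cars)
        new_price = buyers_price(on_offer)
        path.append(new_price)
        if new_price == price:
            return price, on_offer, path
        price = new_price


def certified_equilibrium(cars, certify):
    """The slide's fix: a trusted brand/certification splits the pool by
    quality, so each sub-market clears at its own value.  `certify` maps a
    car to a label the buyer can see and trust."""
    pools = {}
    for value in cars:
        pools.setdefault(certify(value), []).append(value)
    return {label: equilibrium(pool, max(pool))[0] for label, pool in pools.items()}


if __name__ == "__main__":
    for start in (1500, 2000):
        price, sold, path = equilibrium(TOWN, start)
        print(f"start ${start}: path {path} -> ${price:.0f}, {len(sold)} cars sold, "
              f"good cars sold: {sum(v == GOOD for v in sold)}")
    print(certified_equilibrium(TOWN, lambda v: "certified" if v == GOOD else "uncertified"))
```

Starting at $1500 the good cars are withdrawn at once and the price drops to $1000; starting at $2000 it first falls to the $1500 average and then to $1000. Either way only lemons trade, which is the slide's point: without a signal the buyer can trust, the good product cannot command its price and leaves the market.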

13 Security and Liability
Why did digital signatures not take off (e.g. SET protocol)?
Industry thought: legal uncertainty. So EU passed electronic signature law
Recent research: customers and merchants resist transfer of liability by bankers for disputed transactions
Best to stick with credit cards, as any fraud is the bank’s problem
Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty

14 Privacy
Most people say they value privacy, but act otherwise
Privacy technology ventures have mostly failed
Latest research – people care about privacy when buying clothes, but not cameras
Analysis – some items relate to personal image, and it’s here that the privacy sensitivity focuses
Issue for mobile phone industry – phone viruses worse for image than PC viruses

15 How Much to Spend?
How much should the average company spend on information security?
Governments, vendors say: much much more than at present!
But hey - they’ve been saying this for 20 years
Measurements of security return-on-investment suggest about 20% p.a.
So current expenditure may be about right

16 How are Incentives Skewed?
If you are DirNSA and have a nice new hack on NT, do you tell Bill?
Tell – protect 300m Americans
Don’t tell – be able to hack 400m Europeans, 1000m Chinese, …
If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

17 Skewed Incentives (2)
Within corporate sector, large companies tend to spend too much on security and small companies too little
Research shows adverse selection effect
The most risk-averse people end up as corporate security managers
More risk-loving people may be sales or engineering staff, or small business entrepreneurs
Also: due-diligence effects, government regulation, insurance market issues

18 Why Bill wasn’t interested in security
While Microsoft was growing, the two critical factors were speed, and appeal to application developers
Security markets were over-hyped and driven by artificial factors
Issues like privacy and liability were more complex than they seemed
The public couldn’t tell good security from bad anyway

19 Why is Bill now changing his mind?
‘Trusted Computing’ initiative ranges from TCG to the IRM mechanisms in Office 2003
TCG – put a TPM (smartcard) chip in every PC motherboard, PDA, mobile phone
This will do remote attestation of what the machine is and what software it’s running
On top of this will be layers of software providing new security functionality, of a kind that would otherwise be easily circumvented, such as DRM and IRM
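How the remote attestation on this slide works, as an added example that is not from the slides or from any TCG specification: each boot stage measures (hashes) the next one and extends a platform configuration register, PCR = H(PCR || measurement), so the final value commits to the whole boot sequence; the TPM then signs that value together with a verifier-supplied nonce, and the verifier replays the event log and compares the result with the value it expects. Assumptions of the example: SHA-256 registers (TPM 1.2 parts of the period used SHA-1), an HMAC under a key shared with the verifier standing in for the TPM's attestation-key signature, sealing modelled as releasing a secret only under the expected PCR, and three constructed boot stages as sample input. The function names (`measured_boot`, `tpm_quote`, `verify_attestation`, `unseal`) are this example's own.

```python
# Added example: a toy model of TCG-style measured boot, remote attestation
# and sealing.  Not TCG's or any vendor's code.  Assumed here: SHA-256 PCRs,
# an HMAC under a shared key in place of the TPM's attestation-key
# signature, and made-up boot stages as sample input.
import hashlib
import hmac

PCR_INIT = bytes(32)                      # PCRs start at all-zero


def extend(pcr, measurement):
    """The only way to change a PCR, so its value commits to the whole history."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages):
    """Each stage hashes the next, logs it, and extends the PCR.
    Returns (final PCR, event log of (name, measurement))."""
    pcr, log = PCR_INIT, []
    for name, code in stages:
        m = hashlib.sha256(code).digest()
        log.append((name, m))
        pcr = extend(pcr, m)
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR from the event log."""
    pcr = PCR_INIT
    for _, m in log:
        pcr = extend(pcr, m)
    return pcr


def tpm_quote(aik, nonce, pcr):
    """The TPM signs (nonce, PCR).  The nonce binds the quote to this request."""
    msg = nonce + pcr
    return msg, hmac.new(aik, msg, hashlib.sha256).digest()


def verify_attestation(aik, nonce, msg, sig, log, golden_pcr):
    """Verifier side.  Returns (accepted, reason)."""
    if not hmac.compare_digest(hmac.new(aik, msg, hashlib.sha256).digest(), sig):
        return False, "bad signature"
    if msg[:len(nonce)] != nonce:
        return False, "replayed quote"             # old quote, wrong nonce
    pcr = msg[len(nonce):]
    if replay_log(log) != pcr:
        return False, "event log does not match PCR"
    if pcr != golden_pcr:
        return False, "unexpected software stack"  # honest log, unwanted software
    return True, "ok"


def unseal(sealed_secret, sealed_to_pcr, current_pcr):
    """Sealing: the secret is released only under the PCR value it was sealed to."""
    return sealed_secret if current_pcr == sealed_to_pcr else None


# Constructed sample input: the stack the verifier expects, and a modified one.
GOOD = [("bios", b"bios 1.0"), ("loader", b"loader 2.1"), ("os", b"os 3.0 + rights client")]
TAMPERED = GOOD[:2] + [("os", b"os 3.0 patched to skip rights client")]
AIK = b"attestation-key-shared-for-this-example"   # assumption: shared HMAC key
GOLDEN_PCR = replay_log(measured_boot(GOOD)[1])     # value the verifier insists on


def attest(stages, nonce=b"verifier-nonce-1", log_override=None):
    """Boot, obtain a quote, verify it.  `log_override` lets a cheat present a different log."""
    pcr, log = measured_boot(stages)
    msg, sig = tpm_quote(AIK, nonce, pcr)
    return verify_attestation(AIK, nonce, msg, sig, log if log_override is None else log_override, GOLDEN_PCR)


if __name__ == "__main__":
    print("good boot:", attest(GOOD))
    print("patched OS, honest log:", attest(TAMPERED))
    print("patched OS, borrowed log:", attest(TAMPERED, log_override=measured_boot(GOOD)[1]))
    print("unseal under patched PCR:", unseal(b"content key", GOLDEN_PCR, measured_boot(TAMPERED)[0]))
```

Two caveats a practitioner should keep in mind. The register proves what was loaded, not what the loaded code is doing now, and a stale quote is only caught because the verifier checks its own nonce. More to the slide's point, the verifier, not the machine owner, holds the golden value: whoever decides which software stacks are acceptable decides which software can open the sealed content, which is the lever the next slides describe.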

20 Why is Bill now changing his mind? (2)
IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator
Files are encrypted and associated with rights management information
The file creator can specify that a file can only be read by Mr. X, and only till date Y
Now shipping in Office 2003
What will be the effect on the typical business that uses PCs?

21 Why is Bill now changing his mind? (3)
At present, a company with 100 PCs pays maybe $500 per seat for Office
Remember – value of software company = total switching costs
So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000
But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher
Lock-in is the key

22 Strategic issues
TCG initiative started by Intel as they believed that control of the ‘home hub’ was vital
They made 90% of their profits from PC processors, and controlled 90% of the market
Innovations such as PCI, USB and now TC are designed to grow the overall size of the PC market
They are determined not to lose control of the home to the Sony Playstation

23 Strategic Issues (2)
Who will control users’ data?
Microsoft view – everything will be on an MS platform (your WP files, presentations, address book, pictures, movies, music)
European Commission view – this is illegal anticompetitive behaviour
Proposed anti-trust remedy – force MS to unbundle Media Player, or to include other media players in its Windows distribution

24 The Information Society
More and more goods contain software
More and more industries are starting to become like the software industry
The good: flexibility, rapid response
The bad: frustration, poor service
The ugly: monopolies
How will law evolve to cope?

25 Property
The Enlightenment idea - that the core mission of government wasn’t enforcing faith, but defending property rights
18th-19th century: rapid evolution of property and contract law
Realisation that these are not absolute!
Abolition of slavery, laws on compulsory purchase, railway regulation, labour contracts, tenancy contracts, …

26 ‘Intellectual Property’
Huge expansion as software etc have become more important - 7+ directives since 1991
As with ‘ordinary’ property and contract in about 1850, we’re hitting serious conflicts
Competition law - legal protection of DRM mechanisms leads to enforcement of illegal contracts and breaches of the Treaty of Rome
Environmental law - recycling of ink cartridges mandated, after printer vendors use tamper resistance and cryptography to stop it

27 ‘Intellectual Property’ (2)
Privacy law - DRM mechanisms collect usage data to segment markets
Trade law - RFID set to become ‘region coding for blue jeans’, undermining the Single Market
Employment law - French courts strike down a major’s standard record contract
Internal failure of copyright law - most copyrighted material now locked up, so you need to go to the secondhand shop (which DRM will prevent in future)

28 Conclusions
More government involvement in issues such as DRM is inevitable
However, at present the Commission is rowing in absolutely the wrong direction
The ‘Internet’, or more properly the Information Society, is stuck in about 1850
We need to figure out how to balance competing social goals, as we have in the physical world
Simply pushing for harsher enforcement of rules from 1850 won’t work in the 21st century

29 More …
WEIS 2004 (Workshop on Economics and Information Security), Harvard, 2-4/6/2005
Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)
Foundation for Information Policy Research – www.fipr.org
