
Economics, Policy and Information Security. Ross Anderson, Cambridge University.


1 Economics, Policy and Information Security
- Ross Anderson, Cambridge University

2 Financial Times 25/9/5
- Infosec now an ‘Arms Race’ no-one can stop
- ‘Today indeed it seems we have a deficit of computer security. But it seems inevitable that tomorrow we will have too much’
- Decision-makers rely on data ‘systematically skewed in the direction of exaggerated harm and understated cost of prevention’
- ‘Over-protecting ourselves today will cost us tomorrow dearly in the unborn or delayed generations of innovation’
- See www.infosecon.net

3 Economics and Security
- Over the last five years, we have started to apply economic analysis to information security
- Economic analysis often explains security failure better than technical analysis!
- Information security mechanisms are used increasingly to support business models rather than to manage risk
- Economic analysis is critical for understanding competitive advantage
- It’s also vital for good public policy on security

4 Traditional View of Infosec
- People used to think that the Internet was insecure because of lack of features – not enough crypto / authentication / filtering
- So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
- About 1999, we started to realize that this is not enough

5 Incentives and Infosec
- Electronic banking: UK banks were less liable for fraud than US banks, so they got careless and ended up suffering more fraud and error
- Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others
- Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
- Why is Microsoft software so insecure, despite its market dominance?

6 New View of Infosec
- Systems are often insecure because the people who could fix them have no incentive to
- Bank customers suffer when bank staff get careless about fraud; patients suffer when hospital systems put administrators’ convenience before patient privacy; Amazon’s website suffers when infected PCs attack it
- Security is often what economists call an ‘externality’ – like environmental pollution
- This may justify government intervention

7 New Uses of Infosec
- Xerox started using authentication in ink cartridges to tie them to the printer
- Followed by HP, Lexmark … and Lexmark’s case against SCC (and Dell – US and Europe drifting apart!)
- Accessory control now spreading to more and more industries (games, phones, cars, …)

8 IT Economics and Security 1
- The high fixed/low marginal costs, network effects and switching costs in information industries all tend to lead to dominant-firm markets with big first-mover advantage
- So time-to-market is critical
- Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but quite rational
- Whichever company had won in the PC OS business would have done the same

9 IT Economics and Security 2
- When building a network monopoly, it is also critical to appeal to the vendors of complementary products
- E.g., application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or music sites in WMP versus RealPlayer
- Lack of security in earlier versions of Windows makes it easier to develop applications
- Similarly, choice of security technologies that dump support costs on the user (SSL, PKI, …)

10 Security and Liability
- Why did digital signatures not take off (e.g. SET protocol)?
- Industry thought: legal uncertainty. So EU passed electronic signature law
- But customers and merchants resisted transfer of liability by bankers for disputed transactions
- Customers do best to stick with credit cards, as any fraud is the bank’s problem
- Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty, premium-rate rip-offs

11 Privacy
- Most people say they value privacy, but act otherwise
- Privacy technology ventures have mostly failed (Zero Knowledge, Securicor, …)
- Latest research – people care about privacy when buying clothes, but not cameras
- Analysis – some items relate to personal image, and it’s here that the privacy sensitivity focuses
- Issue for mobile phone industry – phone viruses worse for image than PC viruses
- http://www.heinz.cmu.edu/~acquisti/economics-privacy.htm

12 How are Incentives Skewed?
- If you are DirNSA and have a nice new hack on Windows, do you tell Bill?
  - Tell – protect 300m Americans
  - Don’t tell – be able to hack 400m Europeans, 1000m Chinese, …
- If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

13 Skewed Incentives (2)
- Within the corporate sector, large companies tend to spend too much on security and small companies too little
- Research shows an adverse selection effect:
  - The most risk-averse people end up as corporate security managers
  - More risk-loving people may be sales or engineering staff, or small-business entrepreneurs
- Also: due-diligence effects, government regulation, insurance market issues

14 Economics of Rights Management (1)
- What happens when you link a concentrated industry (platforms) with a less concentrated industry (music)?
- Varian’s analysis – most of the resulting surplus goes to the platform owner
- So don’t be surprised at music industry complaints about Apple, or DG Competition action against WMP

15 Economics of Rights Management (2)
- IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator
- Files are encrypted and associated with rights management information
- The file creator can specify that a file can only be read by Mr. X, and only till date Y
- Now shipping in Office – and heavily promoted!
- What will be the effect on the typical business that uses PCs?

16 Economics of Rights Management (3)
- At present, a company with 100 PCs pays maybe $500 per seat for Office
- Remember Shapiro-Varian result – value of software company = total switching costs
- So – cost of retraining everyone to use Linux, converting files etc. is maybe $50,000
- But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher
- Lock-in is the key

17 The Information Society
- More and more goods contain software
- More and more industries are starting to become like the software industry
- The good: flexibility, rapid response
- The bad: frustration, poor service
- The ugly: monopolies
- How will the law evolve to cope?

18 Property
- The enlightenment idea – that the core mission of government wasn’t defending faith, but defending property rights
- 18th-19th century: rapid evolution of property and contract law
- Realization that these are not absolute!
- Abolition of slavery, laws on compulsory purchase, railway regulation, labour contracts, tenancy contracts, …

19 Intellectual Property
- Huge expansion as software etc. have become more important – 7+ directives since 1991
- As with ‘ordinary’ property and contract in about 1850, we’re hitting serious conflicts
- Competition law – legal protection of DRM mechanisms leads to enforcement of illegal contracts and breaches of the Treaty of Rome; judgment against Microsoft
- Environmental law – recycling of ink cartridges mandated, after printer vendors use crypto to stop it

20 Intellectual Property (2)
- Privacy law – DRM mechanisms collect usage data to segment markets
- Trade law – exemption for online services may undermine the Single Market
- Employment law – French courts strike down a major’s standard record contract
- IPR Enforcement Directive 2 – will criminalize patent infringement and incitement to infringe IP, unlike in the USA, where the BSA is leading a push for reduced civil damages in patent cases
- With IPRED 1 and Lexmark, may make the EU more hostile to tech innovation than America

21 Conclusions
- More government involvement in infosec, and related issues such as DRM, is inevitable
- However, policy is often confused and contradictory at all levels
- We need to figure out how to balance competing social goals, as we have in the physical world, and underpin that balance with legislation
- And we mustn’t end up being more hostile to technology business than the USA
- Mature economic analysis is essential!

22 More …
- WEIS 2006 (Workshop on Economics and Information Security), Cambridge, June 26-28 2006
- Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)
- Foundation for Information Policy Research – www.fipr.org

