The Economics of Information Security: A Survey and Open Questions

Ross Anderson, Tyler Moore

Cambridge University

Economics and Security

  • The link between economics and security atrophied after WW2

  • Since 2000, information security economics has become a hot topic, with 100 researchers and now two annual workshops (WEIS, WESII)

  • Economic analysis often explains failure better than technical analysis!

  • Infosec mechanisms are used increasingly to support business models (DRM, lock-in, …)

  • Research is now spilling over to dependability, conventional security, trust and risk

Traditional View of Infosec

  • People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering

  • So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …

  • About 1999, we started to realize that this is not enough

Incentives and Infosec

  • Electronic banking: UK banks were less liable for fraud than US banks, so ended up suffering more internal fraud and more errors

  • Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others

  • Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy

  • Why is Microsoft software so insecure, despite market dominance?

New View of Infosec

  • Systems are often insecure because the people who could fix them have no incentive to

  • Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it

  • People connecting an insecure PC to the net don’t pay full costs, so we under-invest in antivirus software (Varian)

  • The move of businesses online led to massive liability dumping (Bohm et al)

New Uses of Infosec

  • Xerox started using authentication in ink cartridges to tie them to the printer (1996)

  • Followed by HP, Lexmark … and Lexmark’s case against SCC

  • Motorola started authenticating mobile phone batteries to the phone in 1998

  • The use of security technology to manipulate switching costs and tie products is now widespread

  • Vista will make compatibility control easier for software writers

Platform Security Lifecycle

  • High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage

  • Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ was quite rational

  • When building a network monopoly, woo complementers by skimping on security, and choosing technology like SSL that dumps the compliance costs on the user

  • Once you’re established, lock everything down

Other Investment Effects

  • Security may depend on best effort (security architect), weakest-link (careless programmer) or sum-of-efforts (testing)

  • Analysis (Akerlof, Varian) suggests firms should hire more testers, and fewer but better programmers (this is happening!)

  • Security products can be strategic complements (and tend to be a lemons market anyway)

  • Security product adoption is a hard problem unless early adopters get local benefits

  • So very many products fail to get adopted

Security and Liability

  • Why did digital signatures not take off?

  • Industry thought: legal uncertainty. So EU passed electronic signature law

  • But customers and merchants resist transfer of liability by bankers for disputed transactions

  • Best to stick with credit cards, as that way fraud is still largely the bank’s problem

  • Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty

Privacy Economics

  • Gap between stated and revealed preferences!

  • Odlyzko – technology makes price discrimination both easier and more attractive

  • Varian – interests of consumers and firms not in conflict but information markets fail because of externalities and search costs. Educated consumers opt out more

  • Acquisti et al – people care about privacy when buying clothes, but not cameras (some items relate to your image, so are privacy sensitive)

  • Externalities cut both ways, though – to be anonymous, you need to be in a crowd

Open versus Closed?

  • Are open-source systems more dependable? It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them

  • Theory: openness helps attackers and defenders equally if bugs are random in the standard dependability model

  • So maybe we should keep systems closed (Rescorla) – but this is an empirical question

  • So get the statistics: bugs are correlated in a number of real systems (‘Milk or Wine?’)

  • Trade-off: the gains from this, versus the risks to systems whose owners don’t patch
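The symmetric-case argument behind the "openness helps both equally" bullet, written out here as an added reconstruction (the slide gives only the conclusion; the notation $k$ and $\lambda$ is mine): in the reliability-growth model the slide refers to, a system that has had testing time $t$ has a residual failure rate, the rate at which a fresh tester turns up a new bug, of about $k/t$ for some constant $k$, so MTBF grows linearly with $t$. Let $\lambda > 1$ be the factor by which withholding the source slows bug finding. If it slows attackers and the vendor's own testers equally (the assumption behind "bugs are random"), then after the same calendar time $t$ the closed system has effective testing time $t/\lambda$ and residual failure rate

$$\frac{k}{t/\lambda} = \frac{\lambda k}{t},$$

but an attacker probing it is also slowed by $\lambda$, so the rate at which the attacker actually finds new bugs is

$$\frac{1}{\lambda}\cdot\frac{\lambda k}{t} = \frac{k}{t},$$

exactly the open system's rate. Closing the code buys nothing in this model; it only helps when the slowdown is asymmetric (attackers handicapped more than the vendor's testers), which is why the next bullets treat it as an empirical question.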

Vulnerability Markets

  • Security isn’t just a lemons market – even the vendor often doesn’t know the quality of his software

  • Insurance can be problematic because of inter-firm failure correlation

  • Camp and Wolfram (2000), Schechter (2002): try vulnerability markets

  • Two traders now exist (but prices secret)

  • Alternatives - software quality derivatives (Böhme), bug auctions (Ozment)

How Much to Spend?

  • How much should firms spend on information security?

  • Governments, vendors say: much much more than at present (But they’ve been saying this for 20 years!)

  • Measurements of security return-on-investment suggest current expenditure may be about right

  • But SMEs spend too little, big firms too much, and governments way too much

  • Adams: it’s the selection of the risk managers

Games on Networks

  • The topology of a network can be important!

  • Barabási and Albert showed that a scale-free network could be attacked efficiently by targeting its high-order nodes

  • Think: rulers target Saxon landlords / Ukrainian kulaks / Tutsi schoolteachers /…

  • Can we use evolutionary game theory ideas to figure out how networks evolve?

  • Idea: run many simulations between different attack / defence strategies

Games on Networks (2)

Vertex-order attacks with:

  • Black – normal (scale-free) node replenishment

  • Green – defenders replace high-order nodes with rings

  • Cyan – they use cliques (c.f. system biology …)
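The vertex-order attack from the two slides above, as an added example written for this page (it is not the authors' simulation code): a pure-Python Barabási–Albert generator, then a comparison of deleting the currently highest-degree node versus deleting nodes at random, measured by the largest connected component that survives. The ring and clique replenishment defences on the second slide are not modelled; the network size, m=2, the 10% removal fraction and the seed are my choices.

```python
"""Vertex-order attack on a scale-free (Barabasi-Albert) network.

Pure Python so it runs without networkx.  Compares removing the
highest-degree surviving node at each step with removing nodes uniformly
at random, reporting the largest connected component left as a fraction
of the original node count.  Parameters (n=1000, m=2, 10% removed,
seed=1) are illustrative choices, not values from the talk.
"""
import random
from collections import deque


def barabasi_albert(n, m, rng):
    """Preferential-attachment graph: each new node links to m distinct
    existing nodes chosen with probability proportional to degree.
    Returns the adjacency as a dict: node -> set of neighbours."""
    adj = {v: set() for v in range(n)}
    targets = list(range(m))     # the first real node links to the m seeds
    endpoints = []               # each node listed once per incident edge
    for v in range(m, n):
        for t in targets:
            adj[v].add(t)
            adj[t].add(v)
        endpoints.extend(targets)
        endpoints.extend([v] * m)
        chosen = set()
        while len(chosen) < m:   # uniform pick from endpoints == degree-weighted
            chosen.add(rng.choice(endpoints))
        targets = list(chosen)
    return adj


def largest_component(adj, alive):
    """Size of the largest connected component among the nodes in `alive`."""
    seen, best = set(), 0
    for start in alive:
        if start in seen:
            continue
        size, queue = 0, deque([start])
        seen.add(start)
        while queue:
            v = queue.popleft()
            size += 1
            for w in adj[v]:
                if w in alive and w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best


def attack(adj, fraction, rng=None):
    """Delete `fraction` of the nodes and return the surviving largest
    component as a fraction of the original n.

    rng=None: vertex-order attack, repeatedly deleting the surviving node
    with the highest remaining degree (degrees are updated after each
    deletion).  With an rng: delete nodes uniformly at random instead."""
    n = len(adj)
    alive = set(adj)
    degree = {v: len(adj[v]) for v in adj}
    for _ in range(int(fraction * n)):
        if rng is None:
            victim = max(alive, key=lambda v: degree[v])
        else:
            victim = rng.choice(sorted(alive))
        alive.remove(victim)
        for w in adj[victim]:
            if w in alive:
                degree[w] -= 1
    return largest_component(adj, alive) / n


def compare(n=1000, m=2, fraction=0.10, seed=1):
    """Build one network and return (targeted, random) surviving fractions."""
    rng = random.Random(seed)
    adj = barabasi_albert(n, m, rng)
    targeted = attack(adj, fraction)
    randomised = attack(adj, fraction, random.Random(seed))
    return targeted, randomised


if __name__ == "__main__":
    targeted, randomised = compare()
    print(f"largest component after removing 10% of nodes: "
          f"targeted {targeted:.2f}, random {randomised:.2f}")
```

The gap between the two numbers is the point of the first slide: the same node budget spent on high-order nodes fragments the scale-free network far more than random loss does, which is what makes it worth asking how defenders should replenish or restructure (the rings and cliques of the second slide).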

The price of anarchy

  • Some technical cases are soluble, e.g. selfish routing with linear costs, where the price of anarchy is at most 4/3 (Roughgarden et al)

  • Big CS interest in combinatorial auctions for routing (Papadimitriou et al)

  • Big practical problem: spam (and phishing)

  • Proposed techie solutions (e.g. puzzles) put the incentive in the wrong place

  • Peer-to-peer systems: clubs?
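Where the 4/3 on the slide comes from, as an added worked example (not part of the talk): Pigou's two-link network, the standard instance that attains the Roughgarden–Tardos bound for linear latencies. One unit of traffic chooses between a link of constant latency c and a link whose latency equals its own load; the constant c, the 0 < c ≤ 3 scan range and the grid size are my choices.

```python
"""Pigou's two-link example of selfish routing with linear latencies.

One unit of traffic goes from s to t over two parallel links:
  link 1: latency c, independent of load
  link 2: latency equal to its own load y (congestible)
Each unit of traffic takes whichever link is cheaper for itself.  The price
of anarchy is (equilibrium total latency) / (optimal total latency); for
linear latencies it is at most 4/3, and this network reaches that at c = 1.
"""


def total_latency(y, c):
    """Total latency when load y in [0, 1] uses link 2 and 1 - y uses link 1."""
    return (1.0 - y) * c + y * y


def nash_load(c):
    """Selfish (Wardrop) equilibrium load on link 2.

    Traffic keeps shifting to link 2 until its latency y equals c, or until
    all of it is there (y = 1) and link 2 is still no worse than link 1."""
    return min(1.0, c)


def optimal_load(c):
    """Socially optimal load on link 2: minimise (1 - y) c + y^2 over [0, 1].

    The derivative 2y - c vanishes at y = c / 2; clamp to the feasible range."""
    return min(1.0, c / 2.0)


def price_of_anarchy(c):
    """Equilibrium cost divided by optimal cost for constant latency c."""
    return total_latency(nash_load(c), c) / total_latency(optimal_load(c), c)


def worst_case_over_grid(steps=2000):
    """Scan c over (0, 3] and return (c, ratio) where the ratio is largest."""
    best_c, best_ratio = None, 0.0
    for i in range(1, steps + 1):
        c = 3.0 * i / steps
        ratio = price_of_anarchy(c)
        if ratio > best_ratio:
            best_c, best_ratio = c, ratio
    return best_c, best_ratio


if __name__ == "__main__":
    for c in (0.5, 1.0, 2.0):
        print(f"c={c}: nash load={nash_load(c):.3f} optimal load="
              f"{optimal_load(c):.3f} PoA={price_of_anarchy(c):.4f}")
    c, ratio = worst_case_over_grid()
    print(f"worst case near c={c:.3f}: PoA={ratio:.4f} (bound 4/3 = {4/3:.4f})")
```

At c = 1 every selfish unit of traffic crowds onto the congestible link (total latency 1) while the coordinated split puts half on each (total latency 3/4), giving exactly 4/3; for c below or above 1 the ratio falls off, and the scan never exceeds the bound. This is the sense in which "technical cases are soluble": the inefficiency of letting each party optimise locally can be bounded, which is what the spam and puzzle bullets above lack.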

Vista and Competition

  • A live EU concern – workshop on Monday

  • IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator

  • Files are encrypted and associated with rights management information

  • Switching from Office to OpenOffice in 2010 might involve getting permission from all your correspondents

  • Other cases of lock-in harming innovation

Vista and Competition (2)

  • How should we think of DRM? The music industry wanted it while the computer industry hated it. This is flipping. Microsoft embraced DRM and the music industry’s now wavering

  • Varian, 2005: what happens when you connect a concentrated industry to a diffuse one?

  • Answer, 2006 – Apple runs away with the money

  • Answer, 2007 – Microsoft appears to be making a play to control high-definition content distribution (Gutmann)

Large Project Failure

  • Maybe 30% of large projects fail

  • But we build much bigger failures nowadays than 30 years ago so…

  • Why do more public-sector projects fail?

  • Consider what the incentives are on project managers versus ministers – and what sort of people will become successful project managers versus ministers!

The Information Society

  • More and more goods contain software

  • More and more industries are starting to become like the software industry

  • The good: flexibility, rapid response

  • The bad: frustration, poor service

  • The ugly: monopolies

  • The world will be full of ‘things that think’ (and that exhibit strategic behaviour)

  • How will society evolve to cope?

More …

  • Economics and Security Resource Page – (or follow link from

  • WEIS – Annual Workshop on the Economics of Information Security – next at CMU, June 7–8 2007