Security Economics
Ross Anderson
Cambridge University

Economics and Security
- The link between economics and security atrophied after WW2
- Since 2000, we have started to apply economic analysis to IT security and dependability
- Economic analysis often explains failure better than technical analysis!
- Infosec mechanisms are used increasingly to support business models (DRM, accessory control) rather than to manage risk
- Economic analysis is also vital for the public policy aspects of security
- It has broader importance too

The Classical View
- When production factors were just land, labour and capital, a country can maybe grow fastest by capturing more land and labour
- Before the gains from trade were understood, big empires mean big markets
- Richer countries can afford bigger navies
- But – the invention of the atomic bomb seemed to decouple national survival from national economic performance
- The political-economy and international-relations communities drifted apart

Traditional View of Infosec
- People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
- So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
- About 1999, we started to realize that this is not enough

Incentives and Infosec
- Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
- Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others
- Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
- Why is Microsoft software so insecure, despite market dominance?

New View of Infosec
- Systems are often insecure because the people who could fix them have no incentive to
- Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it
- Security is often what economists call an ‘externality’ – like environmental pollution
- Since about 2002, this has been used to justify government intervention in infosec

New Uses of Infosec
- Xerox started using authentication in ink cartridges to tie them to the printer
- Followed by HP, Lexmark … and Lexmark’s case against SCC
- Motorola started authenticating mobile phone batteries to the phone
- BMW now has a car prototype that authenticates its major components

IT Economics (1)
- The first distinguishing characteristic of many IT product and service markets is network effects
- Metcalfe’s law – the value of a network is the square of the number of users
- Real networks – phones, fax, email
- Virtual networks – PC architecture versus Mac, or Symbian versus WinCE
- Network effects tend to lead to dominant firm markets where the winner takes all

IT Economics (2)
- Second common feature of IT product and service markets is high fixed costs and low marginal costs
- Competition can drive down prices to marginal cost of production
- This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility …
- These effects can also lead to dominant-firm market structures

IT Economics (3)
- Third common feature of IT markets is that switching from one product or service to another is expensive
- E.g. switching from Windows to Linux means retraining staff, rewriting apps
- Shapiro-Varian theorem: the net present value of a software company is the total switching costs
- This is why so much effort is starting to go into accessory control – manage the switching costs in your favour

IT Economics and Security
- High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
- So time-to-market is critical
- Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but quite rational
- Whichever company had won in the PC OS business would have done the same

IT Economics and Security 2
- When building a network monopoly, it is also critical to appeal to the vendors of complementary products
- E.g., application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or WinMP versus Real
- Lack of security in earlier versions of Windows made it easier to develop applications
- So did the choice of security technologies that dump most costs on the user (SSL, PKI, …)

Why are many security products ineffective?
- Akerlof’s Nobel-prizewinning paper, ‘The Market for Lemons’ provides key insight – asymmetric information
- Suppose a town has 100 used cars for sale: 50 good ones worth $2000 and 50 lemons worth $1000
- What is the equilibrium price of used cars in this town?
- If $1500, no good cars will be offered for sale …
- Fix: brands (e.g. ‘Volvo certified used car’) – analogy led to Common Criteria etc

Security and Liability
- Why did digital signatures not take off?
- Industry thought: legal uncertainty. So EU passed electronic signature law
- Recent research: customers and merchants resist transfer of liability by bankers for disputed transactions
- Best to stick with credit cards, as that way fraud is still largely the bank’s problem
- Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty

Privacy
- Most people say they value privacy, but act otherwise
- Privacy technology ventures have mostly failed
- Acquisti et al – people care about privacy when buying clothes, but not cameras (some items relate to your image, so are privacy sensitive)
- Issue for mobile phone industry – phone viruses worse for image than PC viruses
- Issue for the ‘database state’ – the Blair project of NPfIT, Children’s Databases, ID cards…
- Alternative models include externality – people who go ex-directory

How Much to Spend?
- How much should the average company spend on information security?
- Governments, vendors say: much more than at present!
- But hey - they’ve been saying this for 20 years
- Measurements of security return-on-investment suggest about 20% p.a.
- So current expenditure may be about right

How are Incentives Skewed?
- If you are DirNSA and have a nice new hack on NT, do you tell Bill?
- Tell – protect 300m Americans
- Don’t tell – be able to hack 400m Europeans, 1000m Chinese, …
- If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

Skewed Incentives (2)
- Within corporate sector, large companies tend to spend too much on security and small companies too little
- Research shows adverse selection effect
- The most risk-averse people end up as corporate security managers
- More risk-loving people may be sales or engineering staff, or entrepreneurs
- Also: due-diligence effects, government regulation, insurance market issues

Large Project Failure
- Maybe 30% of large projects fail
- But we build much bigger failures nowadays than 30 years ago so…
- Why do more public-sector projects fail?
- Consider what the incentives are on project managers versus ministers – and what sort of people will become successful project managers versus ministers!

Games on Networks
- The topology of a network can be important!
- Barabási and Albert showed that a scale-free network could be attacked efficiently by targeting its high-order nodes
- Think: rulers target Saxon landlords / Ukrainian kulaks / Tutsi schoolteachers /…
- Can we use evolutionary game theory ideas to figure out how networks evolve?
- Idea: run many simulations between different attack / defence strategies

Games on Networks (2)
Vertex-order attacks with:
- Black – normal (scale-free) node replenishment
- Green – defenders replace high-order nodes with rings
- Cyan – they use cliques (c.f. system biology …)

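Added example (not from the original slides): a minimal simulation of the vertex-order attack described above, comparing removal of the highest-degree nodes with random removal on a Barabási-Albert graph and measuring what remains connected. The graph size, attachment parameter, removal fraction, seed and all function names are assumptions chosen for illustration; the node replenishment, ring and clique defences from the slide are not modelled.

```python
import random
from collections import deque

def barabasi_albert(n, m, rng):
    """Grow a scale-free graph by preferential attachment (m links per new node)."""
    adj = {i: set() for i in range(n)}
    stubs = []                      # each node appears once per edge endpoint
    targets = list(range(m))        # the first new node links to the m seed nodes
    for v in range(m, n):
        for t in targets:
            adj[v].add(t)
            adj[t].add(v)
            stubs += [v, t]
        chosen = set()
        while len(chosen) < m:      # degree-proportional sampling, no repeats
            chosen.add(rng.choice(stubs))
        targets = list(chosen)
    return adj

def largest_component(adj, removed):
    """Size of the largest connected component once `removed` nodes are gone."""
    seen, best = set(removed), 0
    for s in adj:
        if s in seen:
            continue
        seen.add(s)
        queue, size = deque([s]), 0
        while queue:                # breadth-first search over surviving nodes
            u = queue.popleft()
            size += 1
            for w in adj[u]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best

def compare_attacks(n=2000, m=2, fraction=0.2, seed=1):
    """Return (largest component after vertex-order attack, after random removal)."""
    rng = random.Random(seed)       # fixed seed: constructed, repeatable input
    adj = barabasi_albert(n, m, rng)
    k = int(n * fraction)
    by_degree = sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k]
    at_random = rng.sample(range(n), k)
    return largest_component(adj, by_degree), largest_component(adj, at_random)

if __name__ == "__main__":
    print("largest component (vertex-order, random):", compare_attacks())
```

The gap between the two numbers is the defender's baseline: any replenishment strategy can be scored by how much of the connected component it preserves under the same vertex-order removal.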
Open versus Closed?
- Are open-source systems more dependable?
- It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them
- Theory: openness helps both equally if bugs are random and standard dependability model assumptions apply
- Statistics: bugs are correlated in a number of real systems (‘Milk or Wine?’)
- Trade-off: the gains from this, versus the risks to systems whose owners don’t patch

Why Bill wasn’t interested in security
- While Microsoft was growing, the two critical factors were speed, and appeal to application developers
- Security markets were over-hyped and driven by artificial factors
- Issues like privacy and liability were more complex than they seemed
- The public couldn’t tell good security from bad anyway

Why is Bill now changing his mind?
- ‘Trusted Computing’ initiative ranges from TCG to the IRM mechanisms in Office 2003
- TCG – put a TPM (smartcard) chip in every PC motherboard, PDA, mobile phone
- This will do remote attestation of what the machine is and what software it’s running
- On top of this will be layers of software providing new security functionality, of a kind that would otherwise be easily circumvented, such as DRM and IRM

Why is Bill now changing his mind? (2)
- IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator
- Files are encrypted and associated with rights management information
- The file creator can specify that a file can only be read by Mr. X, and only till date Y
- Now shipping in Office 2003
- What will be the effect on the typical business that uses PCs?

Why is Bill now changing his mind? (3)
- At present, a company with 100 PCs pays maybe $500 per seat for Office
- Remember – value of software company = total switching costs
- So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000
- But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher
- Lock-in is the key

Strategic issues
- TCG initiative started by Intel as they believed that control of the ‘home hub’ was vital
- They made 90% of their profits from PC processors, and controlled 90% of the market
- Innovations such as PCI, USB and now TC are designed to grow the overall size of the PC market
- They are determined not to lose control of the home to the Sony Playstation

Strategic Issues (2)
- Who will control users’ data?
- Microsoft view – everything will be on an MS platform (your WP files, presentations, address book, pictures, movies, music)
- European Commission view – this is illegal anticompetitive behaviour
- Proposed anti-trust remedy – force MS to unbundle Media Player, or to include other media players in its Windows distribution

The Information Society
- More and more goods contain software
- More and more industries are starting to become like the software industry
- The good: flexibility, rapid response
- The bad: frustration, poor service
- The ugly: monopolies
- How will law evolve to cope?

Property
- The Edinburgh enlightenment – the core mission of government wasn’t enforcing faith, but defending property rights
- 18th-19th century: rapid evolution of property and contract law
- Realisation that these are not absolute!
- Abolition of slavery, laws on compulsory purchase, railway regulation, labour contracts, tenancy contracts, …

‘Intellectual Property’
- Huge expansion as software etc have become more important - 7+ directives since 1991
- As with ‘ordinary’ property and contract in 1850–1950, we’re hitting serious conflicts
- Competition law - legal protection of DRM mechanisms leads to enforcement of illegal contracts and breaches of the Treaty of Rome
- Environmental law - recycling of ink cartridges mandated, after printer vendors use tamper resistance and cryptography to stop it
- Many more

Conclusions
- The Information Society has evolved from the ‘Wild West’ of 1850 to maybe 1920
- We need to figure out how to balance competing social goals, as we have in the physical world
- This means government involvement in the Internet
- Security economics provides some of the tools needed to understand what’s going on and to analyse policy options
- It may also provide some broader insights into issues from dependability to terrorism

More …
- Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from www.ross-anderson.com)
- WEIS – Annual Workshop on Economics and Information Security – next at CMU, June 7–8 2006
- Foundation for Information Policy Research – www.fipr.org