Why Information Security is Hard An Economic Perspective

Why Information Security is Hard -An Economic Perspective Ross Anderson University of Cambridge

Abstract n Common view: n n Security is just a difficult technical issue Anderson’s view: n It is at least as hard because of economic disincentives

Summary n The paper uses the language of economics to describe Why Information Security is often not implemented n Why Information Security is often implemented for motives other than protection n

Simple Economics n n Look at all decisions and designs in terms of a Costs and Benefits To maximize returns: Do what costs least or brings biggest returns n Ultimately measured in $$ n

A Matter of Questions n Economic Who n When n Why n Where n n Technical What n How n

Who Suffers? n Who has primary responsibility when bank fraud occurs? In US – the bank n In Europe – the customer n n Guess which has the more effective security system

Who Suffers? n Disincentive: n n n The party funding the security measure is not the party suffering the consequence of a breach Why should the funding party spend a lot if no liability? Would virus protection be more effective if mail client vendors had to pay user’s costs of a virus?

Who Pays? n Who pays for protecting a shared resource? Users want to get as much of it as they can n Aren’t motivated to spend to protect it n Resource manager wants to maximize use (and revenue), so he should pay n Example – Network vendor should prevent DOS attacks and not expect users to pay for the protection n

When Should Security be Added? n n All software engineers know – when the product is developed But what are the real costs? Time to Market n Complexity n

Economics Term: NETWORK EXTERNALITIES n n n The change in value of a resource when the number of consumers of the resource changes Example: Metcalfe’s Law – value of a network increases as the square of the number of nodes A product has more underlying value if it has more users

When – Time to Market n The preceding implies a high value for getting to market first Dominate n Low marginal costs once established n Set up barriers – high switching costs n n Adding security features increases time to market and risks missing the window of opportunity

When – Time to Market n Users would probably pay more if product were more secure n n I. e. incremental development costs are OK But lost opportunity costs are too high to vendor n A disincentive to building security in from the start

When - Complexity n Security features in OS or Network make life more difficult for developers n n n Think of capability like record locking – necessary, but makes application more complicated Developers are a primary target for OS and Network vendors Thus arises an implicit agreement to pass security costs on to the users n Not absolutely required for applications

Why Have Security? Economic Reasons n Add security features for the benefit of the vendor, not the user Lock-in users n Maximize revenue n Protect on-going revenue n Get market data n

Why? – Lock-in Users n Use proprietary security measures Vendor can control n Can create revenue n Block or hinder competition n Users get familiar – harder to switch n n Probably reduces reliability and stability

Why – Maximize Revenue n Use as a high price upgrade feature Incremental cost is low to nothing n But can charge a lot for it n Non-IT example: Airline fares n IT example: Basic product vs. “Gold” version n

Why – Protect Revenue n n Use security to prevent reverse engineering Use security measures to prevent add-on generic products n E. g. printer cartridges

Why – Protect and Gather Data n RFID Helps prevent theft n Creates revenue (e. g. toll tags) n Track inventory and shipments n n n (IBM “you’re on the road to Fresno” ad) But n Big privacy threat Can track car movements n Can track people (see movie “Minority Report”) n

Why – Get Market Data n MS Passport – a good example of a bad example Purported purpose – to provide a single point of security to many Web sites n But Passport tracks your surfing n And shares your data n And provides bad guys with a single point of attack n

Where is the Advantage? (Economics of “War”) n In security matters today, attackers have the advantage n Easier to find one flaw than find and patch them all n n Attacker only needs one Can model investment in attack and defense n Estimate bug count and investment in finding n Attacker’s advantage is large n Like trying to defend in Iraq n Attack can come anywhere – defense must be everywhere

Another Who Question Who Determines Security Quality? n n International Standards for Security exist But like ISO 9000, they appear to be more about process than content No absolute standard n Customer says what is wanted in security n Vendor verifies product meets requirements n n Current working standard is called “Common Criteria”

Who Pays for Evaluation? n n Should be customer, but this is big expense if each customer does it Current practice is that vendor pays an evaluator This leads to shopping for “easy” evaluators An Application Vendor may actually consider an evaluated product to have less value n If A. V. embeds the security product in his product and it fails, A. V. is more likely liable if security product is certified

Conclusion n Why do IT vendors not provide great security? n Economics! Create Monopoly n Maximize revenue n Reduce risk n n n Economics promotes insecurity Ultimately the problem is more political than technical

Final Analysis n n n The author’s arguments make sense but are strictly qualitative The paper provides little in the way of suggestions to solve the problems it describes It’s purpose is to provide us (especially techies) with a different, more complete and more realistic way to view security issues