The Economics of Information Security: A Survey and Open Questions

1
The Economics of Information Security: A Survey
and Open Questions
  • Ross Anderson, Tyler Moore
  • Cambridge University

2
Economics and Security
  • The link between economics and security atrophied
    after WW2
  • Since 2000, information security economics has
    become a hot topic, with 100 researchers and now
    two annual workshops (WEIS, WESII)
  • Economic analysis often explains failure better
    than technical analysis!
  • Infosec mechanisms are used increasingly to
    support business models (DRM, lock-in, ...)
  • Research is now spilling over to dependability,
    conventional security, trust and risk

3
Traditional View of Infosec
  • People used to think that the Internet was
    insecure because of a lack of features: crypto,
    authentication, filtering
  • So engineers worked on providing better, cheaper
    security features: AES, PKI, firewalls
  • About 1999, we started to realize that this is
    not enough

4
Incentives and Infosec
  • Electronic banking: UK banks were less liable for
    fraud, so ended up suffering more internal fraud
    and more errors
  • Distributed denial of service: viruses now don't
    attack the infected machine so much as use it
    to attack others
  • Health records: hospitals, not patients, buy IT
    systems, so they protect hospitals' interests
    rather than patient privacy
  • Why is Microsoft software so insecure, despite
    market dominance?

5
New View of Infosec
  • Systems are often insecure because the people who
    could fix them have no incentive to
  • Bank customers suffer when bank systems allow
    fraud; patients suffer when hospital systems
    break privacy; Amazon's website suffers when
    infected PCs attack it
  • People connecting an insecure PC to the net don't
    pay full costs, so we under-invest in antivirus
    software (Varian)
  • The move of businesses online led to massive
    liability dumping (Bohm et al)

6
New Uses of Infosec
  • Xerox started using authentication in ink
    cartridges to tie them to the printer (1996)
  • Followed by HP, Lexmark, and Lexmark's case
    against SCC
  • Motorola started authenticating mobile phone
    batteries to the phone in 1998
  • The use of security technology to manipulate
    switching costs and tie products is now
    widespread
  • Vista will make compatibility control easier for
    software writers

7
Platform Security Lifecycle
  • High fixed/low marginal costs, network effects
    and switching costs all tend to lead to
    dominant-firm markets with big first-mover
    advantage
  • Microsoft's philosophy of "we'll ship it Tuesday
    and get it right by version 3" was quite rational
  • When building a network monopoly, woo
    complementers by skimping on security, and
    choosing technology like SSL that dumps the
    compliance costs on the user
  • Once you're established, lock everything down

8
Other Investment Effects
  • Security may depend on best effort (security
    architect), weakest-link (careless programmer) or
    sum-of-efforts (testing)
  • Analysis (Akerlof, Varian) suggests firms should
    hire more testers, and fewer but better
    programmers (this is happening!)
  • Security products can be strategic complements
    (and tend to be a lemons market anyway)
  • Security product adoption is a hard problem unless
    you provide early adopters with local benefits
  • So very many products fail to get adopted

9
Security and Liability
  • Why did digital signatures not take off?
  • Industry thought: legal uncertainty. So the EU
    passed an electronic signature law
  • But customers and merchants resist transfer of
    liability by bankers for disputed transactions
  • Best to stick with credit cards, as that way
    fraud is still largely the bank's problem
  • Similar resistance to phone-based payment:
    people prefer prepayment plans because of
    uncertainty

10
Privacy Economics
  • Gap between stated and revealed preferences!
  • Odlyzko: technology makes price discrimination
    both easier and more attractive
  • Varian: interests of consumers and firms are not in
    conflict, but information markets fail because of
    externalities and search costs. Educated
    consumers opt out more
  • Acquisti et al: people care about privacy when
    buying clothes, but not cameras (some items
    relate to your image, so are privacy sensitive)
  • Externalities cut both ways, though: to be
    anonymous, you need to be in a crowd

11
Open versus Closed?
  • Are open-source systems more dependable? It's
    easier for the attackers to find vulnerabilities,
    but also easier for the defenders to find and fix
    them
  • Theory: openness helps both equally if bugs are
    random, in the standard dependability model
  • So maybe we should keep systems closed (Rescorla),
    but this is an empirical question
  • So get the statistics: bugs are correlated in a
    number of real systems ("Milk or Wine?")
  • Trade-off: the gains from this, versus the risks
    to systems whose owners don't patch

12
Vulnerability Markets
  • Security isn't just a lemons market: even the
    vendor often doesn't know the quality of his
    software
  • Insurance can be problematic because of
    inter-firm failure correlation
  • Camp and Wolfram (2000), Schechter (2002) try
    vulnerability markets
  • Two traders now exist (but prices secret)
  • Alternatives - software quality derivatives
    (Böhme), bug auctions (Ozment)

13
How Much to Spend?
  • How much should firms spend on information
    security?
  • Governments and vendors say "much, much more than at
    present" (but they've been saying this for 20
    years!)
  • Measurements of security return-on-investment
    suggest current expenditure may be about right
  • But SMEs spend too little, big firms too much,
    and governments way too much
  • Adams: it's the selection of the risk managers

14
Games on Networks
  • The topology of a network can be important!
  • Barabási and Albert showed that a scale-free
    network could be attacked efficiently by
    targeting its high-order (high-degree) nodes
  • Think: rulers target Saxon landlords / Ukrainian
    kulaks / Tutsi schoolteachers / ...
  • Can we use evolutionary game theory ideas to
    figure out how networks evolve?
  • Idea: run many simulations between different
    attack / defence strategies

15
Games on Networks (2)
  • Vertex-order attacks, with (plot legend):
  • Black: normal (scale-free) node replenishment
  • Green: defenders replace high-order nodes with
    rings
  • Cyan: they use cliques (cf. systems biology)
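As an added illustration of the simulation idea on slides 14 and 15 (example code written for this transcript, not code from Anderson and Moore's talk), the block below builds a small scale-free graph by preferential attachment, runs a vertex-order attack that repeatedly deletes the highest-degree surviving node, compares it with deleting nodes at random, and then applies the "rings" defence by linking each hub's neighbours into a ring before the same attack. The graph size, attachment parameter, removal fraction and random seed are assumptions chosen for the demo; only the Python standard library is used.

```python
import random
from collections import deque


def barabasi_albert(n, m, rng):
    """Build a scale-free graph by preferential attachment (Barabasi-Albert):
    each new node links to m existing nodes chosen with probability
    proportional to their current degree. Returns {node: set(neighbours)}."""
    adj = {i: set() for i in range(m + 1)}
    for i in range(m + 1):            # seed: a small complete graph
        for j in range(i + 1, m + 1):
            adj[i].add(j)
            adj[j].add(i)
    urn = [v for v in adj for _ in adj[v]]   # each node appears 'degree' times
    for new in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(urn))
        adj[new] = set()
        for v in chosen:
            adj[new].add(v)
            adj[v].add(new)
            urn.extend((v, new))
    return adj


def giant_component(adj):
    """Size of the largest connected component (BFS from every unvisited node)."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        queue, size = deque([start]), 0
        seen.add(start)
        while queue:
            u = queue.popleft()
            size += 1
            for w in adj[u]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        best = max(best, size)
    return best


def attack(adj, k, strategy, rng):
    """Remove k nodes and report the surviving giant component.
    'degree' is the vertex-order attack: always delete the node with the
    highest *current* degree; 'random' deletes uniformly chosen nodes."""
    g = {v: set(nb) for v, nb in adj.items()}   # work on a copy
    for _ in range(k):
        if strategy == "degree":
            victim = max(g, key=lambda v: len(g[v]))
        else:
            victim = rng.choice(sorted(g))
        for w in g.pop(victim):
            g[w].discard(victim)
    return giant_component(g)


def ring_defence(adj, k):
    """Slide 15's 'rings': for each of the k highest-degree hubs, link the
    hub's neighbours into a ring so that losing the hub does not strand them."""
    g = {v: set(nb) for v, nb in adj.items()}
    hubs = sorted(g, key=lambda v: len(g[v]), reverse=True)[:k]
    for h in hubs:
        ring = sorted(g[h])
        for i, a in enumerate(ring):
            b = ring[(i + 1) % len(ring)]
            if a != b:
                g[a].add(b)
                g[b].add(a)
    return g


def experiment(n=400, m=2, frac=0.1, seed=7):
    """Assumed demo parameters: 400 nodes, m=2, attacker removes 10% of nodes."""
    rng = random.Random(seed)
    g = barabasi_albert(n, m, rng)
    k = int(n * frac)
    return {
        "intact": giant_component(g),
        "random_attack": attack(g, k, "random", random.Random(seed)),
        "degree_attack": attack(g, k, "degree", rng),
        "degree_attack_with_rings": attack(ring_defence(g, k), k, "degree", rng),
    }


if __name__ == "__main__":
    for name, size in experiment().items():
        print(f"{name:25s} giant component = {size}")
```

Running it shows the asymmetry the slides describe: removing 10% of nodes at random barely dents the giant component, the same budget spent on the highest-degree nodes shatters it, and ringing each hub's neighbourhood leaves the attacker a much larger surviving component to contend with. Replacing `ring_defence` with a clique over each hub's neighbours gives the "cyan" strategy.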

16
The price of anarchy
  • Some technical cases are soluble, e.g. routing with
    linear costs: price of anarchy 4/3 (Roughgarden et al)
  • Big CS interest in combinatorial auctions for
    routing (Papadimitriou et al)
  • Big practical problem: spam (and phishing)
  • Proposed techie solutions (e.g. puzzles) put the
    incentive in the wrong place
  • Peer-to-peer systems: clubs?
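As an added worked example (not part of the slides), the 4/3 figure quoted above is attained by Pigou's two-road example, the standard illustration in Roughgarden and Tardos's analysis of selfish routing with linear latencies:

Unit traffic flows from $s$ to $t$ over two parallel links with latencies $c_1(x) = 1$ and $c_2(x) = x$, where $x$ is the fraction of traffic using the link. Let $f$ be the fraction on link 2.

Selfish equilibrium: a user on link 2 never pays more than $c_2(f) \le 1 = c_1$, so nobody gains by switching and all traffic ends up on link 2:
$$f_{eq} = 1, \qquad C_{eq} = 1 \cdot c_2(1) = 1.$$

Social optimum: minimise total latency
$$C(f) = (1-f)\cdot 1 + f \cdot f, \qquad C'(f) = 2f - 1 = 0 \;\Rightarrow\; f_{opt} = \tfrac{1}{2}, \qquad C_{opt} = \tfrac{1}{2} + \tfrac{1}{4} = \tfrac{3}{4}.$$

Price of anarchy:
$$\frac{C_{eq}}{C_{opt}} = \frac{1}{3/4} = \frac{4}{3},$$
and Roughgarden and Tardos show that no network with linear latencies does worse than this, so the bound is tight.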

17
Vista and Competition
  • A live EU concern: workshop on Monday
  • IRM (Information Rights Management) changes
    ownership of a file from the machine owner to the
    file creator
  • Files are encrypted and associated with rights
    management information
  • Switching from Office to OpenOffice in 2010 might
    involve getting permission from all your
    correspondents
  • Other cases of lock-in harming innovation

18
Vista and Competition (2)
  • How should we think of DRM? The music industry
    wanted it while the computer industry hated it.
    This is flipping: Microsoft embraced DRM and the
    music industry's now wavering
  • Varian, 2005: what happens when you connect a
    concentrated industry to a diffuse one?
  • Answer, 2006: Apple runs away with the money
  • Answer, 2007: Microsoft appears to be making a
    play to control high-definition content
    distribution (Gutmann)

19
Large Project Failure
  • Maybe 30% of large projects fail
  • But we build much bigger failures nowadays than
    30 years ago, so ...
  • Why do more public-sector projects fail?
  • Consider what the incentives are on project
    managers versus ministers and what sort of
    people will become successful project managers
    versus ministers!

20
The Information Society
  • More and more goods contain software
  • More and more industries are starting to become
    like the software industry
  • The good: flexibility, rapid response
  • The bad: frustration, poor service
  • The ugly: monopolies
  • The world will be full of things that think
    (and that exhibit strategic behaviour)
  • How will society evolve to cope?

21
More
  • Economics and Security Resource Page
    www.cl.cam.ac.uk/rja14/econsec.html (or follow
    link from www.ross-anderson.com)
  • WEIS (Annual Workshop on Economics and
    Information Security), next at CMU, June 7-8 2006