Economics of Dependability and Security

Ross Anderson, Cambridge University
  • date post

    20-Dec-2015

Page 1:

Economics of Dependability and Security

Ross Anderson

Cambridge University

Page 2:

Financial Times 25/9/5

Infosec now an ‘Arms Race’ no-one can stop

‘Today indeed it seems we have a deficit of computer security. But it seems inevitable that tomorrow we will have too much’

Decision-makers rely on data ‘systematically skewed in the direction of exaggerated harm and understated cost of prevention’

‘Over-protecting ourselves today will cost us tomorrow dearly in the unborn or delayed generations of innovation’

See www.infosecon.net

Page 3:

Economics and Security

Over the last five years, we have started to apply economic analysis to information security

Economic analysis often explains security failure better than technical analysis!

Information security mechanisms are used increasingly to support business models rather than to manage risk

Economic analysis is critical for understanding competitive advantage

It’s also vital for good public policy on security

Page 4:

Traditional View of Infosec

People used to think that the Internet was insecure because of lack of features – not enough crypto / authentication / filtering

So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …

About 1999, we started to realize that this is not enough

Page 5:

Incentives and Infosec

Electronic banking: UK banks were less liable for fraud than US banks, so they got careless and ended up suffering more fraud and error

Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others

Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy

Why is Microsoft software so insecure, despite its market dominance?

Page 6:

New View of Infosec

Systems are often insecure because the people who could fix them have no incentive to

Bank customers suffer when bank staff get careless about fraud; patients suffer when hospital systems put administrators’ convenience before patient privacy; Amazon’s website suffers when infected PCs attack it

Security is often what economists call an ‘externality’ – like environmental pollution

This may justify government intervention

Page 7:

New Uses of Infosec

Xerox started using authentication in ink cartridges to tie them to the printer

Followed by HP, Lexmark … and Lexmark’s case against SCC (and Dell – US and Europe drifting apart!)

Accessory control now spreading to more and more industries (games, phones, cars, …)

Page 8:

IT Economics and Security 1

The high fixed/low marginal costs, network effects and switching costs in information industries all tend to lead to dominant-firm markets with big first-mover advantage

So time-to-market is critical

Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but quite rational

Whichever company had won in the PC OS business would have done the same

Page 9:

IT Economics and Security 2

When building a network monopoly, it is also critical to appeal to the vendors of complementary products

E.g., application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or music sites in WMP versus RealPlayer

Lack of security in earlier versions of Windows makes it easier to develop applications

Similarly, choice of security technologies that dump support costs on the user (SSL, PKI, …)

Page 10:

Security and Liability

Why did digital signatures not take off (e.g. SET protocol)?

Industry thought: legal uncertainty. So EU passed electronic signature law

But customers and merchants resisted transfer of liability by bankers for disputed transactions

Customers best to stick with credit cards, as any fraud is the bank’s problem

Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty, premium-rate rip-offs

Page 11:

Privacy

Most people say they value privacy, but act otherwise

Privacy technology ventures have mostly failed (Zero Knowledge, Securicor, …)

Research – people care about privacy when buying clothes, but not cameras

Analysis – some items relate to personal image, and it’s here that the privacy sensitivity focuses

Issue for mobile phone industry – phone viruses worse for image than PC viruses

See the privacy economics page – at http://www.heinz.cmu.edu/~acquisti/

Page 12:

How are Incentives Skewed?

If you are DirNSA and have a nice new hack on Windows, do you tell Bill?

Tell – protect 300m Americans

Don’t tell – be able to hack 400m Europeans, 1000m Chinese,…

If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

Page 13:

Skewed Incentives (2)

Within corporate sector, large companies tend to spend too much on security and small companies too little

Research shows adverse selection effect:

The most risk-averse people end up as corporate security managers

More risk-loving people may be sales or engineering staff, or small-business entrepreneurs

Also: due-diligence effects, government regulation, insurance market issues

Page 14:

Economics of Rights Management (1)

What happens when you link a concentrated industry (platforms) with a less concentrated industry (music)?

Varian’s analysis – most of the resulting surplus goes to the platform owner

So don’t be surprised at music industry complaints about Apple, or DG Competition action against WMP

Page 15:

Economics of Rights Management (2)

IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator

Files are encrypted and associated with rights management information

The file creator can specify that a file can only be read by Mr. X, and only till date Y

Now shipping in Office – and heavily promoted!

What will be the effect on the typical business that uses PCs?

Page 16:

Economics of Rights Management (3)

At present, a company with 100 PCs pays maybe $500 per seat for Office

Remember Shapiro-Varian result – value of software company = total switching costs

So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000

But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher

Lock-in is the key

Page 17:

Specific issues for Janet

Janet can threaten to disconnect member organisations, but that’s about it

There is no control at any finer granularity

Like a country with ICBMs but no soldiers

Do you punish a mild diplomatic insult with a 1-in-a-million probability of a nuke?

Page 18:

Janet issues (2)

Janet charges by institution size, as that’s easiest

Downstream, some institutions charge out by bandwidth (e.g. Cambridge). This hits some research, and causes pressure on colleges to block P2P, Skype …

Janet is actually not as bandwidth constrained as a typical ISP – costs are basically upstream but there’s US presence

But: public-sector so risk-averse

Page 19:

Janet Issues (3)

What if bandwidth-hungry departments (like Cambridge Computer Lab) go to NTL or Demon?

Normally ISPs peer with firms of about the same size, but not with firms that could be their customers

Everyone peers with Janet at present

Does this create fragility if some HEIs or even departments opt out?

Page 20:

The Information Society

More and more goods contain software

More and more industries are starting to become like the software industry

The good: flexibility, rapid response

The bad: frustration, poor service

The ugly: monopolies

How will the law evolve to cope?

Page 21:

Property

The enlightenment idea - that the core mission of government wasn’t defending faith, but defending property rights

18th-19th century: rapid evolution of property and contract law

Realization that these are not absolute!

Abolition of slavery, laws on compulsory purchase, railway regulation, labour contracts, tenancy contracts, …

Page 22:

Intellectual Property

Huge expansion as software etc have become more important - 7+ directives since 1991

As with ‘ordinary’ property and contract in about 1850, we’re hitting serious conflicts

Competition law - legal protection of DRM mechanisms leads to enforcement of illegal contracts and breaches of the Treaty of Rome; judgment against Microsoft

Environmental law - recycling of ink cartridges mandated, after printer vendors use crypto to stop it

Page 23:

Intellectual Property (2)

Privacy law – DRM mechanisms collect usage data to segment markets

Trade law – exemption for online services may undermine the Single Market

Employment law – French courts strike down a major’s standard record contract

IPR Enforcement Directive 2 – will criminalize patent infringement and incitement to infringe IP, unlike in the USA where BSA leading push for reduced civil damages in patent cases

With IPRED 1 and Lexmark, may make the EU more hostile to tech innovation than America

Page 24:

Conclusions

More government involvement in info policy, and related issues such as IP, is inevitable

However, policy is often confused and contradictory at all levels

We need to figure out how to balance competing social goals, as we have in the physical world

The specific problem for academic networking is that fifteen years ago, a university was the best place to get online. Not any more.

We need mature economic thinking about risk and about the service provision chain!

Page 25:

More …

WEIS 2006 (Workshop on Economics and Information Security), Cambridge, June 26-28 2006

Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)

Foundation for Information Policy Research – www.fipr.org