
An Economic Perspective on Security Ross Anderson Cambridge University


Economics and Security

Over the last four years, we have started to apply economic analysis to information security

Economic analysis often explains security failure better than technical analysis!

Information security mechanisms are used increasingly to support business models rather than to manage risk

Economic analysis is also vital for the public policy aspects of security

It is critical for understanding competitive advantage

Traditional View of Infosec

People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering

So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …

About 1999, we started to realize that this is not enough

Incentives and Infosec

Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors

Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others

Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy

Why is Microsoft software so insecure, despite market dominance?

New View of Infosec

Systems are often insecure because the people who could fix them have no incentive to

Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it

Security is often what economists call an ‘externality’ – like environmental pollution

This may justify government intervention

New Uses of Infosec

Xerox started using authentication in ink cartridges to tie them to the printer

Followed by HP, Lexmark … and Lexmark’s case against SCC

Motorola started authenticating mobile phone batteries to the phone

BMW now has a car prototype that authenticates its major components

IT Economics (1)

The first distinguishing characteristic of many IT product and service markets is network effects

Metcalfe’s law – the value of a network is the square of the number of users

Real networks – phones, fax, email

Virtual networks – PC architecture versus MAC, or Symbian versus WinCE

Network effects tend to lead to dominant firm markets where the winner takes all

IT Economics (2)

Second common feature of IT product and service markets is high fixed costs and low marginal costs

Competition can drive down prices to marginal cost of production

This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility …

These effects can also lead to dominant-firm market structures

IT Economics (3)

Third common feature of IT markets is that switching from one product or service to another is expensive

E.g. switching from Windows to Linux means retraining staff, rewriting apps

Shapiro-Varian theorem: the net present value of a software company is the total switching costs

This is why so much effort is starting to go into accessory control – manage the switching costs in your favour

IT Economics and Security

High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage

So time-to-market is critical

Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ is not perverse behaviour by Bill Gates but quite rational

Whichever company had won in the PC OS business would have done the same

IT Economics and Security 2

When building a network monopoly, it is also critical to appeal to the vendors of complementary products

E.g., application software developers in the case of PC versus Apple, or now of Symbian versus WinCE, or WinMP versus Real

Lack of security in earlier versions of Windows makes it easier to develop applications

Similarly, choice of security technologies that dump support costs on the user (SSL, PKI, …)

Why are many security products ineffective?

Akerlof’s Nobel-prizewinning paper, ‘The Market for Lemons’ provides key insight – asymmetric information

Suppose a town has 100 used cars for sale: 50 good ones worth $2000 and 50 lemons worth $1000

What is the equilibrium price of used cars in this town?

If $1500, no good cars will be offered for sale …

Fix: brands (e.g. ‘Volvo certified used car’)
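
The unravelling in the used-car example above, carried through as an added worked example (not part of the original slides). It assumes a seller withdraws a car once the price is below its worth and that buyers pay the average worth of cars still on offer; the function names `lemons_equilibrium` and `with_certification` are hypothetical.

```python
# Added illustration of the used-car example; not from the original slides.
# Assumptions (labelled): a seller withdraws a car once the price falls below
# its worth, and buyers, who cannot tell cars apart, pay the average worth of
# the cars still on offer.

def lemons_equilibrium(worths):
    """Iterate price -> withdrawals -> new price until nothing changes.

    Returns (price, cars_traded, history); history holds the
    (price, cars_still_offered) pair seen in each round.
    """
    offered = list(worths)
    price = sum(offered) / len(offered)      # buyers start at the average
    history = []
    while True:
        # The cheapest car is never above the average, so this is non-empty.
        staying = [w for w in offered if w <= price]
        history.append((price, len(staying)))
        new_price = sum(staying) / len(staying)
        if new_price == price and len(staying) == len(offered):
            return price, len(offered), history   # fixed point reached
        offered, price = staying, new_price


def with_certification(worths, certified_from):
    """The 'brand' fix: cars worth at least certified_from carry a trusted
    certificate and sell at their own worth; the rest pool as before."""
    certified = [w for w in worths if w >= certified_from]
    pooled = [w for w in worths if w < certified_from]
    price, traded = (None, 0)
    if pooled:
        price, traded, _ = lemons_equilibrium(pooled)
    return {
        "certified_sold": len(certified),
        "pooled_price": price,
        "pooled_sold": traded,
    }


# The town from the slide: 50 good cars worth $2000, 50 lemons worth $1000.
TOWN = [2000] * 50 + [1000] * 50

if __name__ == "__main__":
    price, traded, history = lemons_equilibrium(TOWN)
    for round_no, (p, n) in enumerate(history, 1):
        print(f"round {round_no}: price ${p:.0f}, cars still offered {n}")
    print(f"equilibrium: ${price:.0f}, {traded} cars traded")
    print("with certification:", with_certification(TOWN, 2000))
```
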

Security and Liability

Why did digital signatures not take off (e.g. SET protocol)?

Industry thought: legal uncertainty. So EU passed electronic signature law

Recent research: customers and merchants resist transfer of liability by bankers for disputed transactions

Best to stick with credit cards, as any fraud is the bank’s problem

Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty

Privacy

Most people say they value privacy, but act otherwise

Privacy technology ventures have mostly failed

Latest research – people care about privacy when buying clothes, but not cameras

Analysis – some items relate to personal image, and it’s here that the privacy sensitivity focuses

Issue for mobile phone industry – phone viruses worse for image than PC viruses

How Much to Spend?

How much should the average company spend on information security?

Governments, vendors say: much much more than at present!

But hey - they’ve been saying this for 20 years

Measurements of security return-on-investment suggest about 20% p.a.

So current expenditure may be about right

How are Incentives Skewed?

If you are DirNSA and have a nice new hack on NT, do you tell Bill?

Tell – protect 300m Americans

Don’t tell – be able to hack 400m Europeans, 1000m Chinese,…

If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

Skewed Incentives (2)

Within corporate sector, large companies tend to spend too much on security and small companies too little

Research shows adverse selection effect

The most risk-averse people end up as corporate security managers

More risk-loving people may be sales or engineering staff, or small business entrepreneurs

Also: due-diligence effects, government regulation, insurance market issues

Why Bill wasn’t interested in security

While Microsoft was growing, the two critical factors were speed, and appeal to application developers

Security markets were over-hyped and driven by artificial factors

Issues like privacy and liability were more complex than they seemed

The public couldn’t tell good security from bad anyway

Why is Bill now changing his mind?

‘Trusted Computing’ initiative ranges from TCG to the IRM mechanisms in Office 2003

TCG – put a TPM (smartcard) chip in every PC motherboard, PDA, mobile phone

This will do remote attestation of what the machine is and what software it’s running

On top of this will be layers of software providing new security functionality, of a kind that would otherwise be easily circumvented, such as DRM and IRM

Why is Bill now changing his mind? (2)

IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator

Files are encrypted and associated with rights management information

The file creator can specify that a file can only be read by Mr. X, and only till date Y

Now shipping in Office 2003

What will be the effect on the typical business that uses PCs?

Why is Bill now changing his mind? (3)

At present, a company with 100 PCs pays maybe $500 per seat for Office

Remember – value of software company = total switching costs

So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000

But once many of the documents can’t be converted without the creators’ permission, the switching cost is much higher

Lock-in is the key

Strategic issues

TCG initiative started by Intel as they believed that control of the ‘home hub’ was vital

They made 90% of their profits from PC processors, and controlled 90% of the market

Innovations such as PCI, USB and now TC are designed to grow the overall size of the PC market

They are determined not to lose control of the home to the Sony Playstation

Strategic Issues (2)

Who will control users’ data?

Microsoft view – everything will be on an MS platform (your WP files, presentations, address book, pictures, movies, music)

European Commission view – this is illegal anticompetitive behaviour

Proposed anti-trust remedy – force MS to unbundle Media Player, or to include other media players in its Windows distribution

The Information Society

More and more goods contain software

More and more industries are starting to become like the software industry

The good: flexibility, rapid response

The bad: frustration, poor service

The ugly: monopolies

How will law evolve to cope?

Property

The enlightenment idea - that the core mission of government wasn’t enforcing faith, but defending property rights

18th-19th century: rapid evolution of property and contract law

Realisation that these are not absolute!

Abolition of slavery, laws on compulsory purchase, railway regulation, labour contracts, tenancy contracts, …

‘Intellectual Property’

Huge expansion as software etc have become more important - 7+ directives since 1991

As with ‘ordinary’ property and contract in about 1850, we’re hitting serious conflicts

Competition law - legal protection of DRM mechanisms leads to enforcement of illegal contracts and breaches of the Treaty of Rome

Environmental law - recycling of ink cartridges mandated, after printer vendors use tamper resistance and cryptography to stop it

‘Intellectual Property’ (2)

Privacy law - DRM mechanisms collect usage data to segment markets

Trade law - RFID set to become ‘region coding for blue jeans’, undermining the Single Market

Employment law - French courts strike down a major’s standard record contract

Internal failure of copyright law - most copyrighted material now locked up, so you need to go to the secondhand shop (which DRM will prevent in future)

Conclusions

More government involvement in issues such as DRM is inevitable

However, at present the Commission is rowing in absolutely the wrong direction

The ‘Internet’, or more properly the Information Society, is stuck in about 1850

We need to figure out how to balance competing social goals, as we have in the physical world

Simply pushing for harsher enforcement of rules from 1850 won’t work in the 21st century

More …

WEIS 2004 (Workshop on Economics and Information Security), Harvard, 2-4/6/2005

Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page)

Foundation for Information Policy Research – www.fipr.org