SECURITY ECONOMICS
7CCSMSEM Security Management Dr. Jose M. Such
Useful Books
• Security Engineering: Chapter 7 Economics
• Available online: https://www.cl.cam.ac.uk/~rja14/book.html
Introduction
• Information systems are rarely stand-alone
• Even isolated networks are networks of interconnected devices
• What does this mean from the point of view of risk management? And what role does economics play in risk management?
Global Information Infrastructure
• Networks and systems required for commerce both nationally and globally
• Provide instant communications at low costs
• Access to information is ubiquitous
• Communities are not geographically confined or potentially affiliated
• Anonymous
• Enabler for globalisation
National Information Infrastructure
• Structure that the nation state depends on for everyday operations
• NIIs combine to form the GII
• Normally under the control and jurisdiction of a single nation state
• Other nation states may depend on their operations
• What constitutes the critical infrastructure?
Critical National Infrastructure
• Can be difficult to identify
• Government, but what parts?
• Military, but what parts?
• Finance, transfer clearance, ATM network…
• Who has ownership and control?
• How do you disseminate threat information to companies in CNI that may be owned by foreign nationals?
• http://www.cpni.gov.uk
• Or how does a country trust a CNI foreign provider?
The Upside
• The links with information are immediate
• Instant information
• Governments pushing more services online
• Greater access
• Greater transparency
• Trading is international for the home user
• Cheap communications infrastructure
• Cost of services pushed down
• Transmission of events in real time
The Downside
• No overall responsibility
• Connected nature makes it possible to launch an attack on anywhere from anywhere
• Interdependency is a problem
• An attack on one is an attack on all
Why does security fail?
• Those guarding have no incentives to protect what we think is important.
• Guards don’t suffer at the point of failure
• Risks are dumped on others
• Security is a power relationship
• Used to advance own interests
• System lock-in
Is network insecurity the same as air pollution?
• Insecure machines connected to the Internet have costs for all
• Who should bear all the cost?
• Individuals, vendors, regulators, authorities?
• Security economics can be used to help understand these questions
Market for Lemons
• Introduced by Akerlof (Nobel prize winner) in 1970 to explain asymmetric information in economics.
• Suppose that there are 100 used cars for sale in a town: 50 well-maintained cars worth $2000 each, and 50 ’lemons’ worth $1000.
• The sellers know which is which, but the buyers don’t.
• What is the market price of a used car?
• You might think $1500; but at that price no good cars will be offered for sale. So the market price will be close to $1000.
• This is one reason poor security products predominate
Can you decide?
• Poor security products dominate when users can’t tell the difference
• Race to the bottom on price
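The unravelling described on the two slides above, carried through as a small added example (not from the lecture): buyers pay only the average value of what is actually on offer, sellers withdraw any car worth more than the going price, and iterating those two rules finds the equilibrium. The rules and the stopping condition are this example's assumptions; it also handles more than two quality tiers.

```python
# Added example (not from the slides): the market-for-lemons unravelling.
# Assumptions of this example: buyers cannot tell quality, so they pay the
# expected value of the cars on offer; sellers only offer a car if its true
# value is no more than the going price; the process repeats until stable.


def market_price(car_values, start_price=None, max_rounds=100):
    """car_values: true value of each used car (known only to its seller).
    Returns (equilibrium_price, values_of_cars_still_offered)."""
    if start_price is None:
        # A naive buyer starts from the average over ALL cars (the "$1500").
        start_price = sum(car_values) / len(car_values)
    price = start_price
    offered = list(car_values)
    for _ in range(max_rounds):
        # Sellers withdraw every car worth more than what buyers will pay.
        offered = [v for v in car_values if v <= price]
        if not offered:
            return 0.0, []
        # Buyers, unable to tell cars apart, pay the average of what remains.
        new_price = sum(offered) / len(offered)
        if abs(new_price - price) < 1e-9:
            break
        price = new_price
    return price, offered


if __name__ == "__main__":
    # Constructed town from the slide: 50 good cars at $2000, 50 lemons at $1000.
    town = [2000] * 50 + [1000] * 50
    price, offered = market_price(town)
    print(f"price {price:.0f}, cars offered: {len(offered)}, all lemons: "
          f"{all(v == 1000 for v in offered)}")
    # Three tiers unravel the same way: the top tier leaves first, then the next.
    print(market_price([3000] * 10 + [2000] * 10 + [1000] * 10)[0])
```

The same mechanism is why a security product whose quality buyers cannot verify trades at the lemon price, so there is no reward for the better product.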
Hidden information/action
• Hidden information – adverse selection (AS)
• In the case of insurance, adverse selection is the tendency of those in dangerous jobs or high-risk lifestyles to get life insurance.
• Hidden action – moral hazard (MH)
• Moral hazard is a situation in which one party gets involved in a risky event knowing that it is protected against the risk
• Volvos are safe cars but have higher accident rates
• Do bad drivers buy them? – AS
• Do you drive badly because you think you are safer? – MH
• Consider anti-virus (AV) products:
• Buy an AV because you normally visit riskier websites
• Visiting less secure websites because you think AV will protect you
Economics of Security and Dependability
• Bank ATM Fraud
• USA: banks have the burden of proof
• UK: customers did, yet UK banks suffered more fraud and spent more on security
• Moral Hazard? UK bank staff knew that customer complaints would not be taken seriously, so they became lazy and careless, leading to an epidemic of fraud
• Why spend on AV when attacks target someone else?
• System security failing because the people guarding a system were not the people who suffered the costs of failure, or of particular types of failure.
Weakest Link, or Sum of Efforts?
• Hal Varian’s work applies this theory to the effort applied in securing systems.
• Total effort. Reliability depends on the sum of the efforts exerted by the individuals.
• Weakest link. Reliability depends on the minimum effort.
• Best shot. Reliability depends on the maximum effort.
How should you structure your dev team?
• Program correctness can depend on minimum effort
• Most careless programmer
• Software vulnerability testing may depend on sum of all testers’ efforts
• Security depends on best effort
• Actions taken by individual champion, architect/designer
• More agents
• Less reliability in min. effort case
• More reliability in total effort case
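Varian's three models applied to the dev-team question above, as an added example that is not part of the lecture. The mapping is this example's assumption: each agent's "effort" is the probability that their own part is done right, agents act independently, correctness needs every programmer to succeed (weakest link), a flaw is caught if any tester finds it (total effort) and architecture is decided by the single best contributor (best shot).

```python
# Added example (not from the slides): Varian's three reliability models.
# Assumption: "effort" is the probability (0..1) that an agent's own part
# is done right, and agents act independently.
from math import prod


def weakest_link(efforts):
    """Program correctness: the program is correct only if every programmer
    avoids introducing a flaw, so reliability is the product of all efforts
    and is dragged down by the most careless programmer."""
    return prod(efforts)


def total_effort(efforts):
    """Vulnerability testing: a flaw is found if at least one tester finds
    it, so every extra tester raises the chance of catching it."""
    return 1.0 - prod(1.0 - e for e in efforts)


def best_shot(efforts):
    """Security architecture: the outcome is decided by the single best
    effort (the champion or architect); extra average agents change nothing."""
    return max(efforts)


def team_reliability(efforts):
    """Reliability of one team under all three models."""
    return {
        "weakest_link": weakest_link(efforts),
        "total_effort": total_effort(efforts),
        "best_shot": best_shot(efforts),
    }


def effect_of_adding(team, newcomer):
    """Change in reliability under each model when one more agent joins."""
    before = team_reliability(team)
    after = team_reliability(team + [newcomer])
    return {model: after[model] - before[model] for model in before}


if __name__ == "__main__":
    careful = [0.95, 0.95]          # constructed team of two careful engineers
    print(team_reliability(careful))
    # A careless newcomer (effort 0.5) halves correctness, slightly helps
    # testing and leaves the best-shot outcome untouched.
    print(effect_of_adding(careful, 0.5))
    # More identical agents: min-effort reliability falls, total-effort rises.
    for n in (1, 3, 6):
        print(n, team_reliability([0.9] * n))
```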
Why was Windows insecure?
• Why are there still so many bugs when Windows is so dominant?
• Why is there no effort in commodity platforms comparable to that in defence or healthcare systems?
• Technically we know how to build good systems, so why don’t we?
• Products are insecure at first and then improve: why?
• Win95->Win98->WinXP->Vista->Win7->Win8->Win10
What is the software market like?
• Low marginal but high fixed costs
• Network effects
• Technical lock-in
• Race to dominate, the dominant firm gets all the money
• Microsoft’s 1990s philosophy “ship it Tuesday and get it right by V3” is rational
• The 2010s philosophy: “put an Android app in the marketplace as soon as possible”
Conclusion
“The incentive for any agent to invest in security is an increasing function of how many others have already done so. Once a critical mass has invested, then all others will want to do the same.”
(Kunreuther and Heal)