The Economics of Security - A talk by Ross Anderson at AusCERT 2011

The following is a personal summary of a conference lecture given by Mr. Anderson at the most recent AusCERT event. This summary is just a collection of unconnected (and possibly misinterpreted) thoughts. It is no substitute for the pleasure of listening to the lecture itself.
I listened to the audio via the Risky Business podcast. Here is the link to the mp3 file. The topic of the talk was "the economics of security".

The Economics of Security

system engineering is not enough
10000 years ago human beings invented agriculture. Soon after, human organisations, driven by people, created the civil service function. It was organised by individuals at the local level, which is why it was kept simple. As an example, he mentions a system that is still being run in Bombay to deliver packed lunches, with more than 20000 people in the system; it has since become a complex system. The world is changing: we now have people plus software, and this is the novelty. Software adds complexity.

Facebook has reached 600 million users. How do you deal with competition among members? With conflict? All this is a new scenario.

Initially security was seen as an external boundary problem. At that time, all the related systems were under the same chief executive. Today the world works differently: there is a market and a supposed equilibrium. A traditional system engineering approach is still required, but unfortunately it is not enough to manage security effectively.

First thought: In the UK, banks are more protected than customers in case of a conflict between them. In the US, the situation is the opposite. So we would expect security in US banks to be higher. However, it is the other way round.

Second thought: Will Internet users pay for an antivirus (AV) to protect, not their own PCs, but other systems such as Amazon's clouds and the like?

the role of incentives
Things need to be very dependable. Things go wrong because the incentives are not right, e.g. in the triad of customer, merchant and bank; or, why should an electricity company invest in extra capacity (to offer a more dependable service) if that would also benefit a competing electricity company?

Third thought: Security and insecurity are often an externality: not the result of a direct effort but a side effect of what people do globally.

Can governments do something about cybercrime? It seems so. See the recommendations below.

the economics of information related markets
The distinguishing features:
- The network effect: the more people use it, the more useful it is for each user (e.g. email and fax). After the tipping point, the winner in the market takes all.
- Fixed costs are high and marginal costs very low.
- Information wants to be free. At the margin, information products cost zero, so you need to find a distinguishing feature that is not price (e.g. compatibility).
- Switching costs: your price should take them into account and adjust to them. This is why many security mechanisms are there to control users rather than to protect them, e.g. lock-in mechanisms.

With all this, the likelihood of a monopoly is really, really high.

enticing users through iterations
Getting it right in version 3: this is how the world turns. The vendor needs to be quick and to follow a recurring pattern in its value proposition. This is why, in every platform market, vendors first launch the platform as open as possible, even if it is insecure, to make it easy for people to build apps on it. Then they lock it down later.
Mr Anderson mentions that exactly the same happens with payment networks, e.g. this is why we use SSL and not SET: it was very quickly deployed (even if it is suboptimal).

asymmetric information
The example of 100 cars: 50 are great and 50 are lemons; the good ones cost 2000 and the bad ones 1000. Will the market price be 1500? Nope: no one would sell a good one for 1500. In second-hand markets, nobody knows whether a car is a lemon or not. This affects the security product market too, e.g. how could we tell the difference between a good and a not so good encryption product? We can't. This is why the IT market went down the path of providing a pile of features, basing sales on a long list of irrelevant features.

adverse selection
E.g. sick people buy more insurance. If we apply this fact to trust, we see that websites with any sort of certification are twice as likely to be malicious as those with no seal at all; e.g. in Google, the paid search result is twice as likely to be malicious as the non-paid top result. This means that certification schemes work in rather unexpected ways.

In conclusion, without the proper incentives, there is no right security.

what do we then need as citizens?
Security breach notification laws, publication of fraud and malware statistics, shedding light on who is good and who is bad. There is a clear role for governments on this topic. Google and similar names do not publish such data in order to avoid lawsuits (only 3 out of the 27 EU members publish those statistics).

An additional measure could be the issuance of cybersecurity checks/certifications for products before they are released (e.g. do they offer the possibility of being regularly updated in an easy manner?).

Together with security engineering, we need to touch upon adjacent knowledge fields such as game theory, psychology and business to understand security.

In terms of security resilience, we need to collect long-term network performance data and to create regulation to build extra capacity (a big issue will be who pays for it) so that we provide the appropriate incentives to deploy measures such as BGPsec or DNSSEC.

More details on Mr Anderson's recommendations can be found in an ENISA paper titled "Resilience of the Internet Interconnection Ecosystem" (or in its executive summary). The headlines are the following:

1 - Incident Investigation - An independent body should thoroughly investigate all major incidents and report publicly on the causes, effects and lessons to be learned.
2 - Data Collection of Network Performance Measurements
3 - Research into Resilience Metrics and Measurement Frameworks
4 - Development and Deployment of Secure Inter‐domain Routing
5 - Research into AS Incentives that Improve Resilience
6 - Promotion and Sharing of Good Practice on Internet Interconnections
7 - Independent Testing of Equipment and Protocols
8 - Conduct Regular Cyber Exercises on the Interconnection Infrastructure
9 - Transit Market Failure

Happy reading!

Security economics: Keeping the house protected and open
Tweet this post to your friend economists ;-)