Mario Čagalj, University of Split, 2014/15. Computer and Data Security.

Why Information Security is Hard
An Economic Perspective
Ross Anderson

Introduction
- Common view: information security comes down to technical measures (better technical solutions)
- In this presentation: information security is at least as much due to tricky incentives
- Many of the security problems can be explained more clearly using the language of microeconomics

Summary
- Use the language of economics to describe:
  - Why information security is often not implemented
  - Why information security is often implemented for motives other than protection

Simple Economics
- Look at all decisions and designs in terms of costs and benefits
- To maximize returns: do what costs least or brings the biggest returns
- Ultimately measured in $$

A Matter of Questions
- Economic: Who, When, Why, Where
- Technical: What, How

Who Suffers?
- Who has primary responsibility when bank fraud occurs?
  - In the US: the bank
  - In Europe: the customer
- Guess which has the more effective security system

Who Suffers?
- Disincentive: the party funding the security measure is not the party suffering the consequences of a breach
- Why should the funding party spend a lot if it carries no liability?
- Would virus protection be more effective if mail client vendors had to pay users' costs of a virus?

Who Pays?
- Who pays for protecting a shared resource?
- Users want to get as much of it as they can; they aren't motivated to spend to protect it
- The resource manager wants to maximize use (and revenue), so he should pay
- Example: a network vendor should prevent DoS attacks and not expect users to pay for the protection

When Should Security Be Added?
- All software engineers know: when the product is developed
- But what are the real costs?
  - Time to market
  - Complexity

Economics Term: Network Externalities
- The change in value of a resource when the number of consumers of the resource changes
- Example: Metcalfe's Law, the value of a network increases as the square of the number of nodes (N^2)
- A product has more underlying value if it has more users

When: Time to Market
- The preceding implies a high value for getting to market first
  - Dominate
  - Low marginal costs once established
  - Set up barriers: high switching costs
- Adding security features increases time to market and risks missing the window of opportunity

When: Time to Market
- Users would probably pay more if the product were more secure, i.e. the incremental development costs are OK
- But the lost opportunity costs are too high for the vendor
- A disincentive to building security in from the start

When: Complexity
- Security features in the OS or network make life more difficult for developers
- Think of a capability like record locking: necessary, but it makes the application more complicated
- Developers are a primary target for OS and network vendors
- Thus arises an implicit agreement to pass security costs on to the users
- Not absolutely required for applications

Why Have Security? Economic Reasons
- Add security features for the benefit of the vendor, not the user:
  - Lock in users
  - Maximize revenue
  - Protect ongoing revenue
  - Get market data

Why: Lock in Users
- Use proprietary security measures
  - Vendor can control them
  - Can create revenue
  - Block or hinder competition
  - Users get familiar: harder to switch
- Probably reduces reliability and stability

Why: Maximize Revenue
- Use security as a high-price upgrade feature
  - Incremental cost is low to nothing
  - But can charge a lot for it
- Non-IT example: airline fares
- IT example: basic product vs. "Gold" version

Why: Protect Revenue
- Use security to prevent reverse engineering
- Use security measures to prevent add-on generic products (e.g. printer cartridges)

Why: Protect and Gather Data
- RFID
  - Helps prevent theft
  - Creates revenue (e.g. toll tags)
  - Tracks inventory and shipments (IBM "you're on the road to Fresno" ad)
- But: a big privacy threat
  - Can track car movements
  - Can track people (see the movie "Minority Report")

Why: Get Market Data
- MS Passport: a good example of a bad example
- Purported purpose: to provide a single point of security to many web sites
- But Passport tracks your surfing, shares your data, and provides bad guys with a single point of attack

Where is the Advantage? (Economics of "War")
- In security matters today, attackers have the advantage
  - It is easier to find one flaw than to find and patch them all
  - The attacker only needs one
- Can model investment in attack and defense
  - Estimate the bug count and the investment needed to find bugs
  - The attacker's advantage is large
- Like trying to defend in Iraq: the attack can come anywhere, the defense must be everywhere
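
A worked illustration of the "attacker needs one flaw, the defender must find them all" asymmetry, added here and not taken from the slides or from Anderson's paper. It assumes a deliberately simplified probe model (a constructed assumption, not the paper's reliability model): a program has a number of equally likely places to probe, a few of which hold a flaw, and each probe lands on one place uniformly at random.

```python
import random

# Added example (not from the slides): a deliberately simplified model of the
# "attacker only needs one bug, defender must find them all" asymmetry.
# Assumption: a program has `locations` equally likely places to probe, of
# which `bugs` contain a flaw; each probe picks one place uniformly at random.


def attacker_expected_effort(locations: int, bugs: int) -> float:
    """Expected probes until the attacker hits any one flaw (geometric waiting time)."""
    return locations / bugs


def defender_expected_effort(locations: int, bugs: int) -> float:
    """Expected probes until the defender has hit every flaw.

    While k flaws remain, a probe finds a new one with probability k/locations,
    so the expected wait is locations/k; summing over k is the coupon-collector form.
    """
    return locations * sum(1.0 / k for k in range(1, bugs + 1))


def attacker_advantage(locations: int, bugs: int) -> float:
    """Defender effort over attacker effort; equals bugs * H(bugs), so it grows with the bug count."""
    return defender_expected_effort(locations, bugs) / attacker_expected_effort(locations, bugs)


def simulate(locations: int, bugs: int, trials: int, rng: random.Random) -> tuple[float, float]:
    """Monte Carlo check of the formulas; flaws sit at indices 0..bugs-1 (constructed placement)."""
    attacker_total = 0
    defender_total = 0
    for _ in range(trials):
        found = set()
        probes = 0
        first_hit = None
        while len(found) < bugs:
            probes += 1
            place = rng.randrange(locations)
            if place < bugs:           # this probe landed on a flaw
                if first_hit is None:  # the attacker stops at the first one
                    first_hit = probes
                found.add(place)       # the defender keeps going until all are found
        attacker_total += first_hit
        defender_total += probes
    return attacker_total / trials, defender_total / trials


if __name__ == "__main__":
    for n_bugs in (1, 10, 100, 1000):
        print(f"{n_bugs:5d} bugs: defender needs {attacker_advantage(10_000, n_bugs):8.1f}x the attacker's effort")
    print("simulated (attacker, defender):", simulate(200, 10, 2000, random.Random(7)))
```

The ratio does not depend on how many places there are to probe, only on how many flaws exist, which is why estimating the bug count matters for the model.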

Another Who Question: Who Determines Security Quality?
- International standards for security exist
- But like ISO 9000, they appear to be more about process than content
- No absolute standard
  - The customer says what is wanted in security
  - The vendor verifies that the product meets the requirements
- The current working standard is called "Common Criteria"

Who Pays for Evaluation?
- Should be the customer, but this is a big expense if each customer does it
- Current practice is that the vendor pays an evaluator
  - This leads to shopping for "easy" evaluators
- An application vendor may actually consider an evaluated product to have less value
  - If the application vendor embeds the security product in his product and it fails, he is more likely liable if the security product is certified

Conclusion
- Why do IT vendors not provide great security? Economics!
  - Create monopoly
  - Maximize revenue
  - Reduce risk
- Economics promotes insecurity
- Ultimately the problem is more political than technical