1. The Economics of Information Security Ross Anderson Cambridge University

2. Economics and Security  Over the last four years, we have started to apply economic analysis to information security  Economic analysis often explains security failure better then technical analysis!  Information security mechanisms are used increasingly to support business models rather than to manage risk  Economic analysis is also vital for the public policy aspects of security  It is critical for understanding competitive advantage

3. Traditional View of Infosec  People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering  So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …  About 1999, we started to realize that this is not enough

4. Incentives and Infosec  Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors  Distributed denial of service: viruses now don ’ t attack the infected machine so much as using it to attack others  Health records: hospitals, not patients, buy IT systems, so they protect hospitals ’ interests rather than patient privacy  Why is Microsoft software so insecure, despite market dominance?

5. New View of Infosec  Systems are often insecure because the people who could fix them have no incentive to  Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon ’ s website suffers when infected PCs attack it  Security is often what economists call an ‘ externality ’ – like environmental pollution  This is an excuse for government intervention

6. New Uses of Infosec  Xerox started using authentication in ink cartridges to tie them to the printer  Followed by HP, Lexmark … and Lexmark ’ s case against SCC  Motorola started authenticating mobile phone batteries to the phone  BMW now has a car prototype that authenticates its major components

7. IT Economics (1)  The first distinguishing characteristic of many IT product and service markets is network effects  Metcalfe ’ s law – the value of a network is the square of the number of users  Real networks – phones, fax, email  Virtual networks – PC architecture versus MAC, or Symbian versus WinCE  Network effects tend to lead to dominant firm markets where the winner takes all

8. IT Economics (2)  Second common feature of IT product and service markets is high fixed costs and low marginal costs  Competition can drive down prices to marginal cost of production  This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility …  These effects can also lead to dominant-firm market structures

9. IT Economics (3)  Third common feature of IT markets is that switching from one product or service to another is expensive  E.g. switching from Windows to Linux means retraining staff, rewriting apps  Shapiro-Varian theorem: the net present value of a software company is the total switching costs  This is why so much effort is starting to go into accessory control – manage the switching costs in your favour

10. IT Economics and Security  High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage  So time-to-market is critical  Microsoft philosophy of ‘ we ’ ll ship it Tuesday and get it right by version 3 ’ is not perverse behaviour by Bill Gates but driven by economics  Whichever company had won in the PC OS business would have done the same

11. IT Economics and Security 2  When building a network monopoly, it is also critical to appeal to the vendors of complementary products  E.g., application software developers in the case of PC versus Apple, or now of Symbian versus CE  Lack of security in earlier versions of Windows makes it easier to develop applications  Similarly, motive for choice of security technologies that dump the support costs on the user (e.g. SSL, PKI, … )

12. Why are many security products ineffective?  Akerlof ’ s Nobel-prizewinning paper, ‘ The Market for Lemons ’ provides key insight – asymmetric information  Suppose a town has 100 used cars for sale: 50 good ones worth $2000 and 50 lemons worth $1000  What is the equilibrium price of used cars in this town?  If $1500, no good cars will be offered for sale …  Fix: brands (e.g. ‘ Volvo certified used car ’ )

13. Security and Liability  Why did digital signatures not take off (e.g. SET protocol)?  Industry thought: legal uncertainty. So EU passed electronic signature law  Recent research: customers and merchants resist transfer of liability by bankers for disputed transactions  Best to stick with credit cards, as any fraud is the bank ’ s problem  Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty

14. Privacy  Most people say they value privacy, but act otherwise  Privacy technology ventures have mostly failed  Latest research – people care about privacy when buying clothes, but not cameras  Analysis – some items relate to personal image, and it ’ s here that the privacy sensitivity focuses  Issue for mobile phone industry – phone viruses worse for image than PC viruses

15. How Much to Spend?  How much should the average company spend on information security?  Governments, vendors: much much more than at present  They ’ ve been saying this for 20 years!  Measurements of security ROI suggest about 20% p.a.  So current expenditure maybe about right  No room for huge growth selling firewalls …

16. How are Incentives Skewed?  If you are DirNSA and have a nice new hack on NT, do you tell Bill?  Tell – protect 300m Americans  Don ’ t tell – be able to hack 400m Europeans, 1000m Chinese, …  If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President

17. Skewed Incentives (2)  Within corporate sector, large companies tend to spend too much on security and small companies too little  Research shows adverse selection effect  The most risk-averse people end up as corporate security managers  More risk-loving people may be sales or engineering staff, or small business entrepreneurs  Also: due-diligence effects, government regulation, insurance market issues

18. Why Bill wasn ’ t interested in security  While Microsoft was growing, the two critical factors were speed, and appeal to application developers  Security markets were over-hyped and driven by artificial factors  Issues like privacy and liability were more complex than they seemed  The public couldn ’ t tell good security from bad anyway

19. Why is Bill now changing his mind?  ‘ Trusted Computing ’ initiative ranges from TCG to the IRM mechanisms in Office 2003  TCG – put a TPM (smartcard) chip in every PC motherboard, PDA, mobile phone  This will do remote attestation of what the machine is and what software it ’ s running  On top of this will be layers of software providing new security functionality, of a kind that would otherwise be easily circumvented, such as DRM and IRM

20. Why is Bill now changing his mind? (2)  IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator  Files are encrypted and associated with rights management information  The file creator can specify that a file can only be read by Mr. X, and only till date Y  Now shipping in Office 2003  What will be the effect on the typical business that uses PCs?

21. Why is Bill now changing his mind? (3)  At present, a company with 100 PCs pays maybe $500 per seat for Office  Remember – value of software company = total switching costs  So – cost of retraining everyone to use Linux, converting files etc is maybe $50,000  But once many of the documents can ’ t be converted without the creators ’ permission, the switching cost is much higher  Lock-in is the key

22. Strategic issues  TCG initiative started by Intel as they believed that control of the ‘ home hub ’ was vital  They made 90% of their profits from PC processors, and controlled 90% of the market  Innovations such as PCI, USB and now TC are designed to grow the overall size of the PC market  They are determined not to lose control of the home to the Sony Playstation

23. Strategic Issues (2)  Who will control users ’ data?  Microsoft view – everything will be on an MS platform (your WP files, presentations, address book, pictures, movies, music)  European Commission view – this is illegal anticompetitive behaviour  Proposed anti-trust remedy – force MS to unbundle Media Player, or to include other media players in its Windows distribution

24. Competitive issue  Microsoft vision is to control a framework into which all user data is drawn, and in which it is then managed  This could extend Microsoft ’ s market power from the PC platform to PDAs, phones, music systems, …  If this works it is bad news for market competition, and bad news for vendors of phones, consumer electronics …  Is there any alternative framework play?

25. Alternative Vision  The ‘ Trusted Computing ’ view of the universe makes the ‘ home hub ’ the centre of the digital world, and assumes it to be a PC  The Sony view of the world is similar, except that the hub is a Playstation  Matsushita – it ’ s a souped-up PVR  However, maybe the mobile phone is a better hub than the PC!

26. Alternative Vision …  There are many, many more mobile phones in the world than PCs  The mobile phone is private – kids take it to bed  People rely on it when under stress  It is their antidote to the complexity of life  It is how they shape their social world  By comparison, a PC is used in turn by all family members, and visitors – rather like a toilet

27. The Big Issue, 2004-2006  With encryption and broadband, the data can be anywhere  What matters is where the trust is located  Trust can be based on the PC, in a PVR, in a mobile phone, maybe even in an ID card …  There are all sorts of crossover technologies possible (e.g., bluetooth mouse as TPM)  But the power struggle will be fierce, and the players will try to control compatibility.  Could/should governments intervene?

28. The Irish Presidency Issue  The EU IPR Enforcement Directive (IPRED) will greatly increase lock-in  The EU Parliament watered it down in the legal and industry committees; Commission/council reinstated it  By making reverse engineering harder it will harm small companies and growth  By facilitating market segmentation it will undermine the Single Market

29. More …  WEIS 2004 (Workshop on Economics and Information Security), University of Minnesota, 13-14 May 2004  Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from my home page) www.cl.cam.ac.uk/~rja14/econsec.html  EU IPRED – see www.fipr.orgwww.fipr.org