
Mario Čagalj, Sveučilište u Splitu, 2014/15. Sigurnost računala i podataka (Computer and Data Security). Presentation transcript.


Slide 1: Mario Čagalj, Sveučilište u Splitu, 2014/15. Sigurnost računala i podataka (Computer and Data Security)

Slide 2: Why Information Security is Hard: An Economic Perspective (Ross Anderson)

Slide 3: Introduction
- Common view: information security comes down to technical measures (better technical solutions)
- In this presentation: information security is at least as much due to tricky incentives
- Many security problems can be explained more clearly using the language of microeconomics

Slide 4: Summary
- Use the language of economics to describe:
  - why information security is often not implemented
  - why information security is often implemented for motives other than protection

Slide 5: Simple Economics
- Look at all decisions and designs in terms of costs and benefits
- To maximize returns: do what costs least or brings the biggest returns
- Ultimately measured in $$

Slide 6: A Matter of Questions
- Economic questions: Who? When? Why? Where?
- Technical questions: What? How?

Slide 7: Who Suffers?
- Who has primary responsibility when bank fraud occurs?
  - In the US: the bank
  - In Europe: the customer
- Guess which has the more effective security system

Slide 8: Who Suffers?
- Disincentive: the party funding the security measure is not the party suffering the consequences of a breach
- Why should the funding party spend a lot if it carries no liability?
- Would virus protection be more effective if mail client vendors had to pay the user's costs of a virus?

Slide 9: Who Pays?
- Who pays for protecting a shared resource?
  - Users want to get as much of it as they can
  - They are not motivated to spend to protect it
- The resource manager wants to maximize use (and revenue), so he should pay
- Example: the network vendor should prevent DoS attacks and not expect users to pay for the protection

Slide 10: When Should Security be Added?
- All software engineers know: when the product is developed
- But what are the real costs?
  - Time to market
  - Complexity

Slide 11: Economics Term: Network Externalities
- The change in value of a resource when the number of consumers of the resource changes
- Example: Metcalfe's Law, the value of a network increases as the square of the number of nodes (N^2)
- A product has more underlying value if it has more users

Slide 12: When: Time to Market
- The preceding implies a high value for getting to market first
  - Dominate
  - Low marginal costs once established
  - Set up barriers: high switching costs
- Adding security features increases time to market and risks missing the window of opportunity

Slide 13: When: Time to Market
- Users would probably pay more if the product were more secure
  - I.e. incremental development costs are OK
- But lost opportunity costs are too high to the vendor
- A disincentive to building security in from the start

Slide 14: When: Complexity
- Security features in an OS or network make life more difficult for developers
  - Think of a capability like record locking: necessary, but it makes the application more complicated
- Developers are a primary target for OS and network vendors
- Thus arises an implicit agreement to pass security costs on to the users
  - Not absolutely required for applications

Slide 15: Why Have Security? Economic Reasons
- Add security features for the benefit of the vendor, not the user
  - Lock in users
  - Maximize revenue
  - Protect ongoing revenue
  - Get market data

Slide 16: Why: Lock in Users
- Use proprietary security measures
  - Vendor can control
  - Can create revenue
  - Block or hinder competition
  - Users get familiar: harder to switch
  - Probably reduces reliability and stability

Slide 17: Why: Maximize Revenue
- Use as a high-price upgrade feature
  - Incremental cost is low to nothing
  - But can charge a lot for it
- Non-IT example: airline fares
- IT example: basic product vs. "Gold" version

Slide 18: Why: Protect Revenue
- Use security to prevent reverse engineering
- Use security measures to prevent add-on generic products
  - E.g. printer cartridges

Slide 19: Why: Protect and Gather Data
- RFID
  - Helps prevent theft
  - Creates revenue (e.g. toll tags)
  - Track inventory and shipments (IBM "you're on the road to Fresno" ad)
- But
  - Big privacy threat
  - Can track car movements
  - Can track people (see the movie "Minority Report")

Slide 20: Why: Get Market Data
- MS Passport: a good example of a bad example
- Purported purpose: to provide a single point of security to many Web sites
- But
  - Passport tracks your surfing
  - And shares your data
  - And provides bad guys with a single point of attack

Slide 21: Where is the Advantage? (Economics of "War")
- In security matters today, attackers have the advantage
  - Easier to find one flaw than to find and patch them all
  - Attacker only needs one
- Can model investment in attack and defense
  - Estimate bug count and investment in finding
  - Attacker's advantage is large
- Like trying to defend in Iraq
  - Attack can come anywhere; defense must be everywhere
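The slide says the attack/defense asymmetry can be modelled from an estimated bug count and the effort invested in finding bugs. The following is an added example written for this transcript, not Anderson's own model or code from the presentation. It assumes a simple independent-discovery model (the function names, parameters and sample numbers are all constructed here): a product ships with n_bugs equally hard bugs, each unit of search effort finds any given still-unknown bug with probability p, the defender searches and fixes before release, and the attacker then searches and wins by finding a single surviving bug.

```python
"""
Attacker/defender bug-finding asymmetry under an assumed model.

Assumptions (constructed for this example, not from the slides):
  - n_bugs independent, equally hard bugs exist at release time
  - each unit of effort finds any given unknown bug with probability p
  - the defender spends defender_effort units first and fixes what it finds
  - the attacker then spends attacker_effort units and needs only one bug
"""


def attacker_success_probability(n_bugs: int, p: float,
                                 defender_effort: int,
                                 attacker_effort: int) -> float:
    """Probability that the attacker finds at least one bug the defender missed."""
    miss = 1.0 - p
    survives_defender = miss ** defender_effort        # bug not found before release
    found_by_attacker = 1.0 - miss ** attacker_effort  # attacker finds it afterwards
    per_bug = survives_defender * found_by_attacker    # this one bug is exploitable
    # The attacker fails only if every single bug is either fixed or never found.
    return 1.0 - (1.0 - per_bug) ** n_bugs


def defender_effort_needed(n_bugs: int, p: float, attacker_effort: int,
                           max_success: float) -> int:
    """Smallest defender effort that keeps attacker success at or below max_success.

    Terminates for max_success > 0 because the success probability falls
    towards 0 as defender_effort grows.
    """
    effort = 0
    while attacker_success_probability(n_bugs, p, effort, attacker_effort) > max_success:
        effort += 1
    return effort


if __name__ == "__main__":
    # Constructed sample parameters: the attacker invests 100 units of effort
    # and the defender wants to hold attacker success to 5%.
    p, attacker_effort, target = 0.01, 100, 0.05
    print("bugs  defender effort needed  ratio to attacker effort")
    for n_bugs in (5, 20, 80, 320):
        needed = defender_effort_needed(n_bugs, p, attacker_effort, target)
        print(f"{n_bugs:4d}  {needed:22d}  {needed / attacker_effort:8.1f}x")
```

The table shows the point of the slide in numbers: the attacker's work is fixed, while the defender's required effort grows with the number of bugs and stays several times larger than the attacker's, because the defender must drive every bug's survival probability down whereas the attacker needs only one to survive.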

Slide 22: Another Who Question: Who Determines Security Quality?
- International standards for security exist
  - But like ISO 9000, they appear to be more about process than content
- No absolute standard
  - The customer says what is wanted in security
  - The vendor verifies that the product meets the requirements
- The current working standard is called "Common Criteria"

Slide 23: Who Pays for Evaluation?
- Should be the customer, but this is a big expense if each customer does it
- Current practice is that the vendor pays an evaluator
  - This leads to shopping for "easy" evaluators
- An application vendor may actually consider an evaluated product to have less value
  - If the A.V. embeds the security product in his product and it fails, the A.V. is more likely liable if the security product is certified

Slide 24: Conclusion
- Why do IT vendors not provide great security? Economics!
  - Create monopoly
  - Maximize revenue
  - Reduce risk
- Economics promotes insecurity
- Ultimately the problem is more political than technical

