the economics of information security: a survey and open questions ross anderson, tyler moore...
Post on 19-Dec-2015
The Economics of Information Security: A Survey and Open Questions
Ross Anderson, Tyler Moore
Cambridge University
Economics and Security
The link between economics and security atrophied after WW2
Since 2000, information security economics has become a hot topic, with 100 researchers and now two annual workshops (WEIS, WESII)
Economic analysis often explains failure better than technical analysis!
Infosec mechanisms are used increasingly to support business models (DRM, lock-in, …)
Research is now spilling over to dependability, conventional security, trust and risk
Traditional View of Infosec
People used to think that the Internet was insecure because of lack of features – crypto, authentication, filtering
So engineers worked on providing better, cheaper security features – AES, PKI, firewalls …
About 1999, we started to realize that this is not enough
Incentives and Infosec
Electronic banking: UK banks were less liable for fraud, so ended up suffering more internal fraud and more errors
Distributed denial of service: viruses now don’t attack the infected machine so much as using it to attack others
Health records: hospitals, not patients, buy IT systems, so they protect hospitals’ interests rather than patient privacy
Why is Microsoft software so insecure, despite market dominance?
New View of Infosec
Systems are often insecure because the people who could fix them have no incentive to
Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it
People connecting an insecure PC to the net don’t pay full costs, so we under-invest in antivirus software (Varian)
The move of businesses online led to massive liability dumping (Bohm et al)
New Uses of Infosec
Xerox started using authentication in ink cartridges to tie them to the printer (1996)
Followed by HP, Lexmark … and Lexmark’s case against SCC
Motorola started authenticating mobile phone batteries to the phone in 1998
The use of security technology to manipulate switching costs and tie products is now widespread
Vista will make compatibility control easier for software writers
Platform Security Lifecycle
High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
Microsoft philosophy of ‘we’ll ship it Tuesday and get it right by version 3’ was quite rational
When building a network monopoly, woo complementers by skimping on security, and choosing technology like SSL that dumps the compliance costs on the user
Once you’re established, lock everything down
Other Investment Effects
Security may depend on best effort (security architect), weakest-link (careless programmer) or sum-of-efforts (testing)
Analysis (Akerlof, Varian) suggests firms should hire more testers, and fewer but better programmers (this is happening!)
Security products can be strategic complements (and tend to be a lemons market anyway)
Security product adoption a hard problem unless you provide early adopters with local benefits
So very many products fail to get adopted
Security and Liability
Why did digital signatures not take off?
Industry thought: legal uncertainty. So EU passed electronic signature law
But customers and merchants resist transfer of liability by bankers for disputed transactions
Best to stick with credit cards, as that way fraud is still largely the bank’s problem
Similar resistance to phone-based payment – people prefer prepayment plans because of uncertainty
Privacy Economics
Gap between stated and revealed preferences!
Odlyzko – technology makes price discrimination both easier and more attractive
Varian – interests of consumers and firms not in conflict but information markets fail because of externalities and search costs. Educated consumers opt out more
Acquisti et al – people care about privacy when buying clothes, but not cameras (some items relate to your image, so are privacy sensitive)
Externalities cut both ways, though – to be anonymous, you need to be in a crowd
Open versus Closed?
Are open-source systems more dependable? It’s easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them
Theory: openness helps both equally if bugs are random in standard dependability model
So maybe we should keep systems closed (Rescorla) – but this is an empirical question
So get the statistics: bugs are correlated in a number of real systems (‘Milk or Wine?’)
Trade-off: the gains from this, versus the risks to systems whose owners don’t patch
Vulnerability Markets
Security isn’t just a lemons market – even the vendor often doesn’t know the quality of his software
Insurance can be problematic because of inter-firm failure correlation
Camp and Wolfram (2000), Schechter (2002): try vulnerability markets
Two traders now exist (but prices secret)
Alternatives - software quality derivatives (Böhme), bug auctions (Ozment)
How Much to Spend?
How much should firms spend on information security?
Governments, vendors say: much much more than at present (But they’ve been saying this for 20 years!)
Measurements of security return-on-investment suggest current expenditure may be about right
But SMEs spend too little, big firms too much, and governments way too much
Adams: it’s the selection of the risk managers
Games on Networks
The topology of a network can be important!
Barabási and Albert showed that a scale-free network could be attacked efficiently by targeting its high-order nodes
Think: rulers target Saxon landlords / Ukrainian kulaks / Tutsi schoolteachers /…
Can we use evolutionary game theory ideas to figure out how networks evolve?
Idea: run many simulations between different attack / defence strategies
Games on Networks (2)
Vertex-order attacks with:
Black – normal (scale-free) node replenishment
Green – defenders replace high-order nodes with rings
Cyan – they use cliques (c.f. system biology …)
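
An added example (not from the slides): a minimal simulation of the vertex-order attack described above, measuring how much of a Barabási-Albert graph stays connected when the highest-degree nodes are removed compared with random removal. It covers only the static attack, not the replenishment, ring or clique defences; the function names, graph size, removal fraction and seed are assumptions chosen for illustration.

```python
import random

def ba_graph(n, m, rng):
    """Scale-free graph by preferential attachment (Barabasi-Albert model)."""
    adj = {v: set() for v in range(n)}
    pool = []  # each node appears once per incident edge: degree-weighted picks
    def link(a, b):
        adj[a].add(b)
        adj[b].add(a)
        pool.extend((a, b))
    for a in range(m + 1):          # seed: small fully connected core
        for b in range(a):
            link(a, b)
    for v in range(m + 1, n):       # each newcomer attaches to m distinct nodes
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(pool))
        for t in sorted(targets):
            link(v, t)
    return adj

def largest_component(adj, removed):
    """Size of the biggest connected cluster once `removed` nodes are gone."""
    seen, best = set(removed), 0
    for start in adj:
        if start in seen:
            continue
        before = len(seen)
        seen.add(start)
        stack = [start]
        while stack:                # depth-first walk over surviving nodes
            for w in adj[stack.pop()] - seen:
                seen.add(w)
                stack.append(w)
        best = max(best, len(seen) - before)
    return best

def surviving_fraction(adj, strategy, frac, rng):
    """Fraction of the original nodes still in the largest cluster."""
    k = int(len(adj) * frac)
    ranked = sorted(adj, key=lambda v: len(adj[v]), reverse=True)
    victims = ranked[:k] if strategy == "vertex-order" else rng.sample(ranked, k)
    return largest_component(adj, victims) / len(adj)

def compare(n=500, m=2, frac=0.2, seed=1):  # constructed parameters
    rng = random.Random(seed)
    graph = ba_graph(n, m, rng)
    return {s: surviving_fraction(graph, s, frac, rng)
            for s in ("vertex-order", "random")}
```

Calling `compare()` returns the surviving fraction for each strategy; the gap between the two values is the defender's measure of how much the topology depends on its hubs.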
The price of anarchy
Some technical cases soluble, e.g. routing with linear costs, 4/3 (Roughgarden et al)
Big CS interest in combinatorial auctions for routing (Papadimitriou et al)
Big practical problem: spam (and phishing)
Proposed techie solutions (e.g. puzzles) put the incentive in the wrong place
Peer-to-peer systems: clubs?
Vista and Competition
A live EU concern – workshop on Monday
IRM – Information Rights Management – changes ownership of a file from the machine owner to the file creator
Files are encrypted and associated with rights management information
Switching from Office to OpenOffice in 2010 might involve getting permission from all your correspondents
Other cases of lock-in harming innovation
Vista and Competition (2)
How should we think of DRM? The music industry wanted it while the computer industry hated it. This is flipping. Microsoft embraced DRM and the music industry’s now wavering
Varian, 2005: what happens when you connect a concentrated industry to a diffuse one?
Answer, 2006 – Apple runs away with the money
Answer, 2007 – Microsoft appears to be making a play to control high-definition content distribution (Gutmann)
Large Project Failure
Maybe 30% of large projects fail
But we build much bigger failures nowadays than 30 years ago so…
Why do more public-sector projects fail?
Consider what the incentives are on project managers versus ministers – and what sort of people will become successful project managers versus ministers!
The Information Society
More and more goods contain software
More and more industries are starting to become like the software industry
The good: flexibility, rapid response
The bad: frustration, poor service
The ugly: monopolies
The world will be full of ‘things that think’ (and that exhibit strategic behaviour)
How will society evolve to cope?
More …
Economics and Security Resource Page – www.cl.cam.ac.uk/~rja14/econsec.html (or follow link from www.ross-anderson.com)
WEIS – Annual Workshop on Economics and Information Security – next at CMU, June 7–8 2006