Proceedings ArticleDOI

Why information security is hard - an economic perspective

10 Dec 2001, pp. 358-365

TL;DR: The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives as to technical shortcomings.
Abstract: According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.


Citations
Journal ArticleDOI
TL;DR: In this article, an economic model that determines the optimal amount to invest to protect a given set of information is presented, taking into account the vulnerability of the information to a security breach and the potential loss should such a breach occur.
Abstract: This article presents an economic model that determines the optimal amount to invest to protect a given set of information. The model takes into account the vulnerability of the information to a security breach and the potential loss should such a breach occur. It is shown that for a given potential loss, a firm should not necessarily focus its investments on information sets with the highest vulnerability. Since extremely vulnerable information sets may be inordinately expensive to protect, a firm may be better off concentrating its efforts on information sets with midrange vulnerabilities. The analysis further suggests that to maximize the expected benefit from investment to protect information, a firm should spend only a small fraction of the expected loss due to a security breach.

1,017 citations
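Worked example of the investment model described in the abstract above. This is added illustration code, not code from Gordon and Loeb or from any paper on this page. It assumes the class II breach-probability function from the Gordon-Loeb paper, S(z, v) = v^(αz+1), where v is the probability of a breach with no investment, z the spend and α a productivity parameter; the loss L = $1,000,000 and α = 1e-5 are constructed values chosen for the illustration. The closed-form optimum is checked against a brute-force search on the expected net benefit, and the profile over v shows the two claims in the abstract: the optimal spend peaks at midrange vulnerability (it is zero at v = 0.9, where investment barely moves the breach probability), and it never exceeds 1/e of the expected loss vL.

```python
"""Gordon-Loeb optimal security investment, class II breach-probability function.

Added worked example; not code from any paper on this page. Functional form
S(z, v) = v**(alpha*z + 1) is the Gordon-Loeb class II function; L and alpha
below are constructed parameters for the illustration.
"""
import math


def breach_probability(z: float, v: float, alpha: float) -> float:
    """S(z, v): probability of a breach after spending z, given vulnerability v."""
    return v ** (alpha * z + 1.0)


def enbis(z: float, v: float, L: float, alpha: float) -> float:
    """Expected net benefit of information security: loss avoided minus spend."""
    return (v - breach_probability(z, v, alpha)) * L - z


def optimal_investment(v: float, L: float, alpha: float) -> float:
    """Closed-form z*: the spend at which marginal benefit -dS/dz * L equals 1.

    dS/dz = alpha * ln(v) * v**(alpha*z + 1), so at the optimum
    v**(alpha*z* + 1) = -1 / (alpha * L * ln v). If that target probability is
    already at or above v, even the first dollar is not worth spending: z* = 0.
    """
    if not 0.0 < v < 1.0:
        raise ValueError("v must be strictly between 0 and 1")
    ln_v = math.log(v)
    target = -1.0 / (alpha * L * ln_v)  # breach probability the optimum must reach
    if target >= v:
        return 0.0
    return max((math.log(target) / ln_v - 1.0) / alpha, 0.0)


def numeric_optimum(v: float, L: float, alpha: float, steps: int = 100_000) -> float:
    """Grid search on ENBIS over [0, vL], to cross-check the closed form.
    Spending more than the entire expected loss vL can never pay off."""
    z_max = v * L
    best_z, best_val = 0.0, enbis(0.0, v, L, alpha)
    for i in range(1, steps + 1):
        z = z_max * i / steps
        val = enbis(z, v, L, alpha)
        if val > best_val:
            best_z, best_val = z, val
    return best_z


def spend_fraction(v: float, L: float, alpha: float) -> float:
    """z* as a fraction of the expected loss vL.

    Substituting w = -alpha * L * v * ln(v) into the closed form gives
    z*/(vL) = ln(w)/w, which is maximised at w = e with value 1/e: the
    'small fraction of the expected loss' result.
    """
    return optimal_investment(v, L, alpha) / (v * L)


def investment_profile(L: float, alpha: float,
                       vs=(0.1, 0.3, 0.5, 0.7, 0.75, 0.8, 0.9)):
    """(v, z*, z*/(vL)) for each vulnerability level."""
    return [(v, optimal_investment(v, L, alpha), spend_fraction(v, L, alpha)) for v in vs]


if __name__ == "__main__":
    L, alpha = 1_000_000.0, 1e-5  # constructed: $1M potential loss, alpha per dollar
    for v, z, frac in investment_profile(L, alpha):
        print(f"v={v:.2f}  z*=${z:>10,.0f}  z*/(vL)={frac:.3f}")
```

With these parameters the spend rises from about $36k at v = 0.1 to roughly $267k at v = 0.75 and then collapses to zero at v = 0.9, while z*/(vL) stays at or below 1/e ≈ 0.368 throughout.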

01 Jan 2004
TL;DR and Abstract: identical to the preceding entry (the same article, indexed again under its 2004 publication).

855 citations

Journal ArticleDOI
27 Oct 2006-Science
TL;DR: The economics of information security has recently become a thriving and fast-moving discipline and provides valuable insights into more general areas such as the design of peer-to-peer systems, the optimal balance of effort by programmers and testers, why privacy gets eroded, and the politics of digital rights management.
Abstract: The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, we find that incentives are becoming as important as technical design in achieving dependability. The new field provides valuable insights not just into "security" topics (such as bugs, spam, phishing, and law enforcement strategy) but into more general areas such as the design of peer-to-peer systems, the optimal balance of effort by programmers and testers, why privacy gets eroded, and the politics of digital rights management.

737 citations


Cites background or methods from "Why information security is hard - ..."

  • ...are building their market position; later, once they have captured a lucrative market, they add excessive security in order to lock their customers in tightly [6]....

  • ...prevented. Although vendors are capable of creating more secure software, the economics of the software industry provide them with little incentive to do so [6]....

  • ...lemons' [6]. In a Nobel prizewinning work, economist George Akerlof employed the used car market as a metaphor for a market with asymmetric information [16]....

Journal ArticleDOI
TL;DR: Stock market participants appear to discriminate across types of breaches when assessing their economic impact on affected firms, consistent with the argument that the economic consequences of information security breaches vary according to the nature of the underlying assets affected by the breach.
Abstract: This study examines the economic effect of information security breaches reported in newspapers on publicly traded US corporations. We find limited evidence of an overall negative stock market reaction to public announcements of information security breaches. However, further investigation reveals that the nature of the breach affects this result. We find a highly significant negative market reaction for information security breaches involving unauthorized access to confidential data, but no significant reaction when the breach does not involve confidential information. Thus, stock market participants appear to discriminate across types of breaches when assessing their economic impact on affected firms. These findings are consistent with the argument that the economic consequences of information security breaches vary according to the nature of the underlying assets affected by the breach.

686 citations


Cites background from "Why information security is hard - ..."

  • ...Recent conceptual/theoretical studies by Anderson [2] and Gordon and Loeb [20] provide insights into the economics of information security, but do not investigate the actual magnitude of losses associated with information security breaches....

Proceedings ArticleDOI
Cormac Herley
08 Sep 2009
TL;DR: It is argued that users' rejection of the security advice they receive is entirely rational from an economic perspective, and most security advice simply offers a poor cost-benefit tradeoff to users and is rejected.
Abstract: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.

543 citations

References
Journal ArticleDOI
TL;DR: In this paper, the authors present a struggling attempt to give structure to the statement: "Business in under-developed countries is difficult"; in particular, a structure is given for determining the economic costs of dishonesty.
Abstract: This paper relates quality and uncertainty. The existence of goods of many grades poses interesting and important problems for the theory of markets. On the one hand, the interaction of quality differences and uncertainty may explain important institutions of the labor market. On the other hand, this paper presents a struggling attempt to give structure to the statement: “Business in under-developed countries is difficult”; in particular, a structure is given for determining the economic costs of dishonesty. Additional applications of the theory include comments on the structure of money markets, on the notion of “insurability,” on the liquidity of durables, and on brand-name goods.

17,764 citations


"Why information security is hard - ..." refers background in this paper

  • ...Infosec people frequently complain about this in many markets for the products and components we use; the above insight, due to Akerlof [1], explains why it happens....

Journal ArticleDOI
TL;DR: A layered behavioral model is used to analyze how three of these problems—the thin spread of application domain knowledge, fluctuating and conflicting requirements, and communication bottlenecks and breakdowns—affected software productivity and quality through their impact on cognitive, social, and organizational processes.
Abstract: The problems of designing large software systems were studied through interviewing personnel from 17 large projects. A layered behavioral model is used to analyze how three of these problems—the thin spread of application domain knowledge, fluctuating and conflicting requirements, and communication bottlenecks and breakdowns—affected software productivity and quality through their impact on cognitive, social, and organizational processes.

2,210 citations

Book
01 Jan 2006
TL;DR: The Varian approach gives students tools they can use on exams, in the rest of their classes, and in their careers after graduation; the text is still the most modern presentation of the subject.
Abstract: This best-selling text is still the most modern presentation of the subject. The Varian approach gives students tools they can use on exams, in the rest of their classes, and in their careers after graduation.

2,047 citations


"Why information security is hard - ..." refers background in this paper

  • ...In fact, one of the main results of network economic theory is that the net present value of the customer base should equal the total costs of their switching their business to a competitor [19]....

Book
01 Jan 2001
TL;DR: In almost 600 pages of riveting detail, Ross Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always use common sense in defending valuables.
Abstract: Gigantically comprehensive and carefully researched, Security Engineering makes it clear just how difficult it is to protect information systems from corruption, eavesdropping, unauthorized use, and general malice. Better, Ross Anderson offers a lot of thoughts on how information can be made more secure (though probably not absolutely secure, at least not forever) with the help of both technologies and management strategies. His work makes fascinating reading and will no doubt inspire considerable doubt--fear is probably a better choice of words--in anyone with information to gather, protect, or make decisions about. Be aware: This is absolutely not a book solely about computers, with yet another explanation of Alice and Bob and how they exchange public keys in order to exchange messages in secret. Anderson explores, for example, the ingenious ways in which European truck drivers defeat their vehicles' speed-logging equipment. In another section, he shows how the end of the cold war brought on a decline in defenses against radio-frequency monitoring (radio frequencies can be used to determine, at a distance, what's going on in systems--bank teller machines, say), and how similar technology can be used to reverse-engineer the calculations that go on inside smart cards. In almost 600 pages of riveting detail, Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always use common sense in defending valuables. A terrific read for security professionals and general readers alike. --David Wall Topics covered: How some people go about protecting valuable things (particularly, but not exclusively, information) and how other people go about getting it anyway. Mostly, this takes the form of essays (about, for example, how the U.S. Air Force keeps its nukes out of the wrong hands) and stories (one of which tells of an art thief who defeated the latest technology by hiding in a closet). 
Sections deal with technologies, policies, psychology, and legal matters.

1,852 citations


"Why information security is hard - ..." refers background in this paper

  • ...In mobile phones, much of the profit is made on batteries, and authentication can be used to spot competitors’ products so they can be drained more quickly [3]....

  • ...Some examples are documented in my book, Security Engineering [3]....

Journal ArticleDOI
01 Jun 2003
TL;DR: Although written by heavyweights in the field of economics and information management, the authors present a well written and thoughtful treatment of a subject that non-academics and academics alike should enjoy and refer to often.
Abstract: A book title cannot be more timely or accurate. Information rules society and it always has. The key difference is, that in our generation, the manner in which information is managed is more apparent to the everyday person and as more information becomes readily available the curse is that information can overload and intimidate us with little or no effort. Prior to the personal computer the everyday person could more easily manage the flow—such is not the case today. Throw into this fray the fact that information is a force in economics and the everyday person may become bewildered and perplexed. Many of these concerns are addressed in this excellent new book that focuses on the information economy and its effect on society and culture. Two better authors could not have been found—Carl Shapiro is the Transamerica professor of business strategy in the Haas School of Business and department of economics, University of California, Berkeley and Hal Varian is Dean of the school of information Management and Systems, University of California, Berkeley. Early on the authors state that “the thesis of this book is that durable economic principles can guide you in today’s frenetic business environment” pg. 1. In ten engaging chapters, key concepts such as pricing, versioning, rights management, recognizing and managing lock-in, networks, cooperation and compatibility, standards, and information policy are dissected, discussed, and explained. Most chapters end with lessons that reflect key points made in the chapter. The first chapter presents the foundation of the thesis of the book—the material is relatively general in nature—and sets the stage for the following nine interesting chapters. In discussing pricing, the authors cite the case of Encyclopedia Britannica and its inability to compete with the more popular and less expensive Microsoft product, Encarta. 
An associated concept, “versioning,” is discussed and the authors show how a business can offer information products in different versions for differing markets to the benefit of the bottom line. The heady and confusing issue of copyright management, especially as related to the internet economy, is examined in chapter four of the book. Another issue of concern, lock-in, which results from switching from one technology to another, is discussed in chapters five and six. In chapter seven the authors discuss how the old industrial economy was driven by economies of scale whereas the information economy is driven by economics of networks. The last three chapters push the envelope and advise the reader how to effect real changes in their relationship with the information economy. The last chapter is key in that it discusses current government information policies in light of advice provided earlier in the book. This book may be one of the best to examine the theory and implications of the information economy. Although written by heavyweights in the field of economics and information management, the authors present a well written and thoughtful treatment of a subject that non-academics and academics alike should enjoy and refer to often. More importantly, this book offers direct advice that could well affect the bottom line of many entrepreneurs and existing companies.

1,307 citations


"Why information security is hard - ..." refers methods in this paper

  • ...I got useful comments on early drafts of some of this material from Avi Rubin, Hal Finney, Jack Lang, Andrew Odlyzko and Hal Varian....

  • ...A good introduction to network economics is by Shapiro and Varian [17]....

  • ...Varian pointed out that this was also a case of incentive failure [20]....

  • ...A typical tenth-century Saxon village had community mechanisms to deal with this problem; the world of computer security still doesn’t. Varian’s proposal is that the costs of distributed denial-of-service attacks should fall on the operators of the networks from which the flooding traffic originates; they can then exert pressure on their users to install suitable defensive software, or, for that matter, supply it themselves as part of the subscription package....