In 2001, Ross Anderson wrote an iconic paper that gave rise to the field of security economics. Besides introducing what is now a fundamental part of the security profession, it also contains some interesting insights on the market for security products. Most notably, it asks whether bad products come out on top.

Judging solely by the stream of news surrounding security incidents, one gets the feeling that insecurity is all around us. Of course, this feeling does not do justice to the details, the incidents and the successes we never hear about. Nevertheless, it is a good indication that something is going horribly wrong when the billionth buffer overflow is exploited, especially when one realizes that we long ago came up with techniques that kill the majority of this class of attack.

Looking for an Expert Opinion
Probably one of the most problematic factors when buying software, or anything else for that matter, is a lack of expert knowledge about the product you are about to buy. Most consumers are not security engineers, and those who are probably do not know the innermost details of the product at hand. From that perspective, you are acting on incomplete information.

The essence of asymmetric information is nicely captured by an example in which we know that half of the products are bad. If a good product is worth € 200,- and a rotten apple € 100,-, it is not unimaginable that the market price will settle at € 150,-. However, at that price, no sane salesman would offer one of the good products, causing both the quality and the price of the products on the market to go down. In other words, when information is scarce, bad products survive while good products die.
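As an added illustration, not part of the original post, the following simulation runs the lemons argument above through successive rounds: buyers pay the average value of what is still on offer, sellers whose product is worth more than that price withdraw, and the price ratchets down until only the worst products remain. The product values are constructed sample data; the post's own numbers (two values, € 100 and € 200, in equal proportion) are the first case.

```python
def market_unravel(values, max_rounds=100):
    """Simulate adverse selection when buyers cannot tell good products from bad.

    values: the true worth of each product on offer (constructed sample data).
    Each round, buyers pay the average worth of the products still on offer
    (the best they can do without information). Any seller whose product is
    worth more than that price pulls out. Returns a list of
    (price, products_still_offered) per round, ending when no seller leaves
    or the market is empty.
    """
    offered = sorted(values)
    history = []
    for _ in range(max_rounds):
        if not offered:
            break
        price = sum(offered) / len(offered)
        history.append((price, list(offered)))
        # Sellers of products worth more than the going price withdraw.
        remaining = [v for v in offered if v <= price]
        if remaining == offered:
            break  # stable: nobody else leaves
        offered = remaining
    return history


def final_price(values):
    """Price the market settles at once the unraveling stops (None if empty)."""
    history = market_unravel(values)
    return history[-1][0] if history else None


if __name__ == "__main__":
    # The post's example: half good (200), half bad (100), buyers pay 150,
    # good sellers leave, price falls to 100.
    for price, offered in market_unravel([100, 100, 200, 200]):
        print(f"price {price:.0f}  on offer {offered}")
    # A graded range of qualities unravels step by step, not in one go.
    for price, offered in market_unravel([100, 120, 140, 160, 180, 200]):
        print(f"price {price:.0f}  on offer {offered}")
```

The second case shows the spiral the post describes: each price drop drives out the next-best tier of sellers, so the market converges on the worst product even though most products were better than that.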

Who Feels the Pain?
Another recurring problem in the field of security is the gap between the party that suffers and the party that pays. If the organisation that has to invest in the security of a product does not feel the pain of a breach, it has little reason to make that investment.

The effect of cost incentives can also be seen in certifications paid for by the vendor of a product rather than by the buyer. For example, if you were going to buy a house, you would rather commission a structural survey yourself than rely on a report supplied by the seller.

Tragedy of the Commons
Another example of mismatched incentives is the “tragedy of the commons” effect caused by botnets. If your machine is a node in a botnet, you probably have the best anti-virus protection imaginable. Essentially, you have become a node in a criminal’s network, and that criminal, fighting a turf war with his peers, wants to keep all other malware out. If you picked up a different infection, it could slow down or damage the asset he just added to his network. Besides, why would you care: if he is DDoS’ing large corporations, you are probably unaffected.

The tragedy, of course, is with the commons. If everyone acted this way, the Internet would quickly fill with botnets attacking each other, making the whole thing unbelievably slow. However, because the impact of any one individual is marginal, this is hard to stop.

Security Economics: Being Secure Is Hard
Probably the most difficult problem faced by security experts is the economic side of the game, not the technological one. Security is still a game played between many different parties with many different goals. This boiling pot of incentives, costs and payouts remains the largest challenge in practice.
