Sorry this is so late but I have been in a state of overwhelm. Better late than never. Bruce Schneier’s talk at RSA on the economics of security.
What are the Economics of Security?
There are trade-offs (balancing costs and benefits) and externalities.
What are the costs of failure?
- Proprietary Information Lost
- Regulatory Noncompliance
- Bad Press
- Lose customers
The things that don’t matter
“If your security guys have to work over the weekend.”
What are the costs of security?
- pay one of those companies
We have a very poor understanding of risk. It is very difficult to explain technical risks to non-technical people. There is real confusion in the media, it seems. There is a real lack of good data on risks. Could you get good data on your risk of being mugged on the way home to your hotel tonight? There is no good data on internet crime. The CSI computer crime survey is self-selected and covers only the things people recognize.
The Problem – low-risk, high-cost events.
Normally you calculate the value of risk mitigation as the probability of being attacked times the damage if you are attacked. This gives a dollar figure for how much to spend to protect yourself. The math doesn’t work for low-risk, high-cost events. This is what makes counterterrorism so hard to talk about: the poor understanding of risks and costs.
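To make the "the math doesn’t work" point concrete, here is an added example (mine, not from the talk or this post) with two constructed threats that have the same expected annual loss. ALE-based budgeting treats them identically, but the rare, high-cost one has a single-event loss 100 times the whole ten-year budget, which is why expected value alone is a poor guide for it. The probabilities and dollar figures are invented for illustration.

```python
from math import comb, sqrt

# Constructed illustrative scenarios (not figures from the talk): two threats
# with identical expected annual loss but very different shapes.
SCENARIOS = {
    "frequent, low cost": {"p": 0.5, "damage": 20_000},      # e.g. a minor phishing loss
    "rare, high cost": {"p": 0.001, "damage": 10_000_000},   # e.g. a catastrophic breach
}


def expected_annual_loss(p, damage):
    """Classic ALE: probability of the event in a year times damage if it happens."""
    return p * damage


def loss_std(p, damage):
    """Standard deviation of one year's loss when the event either happens or not."""
    return sqrt(p * (1 - p)) * damage


def prob_exceeds_budget(p, damage, years, budget):
    """Probability that total losses over `years` exceed `budget`, assuming at most
    one independent event per year (so the event count is binomial)."""
    return sum(
        comb(years, k) * p**k * (1 - p) ** (years - k)
        for k in range(years + 1)
        if k * damage > budget
    )


def summarize(years=10):
    """For each scenario, compare ALE-based budgeting with what actually happens."""
    rows = {}
    for name, s in SCENARIOS.items():
        ale = expected_annual_loss(s["p"], s["damage"])
        budget = ale * years  # what ALE-based budgeting sets aside for the horizon
        rows[name] = {
            "ale": ale,
            "std": loss_std(s["p"], s["damage"]),
            "p_over_budget": prob_exceeds_budget(s["p"], s["damage"], years, budget),
            "worst_single_loss_vs_budget": s["damage"] / budget,
        }
    return rows


if __name__ == "__main__":
    for name, r in summarize().items():
        print(f"{name:20s} ALE=${r['ale']:,.0f}  std=${r['std']:,.0f}  "
              f"P(loss > 10yr budget)={r['p_over_budget']:.4f}  "
              f"single event / budget={r['worst_single_loss_vs_budget']:.1f}x")
```

Both rows show an ALE of $10,000, so a budget built only on that number would be the same for both. The frequent threat has a loss spread the budget can plausibly absorb; the rare one has a loss spread thirty times larger and any single occurrence blows through the entire decade's allocation, which is the situation the talk calls low-risk, high-cost.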
They are using it behind our backs.
This is an effective way of dealing with risk. Externalities: the effect of a decision is not borne by the decision maker. A lot of the costs of security failures are externalities; ChoicePoint made a trade-off.
ChoicePoint – spent less on security than the data is worth.
There are some costs borne by the vendors.
Insecure home computers (my mother has one of those – go home twice a year)
The security of all of us depends on all of us. It is in our best interest that her computer is clean; she doesn’t care (why should she?). For her, the effects on you are largely an externality.
Badge cloning… RSA solved its security problem… they make it your problem. See this post that explains it all. When you want to manage an externality: we as a group don’t want RSA to do this, and we have two strategies to prevent it.
1) laws and regulations
To get people who are not affected by the risk of insecurity to address it, raise the cost of not being secure.
Laws… ATM fraud took two different trajectories.
US -> assumed to be the responsibility of the BANK
UK -> assumed to be the responsibility of the bank customer.
UK banks were not losing money due to ATM fraud.
US banks were.
UK security languished.
Key principle: make the entity in the best position to mitigate the risk responsible for the risk.
UK – the customer was responsible but had no ability to improve the situation. All they could do was not use the system.
The banks dealt with it because it was their problem.
Rogers cell phone company – whenever a phone is cloned, they charge the customer, and they turn the phone off sooner or later depending on the customer’s ability to pay the bill.
- Economic incentives to get big quickly.
- Fast-growing and insecure vs. slow-growing and secure.
- High fixed costs and low marginal costs.
- Very different economics.
- Hard to recover the capital investment… block competitors with a patent, brand, or compatibility wall… get people into the network to recover costs.
- High switching costs – moving from one browser to another isn’t easy either. PAIN.
Net present value of a software company = switching costs…
This leads to interesting characteristics.
Then you end up with accessory control. Third-party batteries.
So companies are driven to make switching costs higher, so customers are less likely to go to a competitor.
The Market for Lemons.
Markets where lousy products are sold.
When a market has asymmetric information…
bad products drive out good products: good used cars $2000 and bad used cars $1000 – equilibrium price $1500…
Software is a lot like that.
- It is hard to tell good product from bad product.
- Product for lemons… good ones drive bad out of the market.
- Customers are not able to make intelligent buying decisions.
- Make a bad product and you can cover it with marketing.
- Monopolistic/oligopoly markets…
- Features low and prices high…
Address and align interests and capabilities: the entity with the ability to mitigate should be the one responsible.
Italy… tax fraud as a national hobby.
Tired of going after merchants: any customer in the vicinity of a store without a valid receipt is fined. Customers demand receipts. Make the customer CARE!
The sign you see at 7-Eleven: your purchase is free if you don’t get a receipt. Employee theft. The cash register was created to prevent employee theft: the paper tape is an audit of all transactions. The way you commit fraud is with transactions that don’t show on the register tape. Put the sign up and you hire the customer – for those 15 seconds they become the security guard. Managing externalities in a way that solves the security problem.
Security is a process not a product.
It needs a holistic approach
To understand the security problem and the stake holders.
Understand the security and non-security trade-offs. You must align the economic incentives (required – all solutions will work if this is true).
Implement countermeasures to reduce risk.
Iterate as technology changes things
If we think as society we think we need better security. Capabilities change…
Liabilities… moving them around is hard.
Regulations – absorb more of the losses…
This depends on politics, making it more expensive for credit card companies or data brokers… that is what we have to do!
Security monitoring and logging… SOX.
Banking requires more layers of authentication.
Logging is now popular because it is more expensive not to do it.
Failing an audit is expensive for companies.
Whether the logs are good or not is not the question. What is important is that you have them.
The concern is not what we log and how long we keep the logs.
Saving something is cheaper than throwing it away. More data is collected and it is cheaper to collect; much more than needed, then used for other purposes.
Yahoo and Google… better to collect than not to collect.
The only way to deal with it is to make it illegal.
We must make it more profitable not to collect.
Illegal to use for an auxiliary purpose (the European model).
I don’t mind if it produces books that I might like…
Companies will compete on whatever economic playing field you give them.