Mario Čagalj, Sveučilište u Splitu, 2014/15.
Computer and Data Security
Jan 14, 2016

Why Information Security is Hard: An Economic Perspective
Ross Anderson

Introduction
  Common view
    Information security comes down to technical measures (better technical solutions)
  In this presentation
    Information security is at least as much due to tricky incentives
    Many of the security problems can be explained more clearly using the language of microeconomics

Summary
  Use the language of economics to describe
    Why Information Security is often not implemented
    Why Information Security is often implemented for motives other than protection

Simple Economics
  Look at all decisions and designs in terms of Costs and Benefits
  To maximize returns:
    Do what costs least or brings biggest returns
    Ultimately measured in $$

A Matter of Questions
  Economic
    Who
    When
    Why
    Where
  Technical
    What
    How

Who Suffers?
  Who has primary responsibility when bank fraud occurs?
    In US – the bank
    In Europe – the customer
  Guess which has the more effective security system

Who Suffers?
  Disincentive:
    The party funding the security measure is not the party suffering the consequence of a breach
  Why should the funding party spend a lot if no liability?
  Would virus protection be more effective if mail client vendors had to pay user’s costs of a virus?

Who Pays?
  Who pays for protecting a shared resource?
    Users want to get as much of it as they can
    Aren’t motivated to spend to protect it
    Resource manager wants to maximize use (and revenue), so he should pay
    Example – Network vendor should prevent DoS attacks and not expect users to pay for the protection

When Should Security be Added?
  All software engineers know – when the product is developed
  But what are the real costs?
    Time to Market
    Complexity

Economics Term: Network Externalities
  The change in value of a resource when the number of consumers of the resource changes
  Example: Metcalfe’s Law – value of a network increases as the square of the number of nodes (N²)
  A product has more underlying value if it has more users

When – Time to Market
  The preceding implies a high value for getting to market first
    Dominate
    Low marginal costs once established
    Set up barriers – high switching costs
  Adding security features increases time to market and risks missing the window of opportunity

When – Time to Market
  Users would probably pay more if product were more secure
    I.e. incremental development costs are OK
  But lost opportunity costs are too high to vendor
    A disincentive to building security in from the start

When – Complexity
  Security features in OS or Network make life more difficult for developers
    Think of capability like record locking – necessary, but makes application more complicated
  Developers are a primary target for OS and Network vendors
  Thus arises an implicit agreement to pass security costs on to the users
    Not absolutely required for applications

Why Have Security?
  Economic Reasons
    Add security features for the benefit of the vendor, not the user
      Lock-in users
      Maximize revenue
      Protect on-going revenue
      Get market data

Why? – Lock-in Users
  Use proprietary security measures
    Vendor can control
    Can create revenue
    Block or hinder competition
    Users get familiar – harder to switch
  Probably reduces reliability and stability

Why – Maximize Revenue
  Use as a high price upgrade feature
    Incremental cost is low to nothing
    But can charge a lot for it
    Non-IT example: Airline fares
    IT example: Basic product vs. “Gold” version

Why – Protect Revenue
  Use security to prevent reverse engineering
  Use security measures to prevent add-on generic products
    E.g. printer cartridges

Why – Protect and Gather Data
  RFID
    Helps prevent theft
    Creates revenue (e.g. toll tags)
    Track inventory and shipments (IBM “you’re on the road to Fresno” ad)
  But
    Big privacy threat
      Can track car movements
      Can track people (see movie “Minority Report”)

Why – Get Market Data
  MS Passport – a good example of a bad example
    Purported purpose – to provide a single point of security to many Web sites
    But Passport tracks your surfing
    And shares your data
    And provides bad guys with a single point of attack

Where is the Advantage? (Economics of “War”)
  In security matters today, attackers have the advantage
    Easier to find one flaw than find and patch them all
    Attacker only needs one
  Can model investment in attack and defense
    Estimate bug count and investment in finding
    Attacker’s advantage is large
    Like trying to defend in Iraq
  Attack can come anywhere – defense must be everywhere

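An added illustration of the attack/defense investment model mentioned on the slide above (not part of the original slides). The bug count, mean time to find a bug, and testing hours are constructed assumptions, and each bug is assumed to be found independently with an exponentially distributed discovery time.

```python
import math

# Constructed parameters (assumptions, not figures from the slides)
N_BUGS = 1_000_000          # latent bugs in the product
MTBF_HOURS = 1e9            # mean testing hours needed to hit one given bug
ATTACK_HOURS = 1e3          # attacker's testing effort
DEFEND_HOURS = 1e8          # defender's testing effort


def p_found(hours, mtbf_hours):
    """Probability that one given bug is found within `hours` of testing."""
    return -math.expm1(-hours / mtbf_hours)


def expected_found(n_bugs, hours, mtbf_hours):
    """Expected number of distinct bugs found with the given effort."""
    return n_bugs * p_found(hours, mtbf_hours)


def attacker_success(n_bugs, mtbf_hours, attack_hours, defend_hours):
    """P(attacker holds at least one bug the defender has not found)."""
    per_bug = p_found(attack_hours, mtbf_hours) * math.exp(-defend_hours / mtbf_hours)
    # 1 - (1 - per_bug)^n, computed without losing precision for tiny per_bug
    return -math.expm1(n_bugs * math.log1p(-per_bug))


def defender_hours_needed(n_bugs, mtbf_hours, attack_hours, target):
    """Defender effort required to push attacker_success down to `target`."""
    max_per_bug = -math.expm1(math.log1p(-target) / n_bugs)
    unpatched = max_per_bug / p_found(attack_hours, mtbf_hours)
    if unpatched >= 1.0:
        return 0.0  # target already met with no defensive testing
    return -mtbf_hours * math.log(unpatched)


if __name__ == "__main__":
    print("attacker finds  ", expected_found(N_BUGS, ATTACK_HOURS, MTBF_HOURS))
    print("defender finds  ", expected_found(N_BUGS, DEFEND_HOURS, MTBF_HOURS))
    print("attacker success",
          attacker_success(N_BUGS, MTBF_HOURS, ATTACK_HOURS, DEFEND_HOURS))
    print("hours for 5%    ",
          defender_hours_needed(N_BUGS, MTBF_HOURS, ATTACK_HOURS, 0.05))
```

Under these assumptions the defender spends 100,000 times the attacker's effort and finds about 95,000 bugs, yet the attacker still holds an unpatched bug about 60% of the time; cutting that to 5% takes roughly three billion testing hours.
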
Another Who Question: Who Determines Security Quality?
  International Standards for Security exist
  But like ISO 9000, they appear to be more about process than content
    No absolute standard
    Customer says what is wanted in security
    Vendor verifies product meets requirements
  Current working standard is called “Common Criteria”

Who Pays for Evaluation?
  Should be customer, but this is big expense if each customer does it
  Current practice is that vendor pays an evaluator
    This leads to shopping for “easy” evaluators
  An Application Vendor may actually consider an evaluated product to have less value
    If A.V. embeds the security product in his product and it fails, A.V. is more likely liable if security product is certified

Conclusion
  Why do IT vendors not provide great security?
    Economics!
      Create Monopoly
      Maximize revenue
      Reduce risk
  Economics promotes insecurity
  Ultimately the problem is more political than technical