Mario Čagalj Sveučilište u Splitu 2014/15. Sigurnost računala i podataka.

Mario Čagalj

Sveučilište u Splitu

2014/15.

Sigurnost računala i podataka

Why Information Security is HardAn Economic Perspective

Ross Anderson

IntroductionCommon view

Information security comes down to technical measures (better technical solutions)

In this presentationInformation security is at least as much due to tricky incentivesMany of the security problems can be explained more clearly

using the language of microeconomics

3

SummaryUse the language of economics to describe

Why Information Security is often not implementedWhy Information Security is often implemented for motives

other than protection

4

Simple EconomicsLook at all decisions and designs in terms of a Costs and

Benefits

To maximize returns:Do what costs least or brings biggest returnsUltimately measured in $$

5

A Matter of QuestionsEconomic

WhoWhenWhyWhere

TechnicalWhatHow

6

Who Suffers?Who has primary responsibility when bank fraud occurs?

In US – the bankIn Europe – the customer

Guess which has the more effective security system

7

Who Suffers?Disincentive:

The party funding the security measure is not the party suffering the consequence of a breach

Why should the funding party spend a lot if no liability?Would virus protection be more effective if mail client

vendors had to pay user’s costs of a virus?

8

Who Pays?Who pays for protecting a shared resource?

Users want to get as much of it as they canAren’t motivated to spend to protect itResource manager wants to maximize use (and revenue), so

he should payExample – Network vendor should prevent DoS attacks and

not expect users to pay for the protection

9

When Should Security be Added?All software engineers know – when the product is

developed

But what are the real costs?Time to MarketComplexity

10

Economics Term: Network ExternalitiesThe change in value of a resource when the number of

consumers of the resource changesExample: Metcalfe’s Law – value of a network increases as

the square of the number of nodes (N2)A product has more underlying value if it has more users

11

When – Time to MarketThe preceding implies a high value for getting to market

firstDominateLow marginal costs once establishedSet up barriers – high switching costs

Adding security features increases time to market and risks missing the window of opportunity

12

When – Time to MarketUsers would probably pay more if product were more

secureI.e. incremental development costs are OK

But lost opportunity costs are too high to vendorA disincentive to building security in from the start

13

When - ComplexitySecurity features in OS or Network make life more

difficult for developersThink of capability like record locking – necessary, but makes

application more complicatedDevelopers are a primary target for OS and Network

vendorsThus arises an implicit agreement to pass security costs

on to the usersNot absolutely required for applications

14

Why Have Security?Economic Reasons

Add security features for the benefit of the vendor, not the userLock-in usersMaximize revenueProtect on-going revenueGet market data

15

Why? – Lock-in UsersUse proprietary security measures

Vendor can controlCan create revenueBlock or hinder competitionUsers get familiar – harder to switch

Probably reduces reliability and stability

16

Why – Maximize RevenueUse as a high price upgrade feature

Incremental cost is low to nothingBut can charge a lot for itNon-IT example: Airline faresIT example: Basic product vs. “Gold” version

17

Why – Protect RevenueUse security to prevent reverse engineering

Use security measures to prevent add-on generic productsE.g. printer cartridges

18

Why – Protect and Gather DataRFID

Helps prevent theftCreates revenue (e.g. toll tags)Track inventory and shipments

(IBM “you’re on the road to Fresno” ad)

ButBig privacy threat

Can track car movementsCan track people (see movie “Minority Report”)

19

Why – Get Market DataMS Passport – a good example of a bad example

Purported purpose – to provide a single point of security to many Web sites

But Passport tracks your surfingAnd shares your dataAnd provides bad guys with a single point of attack

20

Where is the Advantage?(Economics of “War”)In security matters today, attackers have the

advantageEasier to find one flaw than find and patch them all

Attacker only needs one

Can model investment in attack and defenseEstimate bug count and investment in findingAttacker’s advantage is largeLike trying to defend in Iraq

Attack can come anywhere – defense must be everywhere

21

Another Who QuestionWho Determines Security Quality?International Standards for Security existBut like ISO 9000, they appear to be more about process

than contentNo absolute standardCustomer says what is wanted in securityVendor verifies product meets requirements

Current working standard is called “Common Criteria”

22

Who Pays for Evaluation?

Should be customer, but this is big expense if each customer does it

Current practice is that vendor pays an evaluatorThis leads to shopping for “easy” evaluatorsAn Application Vendor may actually consider an

evaluated product to have less valueIf A.V. embeds the security product in his product and it

fails, A.V. is more likely liable if security product is certified

23

ConclusionWhy do IT vendors not provide great security?

Economics!Create MonopolyMaximize revenueReduce risk

Economics promotes insecurityUltimately the problem is more political than technical

24