Economics and Security Resource Page Economics and Security Resource Page Ross Anderson Do we spend enough on keeping `hackers' out of our computer systems? Do we not spend enough? Or do we spend too much? For that matter, do we spend too little on the police and the army, or too much? And do we spend our security budgets on the right things? The economics of security is a hot and rapidly growing field of research. More and more people are coming to realise that security failures are is often due to ***perverse incentives*** rather than to the lack of suitable technical protection mechanisms. (Indeed, the former often explain the latter.) While much recent research has been on `cyberspace' security issues - from hacking through fraud to copyright policy - it is expanding to throw light on `everyday' security issues at one end, and to provide new insights and new problems for theoretical computer scientists and `normal' economists at the other. In the commercial world, as in the world of diplomacy, there can be complex linkages between security arguments and economic ends. This page provides links to a number of important papers, conferences, the home pages of active researchers, relevant books, and other resources. Introductory Papers Managing Online Security Risks is a good introduction. It shows how a range of problems, from bank fraud to distributed denial-of-service attacks, result when the incentives to avoid abuse are poorly allocated. An analysis of cash machine fraud, for example, showed that banks in countries with strong customer rights suffered less fraud; complaints could not be ignored or brushed aside, so they took more care than in countries where it was harder for fraud victims to complain. Why Information Security is Hard - An Economic Perspective was the paper that got information security people thinking about the subject. It applies economic analysis to explain a number of phenomena that security researchers had previously found to be pervasive but perplexing. Why do mass-market software products such as Windows contain so many security bugs? Why are their security mechanisms so difficult to manage? Why for that matter are so many specialist security products second-rate, with bad ones driving good ones out of the market? Why is it hard for people to use security for competitive advantage - and how might they? Why are government evaluation schemes, such as the Orange Book and the Common Criteria, so bad? For that matter, why do government agencies concerned with information warfare concentrate on offense rather than defense, even now that the Cold War is over? Cryptographic abundance and pervasive computing was an early paper to point out the economic and social limits on security technology - if a boss's secretary cannot forge his signature, a digital security system is as likely to subtract value as add it. Cars, Colera and Cows: The Management of Risk and Uncertainty is a classic paper on why organisations (and in particular governments) tend to be more risk-averse than rational economic considerations would dictate. One of the mechanisms is adverse selection: the people who end up in risk management jobs tend to be more risk-averse than average. Electronic Commerce: Who Carries the Risk of Fraud? describes how many banks have seen online banking, and information security mechanisms such as cryptography and digital signatures, as a means of dumping on their customers many of the transaction risks that they previously bore themselves in the days of cheque-based and even telephone banking. Why the Security Market has Not Worked Well is a chapter from a 1990 study by the NAS Computer Science and Technology Board which provides an early analysis of the `computer security problem'. It blames the rapid pace of technological (and particularly architectural) change, the comparatively slow pace of government market interventions (through procurement and evaluation programs), export controls, a lack of consumer understanding of the risks, and the very limited recourse that US customers have against vendors of faulty software. Improving Information Flow in the Information Security Market describes the efforts of the US government over the last couple of decades to tackle a perceived market failure in the security business - the lemons problem, whereby bad products drove out good ones. The attempted fix was a government-sponsored evaluation scheme (the Orange Book), but that was not without its own problems. The European Union has proposed a Network Security Policy that sets out a common European response to attacks on information systems. This starts using economic arguments about market failure to justifly government action in this sector. The proposed solutions are rather familiar, involving everything from consciousness raising to Common Criteria evaluations; but the use of economic analysis could be significant for the future. The Economist covered the subject in a recent survey of information security. The Center for Strategic and International Studies has a very good study of the risks of cyber-terrorism which goes a long way to debunk the scaremongering and hype about the vulnerability of critical infrastructures to digital attack. The Brookings Institute has published a short paper on the economic effects of security interdependency, and a longer book chapter on the economics of homeland security - what should be the roles of government and the private sector in financing precautions against terrorism? Economics and Security in Statecraft and Scholarship explains why a web search on `economics' and `security' turns up few interesting documents on international affairs. The two were considered closely linked until 1945; thereafter nuclear weapons were thought to decouple national survival from economic power, while the USA established a pattern of confronting the USSR over security, and Japan and the EU over trade. This caused Washington bureaucrats to split into a `security' camp and a `political economy' camp; academics studying international relations followed suit. Bill Clinton started to get the bureaucrats working together again from about 1995, but the academics are still lagging somewhat. Econometrics of Security Annual FBI surveys are used as a standard reference by practitioners in the field. Survey results are generally recognised to be unsatisfactory, but unfortunately we don't have anything better at present. There are comparable figures from other countries, such as Britain and Australia, various link farms, and an ***awful lot*** of hype. Kevin Soo Hoo's thesis is an interesting first attempt to bring some economentrics to the field. It looks at what countermeasures might be most cost-effective, given the FBI data. He also has an article analysing the return on security investment, which he puts at an unexciting 17-21 percent. (See press coverage here.) There is also a US government guide to doing risk assessment and cost-benefit analysis. Return on Information Security Investments - Myths vs. Realities discusses a number of technical problems in evaluating security investments; when using return on investment, one needs to distinguish between the accounting and economic rates of return, and between ex post and ex ante figures. They recommend that companies would be better off trying to sdecide on an optimal level of security expenditure rather than chasing rates of return. The Economic Impact of Role-Based Access Control is a study commissioned by the US National Institute of Standards and Technology study to assess the economic impact of an investment they made in promoting role-based access control. It appears to be the first serious study that uses the return on investment to assess research in the field. The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers provides an analysis of the effect of security scares on share prices. A firm whose security is publicly breached can expect to lose 2.1% of its market capitalisation (an average of $1.61 bn per incident) while security vendors gain an average of 1.36% from each such announcement (giving a total gain of $1.06 bn per incident). Another study, of the February 2000 DDoS attacks, showed a slightly greater loss. (The Register has a more cynical view.) Relevant Theory Papers System Reliability and Free Riding discusses ways in which the defence of a system can depend on the efforts of the defenders. Programming, for example, might be down to the weakest link (the most careless programmer introducing the fatal vulnerability) while the effectiveness of testing might depend on the sum of everyone's efforts. There can also be cases where the security depends on the efforts of an individual champion. These different models have interesting effects on whether an appropriate level of defence can be provided, and what policy measures are advisable. An Economics Perspective on the Sharing of Information Related to Security Breaches considers whether firms have adequate incentives to share information on security breaches within the context of the ISACs set up recently by the US government. Theoretical tools developed to model trade associations and research joint ventures can be applied to work out optimal membership fees and other incentives. The economics of information security investment shows that it may often be economic for a firm to protect those information sets with middling vulnerability, rather than the most vulnerable (as that may be too expensive), and that to maximise the expected benefit, a firm might only spend a small fraction of the expected loss. On the Evolution of Attitudes toward Risk in Winner-Take-All Games presents an evolutionary model of how winner-take-all conflicts such as patent races (or for that matter battles for control of software standards) select for risk-takers and lead to the extinction of risk-avoiders. A BGP-based Mechanism for Lowest-Cost Routing shows how combinatorial auction techniques can be used, at least in theory, to provide distributed routing mechanisms that are proof against strategic behaviour by one or more of the participants. There are two related papers by Geoffrey Heal and Howard Kunreuther on security externalities: Interdependent Security - the Case of Identical Agents discusses the social benefits of silent alarms, the difficulty of making computer security investment a dominant strategy, while You Can Only Die Once: Managing Discrete Interdependent Risks examines the more general case and analyses the conditions under which various security problems have equilibria that are not socially optimal. This work lay behind the less technical paper from Brookings. Ascending Auctions with Package Bidding shows that certain types of combinatorial auction can be solved efficiently if bidding is conducted through a trusted proxy - a system that can be relied on to bid according to an agreed strategy. The Communication Complexity of Efficient Allocation Problems shows that although one can solve the allocation problem using strategy-proof mechanisms, the number of bits that must be communicated grows exponentially; thus in many cases the best practical mechanism will be a simple bundled auction. The paper also suggests that if arbitrary valuations are allowed, players can submit bids that will cause communications complexity problems for all but the smallest auctions. Algorithmic Mechanism Design shows how distributed mechanisms can be designed that are strategyproof, that is, participants cannot hope to gain an advantage by cheating in various ways. This paper sparked off much recent research at the boundary between theoretical computer science and economics. Interactions of Security with Copyright and Digital Rights Management Security in Open versus Closed Systems - the Dance of Boltzmann, Coase and Moore first examines the traditional argument about open source security - whether source code access makes it easier for the defenders to find and fix bugs, or makes it easier for the attackers to find and exploit them. It shows that under standard assumptions used by the reliability growth modelling community, the two cancel each other out exactly. Second, the paper points out that Intel's TCPA initiative, which claims to be making the next generation PC more secure, is ***actually*** making it more secure for the PC and software vendors rather than for users. Cruel, Mean or Lavish?: Economic Analysis, Price Discrimination and Digital Intellectual Property shows that the next target of the copyright lobby, after cracking down on fair use, will logically be the doctrine of first sale: the right to resell, lend, or even criticise a book (or film or software product) will be increasingly limited by contract and by technical means. Extending publishers' control into the aftermarket will probably be justified with reference to the economics of price discrimination. The Law and Economics of Reverse Engineering describes what may go wrong if some combination of technical and legal restraints can be made to undermine the right to reverse engineer software products so as to make other products compatible with them. It provides the theoretical and scholarly underpinnings for much of the work on the anti-competitive effects of the DMCA, copyright control mechanisms, and information security mechanisms applied to accessory control applications. There is also a shorter paper that applies the lessons of the main paper to the DeCSS case. New Chips Can Keep a Tight Rein on Consumers provides a concise introduction to the problems that strict usage control mechanisms create for innovation policy. A certain level of reverse engineering for compatibility is an important brake on the abuse of monopoly power, especially in information goods and services markets whose incumbents try hard to manipulate switching costs by controlling compatibility. Open Source Software Projects as User Innovation Networks expands on this. Eric von Hippel shows how most of the innovations that spur economic growth are not anticipated by the manufacturers of the platforms on which they are based; the PC, for example, was conceived as an engine for running spreadsheets. If IBM had been able to limit it to doing that, a huge oppoerunity would have been lost. Furthermore, technological change in the IT goods and services markets is usually cumulative. If security technology can be abused by incumbent firms to make life harder for people trying to develop novel uses for their products, this will create all sorts of traps and perverse incentives. TCPA / Palladium Frequently Asked Questions provides a reference on the latest copyright protection technology from Intel and Microsoft. This technology is aimed at making digital rights management technology pervasive in all consumer electronic appliances. It will not only enable the content industry to crack down on piracy and the software industry to put an end to reverse engineering for compatibility (even in countries where it's legal); it will also create chilling new powers of censorship, and it may pose a serious threat to the survival of free and open source software. This initiative has really serious implications for competition policy, innovation policy and national sovereignty. Conferences The first international workshop on the economics of information security took place at UC Berkeley in May 2002, and attracted over 70 people. It was a seminal event. The second international workshop on the economics of information security is due to be held on May 29-30, 2003 at the Robert H Smith School of Business, University of Maryland. This is the place to go if this subject interests you. A number of relevant papers were also presented at the conference on Open Source Software Economics in Toulouse in June 2002; there was another relevant session that month at the Stanford Institute of Theoretical Economics. There was a workshop in June 2002 on the economic consequences of terrorism. There are also annual colloquia run by NATO on the interaction between economics and national security, with a focus on stabilizing Eastern Europe and the Balkans. Finally, Middlesex University runs annual conferences on economics and security aimed at nonproliferation, sponsored by Economists Allied for Arms Reduction. Home Pages of People Interested in Security Economics Ross Anderson Ralf Bendrath Yochai Benkler Jean Camp Huseyin Cavusoglu George Cybenko Yvo Desmedt Joan Feigenbaum Li Gong Larry Gordon Anke Hoeffler Carl Landwehr Kin Sing Leung Marty Loeb John Mitchell Andrew Odlyzko Todd Sandler Bruce Schneier Suzanne Scotchmer Stuart Schechter Doug Tygar Hal Varian Books Information Rules, by Carl Shapiro and Hal Varian, is a good introduction to economics for computer scientists. It focuses on the specific problems and opportunities of IT goods and services markets, and the characteristics that tend to make them different from the market for potatoes - such as the combination of high fixed costs and low marginal costs, network externalities, technical lock-in and standards wars. It is pitched at the level of an educated general reader. If you want the mathematical detail too, read Varian's Intermediate Microeconomics". Security Engineering by Ross Anderson is a good introduction for economists (and others) to secure systems engineering. It covers not just technologies such as crypto and `infrastructure' matters such as firewalls and PKI, but a number of specific applications, such as banking and medical record-keeping, and embedded systems such as automatic teller machines and burglar alarms. It brings out the fact that most systems don't fail because the mechanisms are weak, but because they're used wrong, and provides economic explanations for a number of these failures. Secrets and Lies by Bruce Schneier is a more populist book in the same theme. It discusses how things go wrong and what sort of organisational measures are advisable to contain them. It debunks the idea that security problems can be fixed by focussing on purely technical measures such as cryptography. Economic Behavior in Adversity by Jack Hirshleifer is a set of essays from the early days of conflict theory. It starts off from early work at Rand on how societies and economies recover from disaster; in an attempt to plan for World War 3, Rand economists looked at the aftermath of tragedies from World War 2 to the Black Death. This led to work on a broader front from evolutionary game theory through the interplay of law and economics to hindrance strategies in general. (These are where a competitor concentrates not on running faster, but on making its adversaries run slower.) The Dark Side of the Force: Economic Foundations of Conflict Theory is a more recent set of essays by Jack Hirshleifer, looking at such topics as the causes of war, why it is not always true that the rich get richer and the poor poorer, and why the technology of conflict is absolutely essential to such questions. The decisiveness of conflict matters; so does whether its outcome depends on the absolute or relative difference of effort between the combatants. The evolution of strategies, for both conflict and cooperation, is growing in its perceived importance. Risk by John Adams is the classic study of why people and organisations are sometimes more risk-averse than would seem rational, and sometimes more risk-loving. For example, mandatory seat-belt laws did not reduce road traffic casualties overall, but merely shifted them from vehicle occupants to pedestrians and cyclists. Adams explains this by a `risk thermostat': people compensate for an increased feeling of safety by driving faster. In general, behaviour is governed by the probable costs and benefits of possible actions as perceived through filters formed from experience and culture. This work exposes the rather shaky foundations of much current risk assessment work. The Future of Ideas by Larry Lessig is an important and influential description of the effects that increasing technical protection of copyright is likely to have on a range of fields, from academic and intellectual life through the competitiveness of markets and the level of innovation. He argues that the overprotection of digital rights is an error: private land is more valuable if it is separated from other private land by public roads, sewers and other utility rights-of way. Its value is also enhanced by the existence of public parks. Other Resources Here are some suggestions for further reading: Recent press stories include an article in Wired about the low ratio of vulnerabilities to exploits and the attention-seeking nature of many vulnerability reports Larry Gordon's links to journals with papers relevant to the economics of security, and the Information Security Economics Research Group he leads at the University of Maryland Economic Aspects of Personal Privacy, Hal Varian The Information Economy pages at SIMS, UC Berkeley Smart and stupid networks: Why the Internet is like Microsoft, Andrew Odlyzko The bumpy road of electronic commerce, Andrew Odlyzko Risk Management is Where the Money Is, Dan Geer The Vmyths site is devoted to debunking computer security hysteria (and see press coverage here) The Battle Over the Institutional Ecosystem in the Digital Environment, Yochai Benkler Coase's Penguin, or Linux and the Nature of the Firm, Yochai Benkler The software economics site run by Kevin Sullivan, Barry Boehm, Mary Shaw and David Notkin How to buy better testing, Stuart Schechter Reverse Engineering, David Musker A Simple Model of Fads and Cascading Failures, Duncan Watts Information Security for Electronic Commerce on the Internet: The Need for a New Policy and New Research, Lee McKnight Measuring Positive Externalities from Unobservable Victim Precaution: An Empirical Analysis of Lojack by Ian Ayres and Steven Levitt The Cyberwar Debate: Perception and Politics in US Critical Infrastructure Protection, Ralf Bendrath The Link Between Economics, Stability and Security in a Transforming Economy Katarzyna Zukrowska Economics and Security in the Asia Pacific: A Constructivist Analysis, Shaun Narine (requires free ciaonet subscription) Power and Prosperity: Linkages Between Security and Economics in US.-Japanese Relations Since 1960, Robert Wampler (requires free ciaonet subscription) Economics-Security Nexus: The Evolution of Chinese Security Policy 1979-1991, Mumin Chen The Economics of Airline Safety and Security by Robert Hahn NATO has been running annual colloquia on the interaction between economics and national security, with a particular emphasis on Eastern Europe. There's a summary by Martin Spechler of the 1999 workshop An Economic Perspective on Transnational Terrorism, Todd Sandler The World Bank has some fascinating papers on the economics of civil war, crime and violence, by Paul Collier and Anke Hoeffler. Finally, there is another site on economics and security, run by Huseyin Cavusoglu at UT Dallas.