Schneier on Economic Insights to IT Security

Scyld_Scefing writes "In his June 29, 2006 Wired News article, 'It's the Economy, Stupid,' Bruce Schneier covers the content of the 2006 Workshop on the Economics of Information Security. Schneier says that economic analysis of IT security issues is relatively new, and links to one of the significant earlier papers from 1991, 'Why Information Security Is Hard -- An Economic Perspective' (.pdf). This article states: 'According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.'"

58 comments

  1. can't prove a negative by yagu · · Score: 4, Insightful

    One of the hardest things about security is knowing you really have security. It's kind of like knowing your software doesn't have a bug. It's easy to know when you do have a bug, it's virtually impossible to know you don't.

    I think security suffers the same or similar perception, rightly so. So, no matter how much you invest, how strict your policies, you really never know you have security. Couple that with how expensive it is to apply and enforce the more draconian policies... who wants to spend a fortune and find out they've been compromised anyway?

    And, extreme security makes computing far less transparent, often to the exclusion of any reasonable work flow for day to day tasks. If security could be transparent (not sure it can), that would help.... no business likes fielding support issues for an entire corporation just because their network is PKI (ever administrate Sun's version?).

    (I once worked at a place that had a thirteen-rule requirement for setting new passwords... it was so intrusive, I kept a printout of the rules on my monitor to try and avoid a twenty-minute guessing game session for setting new passwords. What was really funny was at one point the "rules" conflicted with one of our systems, so you couldn't define a qualified password that the system could use. Hilarious.)

    On top of all of that, no matter how diligent you've been, one disgruntled (ex-)employee is all it takes with a modicum of social engineering savvy and you find the investment for naught. It's no wonder security is a tough nut to crack.

    (As an aside opinion... I think the press gives too much attention to things like the recently stolen laptop with all of the info on it -- it was a stolen laptop, probably nothing more -- they get stolen all of the time, and people have no idea what they've gotten other than a "free" computer.)

    1. Re:can't prove a negative by ScrewMaster · · Score: 4, Interesting

      I had a similar experience many years ago. I did some consulting for a major hospital, and as it happened one contract I received was to reverse-engineer a multi-drop mainframe terminal protocol. The idea was to use regular PCs as terminals instead of the mainframe vendor's overpriced equipment. In any event, I was working with one of the hospital's programmers on the job, and I asked about getting a logon so I could start analyzing the protocol. He said, "Here, watch this." It turned out that Arthur Andersen (yes, that AA) had performed a security audit on the hospital and discovered that, as you would expect, the hospital's security was woefully inadequate. So they required that a triple-password scheme be implemented (yes, typing in three successive passwords to log in to the mainframe) in order to improve security and pass the audit. Well, as it happens this was back when "smart terminals" were getting popular, and this was a floor full of programmers, so it took about eight seconds after the last auditor left for the coders to agree on "F12" as a common macro key to spit out the required three passwords and log in. Everybody programmed their passwords into their own terminals so anybody could log in any time. Pretty funny, really, but it does go to show that what you're saying is correct: if security interferes too much with productivity there will be problems. Prior to that audit, everybody had a private password and used it. Afterwards ... productivity was unimpaired while security simply disappeared.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:can't prove a negative by BVis · · Score: 3, Interesting
      Well, as it happens this was back when "smart terminals" were getting popular, and this was a floor full of programmers, so it took about eight seconds after the last auditor left for the coders to agree on "F12" as a common macro key to spit out the required three passwords and log in.
      Two problems here: Ignorant overpaid "consultants" who think a splint is a good remedy for food poisoning and a floor full of programmers who should be escorted to the door by (physical) security personnel.

      Just because a security policy is retarded is no reason to justify ignoring it. I don't care if the password policy is that you must dance a particular sequence on a DDR pad for access, if that's the security policy, you follow it until a better policy can be put in place.
      --
      Never underestimate the power of stupid people in large groups.
    3. Re:can't prove a negative by Tony-A · · Score: 2, Informative

      It's easy to know when you do have a bug

      Since this is about security, a bit of nitpicking is in order.

      There are at least two meanings.

      It's easy to know when you do have a bug. You do. Just no idea what, where, how, etc. You can even use statistics to draw confidence intervals on the number and severity of the bugs.

      It's easy to know when you do have a bug. Assuming that if you have a bug you'd know it. This one is false, very false. It is quite possible for a bug to exist and to not be demonstrable under any circumstances. I've had lots of situations where it was necessary for TWO bugs to get together for anything to show up. I've even had a triple -- and that one was downright spooky.

      To further complicate matters, bugs are not created equal. Counting bugs is about as silly as counting money tokens (equating pennies with $100 bills, except that computer stuff is not nearly that equal).

    4. Re:can't prove a negative by ScrewMaster · · Score: 2, Insightful

      No, the problem was ignorant, overpaid "consultants" who thought a bludgeon was a good replacement for actually analyzing the situation and solving the problem. The idea was to make their own jobs easier so they could leave the site having "increased security" thereby justifying their rather hefty fees. Those consultants were paid serious money to come up with a solution that would balance the customer's stated security requirements with the need for workers to actually, well, work. The consultants failed, and management implicitly recognized this when they allowed the programmers' "solution" to stand. Remember, Arthur Andersen's recommendations were just that ... recommendations. They were implemented, they didn't work, and they were eliminated in the most expeditious way possible. No need to escort anyone to the door. Last I heard they had gone back to their old password system.

      If this kind of thing happens a lot it's not hard to see why hospitals are so expensive.

      --
      The higher the technology, the sharper that two-edged sword.
    5. Re:can't prove a negative by Anonymous Coward · · Score: 0

      My legs are broken you insensitive clod!

    6. Re:can't prove a negative by Tony-A · · Score: 1

      And, extreme security makes computing far less transparent, often to the exclusion of any reasonable work flow for day to day tasks. If security could be transparent (not sure it can), that would help.... no business likes fielding support issues for an entire corporation just because their network is PKI (ever administrate Sun's version?).
      Methinks the reality is that losing transparency means losing security.

      (I once worked at a place that had a thirteen-rule requirement for setting new passwords... it was so intrusive, I kept a printout of the rules on my monitor to try and avoid a twenty-minute guessing game session for setting new passwords. What was really funny was at one point the "rules" conflicted with one of our systems, so you couldn't define a qualified password that the system could use. Hilarious.) ... And the next step is ...
      Breaking security is "hilarious".
      "Hilarious" is a good thing not a bad thing.
      A Rube Goldberg contraption trying to fake security will have predictable consequences.

      Any time you have many eyes which know what is supposed to be going on, it is rather hard for any outsider to penetrate.
      Any time you have superfluous and illogical rules trying to enforce someone's bad idea of security, there are just too many unwatched cracks, too many ways to get around things.

    7. Re:can't prove a negative by firewrought · · Score: 1

      Just because a security policy is retarded is no reason to justify ignoring it.
      That sounds like a good reason to me! You should follow rules that serve practical and ethical purposes, but you are morally obligated to circumvent the useless cock snot coughed out by some process consultants.

      --
      -1, Too Many Layers Of Abstraction
    8. Re:can't prove a negative by BVis · · Score: 1
      You should follow rules that serve practical and ethical purposes, but you are morally obligated to circumvent the useless cock snot coughed out by some process consultants.
      By that logic I should be able to plant a dozen pot plants in my back yard and drag my idiot Governor from his car and beat him with a lead pipe. You can't pick which rules to follow and which ones not to. If the rule is bad, change the rule. If everyone chooses to ignore security policy you may as well not have one. ANY security policy is better than none. And the people who break the policy because "the rule is stupid" should be sanctioned appropriately, up to and including termination; otherwise, when the policy IS corrected to be less retarded, nobody will follow that one either.

      And need I remind you that this is in a hospital? The administration is opening themselves up for SERIOUS liability if they don't fire these people. Look up HIPAA in Wikipedia for what I'm talking about.
      --
      Never underestimate the power of stupid people in large groups.
    9. Re:can't prove a negative by Anonymous Coward · · Score: 0

      By that logic I should be able to plant a dozen pot plants in my back yard...

      Yes, you should. Why shouldn't you be able to?

    10. Re:can't prove a negative by ScrewMaster · · Score: 1

      I agree, but in any event there's a big practical difference between management of a hospital being upset with you for breaking a rule (however stupid) and having the FBI or DHS come after you for breaking a law (however stupid.) The GP is comparing apples to oranges.

      --
      The higher the technology, the sharper that two-edged sword.
    11. Re:can't prove a negative by Kjella · · Score: 1

      Just because a security policy is retarded is no reason to justify ignoring it.

      Well, that depends... I've seen cases where the employees definitely should have followed the policy even though it seemed retarded to them, but I've also seen instances where the business would come to a screeching halt if the policies were actually followed. I think it's part of the blame distribution process - when shit hits the fan senior management can point to the security regs and say this is against protocol, isolated incident and some token gestures - but they don't actually expect people to follow them (at least the retarded parts). On the other hand, if the security policies are too relaxed then they'll get the blame, even if it was unreasonable to achieve that level of actual security. I think most of the retarded rules are simply CYA for management. Like in this case, it sounds really good on paper to have triple passwords.

      --
      Live today, because you never know what tomorrow brings
    12. Re:can't prove a negative by ScrewMaster · · Score: 1

      Like in this case, it sounds really good on paper to have triple passwords.
      Yes, indeed, because neither upper management nor the Arthur Andersen hacks were required to use them, and both of those groups were well-enough paid that they should have had some inkling that this was a bad idea.

      I guess hiring an accounting firm to perform a security audit wasn't all that bright either, now that I think of it.

      --
      The higher the technology, the sharper that two-edged sword.
    13. Re:can't prove a negative by ScrewMaster · · Score: 1

      Well, then ... you'll have to let your fingertips do the walking.

      For those of you that remember that particular line of Ma Bell ads.

      --
      The higher the technology, the sharper that two-edged sword.
    14. Re:can't prove a negative by BVis · · Score: 1

      I beg to differ. HIPAA is very serious business, and the penalties for violating any part of it are severe.

      --
      Never underestimate the power of stupid people in large groups.
    15. Re:can't prove a negative by garyrich · · Score: 1

      Management covered their asses by hiring "expert"s, following their advice and performing a followup audit. As long as they followed existing approved SOPs they are clean. The programmers are at each other's mercy. If any one of them got pissed at the others and dropped a dime on the others they would be in federal prison for conspiracy and a dozen other charges.

      If federal auditors discovered this the real penalty to management would be that they would rip their systems apart and do a *real* audit from top to bottom. 99% of the people the feds send out for routine computer audits are totally clueless about how technology actually works and what real failure modes there may be or where security problems are likely to be. All they know how to do is pore over validation and design docs (that they also don't understand) and look for clerical things they don't like. The fed *does* have a (very) few people with a clue, but you have to be very bad to get their attention. They would probably still have to pull in people from FBI to do what you or I would consider a real audit.

      --
      -- your Web browser is Ronald Reagan
    16. Re:can't prove a negative by Schraegstrichpunkt · · Score: 1
      ... if you have a bug you'd know it. This one is false, very false. It is quite possible for a bug to exist and to not be demonstrable under any circumstances.

      Example: RC4. The keystream was supposedly indistinguishable from random data. People believed this for the good part of a decade, but they were wrong.

      There's also that ssh1 key parsing bug that was found a few years ago.

    17. Re:can't prove a negative by BVis · · Score: 1

      Sadly, I fear you're quite correct.

      --
      Never underestimate the power of stupid people in large groups.
    18. Re:can't prove a negative by firewrought · · Score: 1
      You can't pick which rules to follow and which ones not to.

      You can, and do. In your hypothetical example (violent assault of a public official), you made the wrong choice because you hurt another person and cheated the democratic process, not because you violated any law. (The law, in this case, exists so that we have a fair process for figuring out how to convict, jail, and execute you.)

      Rules serve to protect the more intangible exchanges of human nature. To make things fairer. To gain efficiencies by solving common problems. Etc. Yes, we should have a certain amount of respect for the rules, "just because they're the rules", but this is by no means absolute. This distinction is especially important for the citizens of failing empire-states to understand, that they might adapt more seasoned, rational rules instead of succumbing to imaginary and overblown fears. :D

      --
      -1, Too Many Layers Of Abstraction
    19. Re:can't prove a negative by BVis · · Score: 1

      You're missing my point. If the rule is bad, change the rule. But in the meantime, the bad rule is STILL the rule.

      We're not talking about ethics or morals here. We're talking about computer security. Security policy must be enforced at all times; if it isn't, and people are allowed to get away with breaking it, when the rule IS changed to not suck so much, people still won't follow it.

      --
      Never underestimate the power of stupid people in large groups.
  2. Legal Insights to IT Security by Anonymous Coward · · Score: 2, Insightful

    Since you can sue to death anyone breaching security, you only need to put a cheap fence around the company assets and invoke the DMCA.

    1. Re:Legal Insights to IT Security by guruevi · · Score: 1

      You make fun of it but for some of us it is a problem that they have to deal with daily.

      I for myself work at a multi-national, multi-location site with a mixed environment of mainframes, servers, terminals, windows workstations, mac workstations.
      I have to implement the policy according to Sarbanes-Oxley in their macintosh computers. They never got anyone to do it decently, so currently a mixed environment of G4's, G5's with all different software, licensed and unlicensed versions of Mac OS, Office, random proprietary software, cracked software, people with mp3's, m4a's, 60g of downloaded video shows and then you have those smart-asses that think that they can manually modify the NetInfo databases.

      I came, I saw, I got everyone integrated into the Active Directory, disabled all admins and admin rights, made sure everyone logs in (no automatic logins) and a screensaver has a password... next thing you know, my supervisor tells me that everyone needs to be admin on their own computer. If they screw up their environment, they will get fired, they're not allowed to do that by company policy etc. according to something said/agreed by CEO and CIO. I think to myself: wtf was I hired for then. I enable local admin rights, next thing you know everyone logs in automatically and disables screen saver passwords and even disables my Remote Desktop and SSH capabilities. NOW ARE THEY GOING TO FIRE EVERY SINGLE MAC USER AROUND (all artists, copywriters, ...), nope, no-one gets fired, I have to make sure everything works and tell everyone not to do that. The best thing is that in OS X you don't need to have admin rights to function properly. In the Windows world, maybe, but in OS X you have your home directory with your Library, Preferences, Documents etc. as admin you function as your own user until you need more rights and then you're allowed to become root. So why did everyone here at /. say you don't need root rights under any circumstance? Is it justified because the manager of the artists complained that they had to create a folder in their users folder and couldn't do it in the root (/)?

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  3. Still too limited by Beryllium+Sphere(tm) · · Score: 3, Interesting

    Put the incentives in the right place and there's still the issue of implementation. Nobody benefited from Chernobyl blowing, but it did anyway, and investigators think part of the reason is that there were no reactor engineers on duty. Security, just like industrial safety, depends on having trained and informed people at critical decision-making points.

    Making security usable is another implementation issue. Everyone wanted airplanes to land safely, especially the pilots who were inside them, but there was one crash after another due to "pilot error" until the aerospace world began laying out controls and instruments to meet the needs of the pilots who used them.

    True, incentives do come first. But even then they need to be carefully chosen. Bad publicity and the threat of job loss didn't make the VA careful: instead those incentives fueled a search for scapegoats, a search which ended with the analyst who had written permission issued on three occasions to take the data home with him.

    1. Re:Still too limited by alshithead · · Score: 1

      We've had this discussion before. For those folks where security is paramount there will be trade-offs in usability. If you want more security then you have to jump through more hoops. The end users often (unfortunately) have the final say in usability and therefore the extent of security. Where users value security more than the annoyance of jumping through hoops, security is better implemented. Where you don't want to be is caught between usability issues versus "how secure I thought I was". The VA is a great example. The "powers that be" thought security was in place but now the IT folks are partially catching hell because some end user took data home. The end user placed data in jeopardy because they didn't absolutely secure it. "Yeah, well my house got broken into and my computer got stolen" somehow places the blame back on IT.

      --
      I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
    2. Re:Still too limited by BVis · · Score: 1

      This VA situation also appears to be yet another case of IT being given responsibility without any of the required authority. Had you asked anyone in IT whether this was a good idea or not, unless they've all been lobotomized, they'd say "absolutely not". But, since they have no authority, the users know they can basically do whatever the fuck they want, since IT will catch the heat for anything they do wrong anyway.

      It's kind of like telling a police officer, "OK guard this prisoner, but you can't watch him or lock the door. Just sit in your office down the hall. But if he escapes, it's your fault."

      --
      Never underestimate the power of stupid people in large groups.
    3. Re:Still too limited by Tony-A · · Score: 1

      The end users often (unfortunately) have the final say in usability and therefore the extent of security.

      THERE'S your problem.
      The end users have the final say on security. Really.
      It's like the bit about physical security.
      Security is not about the hardest way in (IT and management controlled) but the easiest way in (user controlled).
      Now it is completely feasible for management and IT to delude each other about the state of security. I assume that is the normal state of affairs.

      If stuff in an office needs to be secured, is the door locked when the occupant is not present? Is the computer the most sensitive thing in the office?

    4. Re:Still too limited by alshithead · · Score: 1

      In real life that's how it happens. I've seen suggestions for improvement in security shot down because of the impact it would have on the end users. I'm sure others have too. Physical and IT security are the same in some ways. If everyone in the office has to suddenly unlock three deadbolt locks on their office door, plus unlock the doorknob, when they used to keep it unlocked, then they will freak. Same thing with security for IT. Try to force the end users, especially those that are the "powers that be", to allow more steps to do what they need to do. Hell, what do you do about the ones who intentionally violate security related policies that already exist? They WILL NOT fire that senior partner who is bringing in the big bucks because he did something stupid on the computer that (may have) compromised the system security. That's life...

      --
      I reserve the right to think for myself. Others' opinions are optional. Puppy on lap = typos...not illiteracy.
    5. Re:Still too limited by Tony-A · · Score: 1

      They WILL NOT fire that senior partner who is bringing in the big bucks because he did something stupid on the computer

      Hmmm.
      senior partner who is bringing in the big bucks
      computer

      Basic security. You don't risk valuable resources (senior partner) to preserve cheap resources (computer).

  4. 'The Economics of Information Technology' by Anonymous Coward · · Score: 2, Insightful

    http://www.ecampus.com/bk_detail.asp?isbn=0521605210&referrer=frgl

    Cheapest place a quick froogle revealed. I read this book a few months ago and found it pretty interesting, though perhaps best in its role as summarising further papers for reading.

  5. That's why you take the scientific approach. by khasim · · Score: 4, Insightful

    Just to make this clear, "security" is not an end item. You cannot "have" security. My definition is: The process of identifying and evaluating threats and reducing their effectiveness.

    As Bruce says, when there isn't an economic incentive, that process is not maintained.

    But, suppose you are maintaining it. How do you know how good your security is?

    Bruce also wrote about "attack trees".
    http://www.schneier.com/paper-attacktrees-ddj-ft.html

    Identifying and evaluating the different avenues of attack is part of evaluating the threats. Once you've identified one, don't think about how you can "prove" it is "secure". Think about how you would go about showing that it is NOT secure. Make your statements about your security "falsifiable". Just like in the scientific method.

    Then experiment, on an on-going-basis, to see if you can demonstrate that your security can be broken. This takes time and effort on your part as you have to continually read about the latest advances and theories.

    Which gets back to the economic issue. If the organization does not see an economic incentive for you to perform that research/work, then you will be assigned to other tasks and the process will not be followed. If you are not following the process, there is no "security".
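
The attack-tree evaluation khasim's comment points at, as an added example (not code from the comment, from Schneier's article, or from any project): it encodes a tree in the AND/OR form Schneier describes, assigns each leaf a cost and a "possible" flag, finds the cheapest feasible attack, and states the security claim as a budget bound that any cheaper path refutes. The scenario reuses the hospital mainframe story from earlier in the thread; the node names, costs and flags are constructed for illustration, not measured values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    """One node of an attack tree.  Leaves carry a cost (any unit: dollars,
    hours, ...) and a 'possible' flag; interior nodes combine children with
    OR (any one child suffices) or AND (every child is required)."""
    name: str
    kind: str = "leaf"                 # "leaf", "or" or "and"
    cost: int = 0
    possible: bool = True
    children: List["Node"] = field(default_factory=list)


Attack = Tuple[int, List[str]]         # (total cost, leaf steps used)


def cheapest_attack(node: Node) -> Optional[Attack]:
    """Cheapest feasible attack below `node`, or None if the goal is
    unreachable (every OR branch impossible, or some AND child impossible)."""
    if node.kind == "leaf":
        return (node.cost, [node.name]) if node.possible else None
    results = [cheapest_attack(c) for c in node.children]
    if node.kind == "and":
        if any(r is None for r in results):
            return None
        return (sum(r[0] for r in results), [s for r in results for s in r[1]])
    if node.kind == "or":
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    raise ValueError(f"unknown node kind {node.kind!r}")


def claim_holds(root: Node, budget: int) -> bool:
    """The falsifiable statement: 'no attacker spending at most `budget`
    reaches the goal'.  A single cheaper path found later refutes it."""
    best = cheapest_attack(root)
    return best is None or best[0] > budget


def hospital_tree(macro_disabled: bool = False) -> Node:
    """Constructed illustration (all costs are made up): reading a patient
    record on the thread's hospital mainframe, with or without the shared
    F12 login macro still programmed into the terminals."""
    return Node("read a patient record", "or", children=[
        Node("guess a weak password", cost=20),
        Node("use the shared F12 login macro", "and", children=[
            Node("reach the programmers' floor", cost=10),
            Node("press F12 on a terminal with the macro programmed",
                 cost=5, possible=not macro_disabled),
        ]),
        Node("bribe a programmer", cost=500),
        Node("break the mainframe's encryption", cost=10**6, possible=False),
    ])


if __name__ == "__main__":
    print("macro present :", cheapest_attack(hospital_tree()))
    print("macro disabled:", cheapest_attack(hospital_tree(macro_disabled=True)))
    print("'no attack under 50' holds?",
          claim_holds(hospital_tree(), 50),
          claim_holds(hospital_tree(macro_disabled=True), 50))
```

Disabling the macro does not make the claim "no attack under 50" true; it only moves the cheapest path to password guessing, which is the kind of result that tells you where the next control belongs. The tree is only as good as the leaves someone bothered to write down, so the on-going experimenting khasim describes is what keeps it honest.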

  6. Economics is Everywhere by CodeBuster · · Score: 3, Insightful

    It should not be surprising to people that economics provides the basis for explaining many interesting situations that occur in the real world in relation to computer security. Recall that economics is the study of how humans react to scarcity, or more bluntly how we behave in light of the fact that we cannot simply snap our fingers and have anything we want immediately placed in front of us all of the time (with the possible exception of Bill Gates and a few others, but they are not representative). It is precisely the ability of economics to insightfully solve common conundrums with deliciously counterintuitive explanations that seems to fascinate so many people, as evidenced by the recent success of books such as Naked Economics: Undressing the Dismal Science and Freakonomics, despite the generally boring ways in which the subject is presented by our schools. If it involves human interactions and human nature then, ultimately, it involves economics.

    1. Re:Economics is Everywhere by Anonymous Coward · · Score: 0

      The only reason that the way in which Economics is boring as presented by schools is that the great proportion of students don't take the next step to consider the implications Economics has on their lives. What these two books (both great reads, by the way) do is reveal the more fringe, sometimes unexpected outcomes, of applying economics theories to people's lives. My hope is that rather than replacing the role of the inquisitive student in applying their knowledge to their own lives, it will further inspire them, and maybe even cause some of those who just see Economics as a boring subject for boring people, who think it'll make them more desirable employees, to actually see the extent to which Economics is not merely a subject, but a toolkit for the exploration of the world around them.

      I was disappointed by another book in the vein of 'PopEcon', though, which was "The Undercover Economist". This book didn't take the often ingenious extra steps that make Freakonomics in particular very readable.

    2. Re:Economics is Everywhere by Alucard454 · · Score: 3, Interesting

      I couldn't agree more. I'm working on my PhD in economics at the moment, but getting here was one hell of a ride through basically every major known to man. At least one of these required me to take basic micro and macro....

      My macro class was pretty dry and boring, which was what I and everyone else there (including the professor) seemed to expect.

      My micro class on the other hand was taught by an incredible man who had an absolutely infectious passion for the material. I was converted from day one, and changed my major two weeks into the semester. He became my advisor and steered me through the rest of my undergraduate career. When I was debating going to grad school, he bought me a copy of Freakonomics and suggested I spent a weekend reading it and thinking before I decided. I won't say that the book seriously influenced my decision, but it certainly helped renew my passion for economics after the beatdown of my final semesters.

      My point? There is no magic bullet. I think economics is a profoundly powerful tool, and an amazingly interesting study. I'm disappointed at the image that it has with most people as the "dismal science." And yes, a big part of that problem is that most students have no sense of perspective, or come into economics with a preconceived notion of how boring the subject is. I also agree that books like Freakonomics help (I bought a copy for my own father after I told him what I was doing for grad school. He went from being disappointed that I was going to be a "banker or money man" to being fascinated with my research work and quizzing me every chance he gets).

      That being said, I think that another (possibly more powerful) way to help students see the beauty of economics is the same answer to so many issues in education: teachers. I've always been a bright kid (this is slashdot for chrissakes... we're all bright, except perhaps for the trolls) and I've always been incredibly curious about most areas of study. This is why it took me 2 years of changing majors to settle down... I wanted to study EVERYTHING. Somehow though, economics slipped completely under my radar until that one teacher changed everything. One teacher really can make a difference, as fruity and captain-planety (redundant?) as that sounds. In fact, it is that realization that pushed me over the edge and made me go to grad school. I knew that if I could share and demonstrate the same passion for economics that my advisor did, I'd have a chance of making some sort of impact.

      [Already, my passion is being divided between sharing with undergrads and working on my own research, and I have never had more fun (in academics anyway). I have the fortune to be at a fairly high-powered research institute, so I am free to work on and be funded for just about anything. This is not the sort of place I would want to be a professor at, as I would prefer to focus on teaching after my dissertation, but as a grad student it's perfect.]

      Anyways, as I recall, the point I was trying to make was this: Books like Freakonomics are great. Teachers like the one I had are greater, but harder to come by. If you find either, count yourself lucky, and spread the word however you can.

      back to work.

      --
      education
      That which discloses to the wise and disguises from the foolish their lack of understanding.
      ~a.bierce
  7. This paper is a direct analogy to Sex Ed class... by Anonymous Coward · · Score: 2, Funny
    'Why Information Security Is Hard -- An Economic Perspective' (.pdf). This article states: 'According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives.

    I know this author's description is "perverted" (quoting the article) when you can make a very direct reference to something else that is "Hard":

    "Given better access control policy models": Learning how to say NO.

    "formal proofs of cryptographic protocols:" cryptic nerd speak and/or tech speak to keep the true introvert safe from those frisky STD laden women

    "approved firewalls:" contraception tools.

    "better ways of detecting intrusions and malicious code": better methods to protect against STDs

    "and better tools for system evaluation and assurance": the monthly "self-check" for various cancers.

    "information insecurity is at least as much due to perverse incentives.": "perverse incentives??" what else could that analogy be like but the "temptation" of hot sex?

  8. Insurance risk by stox · · Score: 4, Interesting

    We will not see real security until Insurance companies start to really evaluate the risks involved. Once premiums sky-rocket due to poor security, then people will pay attention.

    --
    "To those who are overly cautious, everything is impossible."
    1. Re:Insurance risk by Ulrich+Hobelmann · · Score: 4, Interesting

      I think it's the other way round: because IT is new terrain for them, most insurers make IT insurance too expensive.

      Now if any insurance company were to make IT insurance for certain systems with certain properties cheap, maybe people would try to implement those properties (say, Unix, separation of privileges, managed code or alternatively strongly checked code with powerful type/effect systems) to be able to get the cheap insurance (or to offer that cheap insurance to their clients/users).

  9. Put the liability in the right place by Dadoo · · Score: 5, Insightful

    I've been telling my co-workers for a long time - while hackers who break into companies' networks should be punished, the companies themselves should be punished more. The very first paragraph of this essay (the one comparing the European banks to the American banks) would seem to agree with me.

    Let's face it: if your corporate network can't stand up to some high-school kid in his basement, it certainly isn't going to stand up to a well-funded foreign power trying to attack us.

    --
    Sit, Ubuntu, sit. Good dog.
    1. Re:Put the liability in the right place by Anonymous Coward · · Score: 0

      You can't though - it would be a bigger incentive to keep quiet if admitting to the hack cost you even more money - generally cleaning up the mess is expensive enough. As such a lot of banks are pretty good at IT security, certainly compared to most companies.

      There are very few security issues that fully cost shift. Spam is one area of cost shifting, but if your machine is turned into a spambot it does have a cost to you. More likely it may also be used for key logging, or other such abusive practices, when the cost could be large, and very direct.

      And while Microsoft may not suffer when your PC gets a virus -- guess what operating system they use internally (no, not Solaris, I think those boxes have mostly gone now).

      I think the desktop security issue is down almost entirely to monopoly, that cuts both at monoculture, and lack of competition for better products (and let's be clear pretty much all the competing products have much better security records, what they don't have is significant market share). Of course society already has mechanisms for dealing with the ill effects of monopoly in areas of business, just no one seems prepared to use them effectively. It also explains why Microsoft have the cash to hire a whole army of IT people to keep their systems running in spite of the problems.

  10. Anderson's paper is from 2001, not 1991 by 44BSD · · Score: 1

    That is all.

    1. Re:Anderson's paper is from 2001, not 1991 by Tony-A · · Score: 1
      Looks like several of 'em in the same general space.
      Other than specific references to Windows 2000, seems relevant regardless of epoch.

      [4] RJ Anderson, "Why Cryptosystems Fail," Communications of the ACM vol 37 no 11 (November 1994) pp 32-40

      [1] GA Akerlof, "The Market for 'Lemons': Quality Uncertainty and Market Mechanism," Quarterly Journal of Economics v 84 (August 1970) pp 488-500

      From the paper:

      The theory of asymmetric information gives us an explanation of one of the mechanisms. Consider a used car market, on which there are 100 good cars (the 'plums'), worth $3000 each, and 100 rather troublesome ones (the 'lemons'), each of which is worth only $1000. The vendors know which is which, but the buyers don't. So what will be the equilibrium price of used cars?

      If customers start off believing that the probability they will get a plum is equal to the probability they will get a lemon, then the market price will start off at $2000. However, at that price only lemons will be offered for sale, and once the buyers observe this, the price will drop rapidly to $1000 with no plums being sold at all. In other words, when buyers don't have as much information about the quality of the products as sellers do, there will be severe downward pressure on both price and quality. Infosec people frequently complain about this in many markets for the products and components we use; the above insight, due to Akerlof [1], explains why it happens.

      The problem of bad products driving out good ones can be made even worse when the people evaluating them aren't the people who suffer when they fail.


      Even if the people evaluating are the people who suffer, it's like the quality of snake-oil offered for sale. The quality is much much lower if the ingredients do not have to be listed. That's really the reason that Microsoft gets all the malware. You don't know what's in it. You don't know what it's doing. You don't know what it's supposed to be doing. The OPEN of open source is enough to shift the balance even if the quality were much much worse than closed. You can expect similar when IT tries to secure the system from the users.

      One final crack about the economics of security.
      The price of a compromised machine gives a very accurate overall economic view of the worth of security. This is similar to the price of a hit-man as a measure of crime-in-the-streets. When this price is too low (five cents ????), you know something is wrong, very wrong.
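      The Akerlof argument quoted in this comment, carried through as a small model (an added example, not code from the paper or from the thread): sellers know each product's worth, buyers only know the average worth of what is currently offered, and the price is iterated to its fixed point. It goes one step beyond the quoted case by also modelling a buyer-verifiable quality check (the "evaluation and assurance" the article mentions), which is what lets the plums fetch their price; `equilibrium_price`, `segmented_prices` and the sample markets are names and numbers chosen here.

```python
"""Market-for-lemons (adverse selection) model, generalised from the
$3000-plum / $1000-lemon example quoted from Anderson's paper.

Assumptions (the model, not the paper):
  * every seller knows the true worth of their own item and only sells
    when the market price is at least that worth;
  * buyers cannot tell items apart, so they pay the average worth of the
    items actually on offer at the current price;
  * the price starts at the average worth of the whole population (buyers
    believe every item is equally likely) and is iterated to a fixed point.
"""
from collections import defaultdict
from statistics import mean


def offered_at(values, price):
    """Items whose sellers are willing to sell at `price`."""
    return [worth for worth in values if worth <= price]


def equilibrium_price(values, start_price=None, max_rounds=100):
    """Iterate price -> mean worth of what is offered, until it stabilises.

    Returns (final_price, price_history).  final_price is None if nothing is
    offered at some point (an empty market).
    """
    if not values:
        return None, []
    price = mean(values) if start_price is None else start_price
    history = [price]
    for _ in range(max_rounds):
        offered = offered_at(values, price)
        if not offered:
            return None, history
        new_price = mean(offered)
        if abs(new_price - price) < 1e-9:
            break
        price = new_price
        history.append(price)
    return price, history


def segmented_prices(items):
    """`items` are (worth, label) pairs where `label` is something buyers CAN
    verify (e.g. a passed evaluation, or disclosed ingredients).  Buyers then
    treat each label as its own market, so adverse selection runs per segment.
    Returns {label: equilibrium price}.
    """
    segments = defaultdict(list)
    for worth, label in items:
        segments[label].append(worth)
    return {label: equilibrium_price(worths)[0] for label, worths in segments.items()}


# Constructed sample markets (not from the page).
PLUMS_AND_LEMONS = [3000] * 100 + [1000] * 100          # Anderson's numbers
THREE_TIERS = [5000] * 50 + [3000] * 100 + [1000] * 100  # still unravels to lemons

# A perfect check: every plum passes, no lemon does.
PERFECT_CHECK = [(3000, "passed")] * 100 + [(1000, "failed")] * 100
# An imperfect check: 20 lemons also pass.  In this model plum sellers will not
# sell below $3000, so even a few false positives unravel the "passed" segment.
LEAKY_CHECK = [(3000, "passed")] * 100 + [(1000, "passed")] * 20 + [(1000, "failed")] * 80


if __name__ == "__main__":
    for name, market in (("plums/lemons", PLUMS_AND_LEMONS), ("three tiers", THREE_TIERS)):
        price, history = equilibrium_price(market)
        print(f"{name}: price path {history} -> equilibrium {price}")
    print("perfect check:", segmented_prices(PERFECT_CHECK))
    print("leaky check:  ", segmented_prices(LEAKY_CHECK))
```

      The leaky-check case is the point a practitioner should take away: an evaluation buyers rely on has to be one that low-quality products cannot pass, or it buys nothing in this model.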
    2. Re:Anderson's paper is from 2001, not 1991 by Helevius · · Score: 1

      Mod parent up: here is the IEEE citation from 2001.

  11. How do you put a cost on what doesn't happen? by netringer · · Score: 1

    It occurs to me that is similar to what I encountered when I was a sysadmin. The boss has no idea how many problems the company didn't have because you're good at your job. In fact, an admin that's always fighting fires can be highly valued for all of the work they put in.

    With security, the only measure is imagining the cost of outages and security breaks, maybe for other companies if you're good enough or lucky enough to prevent them. Otherwise, the bean counters will only look at what you want to spend as having no return.

    An exception might be if the company hires a consultant (because what would YOU know. You work here. You can't be smart.) to assess the economic impact of the risks. That would be followed, of course, by how you need to hire them to prevent the danger.

    --
    Ever dream you could fly? Get up from the Flight Sim. I Fly
  12. Economics is fascinating by Colin+Smith · · Score: 2, Interesting

    It has a profound effect on our society.

    Take for example the debt based money system we have now. The government has the ability to print money (well, borrow) as it likes. Well when you have that power, it's pretty damned difficult not to use it. After all, raising taxes is about as popular as a fart in a lift and all politicians want to be re-elected. So borrow some money from the central bank to pay for your pet oil liberation project. This has a number of implications:

    1: We've increased the amount of money available in circulation. This causes the value of the existing money to decrease; Inflation. Though it's perceived to be a general increase in prices it's essentially a tax on the currency holding population.

    2: That debt you have to pay back, well it has an interest rate on it, the bankers want a little bit more back than they loaned, so you and everyone who works for you have to work that little bit harder to pay it back, you have to expand and grow to service the debt. The more you expand, the smaller the debt is in proportion, so you must expand. Which basically means there must be a continual increase in the exploitation of resources. For some reason the ecologists haven't picked up on this.

    3: The government has free money to give away. Well, easy money anyway. The military, Halliburton and all the direct contractors to the government benefit directly, in fact they get the cash before the inflation hits the economy generally so they benefit and grow hugely. Well we could call the military, its direct suppliers like Halliburton etc the military industrial complex.

    4: Money is power, the free money the government is acquiring increases the power it has to intervene in, well anything it wants to.

    So... Debt based money gives us... Inflation, mandatory economic expansion, increase in the size and power of the military industrial complex, increasing size and power of the state.

    --
    Deleted
    1. Re:Economics is fascinating by jadavis · · Score: 1
      Inflation. Though it's perceived to be a general increase in prices it's essentially a tax on the currency holding population.


      The effect on debtors and creditors should far outweigh the effect on holders of currency. If you loaned money to someone to buy a house, inflation is very bad for you and very good for the person to whom you lent money.

      The more you expand, the smaller the debt is in proportion, so you must expand. Which basically means there must be a continual increase in the exploitation of resources.


      Economic expansion does not require the exploitation of resources. If exploitation of resources were as important to economic expansion as you imply, Mexico would be rich and Japan would be poor.

      in fact they get the cash before the inflation hits the economy generally so they benefit and grow hugely


      Huh? When the money is in circulation, the inflation has already hit.
      --
      Social scientists are inspired by theories; scientists are humbled by facts.
    2. Re:Economics is fascinating by Colin+Smith · · Score: 1

      The effect on the holders of the currency is whatever the inflation rate is; 5% or 10% would be quite a big effect, particularly on the poor, and if you don't adjust the interest rate on loans you provide in a timely fashion for inflation, yup, it will be very bad for you. If the inflation rate gets very high it's very bad indeed for the debtor. High interest rates, payments out of control, house lost and all that.

      "Economic expansion does not require the exploitation of resources. If exploitation of resources was as important to economic expansion as you imply, Mexico would be rich and Japan would be poor."

      Haven't you heard the term human resources? :D And anyway that isn't true, Japan "adds value" to resources that have been exploited by someone else. Turning more iron ore into more cars. Any one stage in the process might produce a greater or lesser economic benefit, but the resources still have to be exploited at some point.

      "Huh? When the money is in circulation, the inflation has already hit."

      The effect doesn't hit everyone in the economy simultaneously. e.g. If I counterfeited 100 million dollars perfectly, gave half to my friend, there's a massive inflationary effect on my friend's and my money but no effect on the rest of the economy until we start spending the money, and then the effect pushes out slowly from the people we spend the money with. The closer you are to the source of the money the more you benefit.

      --
      Deleted
    3. Re:Economics is fascinating by jadavis · · Score: 1
      If the inflation rate gets very high it's very bad indeed for the debtor. High interest rates, payments out of control, house lost and all that.


      No, inflation is very good for any debtor. If you owe $1000 at 5%, and inflation is 10%, then the debtor actually makes money in the transaction. Even ARM (adjustable rate mortgages) are typically fixed for years, and even when they do adjust they are not likely to change more than inflation. And that's only talking about mortgages, there are many other types of loans, and many don't adjust at all.

      Inflation is bad for creditors, and good for debtors, because the debtors borrow in today's dollars, and pay back in tomorrow's dollars. It's also bad for currency holders, but there is a lot more debt in existence than currency.

      Japan "adds value" to resources that have been exploited by someone else.


      But expansion doesn't necessarily mean the "exploitation" of new resources. It could add value to existing resources, or more efficiently allocate existing resources. That's actually where most of the money is, not in selling raw materials. So, value add is also where most of the expansion would happen.

      I will agree that the modern world is accustomed to economic expansion. However, debt only makes sense when expanding the economy, so if we didn't expand economically we wouldn't need debt at all.

      The closer you are to source of the money the more you benefit.


      The person who printed the money benefits. If you throw around money left and right because you have a printing press, you'll immediately feel the forces of inflation. You still benefit because you have essentially used inflation to rob creditors and currency holders of $1M, but you'll feel the same forces of inflation as if someone on the other side of the country spent the money. If I am wrong about this point, please provide me with a reliable source that says that the people printing the money don't feel the effects of its inflation as they spend it.

      --
      Social scientists are inspired by theories; scientists are humbled by facts.
    4. Re:Economics is fascinating by Colin+Smith · · Score: 1
      $1000 at 5%, and inflation is 10%, then the debtor actually makes money in the transaction. Even ARM (adjustable rate mortgages) are typically fixed for years, and even when they do adjust they are not likely to change more than inflation. And that's only talking about mortgages, there are many other types of loans, and many don't adjust at all.


      Um, not here in the UK, most mortgages are variable rate, i.e. set at the central bank base interest rate plus a couple of percent. The central bank increases/decreases the interest rate according to the apparent rate of inflation on a monthly basis. There's certainly a lag so inflation does still work slightly to the benefit of debtors unless the interest rates go very high (we had 17% during the eighties). Otherwise I largely agree with you on this.

      so if we didn't expand economically we wouldn't need debt at all.


      I was referring to the national debt. Something we have already; in fact it's the very basis of the monetary system so we have to expand in order to service it.

      If I am wrong about this point, please provide me with a reliable source that says that the people printing the money don't feel the effects of its inflation as they spend it.


      No, I'm saying that the money printers create inflation around them and the inflationary pressure spreads gradually through the economy over a period of time and doesn't happen everywhere instantaneously. Like a ripple. The people on the edge of the ripple benefit from increased money supply on one side and pre-inflationary lower prices on the other. The closer to the supply of money, the larger is the differential, the larger is the benefit.
      --
      Deleted
    5. Re:Economics is fascinating by Doctor+O · · Score: 1
      No, inflation is very good for any debtor. If you owe $1000 at 5%, and inflation is 10%, then the debtor actually makes money in the transaction.

      Not true. It depends on how rich you are. Let me illustrate:

      Let's say I make $1000 per month, constantly, and need to spend $600 for rent, food, etc. I have a monthly obligation to the bank of $300. Inflation hits. I still have to pay the $300, while my daily life gets more expensive because of the inflation. For most of the working population, that will probably mean that the higher fixed costs at some point cut into the money which is needed to repay the debt. This is more of a problem the poorer you are. And it's not rich people who need debts, they've got enough money. It's the poorer part of the population who needs debts. So it can be assumed that inflation very much is a problem for the majority of people who get debts.

      I believe that the USA are in for a big surprise if they don't stop their rampant inflation. I remember reading that after 9/11, more money was being printed *daily* than *existed* globally in 197something. The only reason the public doesn't notice is how the GDP is calculated in the USA. It's artificially being held constant by using a changing "shopping basket" as the basis of the calculation. That same article calculated the 'real' GDP to be around 10 or 15%, but I frankly can't remember anymore, that was some years ago.

      Anyway, the whole money system as it exists today will ultimately crash. The interesting questions are: When will this happen? and What comes next?

      Ah, I'd so much love to explore this further, but I can't afford to study anymore, I've got wife, kids and house to sustain. If you have some recommended reading on this, preferably online, I'd like to see if my theories are *that* far off.
      --
      Who is General Failure and why is he reading my hard disk?
    6. Re:Economics is fascinating by jadavis · · Score: 1
      The closer to the supply of money, the larger is the differential, the larger is the benefit.


      I think I see what you're getting at, but could you please provide a source? I am not trying to disagree, but I am not entirely convinced and I would be interested to read a more thorough explanation.
      --
      Social scientists are inspired by theories; scientists are humbled by facts.
    7. Re:Economics is fascinating by jadavis · · Score: 1
      Not true. It depends on how rich you are. Let me illustrate:


      In your example, your salary is declining, because the value in dollars is constant while the value of a dollar is declining (inflation). Generally, as your skills and experience increase, your salary will follow. A person's salary will decrease if the market value of their job decreases, or if it was higher than market value to begin with (for instance, in the case of minimum wage).

      But yes, "the rich" or middle class sometimes benefit (in the short term) from inflation, and the poor rarely benefit from inflation. Middle class tends to have a higher debt/credit ratio because it's typical to have a house that's mortgaged at a fixed or nearly fixed rate, and inflation is likely to drive up the middle class wages, meaning an overall benefit. Inflation causes wage increases, and the people who benefit the most from that are the people that work the most, which are "the rich" and the middle class.

      I believe that the USA are in for a big surprise if they don't stop their rampant inflation.


      Inflation is a problem, but it's far from "rampant". And something is being done, we are raising the discount rate. Since around 2000, the discount rate started falling rapidly, causing inflation as well as (perhaps) a real estate bubble. However, now the discount rate is going back up, and we can expect inflation to decrease.

      If you have some recommended reading on this


      If you're interested in monetary policy, you can't beat reading some resources at http://www.federalreserve.gov/. I suggest the "Monetary Policy Report to Congress" in the "News and Events" section. Many of those reports (which are basically speeches to Congress) are available going back years. Also there are more resources linked from the site in the "Publications and Education Resources" section.

      As for economic reading in general, I think the best author around is Dr. Thomas Sowell. He presents his ideas in a very readable fashion, but his works are very well-researched. He draws from current events and history, and analyzes policy in a simple, step-by-step manner. The author grew up in a (very) poor black family in the Bronx, and his writing comes across as plain English that relates to real people, not abstract academic theories built upon other abstract academic theories. Most other academics either use such rich language that you can't understand what they are saying in plain English, or they are so boring that you can't make it past page 10.
      --
      Social scientists are inspired by theories; scientists are humbled by facts.
    8. Re:Economics is fascinating by Doctor+O · · Score: 1

      In your example, your salary is declining, because the value in dollars is constant while the value of a dollar is declining (inflation). Generally, as your skills and experience increase, your salary will follow.

      Not at all. Actually virtually everyone I talk to these days is complaining about the decline in salaries. Taxes have been going up significantly for years now (at least here in Germany, YMMV), salary rises are mostly unheard of, and those that get into the media are in the 1-3% area, by far not enough to outweigh inflation and taxes. The opposite is true for *many* people nowadays - work contracts are changed in huge numbers to contain more working hours for the same salary, both in the private and the public sectors. Public service just went from 40 hours to up to 48 hours per week at the same salary - the last rise from 38 to 40 hours was only two years ago.

      No, I don't buy it. Salaries are declining massively, and the number of people working in badly-paid jobs increases. You in the US are already in the situation where many "normal folk" have to work several shit-jobs just to be able to earn the minimum needed to eat and not sleep under a bridge. And it's getting worse. As you have a degree and therefore would know different people, the effect might just not be as visible to you. It's rather visible to everyone I know. Fair enough, I only know around 10 people with a degree, and the above tends to not apply to them as much as to the 'working' people I know.

      Inflation causes wage increases, and the people who benefit the most from that are the people that work the most, which are "the rich" and the middle class.

      Actually I believe that it's the working class who works most, 60 hours per week aren't uncommon, both in Germany and in the US, with the worst work/pay ratio of the whole population. A CEO might as well work 60+ hours/week, but with a *much* higher pay.

      I remember reading an article that stated that in Germany there's more creation of value through interest than through work (production and services). This means that more money goes to the upper class in form of interest than to the other classes through their work. As it's the other classes who pay those interests, there's a steady and growing money stream from the "poorer" majority to the upper class. As this is an accelerating process (geometrical growth works for the rich), we can expect social problems a few decades into the future.

      Inflation is a problem, but it's far from "rampant".

      Even if the real inflation rate in the US is 10% (most international estimates hover around 15%), it's pretty massive. The only reason the bubble doesn't burst is that the USD is the reference currency for many global transactions. Once this changes, e.g. because of the OPEC nations switching to EUR as their standard currency, the shit will hit the fan rather hard. There are many economists over here who suggest that it was Iraq's striving to change the currency for all oil deals from USD to EUR which led to Iraq's invasion by the USA. If Iraq had changed, other countries might have followed. That would hit the US economy royally.

      Mind you, I'm not anti-USA, I'm just interested in global economics - and I frankly don't understand why the rest of the world still relies on the USD while your government prints as much as it sees fit while there's a HUGE and growing trade deficit. (Not that the Euro is a hard currency, either. We had better have kept our Deutsche Mark, at least that was a currency valued on the value of production and service and not some arbitrary, easy-to-manipulate process. But I digress.)

      Thanks a lot for the reading recommendations, I'll check out federalreserve.gov and get something from Sowell in the university library. :)

      I'm genuinely interested in getting a good understanding of all this. Mind continuing the discussion?
      --
      Who is General Failure and why is he reading my hard disk?
    9. Re:Economics is fascinating by jadavis · · Score: 1

      virtually everyone I talk to these days is complaining about the decline in salaries

      I don't know much about the German economy (I have a friend that moved there a few years ago, but he doesn't talk much about the economy), but the US economy is actually doing quite well. We had a recession (technically, it wasn't even a recession according to the definition, but it's generally recognized as a recession). Now the recession is over and we are recovering (not that it was very bad anyway).

      To me, the problems in the German economy signify the superiority of a market economy, but I am an economic conservative. In the U.S., salaries tend to increase for a given individual as that person ages and gains experience. Income tends to increase with increased hours of work. Also, unemployment in the U.S. is low compared with countries like Germany and France (http://www.destatis.de/indicators/e/arb210ae.htm indicates Germany has double-digit inflation regularly, while 6% in the US is considered high). Even public salaries are often determined by the marketplace. Sowell (the author I recommended) does a good job of explaining why the market economy produces better results. Again, I'm an economic conservative (and so is Sowell), so you should consider these statements critically.

      You in the US are already in the situation where many "normal folk" have to work several shit-jobs just to be able to earn the minimum needed to eat and not sleep under a bridge.

      I live in San Diego, one side of the busiest border crossing in the world. It's also one of the areas where around 1M immigrants per year enter this country illegally and without education or skills (of course that's the entire border, not just San Diego). These people come here, and for the most part are productive citizens. They often work many hours, not just to support themselves but also relatives south of the border. I am sure that you can find examples of people who work hard and have a tough time in America. But generally speaking, people who are hard working, motivated, and ambitious are able to support themselves and often have money left over, even if they have no skills or education. Generally the poor in America are considered obese, rather than malnourished. We are far from perfect around here, but I think that from an economic perspective, the US provides opportunity for nearly everyone. If that were not true, there would not be so many successful immigrants from Mexico. And there are a LOT of successful immigrants from Mexico who own property and live comfortably (again, even with no education or skills coming in here).

      I believe that it's the working class who works most, 60 hours per week aren't uncommon

      If you show me a man in the U.S. who has worked 60 hours per week for 30 years, I will show you a wealthy man. I'm sure you can find exceptions, but generally, in the US, if you work a lot of hours, you make a lot of money.

      Even if the real inflation rate in the US is 10% (most international estimates hover around 15%), it's pretty massive.

      Can you provide a source? If that were true, banks would not lend money in the U.S. at the rates that they do. Mortgages are much lower rates than 10%, and clearly a bank would lose if the inflation exceeded the interest they made. Real inflation in the U.S. is a couple percent by any reasonable estimate. At a rate of 10%, $1.00 in 1900 would be the same as about $14,000 in 2000, which is ridiculous.

      I frankly don't understand why the rest of the world still relies on the USD while your government prints as much as it sees fit while there's a HUGE and growing trade deficit.

      Like everything else, people choose among the options they have. USD and EUR both have problems, but they are both used because they are better than th

      --
      Social scientists are inspired by theories; scientists are humbled by facts.
  13. I respect Bruce but he misses a KEY point by Anonymous Coward · · Score: 0

    I really do respect the work and opinion of Bruce Schneier but I believe he is completely overlooking the most fundamental issues summarized here:

    http://www.innersafe.com/about_us#reasons_for_weak_security

    In a nutshell, companies are incented to provide weak security, because including stronger security means loss of revenues and decreased profits.

    If you are one of the masses that believe export restrictions related to cryptographic software today are loose, you are sadly mistaken. As the above link shows, gathering the names & addresses of every end user located outside US & Canada is not a practical option for many companies. And neither is checking each customer's name against the Denied Persons List. Fines and penalties are ridiculously high for violations.

    So there you have it. Your security is sacrificed because current laws penalize companies that provide strong data security. After all, governments get nervous when citizens can keep secrets from them and therefore restrict imports or exports (yes, even today in USA).

    1. Re:I respect Bruce but he misses a KEY point by canuck57 · · Score: 1

      In a nutshell, companies are incented to provide weak security, because including stronger security means loss of revenues and decreased profits.

      I beg to disagree with this on 2 points.

      First, more secure systems tend to run more efficiently and more reliably, thus increasing the users' productivity, as you will not have to deal with your order entry being down for an hour on a crash or patch. More secure systems tend to be run by more knowledgeable staff, better planning, better management and a better choice of applications. Applications that are insecure also tend to be unreliable, and require higher "handholding" and service levels to keep running that increase costs. Over my years of experience, assessing security is a good way to generally assess a product's fitness for use and overall cost of ownership. Less secure products also tend to cost more to maintain.

      Second, security is also about enabling the business to function efficiently. A case in point with employee access control (proxies) and QoS. Corporate I/T gets a call from the manager of a major distribution center that they can't process shipments fast enough. So security investigated and found that the telnet/ssh traffic for the business applications was competing on the WAN with video porn. Here is the kicker: of 3 video streams, one was going to that very same manager who called! Firing the manager and placing QoS and site filtering on the proxies increased the company's efficiencies. Positive impacts also include a lower risk of sexual harassment and increased customer service levels, with a nice byproduct of better profits.

      So it might be more correct to say many companies perceive that security costs are not worth the investment and do not contribute to the bottom line. However, more often than not this is misguided, as many companies have gone bankrupt because their security practices were insufficient.

      The biggest problem in security today is getting a rational and logical assessment of how much you should spend, and what you should spend it on. Sales people are liars, yet often management's most trusted source. But this is an I/T industry problem in general.

    2. Re:I respect Bruce but he misses a KEY point by StreamCipher · · Score: 1

      I think what the original poster tried to communicate was this (based on visiting the URL):

      If product vendors include effective data security in their products:

      1. they have to get export approval from their own country (see below for USA to see added costs)
      2. they have to get import approval from the destination country (many will reject, thus the reduced revenues)

      If the company is based in USA:

      1. they cannot sell the software to anyone who appears on the Denied Persons Lists provided by the U.S. Govt (criminal penalties are heavy and how do you check DPL if the product is sold on store shelves?)

      2. semi-annual reports need to be provided to the U.S. Bureau of Industry and Security that includes the names & full addresses of every single end-user who purchases the product.

      3. the U.S. Bureau of Industry and Security can revoke authorization for the company to use License Exception ENC at any time (even after the 30 day review period) so the company risks becoming an instant violator of export regulations. Failure to answer any question whatsoever (e.g., how do we crack this in 5 minutes?) may result in being unable to sell to anyone outside U.S. and Canada even after you begin selling overseas. "All your balls are belong to them."

      The above 3 points assume that you successfully receive authorization to export outside U.S. and Canada.

      The impact is clear. Reduced revenues from inability to sell in as many countries and inability to sell off-the-shelf due to DPL requirements. Increased costs due to export compliance, semi-annual reporting, legal fees, etc. And of course the added risk of being charged with heavy criminal penalties for violating any EAR--even when selling to countries considered strong allies.

      This 1-2-3 punch practically forces companies to sell weak security. The reasons you posted are highly unlikely to counter this impact on product vendors.

      If you ever run a business that sells products, especially to consumers, you'll instantly recognize the above as a complete nightmare to be avoided at all costs. Who wants anything that massively reduces your total market size and simultaneously increases costs?

  14. Next econ & security workshop is in October by andyoz · · Score: 1

    The next workshop on economics & info security will be held in October. So if you have strongly held views in this area (and who on slashdot lacks strongly held views), then think about submitting. You don't have to be an academic to submit a paper, although arguments should be carefully constructed and well organized.

    The Workshop on the Economics of Securing the Information Infrastructure (WESII)
    • Workshop: October 23-24, 2006, Washington DC
    • Papers due: August 6, 2006

    Suggested topics (not intended to be comprehensive):
    • The economics of deploying security into:
      • The Domain Name System (DNS)
      • BGP & routing infrastructure
      • Email & spam prevention
      • Programming languages
      • Legacy code bases
      • User interfaces
      • Operating systems
    • Measuring the cost of adding security
    • Models of deployment penetration
    • Empirical studies of deployment
    • Measuring/estimating damages
    • Code origin authentication
    • Establishing roots of trust
    • Identity management infrastructure
    • Data archival and warehousing infrastructure
    • Securing open source code libraries
    • Adding security to/over existing APIs
    • Liability and legal issues
    • Internet politics
    • Antitrust Issues
    • Privacy Issues

  15. A presentation by Ross Anderson by sully67 · · Score: 1

    Ross Anderson made an interesting presentation on the Economics of Dependability and Security at Networkshop this year which provides a good overview of the subject. The video and slides are linked from:
    http://www.ja.net/services/events/networkshop/Networkshop34/webprog.html