
April 25, 2003

Economics of Information Security

I recently had the opportunity to hear Dr. Ross Anderson of Cambridge University speak on Information Security and Public Policy.

The talk started off discussing the failures of information security and why each has happened, and closed with the trends he sees happening in computing today. With the first failure, he described why cryptology has been a disappointment in many ways. It can be condensed down to this: the direct impact of crypto's failure is not felt by those directly involved, but rather by a second party (one step removed). His example cases were previous incidents of European banks having phantom transfers occur. The banks' main point was that their security was infallible, and as such each customer must have made such a transaction. The problem with this idea is that, as a victim of such actions, you can't disprove the infallibility. Here in the US, a New York court case held in 1976 resulted in a ruling that bank machine logs were not substantial enough to prove that a customer did or did not do a transaction (thus they are not infallible). In this case public policy has dictated that a stronger means of security (logs and another form) be used rather than placing implicit trust in a single one (log files only). This tidbit made me consider whether this is why we have video cameras attached to ATMs, not for the purported public safety aspects (a value-added side benefit). He points out an interesting comparison though: the US spends less money on security precautions than Europe does (with regard to banking), and yet it has less fraud too. While he didn't provide data to back this, it is certainly an interesting side effect that would be worth researching.

Distributed Denial of Service (DDoS) attacks were another bit he touched upon. His main point with these is that we can currently implement systems to prevent them, but there is no reason to. When investigated further, it breaks down to this: there is no direct financial reason to provide such a service. In the past, when a virus would infect and destroy information on your local machine/network, the $N investment had a direct effect on you, your information, and your safety. Now, with the use of distributed systems, implementing, at cost, a security system to help others provides no direct benefit to you as a user. It could, to use an example he did, benefit Microsoft X times more than it could benefit you. The only way I've really been able to discredit this theory is through groups that pay per month on bandwidth usage, but those typically have a cap system already in place.

With these kinds of ideals, how is it that software is able to generate any money? In the traditional sense of economics, one typically looks at the marginal cost for a sense of possible income. In the case of software, while it may cost $N millions in research and development, the aftereffect is that it costs nearly nothing to mass produce (depending upon a shrink-wrapped or electronic distribution). So how do software companies ensure their livelihood? The cost of switching. The total time to convert your current information over to the new formats, and the total monetary costs, are what keep people from switching.

Dr. Anderson points out that there are really two routes that could be taken here with regard to preventing user switching. The easier route is to lock users into a one-format lifestyle, much the way Microsoft has done. This creates an arena in which to keep users that is nearly impossible to get out of. The harder, but (purportedly) more prosperous, route is to become the universal enabler that allows access to and interaction with all currently known formats. This route is harder due to the nature of supporting all these formats, and the ease with which you provide for switching from one format to another.

The effects of the easier route can be seen in everyday software. The need to release early and often can be directly traced back to the need to keep users confined within the format arena. If a competitor releases a product quicker, you may lose userbase. Because of this confinement, the creation of the 3-version release process becomes essential to implementing and integrating any form of working security considerations (and stable software).

The effects of this kind of thinking are not limited to software, and can be found in the hardware world pretty easily. Take for example the use of Motorola cellular phones. The battery contains a group of four connectors that power a special key chip. If the key chip matches a series known by Motorola (usually only sold by Motorola), the battery will work a lot longer. If it doesn't match, the phone turns up the power consumption, resulting in a shorter lifespan for the "alien" battery. Supposedly Motorola had put up a reasoning for this in the past but had taken it down because of poor wording choices. Dr. Anderson has stated he's mirrored the page somewhere on his site if you decide to investigate further.

Another example used in the lecture was toner cartridges for printers (Lexmark in particular). In this case they slowly begin to cut down the number of dots per inch produced on an "alien" cartridge, hopefully to get you to replace it with a "proper" piece. Remember the bit about public policy in the topic? Turns out that European legislators are planning to pass a regulation that requires all toner cartridges be refillable (presumably in a standard fashion). The logic behind this regulation is simple: environmental requirements. We will not have regulations that cut into corporate profit in an effort to save environmental conditions. This will surely cause a change (or at least a conflict) with thinking in the United States.

So why all these ploys to make the customer's life difficult? Examining the data a bit, it stands to show that Motorola makes most of its money off of cell phone batteries, not the phone itself. The same is true for printer makers and the toner cartridges, which makes sense given the number of times these are replaced vs. the printers themselves.

What this leaves you, the customer, with is better known as a trusted computer. But it's late now, and there is a lot of information to remember, digest, rethink, and type out on this topic, so I'll leave it for another day.

Posted by Dan at April 25, 2003 10:15 PM
