The economics of information security

Ross Anderson and Tyler Moore have published a nice paper that gives an overview of recent research in the economics of information security and some open questions (PDF). The paper begins with an overview of the relevance of economic factors to information security and a discussion of "foundational concepts." The concept of misaligned incentives is described with the now-standard example of how UK and U.S. regulations took opposite positions on liability for ATM fraud is given--the UK held customers liable for loss, while the U.S. held banks liable for loss. This led to U.S. banks having incentives to make their systems secure, while UK banks had no such incentives (and the UK has now reversed its position after this led to "an epidemic of fraud"). other examples are given involving anti-virus deployment (where individuals may not have incentives to purchase software if the major benefit is preventing denial of service attacks on corporations), LoJack systems (where auto theft plummets after a threshold number of auto owners in a locality install the system), and the use of peer-to-peer networks for censorship resistance.

The authors examine the economics of vulnerabilities, of privacy, of the deployment of security mechanisms including digital rights management, how regulation and certification can affect system security (and sometimes have counterintuitive adverse effects, such as Ben Edelman's finding that TRUSTe certified sites are more likely to contain malicious content than websites as a whole).

They end the paper with some open issues--attempts to develop network protocols that are "strategy-proof" to prevent cheating/free-riding/bad behavior, how network topologies have different abilities to withstand different types of attacks (and differing vulnerabilities), and how the software development process has a very high failure rate for large projects, especially in public-sector organizations (e.g., as many as 30% are death-march projects).

There are lots of interesting tidbits in this paper--insurance for vulnerabilities, vulnerability markets, the efficacy of spam on stock touting, the negligible effect of music downloads on music sales, and how DRM has moved power from record labels to platform owners (with Apple being the most notable beneficiary), to name a few.

(Hat tip to Bruce Schneier's blog, where you can find links to a slide presentation that covers the highlights of this paper.)