Economics of security

The economics of information security addresses the economic aspects of privacy and computer security. Economics of information security includes models of the strictly rational "homo economicus" as well as behavioral economics. Economics of security addresses individual and organizational decisions and behaviors with respect to security and privacy as market decisions.

Economics of security addresses a core question: why do agents choose technical risks when there exist technical solutions to mitigate security and privacy risks? Economics addresses not only this question, but also informs design decisions in security engineering.

Emergence of economics of security

National security is the canonical public good. The economic status of information security came to the intellectual fore around 2000. As is the case with innovations, it arose simultaneously in multiple venues.

In 2000, Ross Anderson wrote Why Computer Security is Hard. Anderson explained that a significant difficulty in optimal development of security technology is that incentives must be aligned with the technology to enable rational adoption. Thus, economic insights should be integrated into technical design. A security technology should enable the party at risk to invest to limit that risk. Otherwise, the designers are simply counting on altruism for adoption and diffusion. Many consider this publication the birth of economics of security.

Also in 2000 at Harvard, Camp at the School of Government and Wolfram in the Department of Economics argued that security is not a public good but rather that each extant vulnerability has an associated negative externality value. Vulnerabilities were defined in this work as tradable goods. Six years later, iDEFENSE, ZDI and Mozilla had extant markets for vulnerabilities. Vulnerabilities are also known as computer security exploits.

In 2000, the scientists at the Computer Emergency Response Team at Carnegie Mellon University proposed an early mechanism for risk assessment. The Hierarchical Holographic Model provided the first multi-faceted evaluation tool to guide security investments using the science of risk. Since that time, CERT has developed a suite of systematic mechanisms for organizations to use in risk evaluations, depending on the size and expertise of the organization: OCTAVE. The study of computer security as an investment in risk avoidance has become standard practice.

In 2001, in an unrelated development, Larry Gordon and Marty Loeb published A framework on using information security as a response to competitor analysis systems. These professors at Maryland's Smith School of Business examined the strategic use of security information from a classical business perspective.

The authors came together to develop and expand a series of flagship events under the name Workshop on the Economics of Information Security.

Examples of findings in economics of security

Proof of work is a security technology designed to stop spam by altering the economics. An early paper in economics of information security argued that proof of work cannot work. In fact, the finding was that proof of work cannot work without price discrimination, as illustrated by a later paper, Proof of Work can Work.
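As an added illustration of the proof-of-work mechanism referred to above (example code written for this page, not code from the original article or from either paper), a Hashcash-style stamp in Python: the sender must find a nonce whose SHA-256 hash over recipient and message has a required number of leading zero bits, while the receiver checks a stamp with a single hash. The hash rates at the end are constructed figures, assumed for illustration; they show that one uniform difficulty charges every sender the same expected number of hashes, so the puzzle alone cannot price messages differently for different senders, which is the role the article assigns to price discrimination.

```python
import hashlib
import itertools

# Hypothetical Hashcash-style stamp: the work is bound to recipient and
# message so one stamp cannot be reused for bulk mail to other addresses.

def _stamp_hash(recipient: str, message: str, nonce: int) -> int:
    """SHA-256 over the stamp fields, as an integer, so a leading-zero
    check becomes a comparison against a threshold."""
    data = f"{recipient}:{message}:{nonce}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _threshold(difficulty_bits: int) -> int:
    """A hash with `difficulty_bits` leading zero bits is below 2^(256-bits)."""
    return 1 << (256 - difficulty_bits)

def mint_stamp(recipient: str, message: str, difficulty_bits: int) -> tuple[int, int]:
    """Sender side: brute-force a nonce until the hash clears the threshold.
    Returns (nonce, hashes_tried); hashes_tried is the work the sender paid."""
    limit = _threshold(difficulty_bits)
    for nonce in itertools.count():
        if _stamp_hash(recipient, message, nonce) < limit:
            return nonce, nonce + 1

def verify_stamp(recipient: str, message: str, nonce: int, difficulty_bits: int) -> bool:
    """Receiver side: one hash suffices, so checking is cheap relative to minting."""
    return _stamp_hash(recipient, message, nonce) < _threshold(difficulty_bits)

def expected_hashes(difficulty_bits: int) -> int:
    """Each trial succeeds with probability 2^-bits, so the mean cost is 2^bits hashes."""
    return 1 << difficulty_bits

def seconds_per_message(difficulty_bits: int, hashes_per_second: float) -> float:
    """The uniform puzzle cost translated into time for a sender with a given
    hash rate. The puzzle itself cannot tell senders apart: the same bits cost
    everyone the same expected number of hashes, only the hash rate differs."""
    return expected_hashes(difficulty_bits) / hashes_per_second

if __name__ == "__main__":
    nonce, tried = mint_stamp("alice@example.com", "hello", 16)
    assert verify_stamp("alice@example.com", "hello", nonce, 16)
    print(f"nonce={nonce} found after {tried} hashes")
    # Constructed hash rates for illustration, not measured values.
    for who, rate in (("single desktop", 1e6), ("pooled compute", 1e9)):
        print(f"{who}: {seconds_per_message(20, rate):.6f} s per message")
```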

Another finding, one that is critical to an understanding of current American data practices, is that the opposite of privacy is not, in economic terms, anonymity but rather price discrimination. Privacy and price discrimination was authored by Andrew Odlyzko and illustrates that what may appear as information pathology in the collection of data is in fact rational organizational behavior.

Hal Varian presented three models of security using the metaphor of the height of walls around a town to show security as a normal good, public good, or good with externalities. Free riding is the end result in any case.

See also

  • Authentication
  • Cryptography
  • Cryptanalysis
  • Computer insecurity
  • Data remanence
  • Defensive programming (secure coding)
  • Security engineering
  • Electronic underground community
  • Explosion protection
  • Hacking
  • Information Systems Security Engineering
  • Password policy
  • Software cracking
  • Software Security Assurance
  • Secure computing
  • Trusted system
Centers that study economics of security

Resources in economics of security

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.