8 thoughts on “Security Economics

  1. Mr. Anderson, I just read your paper “Why Information Security is Hard – An Economic Perspective”, and as an economics student I’m worried that you don’t know what you are talking about in many areas. Perhaps you should just stick to security?

    I will highlight some of the key problems in your paper by quoting them and discussing them briefly. I think the main problem stems from approaching economics from a computer security background.

    “Saxon village had community mechanisms to deal with this problem; the world of computer security still doesn’t.”

    I can’t speak for Saxon villages, but where other tragedy of the commons appeared this mechanism was called privatization, i.e. getting rid of the commons. This mechanism is available today, simply by privatizing the internet (one should get rid of the ISPs that have a government-backed exclusive franchise as well).

    ” A very common ob jective is differentiated pricing. This is usually critical to firms that price a product or service not to its cost but to its value to the customer. This is familiar from the world of air travel: you can spend $200 to fly the Atlantic in coach class, $2000 in business class or $5000 in first. ”

    I think this is key proof that you should stay away from economics. If you honestly understood economics you would say that the supply-demand clearing price is $200 for coach, $2000 for business, and $5000 for first.

    You pay for different prices for different services. Ice-in-the-summer is a radically different product than Ice-in-the-winter, and therefore commands a higher price on the market.

    “All three of these effects tend to lead to ”winner take all” market structures with dominant firms.”

    Actually none of these things leads to a “winner take all” situation. There is some truth to the ‘lock in’ process , but its not what you say it is. The real ‘lock in’ is created by a government monopoly of privilege in copyrights and patents. As long as there is no barrier to entry in a given market there is no way a firm can monopolize anything.

    “They make it likely that, over time, government interference in information security standards will be motivated by broader competition issues, as well as by narrow is-sues of the effectiveness of infosec pro duct markets (and law enforcement access to data).”

    Exactly how is a monopoly of legal force (government) able to stimulate competition? This is an incredible denial of the historic record.

    “This is usually critical to firms that price a product or
    service not to its cost but to its value to the customer.”

    I think you’ve been imbibing too much Karl Marx.

    The cost of production has nothing to do with the price. The price is determined by supply & demand.

    It is determined by the subjective value of the consumer and then imputed all the way back (going through all the intermediate firms) into the primary ingredients of production: land, labor, and capital.

    Therefore every firm does not price its good according to cost. Cost determines whether or not there was a profit or a loss to the firm.

    “The theory of asymmetric information gives us an explanation of one of the mechanisms. Consider a used car market, on which there are 100 go o d cars (the ‘plums’), worth $3000 each, and 100 rather trouble-
    some ones (the ‘lemons’), each of which is worth only $1000. The vendors know which is which, but the If customers start off believing that the probability they will get a plum is equal to the probability they will get a lemon, then the market price will start off at $2000. However, at that price only lemons will be offered for sale, and once the buyers observe this, the price will drop rapidly to $1000 with no plums being sold at all. In other words, when buyers don’t have as much information about the quality of the products
    as sellers do, there will be severe downward pressure on both price and quality.”

    I honestly don’t even know where to begin in with this poorly thought out and economically incoherent paragraph, so I will just state that you need to revisit Gresham’s Law and see how you misapplied it.

    Also, no one buys or sells cards like that in real life (especially today). Your model is some sort of stock market for cars, where the buyers are freaking morons that can’t examine cars or even haggle properly.

    “In passing, it is worth mentioning that (thanks to distributed denial of service attacks) the economic aspects of security failure are starting to get noticed by government.”

    I think you got it backwards. Studying history & economics, most of the problems you complain about in your paper occurs from persistent government intervention in areas such as money, corporate law, trading regulations, & anti-trust.

    You give a naive reader the impression that we are operating under some sort of free market – and all these problems occur because of it. You could not be more wrong, I suggest you look further investigate the kind of incentives created in society by the above regulations.

    “So much for commercial information security. But what about the government sector? As information attack and defense become ever more important to ols of national policy, what broader effects might they have?”

    The government sector works like it has always worked for millenia – abrdging your freedoms and having you pay for it.

    Everything you say on pirates is dead wrong. There are so many things wrong with this paper, that I got a migraine from reading it.
    I advise you to read “Human Action” by Ludwig von Mises, and “Man, Economy, & State” + “Power & Market” by Murray Rothbard, so that you can understand basic economics before you write papers by taking a hodge podge of economic concepts (that have been disputed) and slapping them together.

    You paper shows more political alignment than economic knowledge. I suggest you read the above books before you taint society with more disinformation.

  2. Well if you’re a student of economics, you have a bit more reading to do. Network externalities are nothing to do with government action; the Austrian school, some of whose ideas you seem to have imbibed; accepts marginalism much more completely than factor-input theories of value; and as for the lemons market, on which you remark ‘I honestly don’t even know where to begin in with this poorly thought out and economically incoherent paragraph’, this very argument won George Akerlof the Nobel in 2002. The extent to which governments should act against monopolies remains open to debate, but few serious economists now support the extreme laissez-faire view that you advocate. The USA and the EU both have a long tradition of antitrust law

  3. “Network externalities are nothing to do with government action;”

    I would think that patents and copyright play a significant role in reducing competition, and therefore leading much quicker to industry concentration.

    All those other regulations I have mentioned also have a large impact since they all erect barriers to entry and stifle competition in the capital market.

    Also think about this: The government makes Microsoft Word documents the gov standard, gee, what happens then? Can you say corporate welfare?

    Are you honestly telling me that the agency that gobbles up betwen 30%-60% of people’s income does not have a noticeable effect on the market? Especially when any imposed standard greatly benefits a few market players.

    “the Austrian school, some of whose ideas you seem to have imbibed; accepts marginalism much more completely than factor-input theories of value;”

    That’s nice that you know the name, but have you read the material?

    I hate to break it to you but value radiates from humans. Always has and always will. This factor-input theory doesn’t make sense since land, labor, and past capital would have no value. Therefore it only makes sense as a complimentary theory, and even then it is not a theory that maximizes wealth by finding the appropriate spot on the demand schedule ‘curve’. Rather it is a great tool for governments to decide how much guaranteed profits to give to their monopoly franchised utilities & contractors.

    I have imbibed many different schools of economic thought, and the only one that explains it all, never ignores the other schools, beautifully explains most historic episodes to a tee as well as having successfully predicted the Great Depression, the fall of Soviet Union, and the inevitable failure of every government program, is the Austrian School.

    Which is why I suggest you have an honest academic look into the subject matter before you make national policy proposals.

    ” and as for the lemons market, on which you remark ‘I honestly don’t even know where to begin in with this poorly thought out and economically incoherent paragraph’, this very argument won George Akerlof the Nobel in 2002.”

    That’s a nice appeal to authority, but really doesn’t make any sense. In fact it really does seem like a botched explanation of Gresham’s Law (1588). So in my opinion it is rather sad that the Swedish Government is giving out prizes to people that can’t comprehend 400 year old theories.

    Interestingly, I like Hayek’s speech for his 1974 prize: “The Pretense of Knowledge”. He basically muddies the water for everyone before and after him.

    “The extent to which governments should act against monopolies remains open to debate, but few serious economists now support the extreme laissez-faire view that you advocate. The USA and the EU both have a long tradition of antitrust law”

    That’s another appeal to authority, and a strange proposition that the quantity of economists is what determines correctness. This is not to mention that fact that most economists are trained at state-sponsored or regulated schools, probably sent on a tax-subsidized loan. Yeah it’s quite easy to see why economists love the state and believe it can do something good, when in fact it NEVER has without inflicting harm on someone else.

  4. quincunx I’ve read your posts where you discuss Ross’s paper with interest.

    Whilst I appreciate there are some points you want to make, and some of the debate may be passionate, could I ask you please to show some respect and politeness in future when you are posting on our own site. Your posts here for instance accuses one of our authors of “tainting society with disinformation”, and I think this is rude and malicious. Another example is where you make a statement along the lines that all the misunderstandings gave you a migraine.

    You are very welcome to post your own opinions on your own site, and in the interest of promoting active discussion and recognising differences of opinion we may link to them, but please don’t assume you can come here and insult our community.

    We are open to criticism (for instance some of your critcism may well be valid — I don’t have the economic understanding to hold an opinion), but we are not open to abuse. This is my personal opinion, that of other authors may differ, and that of the site administrators ultimately triumphs. My goal is to preserve a civil atmosphere for discussion here.

    Mike Bond.

  5. You are correct, I apologize. I think I got it out of my system.

    Let me explain why I got so frustrated (not that it’s a valid excuse). I have not applied my economic knowledge to the area of information security, so when I got interested in it, I was dismayed that many papers (on Anderson’s econ. of it. sec. link page) had the same ‘stuff’ in it.

    I discovered that many of them have their roots in Ross Anderson’s paper. Bruce Schneier co-credits himself & Anderson as the first to analyze security with some economic insight,both around 2000-1.

    So there is basically a bunch of papers that all chide “discriminatory pricing” on EXACTLY the same product (which is not the case) as some sort monopolization attempt, rather than seeing that a different supply & demand price applies to ‘different’ products built on the same base (or underlying tech).

    This view stems from the “perfect competition” model that was developed by state-subsidized economists and anti-trust regulators (pseudo-economists) in the 1920s and 30s as an ex-post facto rationale for government intervention. Particularly in the area of anti-trust, exclusive utility franchises, nationalizing the radio spectrum, nationalization of telecomm, and stock market regulation. This is not a conspiracy theory, but a non-disputed historic fact. This is well discussed by Thomas DiLorenzo, Harold Demsetz, and Murray Rothbard.

    In other words, a rationale masked in highly complex math equations or otherwise setup on parallel universe models hid the fact that there was NO GOOD economic reason for having the government interfere. There was already a working economic paradigm that explained why such intervention will fail, but it was muted by high sounding rhetoric and the obvious financial & prestige incentive for economists to back up the intervention of government.

    Now honestly, if you are an economist, don’t you think you will fare much better financially if you say you can plan & coordinate the economy? As opposed to stepping down from the temptation for power just for the sake of being honest and saying you don’t know what people want & how to give it to them because you are not an entrepreneur, but just a lowly academic?

    So when I hear policy proposals, that sound exactly like the same stuff repeated every generation after 1930, I kinda get concerned for people’s real security in the future.

    My goal is the same as yours, but I disagree with the epistemological methods you have chosen, and the strategy of achieving security by pitching policy proposals to an organization that for millenia been recognized as the most egregious violator of security.

    A lot of the papers discuss specifically microeconomics in certain areas of security. What is missing (and maybe I should fill the gap? or did I overlook someone?) is the macro analysis that can explain how government regulation prevents the market from obtaining proper risk-assessment in security, such as what factors prevent better security models from overtaking bad ones in a quick & efficient manner.

    While there is always the temptation for a business to want to “monopolize” as many papers claim – one must realize that business should be allowed to fail. A lot of time is spent on discussing these egregious business practices without mentioning that eventually they failed, or are currently failing.

    A lot of time is spent on ‘power assymetry’ relations.

    While it has it’s best merits at understanding government ( I can’t see a bigger example of power disparity) failure it is weaker argument for understanding the market, especially in the information age, when access to many review sites, opinions, journals, & blogs is easily accessible.

    Taking the authenticated ink cartridge laser printer example:
    One does not know what factors the manufacturer is relying
    on to obtain profits. If public opinion via the aforementioned channels sullies the reputation of this manufacturer and reduces sales by even 5%, this seemingly small number can erode all profits and may even lead to a loss.

    It is not true that consumers are all idiots running around and buying expensive gadgets without investing a little bit of research time. And to the extent that some are, it is quite a bet for company to solely rely on this minority for its profits. Even if they do bet on it, this business mistake will probably not be repeated by others (at least in the same narrow industry).

    I do not agree with the black and white view that all risk should be given to any single group, be it producer or consumer. Any product has inherent risk that should be properly assessed. But the only way for assessing it is through the market – buying and abstention from buying. Some risks like fireworks, are obviously borne out exclusively by the consumer, while others things like kitchen knifes typically have long time warranties and safety guarantees, so the risk is somewhat shared between producer & consumer. Obviously it would be great, to use Anderson’s words, in an ideal world, information security would work the same way.

    Therefore, to repeat myself, a macroeconomic view of how current and long standing regulations pervert the natural market process of risk-assessment is a must in order to better understand why information security is in shambles.

  6. I have to practice this proffesion in a bank, all I know is that there are no black and white answers, and the grey is in the hands of the powers that be. Risk registers are great, liability dumping, i.e. it’s your call boss.

    However my interest in the philopsphy of economics has been somewhat ignited!

    Keep on the good polite authoratative fight – none physical of course.

    TTFN

Leave a Reply

Your email address will not be published. Required fields are marked *