« Are Markets Driven by Positive Behavior? | Main | Does Financial Liberalization Help Developing Countries? »

Sunday, January 21, 2007

Externalities in Information Security

Market failure in everything: The information security edition.

An email points to the following story on externalities in information security. The email says:

Imagine, a geek using the word "externality." He doesn't use the word "Microsoft" in this essay, but it is certainly there. It cost me $149 retail for one copy of Windows XP, and it costs the hardware vendors like Dell much less for their copies. I find it very annoying that my direct cost buying anti-virus software and the rest of it, not to mention my labor, quickly passed the inflated retail price of the OS itself.

It is amazing that the software industry in general and Microsoft in particular are able to keep everybody else convinced that this is normal.  Btw, I'm a professional software developer and have been for 20+ years.

Here's the article:

Information Security and Externalities, by Bruce Schneier: Information insecurity is costing us billions. There are many different ways in which we pay for information insecurity. We pay for it in theft, such as information theft, financial theft and theft of service. We pay for it in productivity loss, both when networks stop functioning and in the dozens of minor security inconveniences we all have to endure on a daily basis. We pay for it when we have to buy security products and services...

Fundamentally, the issue is insecure software. It is a result of bad design, poorly implemented features, inadequate testing and security vulnerabilities from software bugs. The money we spend on security is to deal with the myriad effects of insecure software. Unfortunately, the money spent does not improve the security of that software. We are paying to mitigate the risk rather than fix the problem.

The only way to fix the problem is for vendors to improve their software. ... But they will not do this until it is in their financial best interests to do so. And so far, it is not. The reason is easy to explain. ... Vendors try to balance the costs of more secure software -- extra developers, fewer features, longer time to market -- against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales.

So far, so good. But what the vendors do not look at is the total costs of insecure software; they only look at what insecure software costs them. And because of that, they miss a lot of the costs: all the money we, the software product buyers, are spending on security. In economics, this is known as an externality: the cost of a decision that is borne by people other than those taking the decision.

Normally, you would expect users to respond by favouring secure products over insecure products... Unfortunately, that is not generally possible. In some cases software monopolies limit the available product choice; in other cases, the 'lock-in effect' created by proprietary file formats or existing infrastructure or compatibility requirements makes it harder to switch; and in still other cases, none of the competing companies have made security a differentiating characteristic. In all cases, it is hard for an average buyer to distinguish a truly secure product from an insecure product with a ‘trust us’ marketing campaign.

Because of all these factors, there are no real consequences to the vendors for having insecure or low-quality software. Even worse, the marketplace often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality. The result is what we have all witnessed: insecure software. Companies find that it is cheaper to weather the occasional press storm, spend money on PR campaigns touting good security and fix public problems after the fact, than to design security in from the beginning. And so the externality remains…

If we expect software vendors to reduce features, lengthen development cycles and invest in secure software development processes, it needs to be in their financial best interests to do so. If we expect corporations to spend significant resources on their own network security -- especially the security of their customers -- it also needs to be in their financial best interests.

Liability law is one way to make it in those organisations’ best interests. If end users could sue software manufacturers for product defects, then the cost of those defects to the software manufacturers would rise. Manufacturers would then pay the true economic cost for poor software, and not just a piece of it. ... This would provide an incentive for them to make their software more secure. ...

Information security is not a technological problem. It is an economics problem. And the way to improve information security is to fix the economics problem. If this is done, companies will come up with the right technological solutions that vendors will happily implement. Fail to solve the economics problem, and vendors will not bother implementing or researching any security technologies, regardless of how effective they are.

    Posted by on Sunday, January 21, 2007 at 12:33 AM in Economics, Market Failure | Permalink  TrackBack (0)  Comments (23)


    TrackBack URL for this entry:

    Listed below are links to weblogs that reference Externalities in Information Security:


    Feed You can follow this conversation by subscribing to the comment feed for this post.