The State of Incident Response by Bruce Schneier 2: Security-Related IT Economics

Having highlighted the basic IT security trends, Bruce Schneier moves on to dwell on the economic facet of the contemporary cybersecurity.

Now I want to give you some IT economics that’s relevant to security. I have four pieces of economics that matter for IT and matter for security, and I think the more we understand them the more we understand the weird stuff that happens in our industry.

Metcalfe’s law

First one is network effect. You’ve all heard of Moore’s law. There’s a lesser known law called Metcalfe’s law, which says that the value of a network equals the square of the number of users. Basically, the value of a network equals the pairwise connections between the nodes. This is true for real networks – phones, email, SMS, Skype, Facebook users. And the intuition is pretty simple: one fax machine is useless, two are boring; you have a million – suddenly you have a network. Same for email, for everything else. The more people that have the system the more valuable the system is. The more people on Instagram the more you want to be on Instagram.

This is also true for virtual networks: the network of Windows versus Mac users or iOS versus Android users. The more people in the virtual network the more apps, the more user groups, the more stuff happens. This phenomenon means you tend to have a single dominant player in the marketplace. Big get bigger because being big is valuable to the new users. Think of Facebook, think of Skype, think of Windows. Most people are on Windows because most people that most people know are on Windows. People are on Mac because people they know are on Mac.

Second piece of economics that’s relevant is the notion of fixed costs versus marginal costs. When you look at any product, there are two types of cost: there’s the development cost to develop the thing and the cost to make each individual thing. In IT, most cost is in development. So, for this wonderful hat of mine there’s some design cost and there’s the cost for making another one. But for this thing – it’s a random disk up here – the cost of the first one might be a bunch of million dollars, and the cost of the second one is free, 10 cents, it’s a DVD.

This weird economics that all the cost of the thing is front-loaded in the development means stealing the result of the development becomes a very powerful attack. Think of movies, think of music, think of pharmaceuticals. Being able to make a lot of these (disks) and have someone pay to make the first one can be very valuable. And this is why you see a lot of security going into making this not happen – fundamentally, mechanisms that break the market, because we have to artificially make it harder to make a lot of these so that whoever made the first can recover his money.

In other cases, the high fixed cost becomes a barrier to competition. Think of Google Maps, or actually Google Street View is a better example. Once someone drives a car around the entire planet taking pictures, it’s much harder for a competitor to do the same thing. And then you have these dynamics where vendors will cut costs of sale dramatically to drive out competition. So if the maker of this thing (disk) sees a competitor on the line, they can drop the cost to almost nothing, where the competitor can’t compete because he hasn’t recovered his fixed cost yet.

Switching costs can be high

Third piece of IT economics that matters a lot is the notion of switching costs. Switching cost is the cost to switch to a competitor’s product. In some cases switching costs are very low. If you drank a Coke today and you didn’t like it, you can drink a Pepsi tomorrow. The switching cost is zero. That means that Coke has to taste good, or you’re going to switch. Sometimes switching costs are high. If AT&T pisses me off today, I’m likely going to keep them tomorrow, because getting a different phone carrier is expensive, it’s time-consuming, it’s annoying. And in IT, switching from one product to another can be a lot of things: retraining staff, rewriting applications, converting data.

What’s relevant to us is that the higher the switching costs the more a company can piss you off before you’ll switch. In industries where switching costs are high, customer service is lousy because you have what’s called lock-in. Customers are locked in. And this is why you have in our industry companies doing everything they can to keep switching costs high. That includes proprietary file formats, that includes non-compatible accessories, not letting you take your data with you when you leave. Apple wants it to be really hard for you to take your music with you when you leave iTunes. All game companies want it to be very expensive, or impossible, for you to run one set of games on someone else’s console. A good decade and a half ago, the cell phone companies fought really bitterly cell phone number portability, because the whole cost of you reprinting your business cards telling people your new phone number kept the switching costs high.

All these three things tend to lead to a dominant market structure. Big get bigger. And big stay big. It’s not guaranteed, but these are trends in that direction.

Fourth piece of IT economics that’s especially relevant to security is the notion of a “lemons market”. This is work by an economist named George Akerlof. He actually won a Nobel Prize for this. What he studied was markets where there was asymmetric information between the buyer and the seller, specifically markets where the seller knew a lot more about the product than the buyer. The specific example he used was a used car market. And this is his thought analysis: suppose there is a town with 100 used cars for sale; 50 of them cost $2000, and 50 of them are lemons that cost $1000. In that market, the medium price for a car is $1500. And in that market, all the lemons sell and none of the good cars sell.

'Lemons market' principles apply to IT economics as well

And so, what he proposed is that in a market where the buyer can’t tell the difference between a good car and a lemon, lemons drive the good cars out of the market. When the buyer can’t tell the difference between a good product and a mediocre product, the mediocre products win. Since he came up with this theory it’s been verified experimentally, it’s been verified observationally – this is true. This is what happens. This is a lemons market. And I think this explains quite a lot about IT security. If you think about antivirus companies of the 1980s, the firewalls of the 90s, the IDS’s of the 2000s, the companies that won weren’t the best products. Because the buyers couldn’t tell the difference. I can hold up two encryption products that use the same algorithms, the same protocols; that make the same security claims; one is really good, one is kind of mediocre; you can’t tell the difference. What are you going to buy? You’re going to buy the cheaper one.
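The unravelling Akerlof describes can be watched step by step. The following Python is an added example, not part of Schneier’s talk: it assumes buyers who cannot tell quality apart pay the average worth of whatever is currently on offer, and that a seller withdraws rather than sell below the car’s true worth. With the talk’s numbers (50 cars worth $2000, 50 lemons worth $1000) the pooled price starts at $1500, the good-car sellers leave, the price falls to $1000, and only lemons trade. The `buyers_can_distinguish` switch stands in for a credible signal such as a warranty, under which every car trades at its own worth. It also generalises to more than two quality tiers, where the market collapses one tier at a time.

```python
"""Adverse selection ("lemons market") simulation.

Added example (not from the talk): models Akerlof's used-car thought
experiment. Sellers know each car's true worth; buyers only know the mix of
cars currently offered and pay the average worth of that mix. A seller
withdraws when the offered price is below the car's true worth. Repeating
this until nothing changes shows which cars actually trade.
"""
from collections import Counter


def clearing_price(offered):
    """Pooled price: the average true worth of the cars still on the market."""
    return sum(offered) / len(offered) if offered else 0.0


def simulate_lemons_market(car_values, buyers_can_distinguish=False):
    """Return (sold_values, final_price) for a market of cars.

    car_values: list of each car's true worth (known to the seller only).
    buyers_can_distinguish: if True, buyers can tell quality apart (e.g. via
    a warranty or reliable certification) and pay each car's true worth;
    the pooled price is then meaningless and returned as None.
    """
    if buyers_can_distinguish:
        # With no information asymmetry every car trades at its own value.
        return sorted(car_values), None

    offered = sorted(car_values)
    while True:
        price = clearing_price(offered)
        # Sellers whose car is worth more than the pooled price leave.
        remaining = [v for v in offered if v <= price]
        if remaining == offered:
            return offered, price
        offered = remaining


def trade_summary(sold):
    """Count how many cars of each worth actually traded."""
    return dict(Counter(sold))


if __name__ == "__main__":
    # Constructed input matching the talk: 50 good cars worth $2000, 50 lemons worth $1000.
    town = [2000] * 50 + [1000] * 50
    sold, price = simulate_lemons_market(town)
    print("pooled market:", trade_summary(sold), "price", price)
    # → {1000: 50} price 1000.0  (only the lemons trade)
    sold, _ = simulate_lemons_market(town, buyers_can_distinguish=True)
    print("with a credible signal:", trade_summary(sold))
    # → {1000: 50, 2000: 50}  (both kinds trade)
    # Three quality tiers unravel one tier at a time, ending with only the worst.
    sold, price = simulate_lemons_market([3000] * 10 + [2000] * 10 + [1000] * 10)
    print("three tiers:", trade_summary(sold), "price", price)
    # → {1000: 10} price 1000.0
```

The same loop is the security-buyer situation the talk describes: as long as a buyer prices an encryption product or firewall at the average of what the market claims, the vendor with the genuinely better (and costlier) product has no reason to stay in the market, which is exactly why signals that let buyers distinguish matter.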

The real problem here is that the requirements are non-functional. It’s actually easy to tell if, I don’t know, a word processor does italics – you hit the Italics button and see what happens. That is a functional requirement easy to test. Whether an encryption product is secure is much harder to test. So security, availability, reliability are what I think of as the “why” requirements. Buyers have trouble telling the difference.

This is why you see a lot of effort going into what economists call “signals”. And signals are ways that sellers signal the buyers that their products are actually not lemons. In the used car market, they tend to be warranties: take the car home, drive for a month, if you don’t like it bring it back and get your money back. In IT, signals tend to be certifications, awards, references – all the ways that our bosses buy IT products, not by knowing what they’re doing but by finding someone else that they can rely on. Remember in the 1960s no one ever got fired for buying IBM – that’s what that meant. “I don’t know what to buy, but they all buy IBM; I’m just gonna buy IBM,” or today’s best practices: “I don’t know what to do, but everyone says “Do this,” so I’m gonna do this.” And that’s a lemons market.

Alright, that’s the economics.

Read previous: The State of Incident Response by Bruce Schneier

Read next: The State of Incident Response by Bruce Schneier 3: Effects of the Prospect Theory
