Wednesday, September 21, 2011

Thinking on the margin (Economics)

By any rational measure, the Internet is secure enough. It's obviously true. The value of the Internet, with the hackers, is far greater than not having the Internet. Credit card companies, despite all the credit card losses, make a net profit on the Internet.

The problem with the security industry, especially so-called "experts", is that they don't know how to measure "enough security". So they fall back to a default position that no matter how much security you have, it's not enough, you need more. Becoming a security expert is insanely easy: just tell people they don't have enough security. Blame security weaknesses on moral weaknesses, such as laziness, greed, corruption, stupidity, and so on.

But while nobody knows how to measure "enough", it turns out there is an easy alternative. The trick is thinking on the edge, on the margin, on what changes, on the differences. Discuss whether a specific change in security is worth the change in cost, whether the marginal benefits exceed marginal costs.

Consider credit cards. Obviously, credit card losses are huge. But that's not the question. The question is whether the losses exceed the benefits. Since consumers, stores, and credit card companies are all finding credit cards profitable, obviously, credit cards are secure enough. Indeed, credit card "rewards" programs show the opposite problem: they are too secure. Credit cards withhold a certain percentage of each transaction to cover fraud, and when there isn't enough fraud, they rebate it back to the customer as airline miles or just plain cash.

But even though credit cards are secure enough, could they be even more secure? Rephrase the question to this: are there things we can do whose marginal benefits exceed their marginal costs? Maybe. But maybe there are also things whose marginal benefits are less than their marginal costs, meaning credit card companies should be less secure.

Or take DNSSEC. I love it, it should've been done 10 years ago (from one perspective), but on the other hand, I think its marginal costs may exceed its marginal benefits. It doesn't solve any of the most common attacks that happen today; it's a security solution in search of a problem. This means that its marginal benefits are low, while its marginal costs are high. That doesn't mean we shouldn't do it -- it means that we need to find more benefits to justify its costs.

Consider the TSA. The most common (but wrong) thing said about them is that they, or one of their techniques, don't stop terrorists. People often post anecdotes of getting through security with bad things, or ways to trick the TSA. The correct way to analyze this is on the margin. Consider the "taking off the shoes" requirements. The question isn't whether this "works"; obviously it'll work a little bit but not all the way. Instead, the question is on the margin: does the increase in security justify the increase in trouble?

Here is the thing about terrorism: it's oddly elastic. You'd think that a serious suicide bomber would surgically implant a bomb making it 100% undetectable, and thus, all TSA security is meaningless. In fact, few suicide bombers are that rational. Most are stupid, incompetent, or crazy. Most find it too difficult to ignite a shoe or underwear bomb. Nothing the TSA does can stop the next 9/11 attack by competent suicide bombers, but for everything they do, there is probably some incompetent suicide bomber that is stopped by that procedure. So the question isn't whether these procedures work, they do. The question is whether every procedure is worth the cost -- whether the added trouble is worth it to solve the rare shoe/underwear bomber, even though we can't stop the even rarer serious bomber.

In summary, we can't measure the absolute security of the Internet. But we can measure the benefits and costs of changes to security. Instead of talking about absolutes, we need to measure security on the margin.


JP said...

The issue associated with this is that most people decide emotionally where to invest in security; data is stolen via cyber-attacks but the best defense is physical.

The incapacity to measure the actual benefit (marginal or not) due to the incapacity to measure the damage is negatively impacting the choices of many companies.

The Ubiquitous Mr. Lovegroove said...

You forget externalized costs: TSA doesn't pay in any way for people to take off their shoes.

A good security measure considers externalized costs too.

Anonymous said...

I always laugh when people bring up the TSA, it is just security theater.

And if it wasn't, it would just move the problem around.

To for example the queue in front of the checks done by the TSA. I keep wondering when they will blow up the people staying in line.