Friday, December 09, 2011

Freakonomics vs Cybersecurity

I saw this go across my Twitter feed, so I thought I'd write up a quick response. The cybersecurity view of economics is not the same as the economists view of economics. Using freaky economics like Freaknomics is a good way of explaining normal economics.

SpireSec Pete Lindstrom 
Security freakonomics talk tomorrow... what should i say? ;-)

The first misconception of economics cybersecurity people have is calculating where the money goes, or how much things cost. That's "business", not "economics". If you are thinking in terms of "Return on Investment" (ROI), then it's not "Economics".

The second, and more common use of economics (in the field of cybersecurity), is the political attempt to prove that there is some sort of "externality" or "market failure" that means we get to punish Microsoft for its vulnerabilities. While the conclusion is faulty, this is a real economics concept. It describes the situation where I sell you fireworks, then you set them off, causing your neighbor's house to catch fire. The "failure" is that it's neither you (the buyer) or me (the seller) who paid the costs, but your neighbor. The cost of fire is an "externality", external to the original transaction.

The cybersecurity version is that when buyers buy Microsoft software, which has vulnerabilities, it's third parties who suffer. For example, a hacker might exploit a vulnerability in Windows, take control of thousands of desktops, and flood a website with traffic. That website suffers, even though it might not own any Microsoft products.

While this sounds plausibly "economic", it isn't. Consider the fireworks case. One solution to the problem is to fine the seller of fireworks, or regulate which fireworks they could sell. Another solution is to fine the customer who bought the fireworks and who lit them near their neighbors house.

Or, the third solution is punish the neighbor for having a flammable house.

Economics isn't about fairness, it's about the efficiency of results. It's that guy with the flammable, thatched roof that imposes costs on all his neighbors. It means the neighbors can't have a cozy fire in their fireplace during winter, they can't have BBQs in the summer, and they can't set of fireworks for celebrations. That is why local government usually choose the third option. They regulate how houses are built, and outlaw flammable roofs, believing this is the most efficient solution.

So which is the most efficient solution to Microsoft vulnerabilities? Blame Microsoft? Blame the user? Or blame the poor website victim? Or let the free market decide? I don't know the answer, but I know that I've never seen cybersecurity people make an "economic" answer based on efficiency, but instead, I've only seen arguments based on how Microsoft is big and evil, and how it's unfair to blame innocent users.

But this is just a tiny portion of economics, there is so much more. I recommend getting a college textbook on beginning economics, such as Greg Mankiw's Principles of Economics. Follow the link to the Amazon site, and you can read the first chapter for free, which outlines his basic 10 principles of economics.

Below, I take some of those basic principles and describe them in a cybersecurity context. Think of it as a useful way to learn economics if you already know cybersecurity, or as a way of learning cybersecurity if you already know economics.

The first principle from Mankiw's textbook is that cybersecurity is a tradeoff. In terms of logic, it's an XOR operator, not an AND. In terms of Heinlein (sci-fi author), it's TANSTAAFL - Their Ain't No Such Thing As A Free Lunch. Making the network more secure means making it worse in some other fashion, such as slower, less reliable, less user friendly. When cybersecurity experts say dumb things, there's usually a failure to acknowledge tradeoffs involved, that you must give up something in return for more security. The tradeoffs are not just between security and other things, but between two security choices. The funniest joke in cybersecurity are the two Wikipedia articles on Defense in Depth and Defense in Depth (computing). The original meaning was about trading off border security for better internal security, such as moving the troops from the border of a country to deeper inside. But no cybersecurity professional can admit to such tradeoffs, that it's ok to reduce security in some place in order to improve security somewhere else. So "defense in depth" has morphed into an argument that no matter how much security you have now, you need even more, both on the border AND in depth.

The second Mankiw principle is opportunity cost, or that the cost of something is what you give up to achieve it. The cost of cybersecurity isn't the money you spend, but what you gave up. Hiring another cybersecurity expert on your team means not hiring a saleperson who could sell more of your company's products/services. When you go to your boss and explain why your budget for cybersecurity needs to increase, you need to explain why the budget for marketing, sales, and RnD needs to decrease. During the dot-com era, companies that put up insecure websites first won the dominant market share, those that waited until their websites were secure lost. The opportunity costs of waiting until something is completely secure can mean your entire business.

The third principle is that rational people think at the margin. Cybersecurity people talk in absolutes, as if something is insecure or secure. They should instead talk in relative terms of "more secure" or "less secure". Moreover, they need to compare the marginal benefits in security to the marginal costs. That fancy new expensive firewall still won't make you secure, the question instead is whether the marginal improvement in security is worth the price over a cheap firewall. Or, take the TSA screening requiring people to take off their shoes. Cybersecurity experts complain that this makes no difference. They are wrong; taking off the shoes at security makes people marginally safer. The only question is whether this tiny improvement in safety is worth the enormous additional cost (probably not). Part of this is realizing that security has decreasing margin returns. The reason that Microsoft can't fix all their bugs is that the more bugs they fix, the more it costs to fix more bugs. Spending a million dollars might fix a 1000 vulnerabilities, but spending another million might fix only an additional 100 vulnerabilities. Spending a third million might fix only an additional 10 vulnerabilities. Spending yet another million might find and fix only one additional vulnerability.

The fourth principle is that people respond to incentives, perversely. A straightforward example is that of complicated password policies, the more complicated they are, the more a person is likely to write down the password on a sticky note underneath their keyboard, thus making the system less secure, not more so. The consequence of this is that people have a fixed risk tolerance. When you make things safer, people behave more recklessly. If you install anti-virus on their desktop, they are more likely to run e-mail attachments. Measured one way, such as on an obstacle course, talking on a mobile phone impairs a person's ability to drive. Measured with economics, we find that while people are on the phone, they slow down and otherwise drive more safely, to accommodate the distraction. Drivers slow down and pay attention when it rains to compensate for the additional danger, which means they speed up and drive more recklessly when the roads dry up to compensate for the increase safety.

Another principle is that the value of security isn't infinite. One of the fun things freaky economists like to do is calculate what a person's life is worth. For example, let's say that you put your kid in the car to drive to the store rather than paying the neighbor to babysit for an hour for $10. Dying in a car accident is the leading cause of death for children, and those deaths are overwhelmingly near the home. If the chance of death on that trip is 1-in-a-million, and you could've spent $10 to avoid it, this means you value your kid's life at $10-million. (Well, not, not exactly, I'm glossing over the fine bits to make a point). The same is true of cybersecurity, where people treat security as infinitely worth. That's why they can't deal with marginal benefits vs marginal costs: the marginal benefits of increased security are always infinite, according to cybersecurity experts. Given free reign, cybersecurity experts will make the costs infinite, too. The only way to satisfy them completely would be to turn off the Internet.

The sixth principle on Mankiw's list is that free-markets are usually the best, tempered by the seventh principle that sometimes government can improve on free-market outcomes (such as when there is a market failure and externalities). A wrong application of this principle was President Bush's "Strategy to Secure Cyberspace" that had the fatuous statement "federal regulation will not become a primary means of securing cyberspace ... the market itself is expected to provide the major impetus to improve cybersecurity". This is wrong because the free-market will never "secure cyberspace". Instead, the free-market is what determines how valuable cybersecurity is in the first place, identifying the truth that people don't want the tradeoffs needed to make the Internet more secure. I once gave a talk where I asked "Raise your hand if cybersecurity is your highest priority" (everyone: yes), then "Raise your hand if you use wifi" (everyone: yes), then "Raise your hand if you think your wifi is secure" (everyone: no). In other words, people claimed to want security, but even though wifi wasn't secure, they used it anyway. That's because people lie; they claim security has infinite importance, but behave as if it's a tradeoff. The free-market captures this true value, government regulation doesn't. When government starts regulating cybersecurity, we'll start complaining about it in much the same way we complain about the TSA and the Patriot Act (which make what many consider unacceptable tradeoffs for small marginal improvements in security). In many cases, the cost of "compliancy", proving to the government that you are secure, is starting to outweigh the costs of the actual security.

I could spend days talking about the freakiness of economics, and cybersecurity, but this gives you a taste.

I get more comments via twitter than the desired comments page. A particularly cogent one is:

 Chris Wysopal 

 Al Qaeda was able to harm up the US economy w/excess security spending abroad and at home. Could anonymous do same for cyber?


The Ubiquitous Mr. Lovegroove said...

Your wrote:
Cybersecurity people talk in absolutes, as if something is insecure or secure. They should instead talk in relative terms of "more secure" or "less secure".

To make accurate statements in categories of "more" or "less" requires some sort of scale, preferably with real numbers.
In most security investment decisions, such scale is not available. Usually, the best you can do is say: "The solution X will mitigate risks Y and Z". Which can sometimes be augmented with: "Reading various surveys and statistics, risks Y and Z are ranked as Nth". In ever more rare cases you can say: "We have suffered/our peers have suffered $W of cost in opportunity costs and cash-out-of-door costs because of failure to mitigate risks Y and Z and therefore it is a smart investment based on simple probabilities."

I haven't seen good cybersecurity metrics yet.

Robert Graham said...

I see that you reject the application of economics to cybersecurity.

Solution X does not solve risk Y. There is no complete and sure solution to any cybersecurity risk. Instead, when solutions mitigate risk, they mitigate only part of the risk.

Thus, when argue for putting a WAF (WebAppFirewall) in front of your website to protect against, you have to ask yourself how much of the risk you've mitigated for the cost. Is the marginal reduction in risk worth the marginal cost? If you've only reduces the risk by half for $100,000, is it really worth it?

Anonymous said...

Another wonderful introduction to economics would be Henry Hazlitt's Economics in One Lesson. The lesson is stated:

"The art of economics consists in looking not merely at the immediate but at the longer effects of any act or policy; it consists in tracing the consequences of that policy not merely for one group but for all groups."

and the book goes on to apply this lesson to a wide variety of contexts.

Andrew Sledge said...

Another recommendation, since you're talking economics of regulation (law), is Thomas Miceli's The Economic Approach to Law. It provides a very good history of how law in the U.S. has been shaped by economic thought and principals paying specific attention to risk, mitigation, and efficiency.

Unknown said...

"people have a fixed risk tolerance."