Showing posts with label economics. Show all posts

Friday, December 09, 2011

Freakonomics vs Cybersecurity

I saw this go across my Twitter feed, so I thought I'd write up a quick response. The cybersecurity view of economics is not the same as the economist's view of economics. Using freaky economics like Freakonomics is a good way of explaining normal economics.

Pete Lindstrom (SpireSec): "Security freakonomics talk tomorrow... what should I say? ;-)"
The first misconception of economics cybersecurity people have is calculating where the money goes, or how much things cost. That's "business", not "economics". If you are thinking in terms of "Return on Investment" (ROI), then it's not "Economics".

The second, and more common, use of economics (in the field of cybersecurity) is the political attempt to prove that there is some sort of "externality" or "market failure" that means we get to punish Microsoft for its vulnerabilities. While the conclusion is faulty, this is a real economics concept. It describes the situation where I sell you fireworks, then you set them off, causing your neighbor's house to catch fire. The "failure" is that it's neither you (the buyer) nor me (the seller) who paid the costs, but your neighbor. The cost of the fire is an "externality", external to the original transaction.

The cybersecurity version is that when buyers buy Microsoft software, which has vulnerabilities, it's third parties who suffer. For example, a hacker might exploit a vulnerability in Windows, take control of thousands of desktops, and flood a website with traffic. That website suffers, even though it might not own any Microsoft products.

While this sounds plausibly "economic", it isn't. Consider the fireworks case. One solution to the problem is to fine the seller of fireworks, or regulate which fireworks they could sell. Another solution is to fine the customer who bought the fireworks and lit them near their neighbor's house.

Or, the third solution is to punish the neighbor for having a flammable house.

Economics isn't about fairness, it's about the efficiency of results. It's that guy with the flammable, thatched roof who imposes costs on all his neighbors. It means the neighbors can't have a cozy fire in their fireplace during winter, they can't have BBQs in the summer, and they can't set off fireworks for celebrations. That is why local governments usually choose the third option. They regulate how houses are built, and outlaw flammable roofs, believing this is the most efficient solution.

So which is the most efficient solution to Microsoft vulnerabilities? Blame Microsoft? Blame the user? Or blame the poor website victim? Or let the free market decide? I don't know the answer, but I know that I've never seen cybersecurity people make an "economic" answer based on efficiency, but instead, I've only seen arguments based on how Microsoft is big and evil, and how it's unfair to blame innocent users.


But this is just a tiny portion of economics; there is so much more. I recommend getting a college textbook on beginning economics, such as Greg Mankiw's Principles of Economics. Follow the link to the Amazon site, and you can read the first chapter for free, which outlines his basic 10 principles of economics.

Below, I take some of those basic principles and describe them in a cybersecurity context. Think of it as a useful way to learn economics if you already know cybersecurity, or as a way of learning cybersecurity if you already know economics.

The first principle from Mankiw's textbook is that cybersecurity is a tradeoff. In terms of logic, it's an XOR operator, not an AND. In terms of Heinlein (sci-fi author), it's TANSTAAFL - There Ain't No Such Thing As A Free Lunch. Making the network more secure means making it worse in some other fashion, such as slower, less reliable, or less user friendly. When cybersecurity experts say dumb things, there's usually a failure to acknowledge the tradeoffs involved, that you must give up something in return for more security. The tradeoffs are not just between security and other things, but between two security choices. The funniest joke in cybersecurity is the pair of Wikipedia articles on Defense in Depth and Defense in Depth (computing). The original meaning was about trading off border security for better internal security, such as moving the troops from the border of a country to deeper inside. But no cybersecurity professional can admit to such tradeoffs, that it's ok to reduce security in some place in order to improve security somewhere else. So "defense in depth" has morphed into an argument that no matter how much security you have now, you need even more, both on the border AND in depth.

The second Mankiw principle is opportunity cost, or that the cost of something is what you give up to achieve it. The cost of cybersecurity isn't the money you spend, but what you gave up. Hiring another cybersecurity expert on your team means not hiring a salesperson who could sell more of your company's products/services. When you go to your boss and explain why your budget for cybersecurity needs to increase, you need to explain why the budget for marketing, sales, and R&D needs to decrease. During the dot-com era, companies that put up insecure websites first won the dominant market share; those that waited until their websites were secure lost. The opportunity cost of waiting until something is completely secure can be your entire business.

The third principle is that rational people think at the margin. Cybersecurity people talk in absolutes, as if something is either insecure or secure. They should instead talk in relative terms of "more secure" or "less secure". Moreover, they need to compare the marginal benefits in security to the marginal costs. That fancy new expensive firewall still won't make you secure; the question instead is whether the marginal improvement in security is worth the price over a cheap firewall. Or, take the TSA screening requiring people to take off their shoes. Cybersecurity experts complain that this makes no difference. They are wrong; taking off the shoes at security makes people marginally safer. The only question is whether this tiny improvement in safety is worth the enormous additional cost (probably not). Part of this is realizing that security has diminishing marginal returns. The reason that Microsoft can't fix all their bugs is that the more bugs they fix, the more it costs to fix the next one. Spending a million dollars might fix 1,000 vulnerabilities, but spending another million might fix only an additional 100 vulnerabilities. Spending a third million might fix only an additional 10 vulnerabilities. Spending yet another million might find and fix only one additional vulnerability.

The fourth principle is that people respond to incentives, often perversely. A straightforward example is that of complicated password policies: the more complicated they are, the more a person is likely to write down the password on a sticky note underneath their keyboard, thus making the system less secure, not more so. A consequence of this is that people have a fixed risk tolerance. When you make things safer, people behave more recklessly. If you install anti-virus on their desktop, they are more likely to run e-mail attachments. Measured one way, such as on an obstacle course, talking on a mobile phone impairs a person's ability to drive. Measured with economics, we find that while people are on the phone, they slow down and otherwise drive more safely, to accommodate the distraction. Drivers slow down and pay attention when it rains to compensate for the additional danger, which means they speed up and drive more recklessly when the roads dry up to compensate for the increased safety.

Another principle is that the value of security isn't infinite. One of the fun things freaky economists like to do is calculate what a person's life is worth. For example, let's say that you put your kid in the car to drive to the store rather than paying the neighbor $10 to babysit for an hour. Dying in a car accident is the leading cause of death for children, and those deaths are overwhelmingly near the home. If the chance of death on that trip is 1-in-a-million, and you could've spent $10 to avoid it, this means you value your kid's life at $10 million. (Well, no, not exactly; I'm glossing over the fine bits to make a point.) The same is true of cybersecurity, where people treat security as infinitely valuable. That's why they can't deal with marginal benefits vs marginal costs: the marginal benefits of increased security are always infinite, according to cybersecurity experts. Given free rein, cybersecurity experts will make the costs infinite, too. The only way to satisfy them completely would be to turn off the Internet.

The sixth principle on Mankiw's list is that free markets are usually the best, tempered by the seventh principle that sometimes government can improve on free-market outcomes (such as when there is a market failure or an externality). A wrong application of this principle was President Bush's "Strategy to Secure Cyberspace", which had the fatuous statement "federal regulation will not become a primary means of securing cyberspace ... the market itself is expected to provide the major impetus to improve cybersecurity". This is wrong because the free market will never "secure cyberspace". Instead, the free market is what determines how valuable cybersecurity is in the first place, revealing the truth that people don't want the tradeoffs needed to make the Internet more secure. I once gave a talk where I asked "Raise your hand if cybersecurity is your highest priority" (everyone: yes), then "Raise your hand if you use wifi" (everyone: yes), then "Raise your hand if you think your wifi is secure" (everyone: no). In other words, people claimed to want security, but even though wifi wasn't secure, they used it anyway. That's because people lie; they claim security has infinite importance, but behave as if it's a tradeoff. The free market captures this true value; government regulation doesn't. When government starts regulating cybersecurity, we'll start complaining about it in much the same way we complain about the TSA and the Patriot Act (which make what many consider unacceptable tradeoffs for small marginal improvements in security). In many cases, the cost of "compliancy", proving to the government that you are secure, is starting to outweigh the cost of the actual security.


I could spend days talking about the freakiness of economics, and cybersecurity, but this gives you a taste.


I get more comments via Twitter than via the comments page. A particularly cogent one is:


Chris Wysopal: "Al Qaeda was able to harm the US economy w/excess security spending abroad and at home. Could anonymous do same for cyber?"

Wednesday, September 21, 2011

Thinking on the margin (Economics)

By any rational measure, the Internet is secure enough. It's obviously true. The value of the Internet, with the hackers, is far greater than not having the Internet. Credit card companies, despite all the credit card losses, make a net profit on the Internet.

The problem with the security industry, especially so-called "experts", is that they don't know how to measure "enough security". So they fall back to a default position that no matter how much security you have, it's not enough, you need more. Becoming a security expert is insanely easy: just tell people they don't have enough security. Blame security weaknesses on moral weaknesses, such as laziness, greed, corruption, stupidity, and so on.

But while nobody knows how to measure "enough", it turns out there is an easy alternative. The trick is thinking on the edge, on the margin, on what changes, on the differences. Discuss whether a specific change in security is worth the change in cost, whether the marginal benefits exceed marginal costs.

Consider credit cards. Obviously, credit card losses are huge. But that's not the question. The question is whether the losses exceed the benefits. Since consumers, stores, and credit card companies are all finding credit cards profitable, obviously, credit cards are secure enough. Indeed, credit card "rewards" programs show the opposite problem: they are too secure. Credit cards withhold a certain percentage of each transaction to cover fraud, and when there isn't enough fraud, they rebate it back to the customer as airline miles or just plain cash.

But even though credit cards are secure enough, could they be even more secure? Rephrase the question to this: are there things we can do whose marginal benefits exceed their marginal costs? Maybe. But maybe there are also things whose marginal benefits are less than their marginal costs, meaning credit card companies should be less secure.

Or take DNSSEC. I love it, it should've been done 10 years ago (from one perspective), but on the other hand, I think its marginal costs may exceed its marginal benefits. It doesn't solve any of the most common attacks that happen today; it's a security solution in search of a problem. This means that its marginal benefits are low, while its marginal costs are high. That doesn't mean we shouldn't do it -- it means that we need to find more benefits to justify its costs.

Consider the TSA. The most common (but wrong) thing said about them is that they, or one of their techniques, don't stop terrorists. People often post anecdotes of getting through security with bad things, or ways to trick the TSA. The correct way to analyze this is on the margin. Consider the "taking off the shoes" requirement. The question isn't whether this "works"; obviously it'll work a little bit but not all the way. Instead, the question is on the margin: does the increased security justify the increase in trouble?

Here is the thing about terrorism: it's oddly elastic. You'd think that a serious suicide bomber would surgically implant a bomb, making it 100% undetectable, and thus all TSA security is meaningless. In fact, few suicide bombers are that rational. Most are stupid, incompetent, or crazy. Most find it too difficult to ignite a shoe or underwear bomb. Nothing the TSA does can stop the next 9/11 attack by competent suicide bombers, but for everything they do, there is probably some incompetent suicide bomber that is stopped by that procedure. So the question isn't whether these procedures work; they do. The question is whether every procedure is worth the cost -- whether the added trouble is worth it to stop the rare shoe/underwear bomber, even though we can't stop the even rarer serious bomber.

In summary, we can't measure the absolute security of the Internet. But we can measure the benefits and costs of changes to security. Instead of talking about absolutes, we need to measure security on the margin.

Friday, July 03, 2009

The Economist on the Kindle

You can now get a subscription to the Economist on the Kindle (or Kindle readers on devices like the iPhone).

Economics is the red pill. It explains how the world really works. Whereas a normal newspaper will report an event as inexplicable, The Economist might explain how it's the expected result of an economics concept, like decreasing marginal returns, incentives, opportunity cost, etc.

For example, last year a hurricane took out oil refinery production in the south. The result was long gas lines, with people waiting hours to get gasoline. Typical news stories talked about how the government should act to reduce prices, shorten lines, and crack down on "gougers". Economics explains that the gas lines are the direct consequence of the government's anti-gouging law, and that if the government allowed "gouging", prices would rise a little bit and the lines would disappear.

If you know basic economics, The Economist is a great explanation of the news. If you don't, then it's a great use of the news to explain basic economics. Or, a combination of both: I studied economics in college, but it wasn't until I started reading The Economist that I really started to grok the subject.

If you want to learn economics, I recommend Principles of Economics by Greg Mankiw.

PS: The Economist has a left-wing bias like much of the rest of the media, but at least it's a saner left-wing bias. For example, it believes in global warming, but correctly points out that the "cap-and-trade" mechanism used in Europe (and soon to be used in the United States if the Senate bill passes) is expensive and corrupt, compared to a more efficient and transparent carbon tax.

PPS: The Kindle isn't the future of publishing, but it certainly fits my lifestyle of heavy reading and traveling.

PPPS: This CNN story on the upcoming federal minimum wage increase is another good example. Economists believe that increasing minimum wage increases unemployment. The Economist magazine mentions this when reporting on minimum wage, other news sources (like CNN) don't.