Economics is driving security, said security expert Bruce Schneier in his keynote address this morning, at the ITWeb Security Summit, held in Midrand, Johannesburg.
Economics was one of the top 10 security trends highlighted by Schneier.
The economics of IT, he noted, are characterised by four key principles: net effect; high fixed costs and low marginal costs; high switching costs (lock-in); and the fact that the IT market is a "market of lemons".
The net effect principle, he explained, is based on Metcalfe's Law, which holds that the value of the network is the square of the number of users it handles.
According to Schneier, security has a high fixed cost and a low marginal cost - it costs a lot to develop a product, but virtually nothing to distribute it.
The nature of technology products also allows vendors to lock in customers. He said the higher the cost to switch from one product to another, the stronger the lock-in to the company.
He also said information security is a market for "lemons", applying Nobel laureate economist George Akerlof's findings, which state the seller knows more than the buyer. "Buyers don't know the difference between a lemon, a product that isn't any good, and a good product."
This principle allows the bad products to drive the good products out of the market.
Stupid customers
The two most important variables of security economics are the security trade-off and externalities.
"Security is a trade-off," stated Schneier, adding that enough security is security that is worth it. "It depends on the value of what is being protected and always means giving up one thing for another."
Externality, a term Schneier borrows from economics, is the cost of a decision that is borne by people other than those taking the decision. "Externalities represent those security issues that do not directly affect companies."
Banks are a good example of externalities. "Banks need to stop authenticating the user and start authenticating the transaction. Let's assume the customer is stupid and go from there."
He said that, by making companies liable, externalities become internal, which is essential to security and privacy.
Get the economics right and the technology will follow, concluded Schneier. "Security failures tend to be economics failures, because you've made the wrong trade-off."

