% Lecture 21: 1 December 2014
\sektion{21}{Economics of Security}
Does the market produce optimal security? To understand this question, we'll first want to define what "optimal" means.
\subsektion{Definitions of Efficiency}
Definition 1: Strong Pareto Efficiency
\begin{itemize}
\item Condition A is Strong-Pareto-Superior to Condition B if everyone likes A better than B
\item "Available alternative" $\implies$ one that is reasonably feasible
\item A condition is SP-efficient if: no SP-superior alternative is available
\end{itemize}
Definition 2: Kaldor-Hicks efficiency
\begin{itemize}
\item Condition A is KH-superior to Condition B if there exist zero-sum payments P among people such that A + P is SP-superior to B
\item The payments need not actually happen; they are just a theoretical construct
\item A condition is KH-efficient if: no KH-superior alternative is available
\end{itemize}
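Worked example (an added illustration, not part of the original lecture notes; it assumes each person's preferences can be measured in money, so a payment $p_i$ simply adds to person $i$'s value $u_i$): let two people value the conditions as $u(B) = (5, 5)$ and $u(A) = (10, 3)$. A is not SP-superior to B, because person 2 likes B better. With the zero-sum payments $P = (-3, +3)$, where person 1 pays 3 to person 2,
\[
u(A + P) = (10 - 3,\; 3 + 3) = (7, 6), \qquad 7 > 5, \quad 6 > 5,
\]
so A + P is SP-superior to B and A is KH-superior to B. Under the same assumption this generalizes to $n$ people: A is KH-superior to B exactly when $D = \sum_i u_i(A) - \sum_i u_i(B) > 0$. If $D > 0$, the payments
\[
p_i = u_i(B) - u_i(A) + \frac{D}{n}, \qquad \sum_i p_i = -D + D = 0,
\]
leave every person with $u_i(A) + p_i = u_i(B) + D/n > u_i(B)$. Conversely, if zero-sum payments make everyone better off under A, summing $u_i(A) + p_i > u_i(B)$ over $i$ gives $D > 0$.
\\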
Using these definitions, consider a world with \emph{perfect information} and \emph{perfect bargaining}. Theorem: Outcomes in this world will be both SP-efficient and KH-efficient.
\\
Proof:
\begin{itemize}
\item SP-Efficient: By contradiction. Assume the outcome is not SP-Efficient. Then an alternative exists that is SP-superior to the existing outcome. However, bargaining would lead to the adoption of this superior outcome.
\item KH-Efficient: By contradiction. Assume the outcome is not KH-Efficient. Then there is an alternative A and a set of payments P such that A + P is SP-superior to the existing outcome. But then the outcome isn't SP-Efficient, contradicting what was proved above.
\end{itemize}
Therefore, if we observe market failures, they must result from a breakdown in either perfect information or perfect bargaining.
\subsektion{Market Failures}
Market failure \#1: Negative Externalities
\begin{itemize}
\item If my machine is compromised, some harm falls on me, and some harm falls on strangers (e.g. from denial of service attacks or spam launched from my computer)
\item In general, users will invest in reducing harm to themselves, but not to strangers
\item The outcome is underinvestment in security, since the external harm doesn't enter into the user's cost/benefit calculation
\item Breakdown in perfect bargaining, since the "strangers" are unidentified and unable to invest to prevent the harm that falls on them
\end{itemize}
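Worked example (an added illustration, not part of the original lecture notes; the functional form and all symbols are assumptions): suppose a user spends $x \ge 0$ on security, the machine is compromised with probability $e^{-x}$, and a compromise costs the user $h_s > 1$ and strangers $h_e > 0$. The user minimizes only their own expected cost:
\[
C_{user}(x) = x + e^{-x} h_s, \qquad C_{user}'(x) = 1 - e^{-x} h_s = 0 \implies x^{*} = \ln h_s .
\]
The cost to everyone includes the external harm:
\[
C_{total}(x) = x + e^{-x} (h_s + h_e), \qquad C_{total}'(x) = 1 - e^{-x} (h_s + h_e) = 0 \implies x^{o} = \ln (h_s + h_e) .
\]
Both are minima, since the second derivatives are positive. The shortfall in investment is
\[
x^{o} - x^{*} = \ln \left( 1 + \frac{h_e}{h_s} \right) > 0,
\]
which grows with the share of harm that falls on strangers. With $h_s = 10$ and $h_e = 90$, the user invests $x^{*} = \ln 10 \approx 2.30$ and is compromised with probability $1/10$, for a total expected cost of $2.30 + 0.1 \cdot 100 = 12.30$. The efficient level is $x^{o} = \ln 100 \approx 4.61$, with compromise probability $1/100$ and total expected cost $4.61 + 0.01 \cdot 100 = 5.61$.
\\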
Market failure \#2: Asymmetric Information
\begin{itemize}
\item Arises when vendors know more than users about the security of their products
\item If it is hard for buyers to evaluate the security of products, then they won't be able to differentiate between high-quality and low-quality products
\item As a result, users won't pay more for supposedly high-quality products, so producers won't invest to develop more secure products, leading to underinvestment in security
\item Antidotes:
\begin{itemize}
\item Warranties: act as a signal of quality to buyers if companies are willing to bear the downside of security breaches
\item Seller reputation: companies may be harmed in the long run by selling poor-quality products due to damaged reputation
\item Note: neither of these solutions works well for start-ups, since the lifetime of these companies is short and thus warranties aren't very valuable and seller reputation isn't a large concern
\end{itemize}
\end{itemize}
Network Effect:
\begin{itemize}
\item Some products tend to become more valuable the more people use them (e.g. search engines)
\item Markets for these products tend to be pushed towards monopoly
\item Standardization can lead to positive network effect without monopoly
\item Argument: network effect $\to$ monoculture
\item Example: if all products use the same security protocol, it might be easier for bad guys to break lots of systems by exploiting a vulnerability in that standard
\item However, there are benefits to having a dominant producer of security:
\begin{itemize}
\item There are scale efficiencies in security, since large companies can amortize investments over a large number of users
\item Companies can also internalize some of the security benefits, if users harmed (as in the Negative Externality scenario) fall within the same user base
\item Antidotes to asymmetric information are more effective (reputation is more important to large companies than start-ups)
\end{itemize}
\end{itemize}
Race to market:
\begin{itemize}
\item Because of the network effect, companies have a strong incentive to gobble up market share as fast as possible
\item Often, minimum viable products tend not to require large investment in security
\item Start-ups face a decision to invest \$1 in security today and receive a pay-off of \$N in the future
\item This leads to a "bolt on security" approach, where security features are added once the product is already being used
\end{itemize}
\subsektion{Solutions to Market Failures}
Large customers tend to be able to protect themselves; for example, they can demand that certain security features be implemented in a product. But what about individual users?
\\
\\
Can market structures improve information flow? \emph{Insurance companies} (i.e. that offer insurance against security breaches) can aggregate the bargaining power of many different customers. \emph{Certification programs}, which would give products/companies certificates of quality, could lead to the same effect. Presumably, certified companies would see more demand and be able to charge higher prices for their products. However, companies are unlikely to pay certification bodies to criticize their software.
\\
\\
Can we change liability rules? An optimal liability rule: costs should be borne by whoever can best prevent harm.
\\
\\ Case study: ATM Fraud
\begin{itemize}
\item In the early days of ATMs, many people would withdraw money and claim they didn't, to force banks to re-credit their accounts
\item In the US, if there wasn't conclusive proof, banks bore the cost
\item In the UK, if there wasn't conclusive proof, customers bore the cost
\item The level of fraud was significantly lower in the US, since banks had made investments to gather evidence of withdrawal in order to avoid losses
\item Generalizing, this seems like an argument in favor of shifting liability for security flaws to producers, since they are generally in a better position to identify and fix errors in software and hardware
\end{itemize}
Some problems with shifting liability:
\begin{itemize}
\item It's hard to attribute blame: e.g. identifying the true source of a denial of service attack launched from a network of computers in many geographic locations
\item It's hard to measure harm: difficult to isolate the harm caused by a single security breach
\item There's a substantial cost to adjudication
\end{itemize}