Cisco Blogs

Security Externalities: Meet Security Defenses and Incentives

May 30, 2007

WASHINGTON, DC – This past week I was at an excellent conference put on by Larry Gordon and Marty Loeb of the University of Maryland Business School on "Financial Information Systems and Cybersecurity: A Public Policy Perspective." It provided a good opportunity to think some more about what I think are way overstated values of externalities in cyber security markets.

During the conference, among other things, Larry reviewed some of the really important work he and Marty have done on the costs and benefits of investing in security, risk-based security, and generally the idea that security spend is in fact rationally tied to risk and to the value of what an entity is protecting (see generally here). Eric Johnson of the Tuck Business School at Dartmouth talked about some excellent new research on inadvertent information leakage over peer-to-peer networks. That struck me as further illuminating why end-to-end encryption, without security inspection points, can and will hide leakage from detection, and it also highlights the benefit of Network Admission Control systems that perform a security check, and enforce admission control, before someone gets onto a network remotely.

But it was another presentation that really struck me. It was a very broad attempt to create a policy framework for thinking about security and privacy questions, and it hinged in part on the 'pervasive externalities' said to characterize the cyber security system, flavored a bit with the idea that the Internet and networks are 'public goods.' These ideas have been running through cyber security discussions a lot lately, and they strike me as significantly overstated with regard to the size of the externalities, and wrong with regard to the Internet being a public good.

First, 'pervasive' externalities. Quite simply, an externality is a cost (or benefit) of an action that falls on someone other than the actor.
The classic case is air pollution, where emissions from Midwest coal-fired electricity generation plants float across the country and create acid rain in the Northeast. The harm, the cost, falls not on the owner of the plant emitting the pollution but on the environment and the people who are subject to the acid rain. Economists say that the 'externalities' (costs) of the emissions are not 'internalized' (paid for) by the actor, so the incentive to reduce emissions (but for the clean air laws) is not there.

Many have made it part of their story that in cyber security these externalities are huge, pervasive, and unchecked. The story goes that the owner of a computer or system doesn't care if it spreads a worm or virus, or is 'zombied' into a botnet that sends Spam or Spyware, or is used as part of a DDoS action against others, because the harm done by the zombie's action falls on someone else (the externality). Now, we do have lots of computers that have been zombied by criminals, and many (way too many) botnets, and the externalities of sending out all that Spam, malware, and DDoS traffic are certainly not trivial, perhaps even quite large. But networks are connected things, and the actual size of the externality (the actual cost, the actual effect) is substantially reduced by the defenses of the people and entities who have something of value to defend, which is all of us.
So Spam from zombied computers meets Spam filters and malware screening devices; DDoS actions meet new technologies that slough off the 'bad' packets and keep sites up; attempts at ID theft meet Security Agents that identify a machine acting badly and stop the outbound flow of information; and, for consumers, most every ISP provides anti-virus, anti-spam, and anti-spyware protection software for free with its broadband or dial-up service. Those that have the most to lose, like banks, e-commerce sites, and infrastructures, spend the most and protect themselves (see Larry Gordon's work cited above), and thereby greatly reduce the actual costs of the externalities.

So I'm not saying there are no externalities; of course there are, as in most markets. But it does mean that we should be very careful not to overstate the size of the externalities, and to recognize the impact of the mitigation techniques employed by people protecting valuable information and property (and their clear incentives to do so), because when thinking of policy responses to cyber crime, fraud, and security issues, fact-based policy making will lead to better results with fewer unintended consequences. Finding the right ways to stop illegal activity on the Net is too important not to work from the best facts, theories, and analysis.

Just a note on the 'public good' nature of the Internet and networks. The classic public good is common defense: non-rivalrous and non-excludable, and so provided by no individual but the State, in part to address free rider problems. The Internet and other networks are not public goods. Every bit is owned by somebody, people pay to get access to the network, and every part of the backbone is owned by somebody who derives economic value from it. Each of these owners quite sensibly believes that ownership has economic value, and each has incentives to secure that value and the network.
So there may be microeconomic issues about who invests how much, in what, and where, but the Internet is not a public good in the classic economic sense. So, please, let's not call it one.

Anyway, the Maryland Business School put on a very good conference, which provided a good opportunity to think a bit more about externalities and public goods in security.

Adam
