There has been much talk about how products on the market are not “secured”, and much of this talk has centered on a technical perspective. Though many of the problems can be explained technically, much of the problem can be answered more clearly from an economist’s perspective, using simple economic evaluations to help us get to the root cause.
Security has always been viewed as an externality. In a competitive market, where many choices and many similar products are available, consumers are drawn towards the most popular product and the one offering the best price. One of the major contributors to a product’s popularity is its early entry into the market. As there is no competition for the product, consumers will buy it, and this increases its popularity. The rest of the consumers will soon buy the product merely because of its popularity, as the majority of people use it. All companies would like to build their products fast and enter the market before everyone else. Unfortunately, security has always been seen as an overhead or a burden that wastes time, and it is always compromised. Vendors ignore security in the beginning in order to enter the market first. Once the product’s popularity has been established, they come out with security patches to address the deficiencies of the initial release.
Consider two companies, A and B, selling similar products, and assume they hit the market at the same time. Product A provides better security, maintains the privacy of its users, and so on. Product B, on the other hand, only claims to provide security but does not actually provide it. Product A is priced high at $100, compared to product B, which is priced at $50. Since consumers have no means to measure security, they will go by the claim and choose the cheapest product, which in this case is product B. Though product A provides all the necessary security, it will lose out in the market and will be forced to withdraw. The next strategy for company A might be to reduce the cost of product A in order to re-enter the market. Hardware costs are usually unavoidable. Security, being viewed as a burden and as time consuming (not to mention its effects on performance in the case of HTTPS websites), is often compromised to get the pricing right. This would probably explain why there are so many good or popular products in the market with security vulnerabilities.
One way to tackle this issue and make vendors more responsible for their products is public disclosure of vulnerabilities. This serves two purposes. First, it makes users aware of the vulnerability in their software so that they can make the necessary changes and an attacker cannot take undue advantage of the vulnerability. Second, it makes the vendors responsible for the vulnerability. If vendors are held responsible publicly, they will be forced to fix the vulnerability and come out with a patch for it quickly. The more vulnerabilities in a particular product are made public, the less people will trust the product. This would eventually result in a decline in sales of the product. As more vulnerabilities in a product mean a more negative image of the vendor in the market, vendors will become more responsible and will concentrate on the security of the product.
One question that arises is this: if public disclosure of vulnerabilities is one way of making vendors more responsible and getting them to concentrate more on security, then why are there so many products in the market that have vulnerabilities? One answer is a lack of incentives. Though vendors can create more secure products, they are given little or no incentive to do so. Many vendors adopt a policy of “sell first, build later”, where they have already committed to a shipping date before the product has actually been designed. This leads to stringent deadlines for the product’s design and development. With little or no time devoted to proper testing, which is also considered time consuming, the door is eventually opened for products to enter the market with vulnerabilities.
Once a security flaw has been found in a product, patches are sent to the users. There is, however, a co-ordination risk to which a user is exposed when another user has not applied the patches. This co-ordination risk can be explained with the help of game theory. Consider the case of Bonnie and Clyde using software in which a vulnerability has recently been identified and a patch has been released to fix it. In the scenario where both Bonnie and Clyde have applied the patch, both of them are protected. In the opposite case, where neither Bonnie nor Clyde has applied the patch, both of them run the risk of being attacked. However, in the case where Bonnie has applied the patch and Clyde has not, Bonnie is still not secure, as the attacker can use the vulnerability in Clyde’s software and exploit it against Bonnie. The same holds when Clyde has applied the patch and Bonnie has not.
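The Bonnie and Clyde scenario can be written as a two-player game and checked for stable outcomes. This is an added example, not part of the original essay: it goes slightly beyond the text by also covering the case where patching costs more than the expected breach loss. The `patch_cost` and `breach_loss` values are assumptions chosen for illustration.

```python
from itertools import product

ACTIONS = ("patch", "skip")


def payoff(own, other, patch_cost, breach_loss):
    """Payoff for one user. As in the scenario above, the breach loss
    applies unless BOTH users have patched (weakest-link exposure)."""
    cost = patch_cost if own == "patch" else 0
    exposed = not (own == "patch" and other == "patch")
    return -cost - (breach_loss if exposed else 0)


def pure_nash_equilibria(patch_cost, breach_loss):
    """Return the (bonnie, clyde) action pairs in which neither user
    can improve their own payoff by changing their action alone."""
    equilibria = []
    for bonnie, clyde in product(ACTIONS, repeat=2):
        bonnie_stays = all(
            payoff(bonnie, clyde, patch_cost, breach_loss)
            >= payoff(alt, clyde, patch_cost, breach_loss)
            for alt in ACTIONS
        )
        clyde_stays = all(
            payoff(clyde, bonnie, patch_cost, breach_loss)
            >= payoff(alt, bonnie, patch_cost, breach_loss)
            for alt in ACTIONS
        )
        if bonnie_stays and clyde_stays:
            equilibria.append((bonnie, clyde))
    return equilibria


if __name__ == "__main__":
    # Assumed values: patching costs 1 unit of effort, a breach costs 10.
    print("cheap patch:    ", pure_nash_equilibria(patch_cost=1, breach_loss=10))
    # Assumed values: patching costs more than the expected breach loss.
    print("expensive patch:", pure_nash_equilibria(patch_cost=12, breach_loss=10))
```

With a cheap patch there are two stable outcomes, both users patching and neither patching, and nothing in the game itself moves the users from the second to the first. A user who patches alone pays the cost and remains exposed, which is the co-ordination risk.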
The reason many people run the risk of being attacked is that they lack knowledge. For example, many individuals might not know that their email travels in plain text when passing through the network. An attacker can easily use a network tap to sniff the data and its contents. Many email services offer the option of selecting HTTPS, which allows messages to travel through the network in encrypted form. The other reason is that users simply lack motivation or incentives.
Incentive-centered design works towards providing incentives to the weakest link, which motivates them and helps make the system more secure. For example, a password that contains only alphabetic characters is considered weak and can be broken easily using brute-force or dictionary attacks, whereas a password containing alphanumeric characters is considered a strong password that would be difficult for an attacker to break. Since passwords are chosen by the user, certain incentives have to be provided that will motivate the user to choose a stronger password. For example, a user could be required to choose a password containing a combination of alphabetic and numeric characters in order to create an email account. In this case, incentive-centered design helps the user choose a strong password.
The economics of security is about aligning incentives. Any misalignment in the system would cause the system to fail. The product vendors and the users form the two ends of the system. On one hand, public disclosure gives vendors an incentive to build secure products, while on the other hand, incentives can be provided to “induce human behavior”. Any misalignment of incentives at either end would cause the system to break and make things easy for the attacker.