interesting paper on the economics of security

Hal Finney hal at finney.org
Tue Aug 21 16:47:14 EDT 2007


Steven M. Bellovin forwards a pointer to:
> http://www.cl.cam.ac.uk/~rja14/Papers/econ_crypto.pdf 

Ross Anderson gave his invited talk at Crypto yesterday on this topic
of the economics of crypto and security. It was an excellent talk,
showcasing a new way to look at problems that sheds light on a number
of otherwise odd behaviors.

At the same time, economics is inherently fuzzier than the kind of
mathematical precision we aim for in crypto results. It often seems that
every economic claim has an opposing one with arguments on each side.
Along these lines, I felt that many of the points Ross made were open
to debate and interpretation.

One example was his comparison between the security business and the
used-car "lemons" market. The idea is that lemons dominate the used-car
market due to asymmetric information: only the sellers know which cars
are lemons, hence these are the ones that are mostly made available,
hence buyers assume all cars are likely to be lemons, hence good cars
can't be sold for a higher price and are largely kept off the market.

However, security products are not really that much like used cars. Used
cars are individually unique and it is impossible to know in advance
how well they will work. That's where the asymmetric information
comes from. But security products are more like other retail products;
each one has its own characteristics, strengths and weaknesses, and
there are ways consumers can find out about them in advance. There was
considerable publicity a couple of weeks ago about a side-by-side test
at the LinuxWorld conference which compared ten anti-virus products,
with highly differentiated results:

http://it.slashdot.org/article.pl?sid=07/08/09/2243229

Information on the quality of AV and other security products is widely
available on the net, in magazines and other places that consumers
might look for reviews and comparisons. This is completely unlike
the situation with individual used cars. I don't see this analogy as
particularly accurate.

I certainly do fully support the concept behind Ross's program of
investigating the role economics plays in the crypto and security field.
The mere fact that so many of the conclusions are provocative indicates
that there is much fertile work yet to be done. Ross is a major pioneer
of this effort and I am looking forward to further interesting results.

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


