Economics and computer security, Hal R. Varian, UC Berkeley (PowerPoint presentation)



SLIDE 1

Economics and computer security

Hal R. Varian, UC Berkeley
http://www.sims.berkeley.edu/~hal

SLIDE 2

11/16/2005

Outline

  • Assignment of liability
  • Role of insurance
  • Efficiency and coordination costs
  • Implications of weakest link technology

SLIDE 3

Assignment of liability

  • Want to reduce the expected cost of accidents

– Parties can affect the probability that an accident happens
– Want to set up incentives so that the right parties invest effort in reducing the expected cost of accidents
– Liability: who has to pay, and how much, if an accident occurs. This sets the incentives to reduce expected costs.

  • Basic principles

– Least cost avoider: assign liability to the party best positioned to reduce expected costs
– Due care standard: set a standard of care; no liability if you meet it, otherwise pay the accident cost

SLIDE 4

Least cost avoider

  • ECost = Prob(e1+e2) A + c1 e1 + c2 e2

– ECost = expected cost (accident cost plus the cost of the effort spent avoiding it)
– Prob(e1+e2) = probability that the accident occurs; here it depends only on total effort
– A = cost of the accident/event
– e1, e2 = effort each party spends reducing the probability of an accident
– c1, c2 = cost per unit of effort

  • Observe: you want the party with the lowest effort cost to exert all the effort

  • This drives the other party's effort to zero, but that's OK in this case

SLIDE 5

Due care standard

  • EC = Prob(e1,e2) A + c1 e1 + c2 e2

– Find the efforts that minimize expected cost, (e1*, e2*)
– Set the due care standard equal to this effort level
– No liability if you meet the due care standard
– Otherwise, pay a fine equal to the accident cost A if an accident occurs
– See Steven Shavell, Economic Analysis of Accident Law
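
The first-order conditions behind both rules, carried through here as an added derivation that is not on the original slides, using the slides' symbols and assuming Prob is differentiable and decreasing in effort:

Total effort (slide 4). Writing $E = e_1 + e_2$, any given total $E$ is produced most cheaply by assigning all of it to the party with the smaller unit cost, so

$$\min_{e_1,e_2 \ge 0}\; \operatorname{Prob}(e_1+e_2)\,A + c_1 e_1 + c_2 e_2 \;=\; \min_{E \ge 0}\; \operatorname{Prob}(E)\,A + \min(c_1,c_2)\,E,$$

with first-order condition

$$-\operatorname{Prob}'(E^*)\,A = \min(c_1, c_2).$$

The least cost avoider raises effort until the marginal reduction in expected accident cost equals its marginal effort cost; the other party's efficient effort is zero.

Due care (slide 5). With a general $\operatorname{Prob}(e_1,e_2)$ the efficient efforts $(e_1^*, e_2^*)$ solve

$$-\frac{\partial \operatorname{Prob}}{\partial e_1}(e_1^*,e_2^*)\,A = c_1, \qquad -\frac{\partial \operatorname{Prob}}{\partial e_2}(e_1^*,e_2^*)\,A = c_2,$$

and, writing $L_i$ for party $i$'s payment (a symbol introduced here, not on the slide), the standard is

$$L_i = \begin{cases} 0 & \text{if } e_i \ge e_i^*, \\ A & \text{if } e_i < e_i^* \text{ and the accident occurs.} \end{cases}$$

A party that meets the standard is never liable, so neither has a reason to fall short of $e_i^*$, and the efficient effort pair is the equilibrium.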

SLIDE 6

Computer security

  • Sometimes one party's effort cost is so extreme (e.g., the technical knowledge required) that liability goes entirely to the other party, the least cost avoider

  • Other times a due care standard is plausible

– Due care standard determined by courts, but guided by industry practices
– Could be a very important role for the security community
– Better to be proactive than just let these standards evolve
– Should there be a FASB-like board?

SLIDE 7

Example: ATM machines

  • Ross Anderson: "Why cryptosystems fail"
  • Suppose there is a dispute between you and your bank about your ATM usage

– England: the bank is right unless you can prove it wrong
– US: you are right unless the bank can prove you wrong

  • Two different default assignments of liability

SLIDE 8

Result of ATM liability assignment

  • US: banks invest in risk reduction technology
  • England: banks typically do not invest in such technology
  • Credit card and phone card risk management
  • Role of competition: debit cards

SLIDE 9

Role of insurance

  • Two major risk management institutions

– Stock market
– Insurance market

  • Why do corporations buy insurance?

– The value of shares depends on the value of the firm's portfolio
– Shareholders can diversify risk themselves
– A particularly good question in the case of computer security

SLIDE 10

Why do corporations buy insurance?

  • Answer: risk management services
  • Insurance companies are well placed to

– recommend actions
– require compliance
– disseminate best practices
– the insurance contract is incentive compatible!

  • Especially valuable services for rare events

SLIDE 11

Examples

  • Expert certification

– Year 2000 problem

  • Could do more

– CERT patches as a requirement for insurance
– SATAN test

  • Prediction

– insurance companies will move into computer security (supplemented by expert advisors)

SLIDE 12

Insurance: moral hazard

  • Want the insured to bear some risk

– full insurance has bad incentives
– a deductible/co-pay is much better

  • Want to structure incentives to reduce risk

– liability assignments, as discussed
– deductible
– moral hazard

SLIDE 13

Adverse selection

  • Those who need insurance most buy it
  • The pool that purchases insurance is not representative of the entire population
  • Adverse selection can destroy a market

– argument for social insurance
– e.g., infrastructure protection above and beyond what private incentives cover

SLIDE 14

Infrastructure as public good

  • Private good v public good

– excludability
– rivalry

  • Public good aspect to security

– national defense; police services

  • How to pay for security?

– individual or social choice?

SLIDE 15

Private or public?

  • Gated communities or private walls?

SLIDE 16

Costs

  • Production costs

– economies of scale in protection?

  • Countervailing effects

– decision costs: social v private decisions
– coordination/complexity management costs
– effectiveness of measures
– clarity of who is responsible
– genetic diversity

SLIDE 17

Total effort v weakest link

  • Public goods usually involve total effort
  • Security often has weakest-link character

– makes the public good more costly
– private incentives

  • leadership is critical
  • coordination is critical
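
The interaction between liability assignment (slides 3 to 5), deductibles (slide 12) and the two technologies on this slide, in a small numerical model. This is an added example, not material from the original talk. Everything specific in it is an assumption made for illustration: Prob(e1, e2) = exp(-(e1 + e2)) for total effort and exp(-min(e1, e2)) for weakest link, A = 100, c1 = 1, c2 = 2, and a liability rule expressed as each party's share of A (a deductible is the same thing seen from the insured's side). Each party picks the effort that minimizes its own share of the expected accident cost plus its own effort cost; efforts are searched on a grid.

```python
import math

# Constructed parameters (not from the slides): accident cost A and
# per-unit effort costs c1, c2 for party 1 and party 2.
A = 100.0
C = (1.0, 2.0)

# Efforts are searched on a grid; fine enough for the comparisons below.
STEP, EMAX = 0.05, 8.0
GRID = [i * STEP for i in range(int(EMAX / STEP) + 1)]


def p_total(e1, e2):
    """Total-effort technology (slide 4): only the sum e1 + e2 matters."""
    return math.exp(-(e1 + e2))


def p_weakest(e1, e2):
    """Weakest-link technology (slide 17): the lower effort sets the odds."""
    return math.exp(-min(e1, e2))


def expected_cost(prob, e1, e2):
    """Social objective: Prob(e1, e2) * A + c1 e1 + c2 e2 (slides 4 and 5)."""
    return prob(e1, e2) * A + C[0] * e1 + C[1] * e2


def social_optimum(prob):
    """(e1*, e2*) minimizing expected cost: the due care standard of slide 5."""
    return min(((e1, e2) for e1 in GRID for e2 in GRID),
               key=lambda e: expected_cost(prob, *e))


def private_cost(prob, i, e, share):
    """What party i actually bears: its liability share (or deductible
    fraction) of the expected accident cost plus its own effort cost."""
    return share[i] * prob(*e) * A + C[i] * e[i]


def best_response(prob, i, e, share):
    """Party i's cheapest effort level, taking the other party's effort as given."""
    def with_effort(x):
        return (x, e[1]) if i == 0 else (e[0], x)
    return min(GRID, key=lambda x: private_cost(prob, i, with_effort(x), share))


def nash_equilibrium(prob, share, start=(0.0, 0.0), rounds=100):
    """Iterate best responses from `start` until neither party wants to move."""
    e = start
    for _ in range(rounds):
        e1 = best_response(prob, 0, e, share)
        e2 = best_response(prob, 1, (e1, e[1]), share)
        if (e1, e2) == e:
            break
        e = (e1, e2)
    return e


if __name__ == "__main__":
    for name, prob in (("total effort", p_total), ("weakest link", p_weakest)):
        opt = social_optimum(prob)
        print(f"{name}: optimum e* = {opt}, expected cost = {expected_cost(prob, *opt):.2f}")
        for share in ((1.0, 0.0), (0.0, 1.0), (0.5, 0.5)):
            eq = nash_equilibrium(prob, share, start=(EMAX, EMAX))
            print(f"  liability share {share}: equilibrium {eq}, "
                  f"expected cost = {expected_cost(prob, *eq):.2f}")
    # Weakest link with shared liability: the outcome depends on where the parties start.
    print("weakest link, shared liability, starting from zero effort:",
          nash_equilibrium(p_weakest, (0.5, 0.5), start=(0.0, 0.0)))
```

Under total effort, putting all liability on the low-cost party (the least cost avoider rule) reproduces the social optimum, while putting it on the high-cost party raises expected cost from roughly 5.6 to roughly 9.8. Under weakest link the same machinery shows why the slide calls leadership and coordination critical: all liability on one party yields zero effort from both (the non-liable party will not invest, so the liable party's effort is wasted), and with shared liability zero effort by both is a self-confirming equilibrium, while the positive-effort equilibrium is reached only when the parties start out, or are led, to invest.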

SLIDE 18

Why do systems fail?

  • Ross Anderson paper "Why cryptosystems fail"

– http://www.cl.cam.ac.uk/~rja14

  • What to do about human failure?

– get incentives right (e.g., liability assignments)
– outside monitors and auditors (insurance)
– follow procedures (banking)
– standards-setting role of the military (e.g., aviation)