In this paper I dip into the esoteric theory of insufficient markets, as pioneered by Nobel Laureate Michael Spence, to discover why security is so difficult. The results are worse than expected - I label the market as one of silver bullets. Yes, there are things that can be done, but they aren't the things that people have been suggesting.
This paper is a bit tough - it is for the serious student of econ & security. Far from being the pragmatic "fix this now" demands of Philipp Gühring and the "rewrite it all" diagnosis of Mark Miller, it offers a framework for why we need this information out there in the public sphere.
What is security?

As an economic 'good', security is now recognised as one for which our knowledge is poor. As with safety goods, the events in which it delivers utility tend to be destructive, yet unlike safety goods, the performance of the good is very hard to test. The roles of participants are complicated by the inclusion of aggressive attackers, and by buyers and sellers that interchange.
We hypothesize that security is a good with insufficient information, and reject the assumption that security fits in the market for goods with asymmetric information. Security can be viewed as in a market where neither buyer nor seller has sufficient information to be able to make a rational buying decision. These characteristics lead to the emergence of a market in silver bullets as participants herd in search of best practices: a common set of goods that arises more to reduce the costs of externalities than to achieve benefits in security itself.
Does it really show that the security market is one of silver bullets, and best practices are bad, not good? You be the judge! That's what we do in FC++, put you in the peer-review critic's seat.
Posted by iang at June 25, 2006 11:53 AM | TrackBack

Ian, you make an unwarranted claim (through a logical jump) that herding results in a single herd. Both empirical evidence and logic suggest otherwise: several competing herds may (and often do) emerge. Moreover, there is often an advantage from moving from a larger herd to a smaller one, both from a fingerpointing and a security (direct risks) point of view.
Certainly, there is no incentive for the smaller herd to give up its distinctiveness: if security breaches happen within the large herd, the members of the small one can exclude themselves (to some extent) from paying the extraordinary costs. Also, rational attackers can be expected to invest more in searching for vulnerabilities in the largest herd, thus stabilizing the smaller ones.
In short, the (otherwise very convincingly described) process of herding does not imply that only a single herd is stable. Nor does this seem to be the case.