Skip to content
— CH. 1 · THE 2000 AWAKENING —

Economics of security

~3 min read · Ch. 1 of 6
6 sections
  • Ross Anderson wrote a paper titled Why Information Security is Hard in the year 2000. He argued that security technology fails when incentives do not align with technical design. Designers often rely on altruism for adoption and diffusion of their tools. This approach ignores the rational economic behavior of the party at risk. Anderson insisted that economic insights must be integrated into technical design to enable rational investment. Many scholars consider this publication the birth of economics of security as a distinct field. The intellectual status of information security rose to prominence around that same time. Innovations arose simultaneously in multiple venues rather than following a single linear path.

  • Jean Camp and Wolfram published arguments at Harvard School of Government in 2000 stating security is not a public good. They defined vulnerabilities as tradable goods with an associated negative externality value. Six years later markets emerged for these vulnerabilities involving iDEFENSE, ZDI, and Mozilla. The Computer Emergency Response Team at Carnegie Mellon University proposed the Hierarchical Holographic Model in 2000. This mechanism provided the first multi-faceted evaluation tool to guide security investments using risk science. CERT developed a suite of systematic mechanisms called OCTAVE for organizations to use in risk evaluations. These frameworks depend on the size and expertise of the organization receiving the assessment. The study of computer security as an investment in risk avoidance has become standard practice today.

  • Lawrence A. Gordon and Martin P. Loeb published Using Information Security as a Response to Competitor Analysis System in 2001. Their working paper was written during the year 2000 before publication occurred. These professors from Maryland's Smith School of Business presented a game-theoretic framework. They demonstrated how information security can prevent rival firms from gaining sensitive information. The article considers the economic cost-benefit aspects of information security decisions. Hal Varian presented three models of security using the metaphor of wall height around a town. He showed security acts as a normal good, public good, or good with externalities. Free riding remains the end result regardless of which model applies to a specific scenario.

  • Gordon and Loeb wrote the Economics of Information Security Investment document later in their research career. The resulting Gordon-Loeb model determines the optimal amount to invest to protect a given set of information. This formula takes into account the vulnerability of the information to a security breach. It also calculates the potential loss should such a breach occur for any organization. Many consider this the first economic model that successfully quantifies protection spending levels. The model links investment directly to both vulnerability magnitude and potential financial damage. Organizations use this logic to decide exactly how much money to spend on defense measures.

  • Proof of work is a security technology designed to stop spam by altering economics. An early paper argued that proof of work cannot function without price discrimination mechanisms. A later paper titled Proof of Work can Work illustrated this necessity clearly. The finding suggests that technical solutions fail if they ignore market pricing strategies. Spam prevention requires altering the cost structure for legitimate users versus malicious actors. Without price discrimination the system collapses under the weight of automated attacks. Economic viability depends entirely on distinguishing between different types of users through pricing tiers.

  • Andrew Odlyzko authored Privacy and Price Discrimination to explain current American data practices. He found that the opposite of privacy is not anonymity but rather price discrimination in economic terms. What appears as information pathology in collection of data is actually rational organizational behavior. Companies collect data because it allows them to segment markets effectively. This behavior is driven by profit motives rather than simple surveillance desires. The study illustrates that privacy loss is often a calculated business decision. Rational agents choose to trade personal data for lower prices or better services.

Common questions

What is the title of Ross Anderson's 2000 paper on information security?

Ross Anderson wrote a paper titled Why Information Security is Hard in the year 2000. He argued that security technology fails when incentives do not align with technical design.

When did Jean Camp and Wolfram publish their arguments at Harvard School of Government about security as a public good?

Jean Camp and Wolfram published arguments at Harvard School of Government in 2000 stating security is not a public good. They defined vulnerabilities as tradable goods with an associated negative externality value.

Who developed the Gordon-Loeb model for optimal information security investment?

Lawrence A. Gordon and Martin P. Loeb wrote the Economics of Information Security Investment document later in their research career. The resulting Gordon-Loeb model determines the optimal amount to invest to protect a given set of information.

Which organizations emerged six years after 2000 to trade security vulnerabilities?

Six years later markets emerged for these vulnerabilities involving iDEFENSE, ZDI, and Mozilla. These entities facilitated trading of vulnerabilities which were previously considered non-tradable assets.

What does Andrew Odlyzko identify as the opposite of privacy in economic terms?

Andrew Odlyzko authored Privacy and Price Discrimination to explain current American data practices. He found that the opposite of privacy is not anonymity but rather price discrimination in economic terms.

All sources

1 references cited across the entry

  1. 1journalThe Economics of Information Security InvestmentLawrence A. Gordon et al. — November 2002