Security Economics

Accumulated thoughts on the interplay of economics and security


Market forces

Market forces exist. If you are unwilling to accept this premise, you can save yourself some time and close this tab.

Producers, consumers, suppliers, competitors, investors, and regulators are all subject to forces acting on them, just as they exert forces on each other.

I do not suggest that market participants lack agency. They absolutely should be accountable for their decisions and actions. But it is important to understand how the range of their actions, at least of those that survive, is constrained by the market forces acting on them.

These forces create evolutionary pressure on market participants. Surviving and succeeding in a competitive market requires a combination of skill and luck in navigating these forces, leveraging those that are favorable, and counteracting those that are not.

Market forces, like physical forces, cannot be overcome by willpower alone. Although free will enables you to step off a cliff, it does not give you the power to fly. Just because you saw someone fly does not mean that one simply has to decide to take the plunge to do it. Moreover, if you do not understand the physics of flight, you are in no position to comment on the viability of repeating the feat under different conditions.

Understanding how market forces constrain the range of motion can be essential to providing constructive advice and guidance.

I am not an economist and I do not pretend to be an expert in this field. Nonetheless, I have tried to pay particular attention to how market forces appear to shape product security. Below I’ve written down some thoughts on this topic accumulated over the last two decades in the industry.


Security is the last differentiator

In consumer markets, security (along with broader reliability and safety) becomes a significant factor in purchasing decisions typically only after the product becomes commoditized.

The PC industry provides a good case study. Remember buying a PC in the ’90s? By the time you brought it home and finished setting it up, it was already an outdated pile of junk. You could go back to the store a few weeks later and buy one that’s twice as fast for half the price. In that context, you were always looking forward to an upgrade. Every problem, every infection, every crash you experienced, brought you one excuse closer to what you really wanted — a new one. Then, by around 2000, hardware got fast enough, the OS was stable enough, Office had all the features you could ever want plus that paperclip thingy. Suddenly, you didn’t want a new one, you didn’t want to upgrade. Suddenly, upgrading became a chore. Yeah, the plastic shell could be nicer and the display a bit better, but you would have to reinstall all your apps, move all your data, etc. You just wanted the one you already had to keep working. It is not coincidental that Bill Gates’ Trustworthy Computing memo came out in 2002.

A similar trend could be observed in the automotive industry. At least in the US, wide availability of convenience features — such as radio, air conditioning, and automatic transmission — generally predates that of safety features like air bags, anti-lock brakes, and even seatbelts. However, as cars became commoditized, TV ads focused almost exclusively on long warranties and high crash safety ratings. That is, until the recent auto industry renaissance fueled by computation and connectivity.

This wasn’t all Bugtraq and Nader, either. Without dismissing the role of activism, it is important to appreciate other forces at play and to consider why advocacy efforts succeeded when they did.

Security is not free. It costs money and it costs time to market. While the rate of innovation is high and new features are arriving at a rapid rate, consumers don’t want to wait (or pay) for greater security. While there are lines waiting for stores to open on launch day, delaying the launch to improve security without increasing the feature set can be suicidal for a manufacturer.

However, once the innovation curve plateaus, once each successive model is pretty much the same as the previous one, suddenly consumers want reliability. They don’t want a new thing, they want the thing they already have to work.

This may even be a rational (though not necessarily conscious and explicitly thought out) choice for most consumers. If we evaluate security as the ratio of benefit to risk, then during periods of rapid innovation it may be best to optimize this ratio by capitalizing on the skyrocketing numerator. When innovation begins to flatten out, the only remaining way to improve the ratio is to drive down the denominator.

Exercises for the reader:

  1. What does this mean for IoT?
  2. Name another tech sector that has been putting a greater emphasis on security as commoditization began to set in over the last couple of years.

Exploit markets

The market for exploits appears to be split into two: elastic and inelastic. In the elastic one, demand responds acutely to pricing changes. This is the market of hobbyists and profiteers. If exploitation suddenly takes twice as long, fewer people would have the free time to do it for fun. If it becomes twice as expensive, fewer business models make sense.

The inelastic market remains fairly unaffected by pricing pressure. This is the market of governments. You can double the cost of exploitation several times over, and it still won’t show up as a rounding error in the defense department budget.

Starving the elastic market is a realistic goal for defenders. Make exploitation expensive enough that it’s just not worth it. Addressing the inelastic one, where buyers’ purchasing power far outweighs defenders’ ability to influence cost, may be infeasible.

Ironically, the harder it becomes to exploit something, the more difficult it becomes for a new exploit supplier to enter the market, and the more entrenched the incumbent becomes. As a defender, if you are driven by personal animosity towards your adversaries, you are going to have a bad time.


A new expectation for consumer goods

Consumer goods have never been made to withstand intentional abuse. There is nothing in my house that can survive a three-year-old on a sugar rush, much less a bored teenager with a baseball bat or an armed goon.

Items intended for home use have been made to be affordable, stylish, and provide superior functionality. They have also required careful handling. They were never designed to be abused.

There are products specifically designed to be placed in public places and withstand abuse. They don’t look as nice, provide only the bare minimum functionality, and cost a lot more than their consumer variants. But, unlike the really nice things we keep at home, they can take a beating.

But digital devices are different. Because the software they run is exposed to the Internet, they are essentially in a public space all the time. We expect the software in our consumer devices to actually withstand not only casual abuse from misbehaving kids, but even targeted attacks by trained professionals.

This is a fundamentally different expectation for consumer goods than has ever existed before. This has profound implications for how manufacturers design and test their products; how sellers advertise and price them; how consumers evaluate and compare them; how regulators assess and certify them. This is really something new for the consumer market and the market is still adjusting to this change.


Patching costs

Not only do we expect our products to be designed and built with security in mind and to be resilient against attacks, but also, as new vulnerabilities are discovered, we expect our devices to be regularly updated and patched.

The days of a shrink-wrapped product that is sold and forgotten are over. Consumers expect regular security updates. Future devices will be managed — connected and maintained by a provider.

But updates come at a cost. It takes a non-trivial amount of engineering effort to develop, test, and deploy fixes. It should therefore come as no surprise that, when you look around, the companies that seem to be most actively patching their products are also the ones that have a continuous revenue stream generated by those devices. These revenue streams could be direct from service offerings, or indirect from advertising or app sales. At the same time, companies that continue to see challenges with regular patching are the ones that made all their money at the time the device was sold. The only* way a continuous investment in patching can be sustainable is if there is a continuous revenue stream to offset that cost.

*Technically, there’s also regulation. Compelled compliance can force all competitors to factor the cost of support into the original price of the device. But, I’ll have more to say about regulation in another post …