The economics of information security

Ross Anderson and Tyler Moore wrote an interesting state-of-the-art survey of the economics of information security. Why does economics matter? The obvious answer is that it is about money, and money is one of the major driving factors of the software industry. This paper highlights a more compelling argument: many security failures come from misaligned incentives rather than from bad design. For instance, if the operating system fails to prevent a virus from crashing my computer, I suffer the loss, not the OS vendor (especially if it holds a dominant market position). Another example: the vendor of a player for AACS-protected content does not bear the losses caused by content piracy.

The survey explores many fields of information security and shows how economic analysis can help to understand failures or to strengthen security. For instance, to trigger a network effect, it may be economically wise to lower security (or at least to make sure security does not get in the way of potential customers) in order to become more attractive. Once the threshold is passed, strong security can then be a good way to lock in the market (the second side of a good network effect). Another interesting topic is secure software development. It seems that one should have a few but extremely competent developers (in security) and a lot of testers.

I am not fully aligned with the conclusions on DRM and Trusted Computing. But here we may object that we do not have the same incentives :Happy:.

Definitely a paper to read. Furthermore, taking economics into account in the design is probably a good thing. I will have to dive into game theory.

The paper is available here.

