The economics of security
Five questions for Fernando Montenegro: Insights on how to apply economic theory to solve security challenges and improve an organization’s overall security posture.
I recently sat down with Fernando Montenegro, senior systems engineer at vArmour, to discuss how understanding the economics that drive security transactions (i.e., incentives, contract design, appropriate market mechanisms) can help achieve more effective security solutions. Here are some highlights from our talk.
1. You assert that many of the issues that security teams work with are based not necessarily on the technical details around security but on the underlying economic transaction. What led you to this hypothesis?
It was a combination of things, personal and professional. On a personal level, we live our lives as part of the economy and I wanted to understand my role in it. On the professional side, my experience includes working on the technical aspects of security projects but also being a part of the business transactions when customers purchase security solutions. I took part in many selection processes, sales pursuits, and implementations. The underlying economics come across clearly in these scenarios.
When we talk about economics we’re not just talking about tying dollar amounts to security-related things: cost of a breached record, or price of a security solution. Economics—the part that is relevant to this conversation—is the study of how individuals or firms interact with one another and deal with the reality of allocating scarce resources. This leads to all sorts of interesting discussions about incentives, costs, and measuring value.
2. Can you provide an example of an economic principle applicable to current security challenges?
There are quite a few, but my favorite is the notion of “information asymmetry.” Think about an “ideal” economic transaction: You want to sell something, and I want to buy it, and we both know exactly what we’re talking about. We agree on a price and the transaction takes place.
Information asymmetry, on the other hand, is the relatively common situation where one party is better informed about the quality of the good being bought or sold—usually sold—and that leads to different issues, including the decrease in overall quality—or security, in our case—of the goods being offered in the market.
How? Well, the security of a product is something inherently difficult to assess, so there is tremendous potential for information asymmetry to develop when you are trying to conduct a transaction around a security product: Do you know what you’re buying? Do you know what you’re selling? This leads to all sorts of interesting dynamics.
3. How does drawing parallels between economic principles and security challenges improve security posture?
I think it is not only a matter of advocating parallels between principles. Rather, it is recognizing that achieving a good outcome in terms of security posture requires an understanding of the economic reality. It is similar to how eradication of diseases requires not only medical research to find a cure but also epidemiology to understand how to treat the target population.
In our case, understanding the economics of security means understanding when achieving security outcomes—a secure product, a safe user behavior—requires working on the right incentives, the right contract design, or the right market mechanism. These are all aspects of rolling out security that are not tied to actual security technology, but rather to the underlying economics of the transaction.
4. How can individual organizations apply economic theory to solving security challenges?
I think having an understanding of economic principles as they apply to security is tremendously beneficial to individuals, teams, and organizations. In terms of examples:
- It helps us understand the context of how software is developed and which mechanisms should be in place to achieve a required level of security.
- When performing UX design, understanding the cognitive biases of users and administrators becomes crucial to creating effective controls.
5. You’re speaking about the economics of cybersecurity at the O’Reilly Security Conference in New York this November. What presentations are you looking forward to attending while there?
There are so many! I am particularly looking forward to Laura Mather’s groupthink presentation, Kelly Harrington’s web malware session, and Adrian Ludwig’s Android security talk.