
June 07, 2005

Even Minimal Diversity Accrues Benefits

Here's an interesting paper that says that, while diversification as in portfolio management or pooling as in insurance does not usually reverse the expected risk, diversification in information systems is different.

“Exploiting externalities unique to information systems, we show that diversification can not only reduce loss variance but also minimize expected loss.”
--Software Diversity for Information Security, by Chen, Kataria and Krishnan, Fourth Workshop on the Economics of Information Security, Kennedy School of Government, Harvard University, 2 - 3 June 2005.

The paper takes into account both the positive effects of fewer exploits and the negative effects of reduced ease of use because of less uniformity. It takes into account benefits to the firm that implements diversity, and benefits to society.

The paper concludes that the benefits of diversity accrue even if a firm adds only one piece of software to its incumbent monoculture software, and even if the new software is not as secure as the incumbent software.

Of course, if we're talking operating systems, any of the alternatives to the incumbent OS have greater security, as the paper demonstrates.

So software diversity in information systems would be good even in a world of worse alternatives to incumbent software, and is even better in our actual world.

-jsq

Thanks to Dan Geer for pointing out this paper.
