We hypothesize that security is a good with insufficient information, and reject the assumption that security fits in the market for goods with asymmetric information. Security can be viewed as in a market where neither buyer nor seller has sufficient information to be able to make a rational buying decision. These characteristics lead to the arisal of a market in silver bullets as participants herd in search of best practices, a common set of goods that arises more to reduce the costs of externalities rather than achieve benefits in security itself.
— The Market for Silver Bullets, by Ian Grigg, Systemics, Inc. $Revision: 1.27 $ $Date: 2005/11/05 18:25:54 $

Evidently security needs to find another precious metal for its bullets, given that the Storm Botnet is still out there after months, phishing becomes more expensive all the time, spam has killed electronic mail for a whole generation of users, and the best the monoculture OS vendor can come up with is a new release that attempts to push responsibility for all its bugs and design flaws back on the user.
What to do?
Maybe increase the number of attacks until there's enough information to produce an economically viable market:
Seen in this light, laws to criminalise activities such as cracking, reverse engineering and academic research into security products will probably work to reduce information in security, and thus may have an important negative impact on security. Given the model of information insufficiency, this negative impact may override any positive impacts.

After all, the attackers do have a lot of information, and their own functional market for sharing it. Maybe Iang is onto something: find a way for the white hats to participate in the black hat market and gain enough information to gain the upper hand.
The insight of the asymmetric and game theory literature was to change the payoffs so as to incentivise the more informed side of the buy/sell divide to reveal information. In markets with insufficient information, there is no information advantage on the other side, but there is a third party, the attacker.
Can we incentivise the attacker into revealing information? Indeed, have we miscast the roles; should the problem be cast as an asymmetric information problem between the users and the attackers? Although worth thinking about, it does stretch the framework as no business relationship, no negotiation and no contract has been entered into by these two (or three) agents.
And I would like this part:
For the sell side, sellers can aggregate information across client sites, but this implies admission of weakness of product. This would indicate towards selling services such as network monitoring rather than goods such as intrusion detection systems.

Damn! Wish I'd thought of that. :-)