ChiefIT.me Magazine - Nov/Dec 2016

Page 18

Cyber Security

The economics of security

By Bruce Schneier

The Network Effect

You’ve all heard of Moore’s Law, but there’s a lesser-known law called Metcalfe’s Law, and that is, “The value of a network equals the square of the number of users.” Take one phone: it’s useless. Two phones are at least useful; a thousand phones is a network; a million phones are suddenly essential. So, is this true for real networks, such as a network of cell phone users, email users, SMS, Skype, and Facebook? And is it also true of a virtual network, such as the network of Windows versus Mac users, or iOS versus Android users? The more people use a thing, the more valuable it is for each one of us that uses it.

This notion of network effect lends itself to a single dominant player in the marketplace. Think of Facebook. There was a time when you were not on Facebook because it was too small; now it seems to be the time when you have no choice but to be on Facebook, because you would never speak to your friends otherwise. That’s the network effect. It’s true for Skype. It’s true for any application: the more people on it, the more likely you are to be on it. So a single player wins, because that’s what makes sense.

Fixed Cost versus Marginal Cost

The second piece of IT economics is fixed cost versus marginal cost. In any product, there are two sets of costs: the cost to develop the product, and the cost to create the one of it that you’re buying. Take a normal product like a chair: someone designed it and was paid, then the company made a lot of chairs, and that development cost was amortised into the per-unit cost that, say, a hotel paid when it bought the chairs. In IT, pretty much all the cost is in development. The first copy of Microsoft Windows, for example, cost $20 million (I’m making this up); the second copy is free.

So, what this means is that stealing the results of development is a very powerful attack. This is true not just for software; it’s true for movies, for music, for pharmaceuticals, and this is why you see so much effort going into protecting the development costs. In other cases, the high fixed cost becomes a barrier to competition. Once Google maps the world, it’s hard for someone else to come in. A company like Google can further cut the costs to zero to prevent further competition coming in.

Switching Costs

The third piece of IT economics is the notion of switching costs. The switching cost is the cost for you as a consumer to switch to a competing product. Normally switching costs are low. Think about Coke versus Pepsi. You drink a Coke and you don’t like it, you drink a Pepsi tomorrow. That means that Coke had better taste good. Compare that to where the switching costs are high. I have a cell phone, and I use AT&T. If I don’t like AT&T’s service, I am still kind of likely to use it tomorrow, because the cost of switching cell phone providers is pretty high. If I don’t like my operating system, it’s really hard for me to switch. In IT, switching from one product to another can be really expensive: it is retraining of staff, rewriting of applications, converting data.

So, here is the thing of it: the higher the switching costs, the more a company can piss you off before you switch. They can provide you with a lower-quality service because they know that switching is hard, and companies do all they can to keep switching costs high. This is why you see proprietary file formats, non-compatible accessories, and programmes that won’t let you take your data with you when you leave. It is all designed to keep switching costs high, because that basically allows them to keep customer service low, and that is cheaper.

The Lemons Market

The fourth and last piece of IT economics is the notion of a lemons market. This actually came from George Akerlof, an economist who won a Nobel Prize. He studied markets with asymmetry of information, which he thought of by himself. Basically, these are markets where the seller knows a lot more about the products than the buyer. So think of the used car market: the seller knows a lot about the cars he sells; you as the buyer pretty much know nothing. I will spare you the economic math, but in markets where the seller knows more than the buyer, bad products drive good products out of the market. This is true for the used car market, and it’s true for IT security. This is why in the 1990s the best firewalls didn’t survive. This is why in the 2000s the best IDS programmes didn’t survive. Because we live in a lemons market.

And in a lemons market, buyers tend to rely on what economists call signals. One kind of signal is warranties: the used car market is full of warranties. Take a car home, drive it for a month, and if you don’t like it, you bring it back. Certifications, awards… have you ever wondered why our industry chases those dumb awards all the time? They’re signals. Awards, reviews, certifications, anything a buyer can jump on and say, “I’m going to do that! I don’t know how to choose, but this one won an award and this one is certified to ‘this’ standard.”


ChiefIT.me Magazine - Nov/Dec 2016 by MySecurity Marketplace - Issuu