Security Economics

Information security has finally become mainstream. It is almost a recognized profession, with its own areas of specialization: network security, audit, incident response, forensics, and security management. Salaries for IS practitioners have been rising constantly, the market for security products and services is much bigger than it was five or ten years ago, and more firms are entering it.

The “security frontier” has moved from firewalls and anti-virus to IM and VoIP security. However, convincing people and organizations to implement effective security measures has not become easier, so we must ask ourselves:

Is security worth it?
First, let’s look at how vendors attempt to sell security. There is usually some FUD factor involved. Years ago it was pretty blunt, concentrating on web defacements and Denial of Service takedowns “the hackers are coming”. Now, sleek statistics from reputable firms or institutions are used, so the language has also become more grown up: “organizations should secure,”, “we must ensure that every piece of critical information in a company is appropriately secured”, etc. The problem with these approaches is that the need for security is not personalized enough to trigger a buying decision.

Security as insurance does not work really well because either people can see through FUD and dismiss it as a cheap sales ploy, or because the potential consequences of a lapse in security are not immediately clear. The issue is quantification. You or your firm may not care much that “virus attacks have increased by X% in the last 12 months”, but you may pay more heed if the warning was specific to your industry: “virus attacks against XYZ systems running ABC applications have increased against ACME-industry institutions”.

It is of course, easier to sell any type of insurance or advisory services in regulated industries: housing or car insurance, financial services, health care, government. One only has to look at laws like Data Protection Act, HIPAA (US) and Sarbanes-Oxley to see how these created new business opportunities for consulting firms in may countries. However, for the security practitioner catering for a diverse clientele, another class of arguments must be found, in order to successfully convince clients to buy security services and products.

Fear vs. Economics
The problem with using Fear to sell security is that it is subject to the stroboscopic light effect: you get used to it, you may not realize when it really is bad and you could collapse under it not knowing why. Fear also works if you are naturally risk averse. But, it doesn’t work if you’ve never experienced the touted bad consequences or, if you are not risk averse.

Basic economics tells us that a free market for one specific product or “good” (let’s leave it “good”, please, as this is the basic economics terminology.. thanks) will converge to an equilibrium position, where supply equals demand, at a certain price P per unit. However, security is a complex issue, where many remedies are required for different aspects, so such a simplistic view may not be enough to look at when selling our security wares. Besides, in some cases it is difficult to determine what “one unit” of that product or good may be and company purchasing decisions are not as simple as the theoretical academic models may suggest.

Some industry participants complain about increased competition as a factor in depressing their security sales. However, let’s take a quick look at a typical large European country as a “market” for example Germany or the UK. This reveals that there will be, on average, ten firms providing Managed Security Services (MSS), with the biggest firm holding about a 20% market share. There will also be around 30 firms providing various Security Consulting services and we’ll perhaps find one with the biggest market share of 10%. This would mean HHI indexes of competitive intensity of 526 and 135 respectively.

Glancing back at our economics textbooks, we find that this is not an overly competitive market to be selling security services in, even if we accept that defining the actual “market’ may be the trickiest part of this type of analysis.

Security ROI
Then there is another way: proving security ROI. Of course, ROI is a valid financial tool. In the security industry, however, every vendor seems to have one, which is slightly different from other vendors’ and which “proves’ that buying that vendor’s product or service makes the best economic sense. For example, I’m sure we’ve all seen the statistics stating that having someone else to manage your company’s firewalls is a 400% ROI over one year, when compared to managing them in house.

Whenever we are confronted with such figures, there are several things we need to ask: How many firewalls do these figures refer to? How many different technologies? Were these devices located in one company office, or distributed on a country or continental level? What service levels do the costs refer to? How many clients participated in the survey, how many vendors?

Many ROI calculations adopt a simplistic and/or simplified view of the underlying costs. They also tend to disregard “communications’ costs, human and skills costs, dealing with process or operational exceptions, with network upgrades. One must always seek to understand the assumptions of any ROI model. As a final note, an IDC study in 2003 found that 83% of companies do not track ROI for their security investments. Things are likely to have changed, but caution and scrutiny should still be applied to ROI models.

Buy or Build and the Individual Perspective
From a client perspective, a lot of energy is usually spent debating whether security is best kept “in house’ and delivered by client’s own personnel (or built by internal efforts), or is it better to outsource or buy “off the shelf’. Because security is essentially a trust issue, the natural inclination is to keep it in house, shrouded in secrecy. We know that, from a technical perspective, “security through obscurity’ is not good practice. The encryption algorithms that become standards are subjected to scrutiny for years before being widely adopted.

From an economic perspective, there will be security tasks which are more efficiently carried out by an outsourcer (e.g. managing firewalls or IDS), and some which are more suited for in house delivery (e.g. fraud and incident investigations), if skills exist in-house. A good provider will remind the client that they always retain the full responsibility for their organization’s security posture, even if some security tasks have been “delegated’ to hands and brains outside the firm.

Economics also plays a part in everyday decisions taken by individuals (employees) when it comes to doing the “right security thing.” We must ask whether security is facilitating or hindering their jobs. Is it “cheaper’ to comply with or to flaunt security rules and procedures? What is the employee’s time-horizon when it comes to making security decisions? The answer is making security a business enabler and with a relatively low compliance cost. Otherwise, individual cost-benefit analysis decisions (e.g. about how often to change their system password) may trump the best laid out corporate security strategies.

Fear, Risk and Economics
So, where does this discussion leave us? Are we any wiser about how to make security more widely adopted – and encouraging clients to spend more on their security budgets?

The main idea we need to tell our clients is that security can be a business enabler and not just an “IT cost,” Let’s stop viewing information security through the prism of fear and start to quantify it and, more generally, technology risks and threats in economic terms. At the end of the day, buying decisions are made by business people and not necessarily by technologists, so security investment decisions must make business sense in order to be adopted.

We need to articulate the economics angle whenever we buy or sell security. This should enable us to make rational (economics-based, rather than fear-based) decisions when it comes to security. Let’s not allow fear or the latest technological fad to cloud our judgment. We can and should place economic value on security measures, be they technology, people or processes. If we adopt an economic approach, we can demystify Information Security and make it a friend of the organization. This should benefit both the “buy’ and the “sell’ side of the market.

Next time you turn on your system at work and it asks you to change your password, you know you’re facing an economic decision. It is always cheaper to comply than to clean up after a security incident. The economic benefit of complying with the security policy will accrue to both you and your organization. Then, you can concentrate on doing what you do best, knowing you’ve done “your bit” to keep your information safe. You know it makes (economic) sense.