Many of us are geeks. We like to think that just because we have a good idea other people will like it as well. We’re particularly bad at user interface design and understanding the underlying economic drivers for technology. As a case in point, why is it that IPv6 hasn’t taken IPv4’s place, even though it has been in existence for nearly fifteen years and solves a real problem of address space shortage? The answer can be found, I believe, in economics, which is to say that the motivations have not been there to spend the money to get people to move from one system to the other.
On Tuesday I am off to New Hampshire via Boston to attend the Workshop on Economics of Information Security (WEIS). In past conferences, WEIS has covered such topics as when to disclose vulnerabilities, the economics of the insurance industry and cyberthreat insurance, digital media protection mechanisms, and the risks of new technology introduction. One past paper that I particularly enjoyed discussed the risks of homo- versus heterogeneity in an enterprise. It has long been an axiom that if you wanted to protect yourself from systemic failure you used redundant systems that are built using different methods. In airplanes the rule is meant to keep passengers alive (although Airbus has flouted this idea, according to the Telegraph).
Cyberthreat insurance people take this to the extreme by not particularly liking even the idea of interoperability. Their logic goes that any interoperating system can continue a cascading failure, and that is potentially true. Of course, while an insurance salesman might want you to not have an accident, his management need some accidents to prove that insurance is necessary. The extreme case of a cascading failure, however, has insurance people shaking in their boots. They get away with insuring households and businesses against losses by (a) applying a reserve and (b) knowing that a fire or other natural accident can only cause so much damage in a local area. In the case of a computer virus, they have no reason to believe that there is any locality, and so the policies tend to be very restrictive.
I have a few economic questions of my own to ask. What will it take to motivate the adoption by a service provider of a new authentication mechanism that would provide benefit to OTHER service providers? In other words, how will service providers serve the common good? In general, by the way, they do. They recognize rightly that if they don’t cooperate on their own they will be made to do so under far less favorable terms. But here is something new, and not old. Introduction of new technology and new ways to cooperate is not exactly what they’re all looking for. I am. If we can find improved methods of authentication for end users we can surely reduce the value a PC represents to a criminal.
Of course this means we have to create a new authentication mechanism that actually does improve matters, but as my favorite theoreticians say, let’s assume that’s true, never mind reality. What then has to happen for the mechanism to be adopted by consumers and providers alike?
Going back to that earlier question of what it will take for IPv6 to get deployed, in this year’s WEIS, Jean Camp, Hillary Elmore, and Brandon Stephens have produced a paper that puts the question into a formal economics context. While the work is neither the beginning nor the end of the discussion, it is a very good continuation.
You can soon expect a post that discusses the outcome of this year’s conference.