Four economic principles that affect security
If you want security, Schneier said, go back to DOS. Since no one wants to do that, Schneier advocates thinking about networking and computer security in terms of four basic economic principles to make sense of it all.
1. The Network Effect. In short, the network effect means that the value of a network increases with the number of people who use it. And because the platform is increasingly valuable, the economic truth is that the big get bigger, no matter what kind of network, whether it's telephone, Internet or virtual, Schneier said. This economic principle leads to dominant firms emerging in the market (think Microsoft), and because they're valued, they will get still bigger. In terms of security, the bigger the network, the more attention from hackers.
2. High Fixed Costs/Low Marginal Costs. IT doesn't operate using the traditional rules of capitalism, Schneier said. With software, for example, the cost of making the first copy can be millions of dollars and the following copies are free. In normal markets, competition drives down marginal costs. But society has built in anti-capitalist defenses to help recover fixed costs for some industries, which include software, movies and entertainment, and pharmaceuticals. "Patents, copyrights and trademarks fly in the face of capitalism and allow companies to recover fixed costs," Schneier said. Compatibility and proprietary accessories also work the same way. "This leads to a dominant market structure, so the bigger firms get bigger, again."
3. Switching Costs. In most markets, the cost of switching to a competitor could be zero, Schneier said. "In IT, switching costs can be extremely expensive, which means the value of a company can be judged on how expensive it would be for customers to move to a competitor." "Companies don't have to do a good job if switching costs are high. In fact, a company has to be pretty bad before you leave," Schneier said. "The cellphone number portability battle was about switching costs," he said. "No one wanted to switch providers even if they had bad service because they didn't want to switch their numbers."
4. A Market for Lemons. In a lemons market, sellers know a lot more about the products than the buyer, and this relates directly to the security and used car markets, according to Schneier. "In markets where buyers can't tell the difference between a bad and a good product, bad products drive good products out of the market," he said, and it is unfortunately true of the security market. Ten years ago during the great firewall battles, the products that survived weren't the best ones, Schneier said, because buyers couldn't tell the difference.
In lemons markets, buyers tend to rely on signals, which include things like warranties for cars or promises of money back if a car turns out to be a lemon. "In IT markets, signals to buyers include vendor awards, testimonials and product reviews," Schneier said. "Name recognition is another buyer signal that doesn't always mean the product is the best, but the name is more trusted because consumers recognize it."
Internet security offers confusing signals
"In Internet security, it's very hard to know what to buy because lots of very good products are not being sold," Schneier said. "The signals don't work right, and buyers don't know the difference."
In addition, many buyers are concerned about the newest technologies and how they work. "I'm telling you as a techie, it really doesn't matter that much," Schneier said. "We have all the technology we need. It's a matter of economics and a matter of getting the technology to work right."