
Regulating Secure Software Development

2 Understanding secure software development

2.7 Information security as an externality

Information in general is a special commodity. On the demand side, buyers cannot determine the value of information (how much they would pay for it) until they have it, and having it removes their willingness to pay for it. There are differences also in the supply side:

information is costly to produce, and yet it costs relatively little to copy and transmit. Thus, it is extremely hard for anyone who has devoted resources to the production of information to appropriate its value through the sale of that information. This is because the buyer of the information can resell it at the cost of transmission. Owing to the low cost of transmitting information, information producers have difficulty selling information for more than a fraction of its value (economists call this the problem of non-appropriability). Consumers desire to become “free riders” for information, paying no more than the cost of transmission for the commodity (e.g. copying a computer program for free).248

248 Cooter and Ulen, Law and Economics, p. 109 and 126.

249 Cooter and Ulen, Law and Economics, p. 42.

250 McNutt, Public Goods and Club Goods, p. 927.

Why is the appropriation of the value of information so difficult?

An answer can be found in the theory of public goods (economists see the problem of non-appropriability as similar to the public goods issue). A public good is a commodity whose benefit is shared by the public as a whole, or by some group within it. It has two very closely related characteristics: non-rivalrous consumption (i.e. consumption by one person does not leave less for any other consumer) and non-excludability (i.e. the costs of excluding non-paying beneficiaries who consume the good are so high that no private profit-maximizing firm is willing to supply the good)249.

As Patrick McNutt explains in the Encyclopedia of Law and Economics250, a pure public good exhibits in extreme measure the characteristics of non-rivalry in consumption (one person’s consumption of it does not diminish the amount that others are able to consume), and non-excludability (no one can be excluded from enjoying it). The property of non-rivalrous consumption implies zero marginal cost to existing users in sharing the benefits of the good with an additional person. If a pure public good is privately provided, then it will quickly be provided at that zero marginal cost; but at that price it does not pay any private producer to supply it since their investment (the fixed costs of production) could never be recovered.

At the same time, the non-excludability of public goods implies that the benefits of access cannot be fully appropriated by producers: if someone cannot be excluded from enjoying the benefits of a good, he or she has little incentive to pay for it but will be inclined to “free ride”. There is then little incentive for a private producer to undertake the supply of such a good, which would consequently be undersupplied.

Firstly, information contains ideas, and a person’s use of an idea does not diminish its availability for others to use, so there is non-rivalrous consumption of information. Possession of certain information, e.g. using computer software, leaves it still equally valuable to another individual because she can have it at the same time. Secondly, excluding some people from learning about a new idea can be expensive, because the transmission of ideas is so cheap – the use of information is non-excludable.251

251 These considerations suggest that the unregulated market will produce sub-optimal amounts of information (undersupply), such as inventive ideas and creative works. This, in turn, suggests the need for governmental intervention in the market for information. Even though the view that the unregulated market will undersupply information still dominates most policy discussions, situations can occur in which no regulation results in too much information or just the right amount, as explained by Robert Cooter and Thomas Ulen in Law and Economics, p. 127, and Anthony Ogus in Regulation, p. 40. However interesting this wide discussion is, it will not be taken further in this context due to the lack of a direct connection to the issue of information security.

This should be nothing new, not even to lawyers, since copyright theories and the discussions on freedom of information and publicity principles are based on the public goods problem. But does the public good nature of information create similar problems for the security of it? In other words, does information security exhibit in extreme measure the characteristics of non-rivalry in consumption and non-excludability, similar to information as a commodity?

Actually, there is no clear-cut answer. In order to make a clear point in relation to the quality aspects of information security we must come back to the general information security question for a while, even though we have earlier limited the study to the secure software development part of information security. This is because the different parts of information security require different treatment under welfare economics, and without briefly considering them it is not possible to make a clear point about the development part of information security. There is, however, a need to introduce the concept ‘externality’ into the discussion before we can continue, because the economic theories of public goods and externalities caused by the consumption or production of some good are closely related.

Public externalities252 typically also have these characteristics of non-rivalry and non-excludability; the external costs or benefits are not depleted when one person suffers or gains their effects.

All goods share the characteristics of rivalry in consumption and excludability from supply to some degree253. If a good is rival, only one person can consume it at a time; if it is non-rivalrous, many people can enjoy the good without affecting the enjoyment of others. A good is excludable if the person in possession or the producer can exclude anyone from enjoying it; it is non-excludable if it is impossible or too costly for the supplier to exclude those who do not pay from the benefit. For example, once property rights are defined over private goods, they are relatively cheap to enforce (e.g., the owner can exclude others from using them at low cost). With public goods, it is costly to exclude anyone from enjoying them.254

252 Economic theory makes a distinction between public and private externalities (Cooter and Ulen, Law and Economics, p. 40 and 110). If the external cost or benefit affects a relatively small number of third parties, the externality is said to be a private externality. In such cases, it is more likely that the externality can be accounted for through private agreements. So, there typically is no market failure in the presence of private externalities, since private agreement, possibly with the help of private law measures, is able to correct them. If the external cost or benefit affects a relatively large number of third parties, the externality is said to be a public externality. In such cases private bargaining is likely to be too costly, especially due to co-ordination problems. I will concentrate mainly on public externalities since they raise the real problems for society.

253 Not all goods exhibit the characteristics of excludability and non-rivalrous consumption to the same degree. Most public goods typically fall somewhere between the extremes of excludable/non-excludable and rivalrous/non-rivalrous, and can be called impure public goods, as Anthony Ogus points out in an influential book developing an extensive theory of regulation based on legal scholarship and economic research, Regulation, p. 34. Actually, the majority of the real world’s property lies in between purely private and purely public goods, as Ugo Mattei states in Comparative Law and Economics, p. 52. This has implications for the corrective public policies, as discussed under the following headings.

254 Cooter and Ulen, Law and Economics, p. 106.

Exchange (i.e., trading or agreeing on a bargain) inside a market is voluntary and mutually beneficial. Typically, the parties to the exchange capture all the benefits and bear all the costs. However, sometimes the benefits or the costs of an exchange (a private transaction) may spill over onto parties other than those explicitly engaged in the exchange. Because market transactions are voluntary, these spill-over effects are outside the market system of exchange and, as a result, are not considered in the determination of the market price. This is why they are named externalities255.

Externalities are a category of external effects that are by-products of an activity that influence the production of other goods or the welfare of other individuals. As Jules Coleman explains, externalities are inefficient external effects: social costs or benefits that result in inefficient production or non-optimal distributions of welfare256. In order to ensure that an efficient amount of the item is traded, there is a need to somehow internalise the externality. That is, there is a need to ensure that the external costs and benefits are considered in the determination of the transaction price257.

255 Cooter and Ulen, Law and Economics, p. 40 and 110.

256 Coleman, Markets, Morals and the Law, p. 76. The same distinction was made also about network effects and network externalities above.

257 As Coleman notes in Markets, Morals and the Law, p. 76, internalisation need not, and often does not, require that the external effect itself is eliminated. Only the inefficiency in production or exchange that the externality generates is eliminated.

258 Kunreuther and Heal, Interdependent Security, p. 231-249. Hal Varian argues similarly about system reliability in System Reliability and Free Riding, p. 1.

Externalities in information security in general. Yes, information security at the level of information infrastructures (e.g. communications and electrical networks) and other networked information systems is interdependent, as Howard Kunreuther and Geoffrey Heal term it: your security can be compromised by the failure of others to act even if you take appropriate precautions on your own. The security of a system depends on the effort of many parties258. The lack of security in one system can cause adverse effects on others (e.g. when a virus infects or a hacker breaks into one computer in a network, the whole network easily gets contaminated).

Losses from security breaches at the level of information infrastructures and other networked information systems can be dealt with only if a large number of parties coordinate to make the needed investments259. So, the incentive to invest in infrastructure security is affected by the security investments made by others, because the security level an organisation can achieve is affected by the security level of others in that network. In this situation, investing in protection involves spillovers that result in positive externalities for the whole network. For example, when one system owner in a network (e.g. a telecommunications operator) takes additional security measures to protect her machines and networks, the overall telecommunications network becomes more secure. But the security of the network does not have to actually improve, since the investment made by one party may involve spillovers in customer confidence (increased trust)260.

This benefit given to others by securing one’s own networks is not considered when deciding the amount of investment made for the security measures, and too little investment in security is made261. Because a secure system does not allow users to do any more than an insecure system, system and network operators in the private sector spend only as much on security as they can justify on business grounds – and this may be much less than society needs as a whole. Further, because serious cyberattacks are rare, the payoff from security investment is uncertain. In many cases, it is society (or other users) rather than any individual firm that will capture the benefit of improved security. As a result, system and network operators tend to underinvest in security.262

259 This has been noted by the European Commission in its communication on network and information security (COM(2001) 298 final, p. 14). It is not required that everyone cooperates. But co-operation only works if a critical mass of players participates, which is difficult to achieve as there are ‘free-rider’ profits to be made.

260 When considering the customer confidence aspect, not only the information security investments made, but also the sharing of security information can involve spillovers, which result in positive externalities for the industry as a whole. Enhanced customer trust in transacting with a particular firm also expands the overall market size within the industry, as the Amazon.com case makes explicit, especially in the online market for books. This has been tentatively explained by Esther Gal-Or and Anindya Ghose in The Economic Consequences of Sharing Security Information, p. 3.

261 In other words, investing in security seems to buy less for the firm making the investment when there is the possibility of contagion from others than in isolation, as explained by Kunreuther and Heal in Interdependent Security, p. 8-9, and by Kunreuther et al., Interdependent Security, p. 2. This is emphasized by the benefits given to others not being internalised.

262 This has been explained by the Computer Science and Telecommunications Board (CSTB) report Cyber-security Today and Tomorrow: Pay Now or Pay Later, p. 9.

263 As Soo Hoo et al. note in Regional Interest Group on Information Security, p. 1, information security is a part of the general public good of a secure information infrastructure, regardless of whether the information networks that provide public goods such as emergency services, defence, or basic infrastructure components are publicly or privately owned and operated. See also Camp and Wolfram, Pricing Security, p. 31-39, where information security is considered as a public positive externality, but not a public good. However, the argument that information security is not a public good because it is not a single, indivisible good (instead it is the sum of a number of individual firms’ or people’s decisions) and because the solutions to the public goods problem might differ from those of externalities (government provision, e.g. of national security, contra simple interventions to enhance the private market), is valid only if information security is seen as a pure public good – which it is not.

Developing secure information and software systems can be seen as having the characteristics of a public good to some degree; maybe not in the extreme form (i.e. it is not a pure public good), but it creates positive public externalities that are not internalised, and thus too little security is provided263. According to the economic theory of public goods, the market fails in that it produces too little of the commodities (network security in our case) due to the lack of encouragement to invest in the security of networks above the needs of that particular organisation (the appropriability of the value of increased network security is limited and ‘free-riding’ on the costs of others is possible)264. In relation to the secure software or information systems development part of information security, this means that developing information security properties (e.g. the security requirements of confidentiality, integrity and availability) into information or software systems, or correcting defects (e.g. by patching) in components used in their development, can be seen as causing positive public externalities. When the security of one networked information system is enhanced, the users and operators of other information systems in that network also reap the benefits, because there are fewer possibilities for security failures in that network.

From the viewpoint of the overall security of that network, the incentive to invest in the security of one’s information systems is too low because the benefits given to others are not considered in deciding about the investment. So, the benefits of improved security are not fully reflected in market prices. When operators, suppliers, or service providers improve the security of their products, a good deal of the benefits of this investment accrue not only to their customers but to all those directly or indirectly affected by electronic communication - basically the whole economy265.

264 Similar to public goods, the market fails in the presence of positive public externalities in that it produces too little of the commodities. There is a strong inducement for consumers of the privately provided public good, or in the presence of positive public externalities, to try to be free riders: they hope to benefit at no cost to themselves from the payment of others.

265 This is emphasised by the European Commission in its Communication on Network and Information Security: Proposal for a European Policy Approach (COM(2001) 298 final, p. 14).

These positive public externalities are relevant also for the component developer, when the products are used in networked information system development. Adding security features to components used in networked systems enhances the security of the overall network and gives the whole industry a face-lift (customers may consider the products of others more secure as well, which increases trust, as has happened e.g. with the heavy investments made by Amazon.com in customer privacy spilling over to other online bookstores), thus creating benefits that the component developer does not consider while deciding about the pricing of the component. Thus a more secure component tends to be overpriced266.

Externalities and the quality aspect of security. ‘Public goods’ are, however, relevant only in relation to developing security properties. Defects (vulnerabilities) in common software products that are used as components in the development of networked information systems are a totally different issue. They cause the whole networked information system to be vulnerable267. And since components are

266 Overpricing is not the only cause for the lack of demand for more secure components. As noted earlier, customers accept errors and malfunctions due to long-term industry practice and a desire for features and performance instead of security. In addition, the positive externalities caused by information security investments and raised customer confidence diminish their willingness to invest in the security of their systems, which means that there is less demand for more secure components or add-on security devices.

267 Even though reducing security-related vulnerabilities in a software product used in a networked information system also makes the overall network more secure by diminishing vulnerabilities that could be misused, it is not a positive externality case. The product developed is not the absence of vulnerabilities. Instead, it is a software component that should have certain quality and security by default. Vulnerability avoidance is not the product, even though, with patching considered a sufficient remedy even for security-related defects, it seems to have evolved into something like that. But the product is the software that is expected to have quality and security in addition to functionality. So, the spillovers from vulnerabilities being misused (security breaches), resulting in negative externalities, are reduced, but no positive externalities are produced while diminishing the vulnerabilities. Protecting computer networks from viruses and from hackers reduces the chances that a loss will occur to the agent who takes protection and at the same time reduces negative externalities. Similarly in Kunreuther and Heal, Interdependent Security, p. 21.