Shostack + Friends Blog Archive


4th Workshop on the Economics of Information Security

The Fourth Workshop on the Economics of Information Security will be held in Boston, June 2-3. The schedule is now online.

I’ll be presenting a short essay on “Avoiding Liability: An Alternative Route to More Secure Products” at the rump session. I’d love feedback. Ian Grigg has talked about alternate review systems.

2 comments on "4th Workshop on the Economics of Information Security"

  • Cypherpunk says:

    “A healthy debate is raging over extending liability rules to software companies. Respected security experts and economists argue that it is an effective way to force companies to internalize externalities. After all, if a company can spend nothing on security, and produce a product that customers will buy, why should they spend on security? If customers can’t distinguish between a secure and an insecure product, the company that produces an insecure product will get to market first, and have an advantage. This shifts the high cost of dealing with insecurities to customers, who are in a poor position to fix the products they have purchased. Thus, imposing liabilities on software producers will induce them all to take care in the creation of their software.”
    This misstates the externalities argument. Companies do not impose externalities on their customers. An externality, by definition, is a cost imposed on a THIRD PARTY. If companies create products which impose costs on their customers, the market system is fully able to incorporate those costs.
    The actual argument is that insecure products impose costs on third parties which do not affect either companies or their customers. Therefore there is no market mechanism for these costs to be incorporated into the market transaction when these products are purchased.
    The specific externalities due to insecure products will differ depending on the situation, but a typical example would be that a cracked computer can be used as a staging point to launch further attacks on other users. The fact that his computer is (somewhat) broken affects the customer and this cost is incorporated in the market; but the fact that his broken computer is imposing costs on third parties does not affect the customer (he is usually not even aware of it) and so this cost is an externality that the market does not take into consideration.
    From this analysis it is clear that the externality could be equally well addressed either by charging the external costs to the customers or to the manufacturers of the products. In either case, the costs will be incorporated into the market pricing and, neglecting transaction costs, the outcome will be the same, per Coase’s theorem.
    In practice, transaction costs may not be negligible and it will usually be more efficient to impose the costs on the side of the transaction where there are fewer actors, which will be the sellers in this case. So it generally makes more sense to charge the costs to the manufacturers of insecure products.

  • adam says:

    Good point! I think there’s actually 2 sets of costs, which I’ve let overlap: one is the externality, the other is the operational cost of insecure software.
