As quoted in Ken Belva’s blog, Larry Gordon writes:
However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in short-run, until competing firms catch-up in terms of security) that results in increased demand for the organization’s physical product(s) and/or service(s).
While I’m sympathetic to the claim, let’s ask how an organization “can distinguish itself as having better information security than its competitors.” (In this post, I’m explicitly not speaking for or about my employer, who I think is doing a great job investing in security, e.g., by paying me.)
How can a potential customer make a decision about security? As a consumer, I might look to funny television advertising, or other forms of marketing. But marketing isn’t a good signal: it’s equally easy for a firm to invest in marketing its security effort if it does little or nothing as it is if it invests in a security development lifecycle. As an enterprise, I might consider spending a little money on a critical analysis of the software under consideration, but that’s expensive, and I might cynically believe that the results will all be on the order of “this stinks!”
Even if I could analyze security, security is likely only one of several factors that contribute to my buying choices. It’s not clear that it’s a great source of competitive advantage. For example, in their early days, eBay and PayPal invested in things other than security, and did spectacularly well on that decision.
See Ken Belva, “Dr. Gordon: Information Security can have a positive return.”
Lastly, I’ll mention the series here in 2004 on the value of signaling as a means to address information asymmetry in “Security Signaling,” “Signalling by Counting Low Hanging Fruit,” and “Ratty Signals.” There are some great comments.