Secure Coding mailing list archives

Economics of Software Vulnerabilities


From: ed.reed at aesec.com (Ed Reed)
Date: Tue, 20 Mar 2007 10:54:09 -0400

Steven M. Christey wrote:
On Mon, 19 Mar 2007, Crispin Cowan wrote:

Since many users are economically motivated, this may explain why users
don't care much about security :)

But... but... but...

I understand the sentiment, but there's something missing in it.  Namely,
that the costs related to security are not really quantifiable yet, so
consumers are not working with the best information.  Then there's simple
lack of understanding, such as that exemplified by an individual consumer -
their computer gets really bogged down and slow, and they don't know
what's happening, so they go buy a new computer, when it was "just" a ton
of spyware from surfing habits that they didn't know were unsafe, or they
were running some zombie that was sucking up all their bandwidth for warez
distribution.

That's the sort of economic inefficiencies that I'm talking about -
unfortunately, economic forces operate on scales of decades and
centuries, not months.  While we're still in this phase of rapid
expansion of Information Technology growth software moves too fast for
regulations and sluggish consumer reaction to force changes on suppliers.
Eventually I think they'll get fed up and there'll be a consumer uprising.

Why do you think it will be an uprising? Why not a gradual shift where the
vendors just get better, exactly as fast as the users need them to?

I really really wish for an uprising, but unfortunately I'm not too
optimistic right now.  Off the top of my head, I can't think of any
consumer uprisings in other industries, although the US' recent decline in
fuel-inefficient vehicles is sort of close.  Didn't some large
brick-and-mortar companies heavily criticize the software industry a
couple years ago?  I don't know how that played out.

Not all of these are consumer uprisings - some are, some aren't - but I
think they're all examples of the kinds of economic adjustments that
occur in "mature" markets.

    * Rise and Fall of unions (the triumph of worker safety and rights
      over egregious industrial working conditions, and the subsequent
      triumph of increased productivity over lethargic labor
      responsiveness to international competitive pressures)

    * "Unsafe at any speed" (the triumph of consumer safety over
      industrial laziness)

    * Underwriters Laboratories (the triumph of the fire insurance
      industry over shoddy electrical manufacturers)

    * Alternating Current power distribution (still waiting for
      consensus on 110v/220v disagreement)

    * The Rise and Fall and Rise of AT&T (industry consolidation,
      followed by forced divestiture, followed by reconsolidation)

    * demise of IBM PS/2 (the triumph of commoditization over monopoly
      control)

    * VHS (vs BetaMax - the triumph of content over technology)

Note that only the last two of these occurred "quickly" - within a
decade or so of the change that set the stage for them, and they might
both be better characterized as featurism competition.

But you get my point - Auto safety wasn't an issue in the 1st half
century of the industry, it took unions a couple of centuries to gain
strength in the face of the industrial revolution (and another half
century to squander their good will), and it took decades for the fire
insurance industry to develop and respond to the new dangers introduced
by poor electrical wiring.

Software and computer technology are having similar kinds of sweeping
productivity gains (though it took 40 years or longer for the effect to
gain enough momentum to be really measurable).  And we have already seen
the costs of shoddy product borne mainly by the end consumers, rather
than by the producers.  I'm just saying that over the long run, that
imbalance will shift and even out - I just hope to live to see it,
whether it happens before I retire, or not.

Ed (whose beard IS gray and who DOES mutter to himself that you can't
add security to a system if it's not secure to begin with)


- Steve



