The World

[as I find it]

Thoughts on the Economics of Security Systems

Since I was on four different flights out of three different airports recently, I had occasion to do some thinking about the costs and benefits of security systems. I realized that most people take off their shoes without even being asked anymore, or considering whether it’s necessary — despite the fact that they’re the ones paying for, and supposedly benefiting from, that system. Each new threat causes some kind of increase in the cost of maintaining airport security (we didn’t always have to take our shoes off, or pay someone to x-ray them), and the cost of security against the old threats never goes away. Isn’t there a breaking point, then, where the rising cost of the security system comes to outweigh the benefit of having it? And if so, isn’t that a general problem for security systems, not just airport security systems in particular?

Assumptions

There are a few assumptions I will make about security systems. They are:

  1. Security systems attempt to protect a valuable resource.
  2. Security systems are never perfect: they are always vulnerable to being circumvented by a sufficiently determined attacker.
  3. Security systems must stay up-to-date to be successful. Their maintainers must anticipate and fix vulnerabilities in order to avoid having the system exploited.
  4. Fixing vulnerabilities always requires time, energy or money, or has some other cost.

Not all security systems meet these assumptions, but many do. It wouldn’t normally make much sense to build a security system to protect something that doesn’t need protecting (assumption 1), and it’s pretty much always possible to circumvent a system with brute force (assumption 2) if you have enough of it (think nuclear bombs or quantum computers). As time goes on, attackers will acquire new technologies and more information about your system, so the system needs to be maintained to stay ahead of them (assumption 3); this is why it’s important, for example, to keep anti-virus software updated. Finally, you can’t fix anything without taking some time to figure out what’s wrong, and usually you need to expend some effort to install the fix. Security systems are no different from your car or computer in this respect (assumption 4).

I believe these assumptions describe a very general class of realistic security systems, from airport scanners to computer software to bank vaults. These systems are prominent in our daily lives; we invest in them to protect our valuables, and we deal with the inconvenience of using them because we think the alternative — little or no security — is far worse. Should we accept this conclusion? Is our continued public and private investment in security worth the investment?

The Golden Apples Point

According to Greek mythology, the golden apples in the garden of Hesperides were a wedding gift from Gaia to Hera when she married Zeus. They are protected in the garden by a never-sleeping, hundred-headed dragon, Ladon. Now, to be sure, the apples are fairly valuable and worth protecting: they give whoever eats them immortality, they’re golden, and they obviously must have some sentimental value. But are they so valuable that it’s worth constantly feeding a dragon whose metabolism must sustain one hundred heads without sleep? Hera is a goddess, so immortality isn’t really an issue for her; she’s married to Zeus, the king of the gods, who can probably get gold for his wife whenever she wants it; and the sentimentality of wedding gifts, while not to be overestimated, can generally be assumed to fade with time. I don’t know what dragons eat, but I imagine that a hundred portions of whatever it is can’t be cheap. So, for Hera, protecting the apples with Ladon is something like protecting the blender you got from your Aunt Sally with a team of Rottweilers: it won’t make sense for very long.

The point, of course, is that a security system becomes ridiculous when the cost of maintaining it exceeds the value of whatever it’s protecting. It is reasonable to consider that when this happens, the security system has failed. The purpose of the system is to protect against the loss of value that could occur if the resource is stolen, damaged, destroyed, or otherwise depreciated by exposure to attackers. If that value is lost through spending on the security system, instead of by an attack on the resource, it’s still lost. At the point at which this occurs — the point at which the cost of feeding the Rottweilers exceeds the cost of a new blender — the security system has failed to fulfill its purpose. In the interests of having a catchy title, I’m calling this the “Golden Apples Point.”

Given the assumptions I outlined above, it follows that the cost of any security system they describe will only ever rise. To successfully protect a resource, the system must be maintained; and maintenance has a non-recoverable cost. As time passes, the total cost of the system will bring it closer and closer to the Golden Apples Point. Unless the protected resource appreciates in value at a faster rate than the cost of the security system, the Golden Apples Point will eventually be reached: the system will have failed. (In some cases, such as with stock certificates appreciating in a bank vault, it might be possible for the resource to appreciate fast enough to stave off the Golden Apples failure, but such cases are probably rare and won’t last indefinitely.)

If the assumptions I have made are right, then reaching the Golden Apples Point is a near-inevitability for most garden variety security systems; it’s just a question of how long it will take to get there. It’s therefore prudent to ask whether it’s ever reasonable to build such a security system, and if so, under what conditions.

Time Restrictions

One possible response to this problem is to implement a security system with the expectation that it will no longer be needed by the time the Golden Apples Point is reached; once it’s no longer needed, it doesn’t need to be maintained, so the cost will stop rising. This solution will work in a situation where the protected resource depreciates in value relatively quickly (and predictably), so that it’s possible to estimate how long it needs to be protected.

This is essentially the bet that media companies are making with DRM (“digital restrictions management”), the technology used to prevent users from playing iTunes Store songs on anything other than an iPod and the like. The digital encryption that prevents users from copying the media from one device to another, playing the media on multiple devices, and so forth, can always be broken, but if it’s not broken before the sales for the “protected” product drop to unprofitable levels, the security does what it’s intended to do: prevent people from sharing, thereby forcing anyone who wants access to the media content to buy their own copy.

Implementing a security system with a time restriction will only work in a small number of cases, though. There is no easily-computed time in the future when you can say, “Well, I think we’ve had this bank vault sealed off long enough. No need to maintain that system anymore.” The point of most security systems is to be a haven from uncertainty: no one knows at which point in the future the protected resource will be safe from attack; usually, we only build a security system when we have a reasonable expectation that there is no such point.

Time-restricted security systems are thus something of an anomaly, which makes me wonder if it is ever in anyone’s interest to endure them. If I expect that something is going to significantly depreciate in value, why should I spend my time, energy, and peace-of-mind to comply with a system for securing it? Even if I decide to do so, is my decision rational? After all, what it amounts to is a decision that having access to this thing is not really valuable, since I can get that later for a much-reduced cost, but having access to it right now is valuable. If it’s the immediacy that matters, then that’s what I should pay for, just as I pay for fresh food when I can get spoiled food for free. I wouldn’t happily endure a system in which I was told what I was paying for was not the freshness of the food but the privilege of not sharing it with my neighbors or doing whatever else I wanted to do with it; why should I endure DRM?

Separating Domains

A second type of response to the Golden Apples problem is to separate the cost of building and maintaining a security system from the (still finite) value of the resource it protects. In corporate boardrooms, this practice is euphemistically known as “externalizing the cost.” This is not so much a response in the sense that it solves the problem; rather, it is a means of avoiding the problem by making it someone else’s concern. A security system fails when it reaches the Golden Apples point precisely because, at that point, the cost of the system to the person paying for its maintenance outweighs the value that same person assigns to the protected resource. If the person who values the resource isn’t the person paying for its protection, she may not care how much the security system costs. Hera probably isn’t feeding Ladon herself, after all.

When it is possible to separate the cost of security from the value of the protection it affords, the security system will be considered successful for an indefinitely long period. Of course, this sort of circumstance, fortunate though it may be for the person who values the resource, is somewhat rare. Banks don’t give away safe deposit boxes for free, anti-virus software companies charge for subscriptions to new virus definitions, and even very friendly neighbors don’t buy burglar alarms for others’ houses. Philanthropy in the security business, I presume, is extremely rare.

There is one kind of situation in which the cost of security is regularly covered by people who would seem to have very little interest in what’s being secured: the kind that is paid for by taxpayers. (Actually, the phenomenon is more general: any group which covers the cost of a system that may not actually have value for any particular member, but which has value for some indeterminate subgroup of them, will fit the bill. Insurance pools are one example.) By convincing this group to finance security systems which protect the vague resource of “national security,” the bearers and executors of those systems externalize their costs to people who are often too scared or too disorganized to protest.

This doesn’t exactly amount to philanthropy, but it does largely separate the people who have an interest in or place a value on the protected resource. (How many Vermonters are worried about terrorist attacks? How many Minnesotans care whether or not the CIA’s secrets are kept secure?) According to at least one poll, more than half the people in the United States don’t fly at all in a given year, and 81% of those who do fly take fewer than 5 flights. Meanwhile, the 7% or so of flyers who take more than 10 flights in a year take an average of over 22 flights.

The Transportation Security Administration spent $5,719,000,000 (see page 14) in 2005. The fact that taxpayers continue to pay this bill, despite the fact that nearly two thirds of us don’t fly at all, and most of us that do fly don’t do it very often, is sound evidence that the U.S. government has succeeded in implementing this response to the Golden Apples problem. But again, this response is hardly a solution: the cost of screening for old threats in airports (shoes, Gatorade) isn’t going to go away, but the cost of screening for new threats will rise with the appearance of every new idea about how to breach airport security — and you can probably come up with a few ideas yourself. So, unless you’re among that small minority taking more than 22 flights per year, ask yourself: at what point will your generosity run out? And why, exactly, was it rational for you to be so generous in the first place?

By the way, if you’re feeling like voicing your concerns about this issue, I’ve just learned that the TSA has set up a blog! I’m sure they will be most interested to learn what you have to say.

Conclusion

The only conditions under which a security system can avoid the Golden Apples point are those in which the resource it protects has infinite value, or is at least appreciating in value more quickly than the cost of securing it. This almost never happens. The next best thing is not to care if your security system is headed toward that point, either because you know the system will stop being useful long before it gets there, or because someone else is paying for it. Again, I suggest that these cases are rare, and it’s at the very least questionable whether it makes sense for the people who are on the receiving end of such systems (as consumers, as travelers, as taxpayers) to put up with their existence.

That leaves the vast majority of security systems unaccounted for. Ultimately, these systems are built because they’re worth it to someone, even if only because that person hasn’t thought about the Golden Apples point, or has justified the expense to himself in some other way. For my part, I’d love to hear those justifications. I bet there’s a bug in every one of them.

Advertisements

Written by whereofwecannotspeak

February 2, 2008 at 11:03 pm

Posted in Free Software, Ideas

%d bloggers like this: