The Economics Of Networks And Cybersecurity Rod Beckström December 2008

The Economics Of Networks And Cybersecurity Rod Beckström Director National Cybersecurity Center December 12, 2008 ©U.S. Department of Homeland Security. Author: Rod Beckström

Economics of Networks Value of network to one user Total value of a network Security economics Security risk management Hacker economics Economics of deterrence Supply chain incentives Economics of Internet protocols (architecture) Economics of outages Economics of resiliency (correlation of losses)

Economics of Networks What is the value of a network? How much should be spent to defend it? Fundamental Questions

Economics of Networks A user can have an implicit or explicit contractual relationship with a network and perform transactions through it. The presence of a network can impact the price, value and nature of transactions. Some transactions may only be available only on that network. Definition of Relationship to Network

Economics of Networks A user can be any entity that contracts for transactions, whether an individual, company, non-profit organization, government or any other party. Definition of a User

Economics of Networks Previous models focused on the number of nodes or users (Metcalfe’s Law, Reed’s Law), or on the architecture or structure of the network. This focus was misplaced. Valuing Networks

Economics of Networks The value of a network equals the net value added to each user’s transactions conducted through that network, summed for all users. New Network Valuation Model

Economics of Networks The value of a network equals the value added to all transactions conducted on that network, valued from the standpoint of each user. New Network Valuation Model Alternative but Equivalent Description

New Network Model V = ΣB - ΣC Where: V = value of network to one user B = the benefit value of all transactions C = the cost of all transactions Value of a Network to One User

Economics of Networks First, we need to determine the value a network like the Internet adds to a single user such as you. Then, if we do the same for all users and sum it up, we have the total network value. Let’s first calculate the value of one transaction, that of purchasing a book online versus at the bookstore.

Book Purchase Example V = B - C V = $26 - $16 V = $10 You decide to buy a book online instead of at a bookstore, to save money. How much value does the network add? If it costs $26 to buy the book in a store or $16 to buy it over the Internet, including shipping, the net value is $10.

One User Example If you then tallied up all of the books and other products a user purchased over the internet, and the Benefit value of free searches, research, reading, entertainment and phone calls, less all associated costs of network usage and transactions, you then have a composite net value V to that Individual over any time period, for example, one year. The same approach can be used to value any network for that user.

Economics of Networks The benefit value is bounded with a lower and an upper limit. It should be higher than the Cost and it should be equal or less than the Cost of obtaining the product through another means, with identical quality of service. In a paired transaction like buying a book, where you deliver money and receive a book, the Benefit is assumed to be higher than the Cost. You would not pay more for a book than you value it. On the upper limit, the Benefit should not be greater than the all-in cost of purchasing an identical product or service from another provider. So if instead of buying a book online, you could pick it up from the bookstore below your office for $26 (including your time), then that is the maximum Benefit, even if you would pay $100 for it if you had to. Benefits (B) are Bounded

Economics of Networks Benefits (B) are Bounded C < B < LAC Where: C = Cost of a transaction B = the benefit value of a transactions LAC = the Lowest Alternative Cost of a transaction through another network

Economics of Networks Because the Benefits are bounded, and the value to transactions is computed for each user from their unique perspective, it is possible to sum the value to all users. In the book example, the user benefits $10. The online bookseller can still make a $1 profit, which is their net value from the transaction as well. The shipper may make 50 cents on the transactions. These net benefits gained by other parties can be summed up for the network, and there is no double counting. Benefits (B) are Bounded

Economics of Networks Costs include the cost of joining or maintaining access to a network, such as paying for Internet access charges, and all costs of doing transactions over that network, including labor time, electricity, the costs of products, and any other costs. Most costs (except time) can be fairly straight forward to track and account for. The Internet is interesting as a network, because once access is paid for, there are many services which are offered for free, such as Skype calls, Wikipedia information, search services, etc. These provides significant Benefits (B). Costs (C)

ΣV = ΣB - ΣC Where: ΣV = value to all users of a network B = the benefit value of all transactions C = the cost of all transactions Network Value is Summation of Value to All Users New Network Model

Where: ΣV i,j = value of a network j to all users V i,j = net present value of all transactions to user i with respect to network j, over any time period j = identifies one network i = one user of the network B i,k = the benefit value of transaction k to individual i C i,l = the cost of transaction l to individual i r k and r l = the discount rate of interest to the time of transaction k or l t k or t l = the elapsed time in years to transaction k or l New Network Model Beckström’s Proposed Model for Valuing Networks

The “Network Effect” This effect is much discussed but poorly defined. Generally refers to increase in value of network as size increases. Metcalfe’s Law is sometimes referred to. Using the New Network Valuation Model, the value of the network increases as more users join, bringing more transactions to the network. The more potential transactions a network has to offer, the more users will be attracted to it.

The “Network Effect” The more users are attracted, the more valuable the network becomes, and a virtuous cycle develops. Other networks stand to lose as one gains. The value is locked in, if there are no comparable networks, or there are significant barriers and costs to switching.

The “Network Effect” As the number of users doing transactions grows, the value Of a network tends to grow (unless the increase in number of users has some offsetting negative effect on the network, such as Less trust). For networks that increase in value with size: Some examples of networks that decrease in value with increase in size are support groups and exclusive clubs.

The “Network Effect” More broadly, as more users move to the Internet, it is replacing almost all other networks, because it adds Continues to add more value to most users: V Internet > V Proprietary Where: V Proprietary = Value of a proprietary network V Internet = Value of Internet network

The “Network Effect” You need to buy a flight, and can call around to airlines (phone) or use a travel search engine on the Internet. You might rank the value of services as follows: Where: V Internet = Transaction Value of Internet Network V Phone = Transaction Value of Travel Agent Service V Internet > V Phone

“ Inverse Network Effect” Some networks decrease in value when they exceed a certain size. Whether a corporate board, a support group, or an exclusive club, Some networks decrease in value as size increases, beyond some point. Sometimes less is more. Beyond their optimal size, These networks exhibit the following behavior: Why? In support groups for example, there is only so much time for each person to speak. More people, less speaking for each, plus the affinity may decrease.

Economics of Security V = B - C Basic Model Sigmas ( Σ’s) ommited but assumed henceforward.

Economics of Security Where: SI = Security Investments L = Losses C’ = C – SI – L (all costs except SI & L) Basic Model V = B - C’ - SI - L Security Model V = B - C

Economics of Security Minimize Security Costs = SI + L The Fundamental Security Risk Management Function

Loss $ Security Investment $ Economics of Security 0 Pareto Chart of Best Security Investments Against Losses (hypothetical curve)

Loss $ Security Investment $ Economics of Security 0 Different security technology investments can be ranked in order of payoff (reduced losses per dollar of investment). IP Patch IDS DLP

Loss $ Economics of Security Security Investment $ 0 Optimal Security Investment occurs where $1 of Investment reduces $1 in losses, tangential to 45 degree line.

Economics of deterrence Minimize the Hacker’s Gain Minimize V = B - C’ - SI - L For example, by seeking to reduce their Benefit or take. Increase their operating costs (making stealing more difficult). Force them to invest more in their own Security Investments (making it harder for them not to get caught). Increase their losses by improving enforcement and increasing Penalties and imprisonment, for example.

Hacker Economics NPV = B - C’ - SI - L Your Loss

Hacker Economics V = B - C’ - SI - L Your Loss Is the Hacker’s Gain V = B - C’ - SI - L

Hacker Economics V = B - C’ - SI - L Your Loss Is the Hacker’s Gain V = B - C’ - SI - L Criminal hacking for financial gain is worse than a zero sum game. It creates no value and adds great costs to the system.

Economics of deterrence Minimize V = B - C’ - SI - L Minimize the Hacker’s Gain

Supply Chain Policy Objective: reduce malicious code in products Supply Chain Economics NPV = B - C’ - SI - L Hackers Like High Benefit/Low Cost of Embedded Malcode

Supply Chain Solution NPV = ΣB - ΣC’ - ΣSI - ΣL ,[object Object],[object Object],NPV = ΣB - ΣC’ - ΣSI - ΣL 2) Punish Bad Guys Levy large fines on companies with infected products

Loss $ Economics of Protocols Better network protocols can drive Loss function down for most or all users. Security Investment $ 0

Enhance Internet Architecture IPv6, DNS-SEC, BGP-SEC, SMTP Protect Other Networks/Protocols SMS/IP, POTS … Protocol Investments

Economics of Outages If Network Shuts Down: 1) Normal operating loss goes to zero 2) Loss becomes lost V (Value of Network) V = B - C’ - SI - L Security Model L = Lost NPV

Impact of IP Outages Where: L IP,i = lost value of Internet Protocol (IP) services failing to activity i i = a category economic activity L IP,Ecommerce = Economic Loss of IP service failure to Ecommerce i = 1 n

Impact of IP Outages IP based economic activities spread… as surely as an apple falls from a tree with the power of a tsunami the value of the Internet increases many or most activities become vulnerable all activities which are IP dependent, trend towards a correlation of losses of 1.0 this is one of the greatest points of economic and security risk in the world

Economics of Networks Value of network to individuals Total value of a network Security economics Security risk management Hacker economics Economics of deterrence Supply chain incentives Economics of Internet protocols (architecture) Economics of outages Economics of resiliency (correlation of losses)

The Model Can… ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Benefits of New Model Highly granular (every transaction included) Focuses on value to each party from their standpoint Accurate Simple Network architecture independent Scales from one user to one or all networks Subsets of users can be analyzed No double counting of benefits Consistent with existing cost accounting methods (e.g. amortizing costs over time) Consistent with profit and loss accounting Can be applied as foundation model for other network, security and policy problems (deterrence, outages, etc.)

Questions About Model Is this a new universal model for network valuation? Why or why not? Does it equally apply to off-line social networks (e.g. trade associations) as on-line networks? Can it be used to value other relationships between individuals, or between creatures in nature? Should it be called an Economic Model of Relationships instead of an Economic Model of Networks?

Possible Next Steps Empirical work to estimate Benefits and Costs in various networks or for various companies, countries. New derivatives of model can be developed to examine problems such as Net Neutrality and internet service pricing policies, and issues of privacy.

Economics Of Networks And Cybersecurity Rod Beckstrom Director [email_address]

The Economics Of Networks And Cybersecurity Rod Beckström December 2008

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to The Economics Of Networks And Cybersecurity Rod Beckström December 2008

Similar to The Economics Of Networks And Cybersecurity Rod Beckström December 2008 (20)

Recently uploaded

Recently uploaded (20)

The Economics Of Networks And Cybersecurity Rod Beckström December 2008

Editor's Notes