E-Book Overview
Paper, 2007, 22 p.
This paper studies manufacturer incentives to invest in the improvement of reliability and security of a software system when (i) reliability and security failures are caused by the same errors in the development of the software components and (ii) naive users find it too costly to distinguish between these two classes of system failures. We trace the effects of these informational imperfections and discuss how the resulting supply and demand externalities affect manufacturer investments. When users cannot distinguish between reliability and security failures and investment in system security is driven by the weakest link, the standard for optimal due care then depends on manufacturer characteristics with respect to both security and reliability. In this case, imposition of a due care standard based solely on reliability or on security becomes socially suboptimal.
E-Book Content
Interdependence of Reliability and Security1 Peter Honeyman University of Michigan, Ann Arbor
Galina A. Schwartz
University of California, Berkeley Ari Van Assche HEC Montr´eal Abstract This paper studies manufacturer incentives to invest in the improvement of reliability and security of a software system when (i) reliability and security failures are caused by the same errors in the development of the software components and (ii) naive users find it too costly to distinguish between these two classes of system failures. We trace the effects of these informational imperfections and discuss how the resulting supply and demand externalities affect manufacturer investments. When users cannot distinguish between reliability and security failures and investment in system security is driven by the weakest link, the standard for optimal due care then depends on manufacturer characteristics with respect to both security and reliability. In this case, imposition of a due care standard based solely on reliability or on security becomes socially suboptimal.
JEL Codes: D82, L14, D40. Key words: computer security, computer reliability, free-riding, externalities
Updated version: March 3, 2007. We are grateful to Weston Andros Adamson, J. Bruce Fields, Niels Provos, Dug Song, and Terence P. Kelly for insights on the technical details of software production. We thank Jean Walrand, John Musaccio and Hal Varian for useful comments. 1
1
Introduction
This paper studies manufacturer incentives to invest in software system reliability and security when users are unable to distinguish between failures caused by security or reliability faults. By far, most users lack the expert knowledge required to make this distinction, and therefore find it too costly to identify (i) the manufacturer responsible for a system failure and (ii) whether a system failure is caused by a reliability failure (i.e., a non-malicious programming error) or a security failure (i.e., a malicious attack by a malevolent party). As a result, manufacturer incentives to invest in system reliability and security are socially suboptimal due to public good features on both the supply and demand side. Our paper is related to a growing literature that has considered the incentives for the provision of system reliability or system security.2 Varian (2004) approaches system reliability as a problem of public good provisioning and analyzes the ensuing free-rider problem for various functional forms. He investigates possibilities to alleviate the resulting underinvestment in system reliability through fines, due care standards, and legal liability. Anderson (2001) and Kunreuther and Heal (2003) focus on the incentives to invest in system security. Anderson (2001) and Anderson and Moore (2006) connect with principal-agent theory arguments to demonstrate that when the parties charged with protecting systems are no