Economics of Malware
Full Title of Reference
Economics of Malware: Security Decisions, Incentives and Externalities
Michel J. G. van Eeten and Johannes M. Bauer, Economics of Malware: Security Decisions, Incentives and Externalities, (2008). Report for the Organisation for Economic Co-operation and Development (OECD). Web
Malicious software, or malware for short, has become a critical security threat to all who rely on the Internet for their daily business, whether they are large organisations or home users. While initially a nuisance more than a threat, viruses, worms and the many other variants of malware have developed into a sophisticated set of tools for criminal activity. Computers around the world, some estimate as many as one in five, are infected with malware, often unknown to the owner of the machine. Many of these infected machines are connected through so-called botnets: networks of computers that operate collectively to provide a platform for criminal purposes. These activities include, but are not limited to, the distribution of spam (the bulk of spam now originates from botnets), hosting fake websites designed to trick visitors into revealing confidential information, attacking and bringing down websites, enabling so-called "click fraud," among many other forms of often profit-driven criminal uses. There are also reports that indicate terrorist uses of malware and botnets. This report, however, focuses primarily on malware as an economic threat.
While originating in criminal behaviour, the magnitude and impact of the malware threat is also influenced by the decisions and behaviour of legitimate market players such as Internet Service Providers (ISPs), software vendors, e-commerce companies, hardware manufacturers, registrars and, last but not least, end users. All of these market players are confronted with malware, but in very different ways. Most importantly, they face different costs and benefits when deciding how to respond to malware. In other words, they operate under different incentives.
As security comes at a cost, tolerating some level of insecurity is economically rational. From an economic perspective, the key question is whether the costs and benefits perceived by market players are aligned with social costs and benefits of an activity. In certain situations, the security decisions of a market player regarding malware may be rational for that player, given the costs and benefits it perceives, but its course of action may impose costs on other market players or on society at large. These costs are typically not taken into account by the market player making the initial decision, causing an "externality." Externalities are forms of market failure that lead to sub-optimal outcomes if left unaddressed. In the presence of externalities, Internet-based services may be less secure than is socially desirable. This study has primarily an empirical and analytical focus and intends to document these effects. Whereas new policies may be required to address these problems, developing recommendations for such policies is outside the scope of this report.
We set out to identify externalities by analysing the incentives under which a variety of market players operate when dealing with malware. The core of the report is made up of a detailed discussion of the outcomes of a qualitative empirical field study. In the course of 2007, we conducted 41 in-depth interviews with 57 professionals from organisations participating in networked computer environments that are confronted with malware. Based on this unique data, we identified the key incentives of ISPs, e-commerce companies (with a focus on financial service providers), software vendors, registrars and end users.
The results indicate a number of market-based incentive mechanisms that contribute to enhanced security but also other instances in which decentralized actions may lead to sub-optimal outcomes – i.e. where significant externalities emerge. A pressing question is whether the response to malware of actors in information and communication markets is adequate or whether improvements are possible. Pointing to a variety of reports that show increases in malicious attack trends, one might conclude that markets are not responding adequately. Our analysis revealed a more nuanced picture.
Across the value net of the different market players, three relevant situations emerge:
i) No externalities. This concerns instances in which a market player, be it an individual user or an organisation, correctly assesses security risks, bears all the costs of protecting against security threats (including those associated with these risks) and adopts appropriate counter measures. Private and social costs and benefits of security decisions are aligned. There may still be significant damage caused by malware, but this damage is borne by the market player itself. This situation would be economically efficient but, due to the high degree of interdependency in the Internet, it is relatively rare.
ii) Externalities that are borne by agents in the value net that can manage them. This concerns instances in which a market player assesses the security risks based on the available information but, due to the existence of (positive or negative) externalities, the resulting decision deviates from the social optimum. Such deviations may be based on lack of incentives to take costs imposed on others into account, but it can also result from a lack of skills to cope with security risks, or financial constraints faced by an individual or organisation. As long as somebody in the value net internalises these costs and this agent is in a position to influence these costs – i.e. it can influence the security tradeoffs of the agents generating the externality – then the security level achieved by the whole value net will deviate less from a social optimum than without such internalisation. This scenario depicts a relatively frequent case and numerous examples were found that confirm externalities were being internalised by other market players.
iii) Externalities that are borne by agents who cannot manage them or by society at large. An individual unit may correctly assess the security risks given its perceived incentives but, due to the existence of externalities, this decision deviates from the social optimum. Alternatively, an individual unit may not fully understand the externalities it generates for other actors. Unlike in scenario two, no other agents in the information and communication value net absorb the cost or, if they do, they are not in a position to influence these costs – i.e. influence the security tradeoffs of the agents generating the externality. Hence, costs are generated for the whole sector and society at large. These are the costs of illegal activity or crime associated with malware, the costs of restitution of crime victims, the costs of e-commerce companies buying security services to fight off botnet attacks, the cost of law enforcement associated with these activities, and so forth. Furthermore, they may take on the more indirect form of slower growth of e-commerce and other activities. Slower growth may entail a significant opportunity cost for society at large if the delayed activities would have contributed to economic efficiency gains and accelerated growth. A comprehensive assessment of these additional costs will demand a concerted effort but will be necessary to determine the optimal level of action to fight malware.
Although the research reported in this report was not designed to develop specific policy recommendations, some general concluding remarks are offered. We found many feedback loops which mitigate the externalities arising from security-reducing behaviour. All market players we studied experience such feedback, which potentially better aligns their decisions with the social optimum. We also noted, however, that in many cases these feedback loops are too weak or localised to effectively change the security tradeoffs from which the externalities emerge. In terms of policy development, a key strategy would be to strengthen the existing feedback loops and create new ones where possible. That would also keep public policy out of the realm of having to decide how secure is secure enough when it comes to defending against malware.
Additional Notes and Highlights
* Outline key points of interest