The Anonymization of Losses: A Market Forces Failure

By Rich

We talk a lot about the role of anonymization on the Internet. On one hand, it’s a powerful tool for freedom of speech. On the other, it creates massive security challenges by greatly reducing attackers’ risk of apprehension.

The more time I spend in security, the more I realize that economics plays a far larger role than technology in what we do.

Anonymization, combined with internationalization, shifts the economics of online criminal activity. In the old days to rob or hurt someone you needed a degree of physical access. The postal and phone systems reduced the need for this access, but also contain rate-limiters that reduce scalability of attacks. Physical access corresponds to physical risk – particularly the risk of apprehension. A lack of sufficient international cooperation (or even consistent international laws), combined with anonymity, and the scope and speed of the Internet, skew the economics in favor of the bad guys. There is a lower risk of capture, a lower risk of prosecution, limited costs of entry, and a large (global) scope for potential operations.

Heck, with economics like that, I feel like an idiot for not being a cybercriminal.

In security circles we spend a lot of time talking about the security issues of anonymity and internationalization, but these really aren’t the problem. The real problem isn’t the anonymity of users, but the anonymity of losses.

When someone breaks into your house, you know it. When a retailer loses inventory to shrinkage, the losses are directly attributable to that part of the supply chain, and someone’s responsible. But our computer security losses aren’t so clear, and in fact are typically completely hidden from the asset owner. Banking losses due to hacking are spread throughout the system, with users rarely paying the price.

Actually, that statement is completely wrong. We all pay for this kind of fraud, but it’s hidden from us by being spread throughout the system, rather than tied to specific events. We all pay higher fees to cover these losses. Thus we don’t notice the pain, don’t cry out for change, and don’t change our practices. We don’t even pick our banks or credit cards based on security any more, since they all appear the same.

Losses are also anonymized on the corporate side. When an organization suffers a data breach, does the business unit involved suffer any losses? Do they pay for the remediation out of their departmental budget? Not in any company I’ve ever worked with – the losses are absorbed by IT/security.

Our system is constructed in a manner that completely disrupts the natural impact of market forces. Those most responsible for their assets suffer minimal or no direct pain when they experience losses. Damages are either spread through the system, or absorbed by another cost center.

Now imagine a world where we reverse this situation. Where consumers are responsible for the financial losses associated with illicit activity in their accounts. Where business unit managers have to pay for remediation efforts when they are hacked. I guarantee that behavior would quickly change.

The economics of security fail because the losses are invisibly transferred away from those with the most responsibility. They don’t suffer the pain of losses, but they do suffer the pain/inconvenience of security. On top of that, many of the losses are nearly impossible to measure, even if you detect them (non-regulated data loss). No wonder they don’t like us.

Security professionals ask me all the time when users will “get it”, and management will “pay attention”. We don’t have a hope of things changing until those in charge of the purse strings start suffering the pain associated with security failures.

It’s just simple economics.


What if corporate security staff seized hacked computers to perform forensics, just like law enforcement?  You never know if the BIOS got hacked or something.

Security staff, of course, would need a long time to examine the first few computers seized under this policy.  If word got around that seized computers are out of action for several weeks or months ...

And restoring from backups to a new computer might be delayed until enough forensics work was done to know when the system was compromised.

The costs of security problems would definitely be felt by the end user and department!

This would require iron-willed support by top management.

Has anybody tried this outside of law enforcement?

By Rex

Not unlike the risk that grocery stores now take with credit cards. Charges less than $25 you don’t even need to sign for. It’s cheaper for the store or credit card company to absorb the loss on the occasional small bag of groceries bought with a stolen card than it is to slow everybody down at the register so they can sign the slip.

Or, on a non-financial note. It’s easier/cheaper for you to have a cat or two and a shoe to kill the occasional scorpion that sneaks into your house than it is to invest in whatever technology it would take to keep them away. Or, in my case, while I am constantly searching for where mice access the house, I keep mousetraps set in “key” locations to catch the ones that do come in. I’m sure that with enough time & money I could prevent all mice from entering the house, but it’s just not worth it. Killing them when they go searching for food is easier.

Now, if only somebody could make writing checks at the grocery store illegal…

By Rob
