Economics of Malware: Security Decisions, Incentives and Externalities
Total Page:16
File Type:pdf, Size:1020Kb
OECD Science, Technology and Industry Working Papers 2008/01 Economics of Malware: Michel J. G. van Eeten, Security Decisions, Johannes M. Bauer Incentives and Externalities https://dx.doi.org/10.1787/241440230621 Unclassified DSTI/DOC(2008)1 Organisation de Coopération et de Développement Économiques Organisation for Economic Co-operation and Development 29-May-2008 ___________________________________________________________________________________________ _____________ English - Or. English DIRECTORATE FOR SCIENCE, TECHNOLOGY AND INDUSTRY Unclassified DSTI/DOC(2008)1 ECONOMICS OF MALWARE: SECURITY DECISIONS, INCENTIVES AND EXTERNALITIES STI WORKING PAPER 2008/1 Information and Communication Technologies Michel J.G. van Eeten and Johannes M. Bauer English - Or. English JT03246705 Document complet disponible sur OLIS dans son format d'origine Complete document available on OLIS in its original format DSTI/DOC(2008)1 STI Working Paper Series The Working Paper series of the OECD Directorate for Science, Technology and Industry is designed to make available to a wider readership selected studies prepared by staff in the Directorate or by outside consultants working on OECD projects. The papers included in the series cover a broad range of issues, of both a technical and policy-analytical nature, in the areas of work of the DSTI. The Working Papers are generally available only in their original language – English or French – with a summary in the other. Comments on the papers are invited, and should be sent to the Directorate for Science, Technology and Industry, OECD, 2 rue André-Pascal, 75775 Paris Cedex 16, France. The opinions expressed in these papers are the sole responsibility of the author(s) and do not necessarily reflect those of the OECD or of the governments of its member countries. http://www.oecd.org/sti/working-papers © Copyright OECD/OCDE, 2008. 2 DSTI/DOC(2008)1 ECONOMICS OF MALWARE: SECURITY DECISIONS, INCENTIVES AND EXTERNALITIES Michel J.G. van Eeten1 and Johannes M. Bauer2 with contributions from Mark de Bruijne, Tithi Chattopadhyay, Wolter Lemstra, John Groenewegen, and Yuehua Wu ABSTRACT Malicious software, or malware for short, has become a critical security threat to all who rely on the Internet for their daily business, whether they are large organisations or home users. While originating in criminal behaviour, the magnitude and impact of the malware threat are also influenced by the decisions and behaviour of legitimate market players such as Internet Service Providers (ISPs), software vendors, e- commerce companies, hardware manufacturers, registrars and, last but not least, end users. This working paper reports on qualitative empirical research into the incentives of market players when dealing with malware. The results indicate a number of market-based incentive mechanisms that contribute to enhanced security but also other instances in which decentralised actions may lead to sub-optimal outcomes - i.e. where significant externalities emerge. 1 . Faculty of Technology, Policy and Management, Delft University of Technology - [email protected]. 2 . Quello Center for Telecommunication Management & Law, Michigan State University - [email protected]. 3 DSTI/DOC(2008)1 ECONOMIE DU “MALWARE”: DECISIONS DE SECURITE, INCITATIONS ET EXTERNALITES Michel J.G. van Eeten3 et Johannes M. Bauer4 avec les contributions de Mark de Bruijne, Tithi Chattopadhyay, Wolter Lemstra, John Groenewegen, et Yuehua Wu. RÉSUMÉ Les logiciels malveillants, ou ―malware‖, sont devenus une menace sérieuse pour tout ceux dont les activités quotidiennes reposent sur l‘utilisation d‘Internet, qu‘il s‘agisse de grandes organisations ou de particuliers. Bien qu‘elle trouve sa source dans un comportement criminel, l‘étendue et les conséquences de cette menace sont également influencées par les décisions et les comportements d‘acteurs légitimes du marché tels que les fournisseurs d‘accès Internet, vendeurs de logiciels, entreprises de commerce électronique, fabricants de matériel informatique et registres, sans oublier les utilisateurs finals. Ce document reflète le contenu d‘une recherche qualitative et empirique concernant les incitations des acteurs du marché lorsqu‘ils sont confrontés au malware. Les résultats indiquent qu‘il existe des incitations fondées sur le marché qui contribuent à augmenter la sécurité mais également des cas dans lesquels des actions décentralisées peuvent conduire à des résultats sous-optimaux, i.e. où des externalités significatives émergent. 3 . Faculty of Technology, Policy and Management, Delft University of Technology - [email protected]. 4 . Quello Center for Telecommunication Management & Law, Michigan State University - [email protected]. 4 DSTI/DOC(2008)1 TABLE OF CONTENTS EXECUTIVE SUMMARY ............................................................................................................................ 6 ACKNOWLEDGEMENTS ............................................................................................................................ 9 I. INTRODUCTION...................................................................................................................................... 10 Economics of information security and the OECD Guidelines ................................................................. 11 Report outline ............................................................................................................................................ 13 II. AN ECONOMIC PERSPECTIVE ON MALWARE ............................................................................... 15 Cybercrime and information security ........................................................................................................ 16 Incentives and economic decisions ............................................................................................................ 19 Externalities ............................................................................................................................................... 20 Origins of externalities in networked computer environments .................................................................. 21 Externalities in a dynamic framework ....................................................................................................... 23 Research design ......................................................................................................................................... 24 III. SECURITY DECISIONS AND INCENTIVES FOR MARKET PLAYERS ........................................ 26 Internet service providers ........................................................................................................................... 26 E-commerce companies ............................................................................................................................. 34 Software vendors ....................................................................................................................................... 38 Registrars ................................................................................................................................................... 46 End users .................................................................................................................................................... 51 IV. INCENTIVES AND EXTERNALITIES RELATED TO MALWARE ................................................. 56 Externalities related to malware ................................................................................................................. 56 Distributional and efficiency effects .......................................................................................................... 59 The costs of malware ................................................................................................................................. 60 REFERENCES .............................................................................................................................................. 62 APPENDIX: LIST OF INTERVIEWEES .................................................................................................... 67 5 DSTI/DOC(2008)1 EXECUTIVE SUMMARY Malicious software, or malware for short, has become a critical security threat to all who rely on the Internet for their daily business, whether they are large organisations or home users. While initially a nuisance more than a threat, viruses, worms and the many other variants of malware have developed into a sophisticated set of tools for criminal activity. Computers around the world, some estimate as many as one in five, are infected with malware, often unknown to the owner of the machine. Many of these infected machines are connected through so-called botnets: networks of computers that operate collectively to provide a platform for criminal purposes. These activities include, but are not limited to, the distribution of spam (the bulk of spam now originates from botnets), hosting fake websites designed to trick visitors into revealing confidential information, attacking and bringing down websites, enabling so-called ‗click fraud,‘ among many other forms of often profit-driven criminal uses. There are also reports that indicate terrorist uses of malware and botnets. This report, however, focuses primarily on malware as an economic threat. While originating in criminal behaviour, the magnitude and impact of the malware threat is also influenced by the decisions and behaviour of legitimate