Bad security wins out?


Excerpts from

(Bruce Schneier)---Why are there so many bad security products out
there? Why do mediocre security products beat the good ones in the

Economist George Akerlof wrote a paper called The Market for Lemons,
which established asymmetrical information theory. He won a Nobel
Prize for his work, which looks at markets where the seller knows a
lot more about the product than the buyer.  

Akerlof illustrated his ideas with a used car market. A used car
market includes both good cars and lousy ones (lemons). The seller
knows which is which, but the buyer can't tell the difference, at
least until he's made his purchase. What ends up happening is that the
buyer bases his purchase price on the value of a used car of average

This means that the best cars don't get sold - their prices are too
high. Which means that the owners of these best cars don't put their
cars on the market. And then this starts spiraling. The removal of the
good cars from the market reduces the average price buyers are willing
to pay, and then the very good cars no longer sell, and disappear from
the market. And then the good cars, and so on until only the lemons
are left.  

In a market where the seller has more information about the product
than the buyer, bad products can drive the good ones out of the

The computer security market has a lot of the same characteristics as
Akerlof's lemons market. Good security design takes time, and
necessarily means limiting functionality. Good security testing takes
even more time. This means the less-secure product will be cheaper,
sooner to market, and have more features.

I see this kind of thing happening over and over in computer security.
In the late 1980s, there were more than a hundred competing firewall
products. The few that "won" weren't the most secure firewalls - they
were the ones that were easy to set up, easy to use, and didn't annoy
users too much. Because buyers couldn't base their buying decision on
the relative security merits, they based them on these other criteria.

Security testing is both expensive and slow, and it just isn't
possible for an independent lab to test everything. A complex software
product is very hard to test well. And, of course, by the time you
have tested it, the vendor has a new version on the market.  

How do you solve this? You need what economists call a "signal," a way
for buyers to tell the difference. Warranties are a common signal. In
reality, we have to rely on a variety of mediocre signals to
differentiate the good security products from the bad. Reputation is a
common signal - we choose security products based on the reputation of
the company selling them, the reputation of some security wizard
associated with them, magazine reviews, recommendations from
colleagues, or general buzz in the media.  

All these signals have their problems. With so many mediocre security
products on the market, and the difficulty of coming up with a strong
quality signal, vendors don't have strong incentives to invest in
developing good products. And the vendors that do tend to die a quiet
and lonely death.


The only reason some people get lost in thought is because it's unfamiliar

...Paul Fix
