I spend a lot of time thinking about how to use economics to create safer, more secure systems. That’s what’s been driving my forays into seeing if how economists deal with grey markets might work in infosec, what we as system designers can learn from game theory, how to connect secure networks using graph theory (haha), why I submitted a paper to WEIS, and why, now, I’ve gone back to school (again) to study economics in more depth. I’m taking microeconomic theory now. It’s just like micro the last two times around, with less folksy examples and more calculus.

So. What I want to talk to you about is a little idea I had regarding inferior goods as they may relate to a firm’s level of maturity, and how that might be interesting both on its own, and if we had the concept of a CPI (consumer price index) for security. Let’s call this @selenakyle’s Security CPI, in case anyone wants to adopt this idea in the pantheon of the Hutton Security Mendoza line or Corman’s HD Moore’s law.


Some background.

What’s an inferior good?

The simple answer is: an inferior good is one where, when consumer income rises, their demand for the good decreases. (Period. “Inferior goods” as a concept is totally distinct from information asymmetry and conversations about lemon markets.)

More detail on inferior goods:

spare a util, brother?

Utility curves: Preferences between Good A & Good B, at different levels of investment (U1, U2, U3). Thanks investopedia!

Start with the assumption that consumers seek to maximize their utility given a fixed budget, i.e. they have an income, and they spend it in a way to get the most for their money, given their individual preferences. When consumers experience an increase in income, they will consume *more* of most goods (due to rational utility maximization and non-satiation) but will purchase fewer “inferior” goods – potentially because they can afford better.

A classic example is potatoes within a food budget; when income goes up many consumers will purchase fewer potatoes…and more meat, or higher-end food items. So, the effect of a change in prices may also depend on the mix of normal vs inferior goods in the bundle. An example – when prices go up and income stays flat, a consumer may change their mix to include more inferior goods. Or another example – when prices are flat and income goes up, a consumer may shift their mix to include fewer inferior goods. In any case, the consumer will shift their consumption to maximize their utility, and adjust to new prices or income levels.

The key here is what happens as income rises: does the mix of products in the bundle consumed change (preferences shift) or is it just *more* of the products (same preferences)?

Why might this be interesting related to security maturity models?

One of the top questions I get re: both risk and infosec is, “what is your advice for SMBs & sole props?” and the answer is I don’t have a great answer. My preferred approach when starting small or starting from scratch is to follow a maturity model of some kind. So in my head I see that the size of a company, or their level in a maturity model, is akin to income level for consumers. And so I see two options.

  • Either smaller orgs, which for the most part will have smaller budgets (in general and also to dedicate to risk) need to do the EXACT SAME THING as larger organizations, but just at a smaller scale (meaning, same preference mix to maximize utility, just at a lower curve), or
  • Perhaps smaller orgs actually have different needs, in which case their needs (preferences) will change as they evolve through the maturity model.
Helloooo maturity model.

CMMI to ISO17799 (thanks ISACA)

Now, I am able to abstract the concepts of “budgets” and “investment” fairly easily, so when we’re talking about budget (or investment), keep in mind that the construct of a security strategy (or architecture) represents choices, and therefore preferences – whether the investment is in dollars, or servers, or the time of a security engineer. But writing all of that down is fairly complicated, so *actual* products purchased and *actual* dollars spent work in a pinch here. Let’s keep strategy as an articulation of preferences in our back pocket for a while; it might come in handy someday.

Also, here’s a good point to note that “utility” doesn’t necessarily mean that the combination of products works out for the consumer. Utility is a concept of preferences, and we give the consumer the benefit of the doubt that they bought the right mix of items (i.e. the items they decided to purchase). Potatoes, from the example above, might not deliver the nutritional *value* of beef (Or kale. Or pop-tarts, for that matter…did you know pop-tarts are fortified?). But if the consumer decided to buy potatoes as part of their budget, they *must* have been utility maximizing. So…understanding what firms consume as far as security products lets us understand their preferences, full stop. And we are off the hook for evaluating whether the combination consumed provided an effective level of security – that’s a different discussion. A worthy one, but a different one.

If we were able to build out an understanding of what the inferior goods are, and at what level in a maturity model they drop out (or are replaced by something that only makes sense to incorporate at a certain level of maturity), I feel like we get to a point where we can answer one of the other popular questions I get a lot, which is: “How much investment in security is enough?”. We need to be able to answer that question someday. Because “it’s never enough” is only a good answer if you’re in a James Bond movie. BTW, when you ask what the inferior goods are, the first item that pops out of most folks’ brains is Anti-Virus. Not that it was a formal poll, but AV is one of the products that we clearly differentiate between consumer and enterprise.

So this brings me to the Security CPI.

What’s the CPI?

The CPI (Consumer Price Index) is an index based on a bundle of goods commonly purchased by consumers, and the US Bureau of Labor Statistics tracks the index and changes in the product prices over time. It’s mostly relevant if you’ve ever been interested in inflation, as the CPI is used by the Bureau to understand changes in the purchasing power of the dollar, relative to households and their incomes.

Just like your security indexes, it’s not perfect – it doesn’t describe everyone’s purchasing patterns…it describes the spending patterns of a subset of Americans, specifically urban consumers/wage earners, and clerical workers. Also, it doesn’t take all consumer purchases into consideration…it’s based on a (large) bundle of items selected by the Bureau. They make changes to it over time, but it’s got a lot of food items (milk, potatoes, meat for example) and not a lot of consumer electronics (laptops, smart phones, for example). Ask an economist to criticize it, and they will probably explain that while income statistics (like price levels) may give us insight into how spending patterns change, they are ineffective in measuring the consumer utility achieved.

But what is interesting about it is that it gives us a baseline of how households are spending, across a large mix of products that are commonly purchased.

So…a Security CPI?

It feels like understanding how companies are investing in security might give us some useful information from which to at least start seeing, at a more macro level, decisions and preferences. What would be in the security consumer basket? Understanding vulnerabilities and threats and attacks (oh my!) yields a ton of great data, but it’s a roundabout way of figuring out what companies’ security strategies are. Which is kind of a prerequisite to understanding which strategies are effective. And we don’t actually need the specifics of budget/spend to do this; we can use maturity level as a proxy for income/investment (as described a bit above), and focus instead on how preferences change as maturity level rises.
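To make the two ideas above concrete (inferior goods that drop out of the basket as maturity rises, and a fixed-basket price index like the CPI), here is an added toy Security CPI that is not part of the original post. The goods, maturity tiers, quantities and prices are all constructed assumptions standing in for survey data, with maturity tier playing the role of consumer income.

```python
"""Toy Security CPI: a fixed basket of security goods priced over time, with
maturity tier standing in for income. All goods, quantities and prices are
constructed for illustration, not survey data."""

# Maturity tiers ordered low -> high; they stand in for income levels.
TIERS = ("ad_hoc", "defined", "optimized")
# Constructed quantities consumed per tier (think: per 100 endpoints).
CONSUMPTION = {
    "consumer_av":   {"ad_hoc": 100, "defined": 40, "optimized": 0},
    "edr_agent":     {"ad_hoc": 0,   "defined": 60, "optimized": 100},
    "pentest_hours": {"ad_hoc": 8,   "defined": 40, "optimized": 120},
    "spreadsheet_asset_inventory": {"ad_hoc": 1, "defined": 1, "optimized": 0},
    "siem_license":  {"ad_hoc": 0,   "defined": 1,  "optimized": 1},
}
# Constructed unit prices in a base period and a later period.
PRICES_BASE = {"consumer_av": 30, "edr_agent": 80, "pentest_hours": 200,
               "spreadsheet_asset_inventory": 0, "siem_license": 50000}
PRICES_NOW = {"consumer_av": 33, "edr_agent": 72, "pentest_hours": 220,
              "spreadsheet_asset_inventory": 0, "siem_license": 50000}


def classify(quantities, tiers=TIERS):
    """Inferior: demand never rises and ends lower as maturity (income) climbs.
    Normal: demand never falls and ends higher. Anything else is 'mixed'."""
    q = [quantities[t] for t in tiers]
    steps = [b - a for a, b in zip(q, q[1:])]
    if all(s <= 0 for s in steps) and q[-1] < q[0]:
        return "inferior"
    if all(s >= 0 for s in steps) and q[-1] > q[0]:
        return "normal"
    return "mixed"


def inferior_goods(consumption=CONSUMPTION):
    """Goods that drop out of the basket as maturity rises."""
    return sorted(g for g, q in consumption.items() if classify(q) == "inferior")


def laspeyres_index(base_prices, now_prices, basket):
    """Fixed-basket price index (the CPI's core idea): the base-period basket
    costed at today's prices relative to base prices, scaled so base = 100."""
    base_cost = sum(base_prices[g] * q for g, q in basket.items())
    now_cost = sum(now_prices[g] * q for g, q in basket.items())
    return 100.0 * now_cost / base_cost


def security_cpi_by_tier(consumption=CONSUMPTION):
    """One index per tier: each tier buys a different basket, so the same price
    moves land differently depending on what that tier actually consumes."""
    return {t: laspeyres_index(PRICES_BASE, PRICES_NOW,
                               {g: q[t] for g, q in consumption.items()})
            for t in TIERS}
```

With these constructed numbers, consumer AV and the spreadsheet inventory come out as the inferior goods, and the ad hoc tier sees a 10% index rise while the optimized tier sees about 2%, because the EDR price cut never reaches a basket that contains no EDR.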

Anyway, the idea can be fleshed out more, but critical to understanding defense is understanding investment in defense.

Anyway, I might have more for you when we get into production functions, because hoo-eee, that’s when we start converting inputs into outputs! *fist-pump*