Security Advantage? I Don’t Buy It.
As quoted in Ken Belva’s blog, Larry Gordon writes:
However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in short-run, until competing firms catch-up in terms of security) that results in increased demand for the organization’s physical product(s) and/or service(s).
While I’m sympathetic to the claim, let’s ask how an organization “can distinguish itself as having better information security than its competitors.” (In this post, I’m explicitly not speaking for or about my employer, who I think is doing a great job investing in security, eg, by paying me.)
How can a potential customer make a decision about security? As a consumer, I might look to funny television advertising, or other forms of marketing. But marketing isn’t a good signal: it’s equally easy for a firm to invest in marketing their security effort if they do little, or nothing as it is to market if they invest in a security development lifecycle. As an enterprise, I might consider spending a little money on a critical analysis of the software under consideration, but that’s expensive, and I might cynically believe that the results will all be on the order of “this stinks!”
Even if I could analyze security, security is likely only one of several factors that contribute to my buying choices. It’s not clear that it’s a great source of competitive advantage. For example, in their early days, ebay and paypal invested in things other than security, and did spectacularly well on that decision.
See Ken Belva, “Dr. Gordon: Information Security can have a positive return” [link to http://www.bloginfosec.com/2007/08/20/dr-gordon-information-security-can-have-a-positive-return/ no longer works].
Lastly, I’ll mention series here in 2004 on the value of signaling as a means to address information asymmetry in “Security Signaling,” “Signalling by Counting Low Hanging Fruit,” and “Ratty Signals.” There’s some great comments.
I think that claim that “more security” = “competitive advantage” has been flushed down the drain quite some time ago. I am wondering why this zombie was brought back from the dead ….
Hi Adam,
Thanks for your thoughtful post. We are not far off in opinion. I have replied to you here:
http://www.bloginfosec.com/2007/08/27/a-clarification-for-shostack/
Ken
http://www.bloginfosec.com
For a suitable definition of “short”, Gordon is right. This is just restating Nick Carr’s derogation of IT in a way that is less insulting to “IT professionals”. The idea is that innovation is so rapidly diffused/copied that for all intents and purposes we’re all just overhead.
The signaling question is interesting. There certainly seems to be alot of herding.
Can these be considered for security as biz enabler?
“Apple has received credit for fixing known flaws, but it may have to get more serious about security if it wants to take on Vista.” from http://www.macnewsworld.com/story/VgB95vj73xBmFI/Super-Sized-Apple-Update-Fixes-45-Flaws.xhtml
“We knew we would only use Windows Mobile, and we waited for it because it’s the platform we felt we could secure most easily and at the lowest cost.” from http://www.infoworld.com/article/07/04/06/HNwindowsmono_2.html