Thursday 2 August 2012

Inducing failure

Is cybersecurity a market failure? Every individual counts the cost to him of a virus attack but ignores the cost to others if his system becomes a zombie spam machine; consequently, people underinvest in computer security.

Eli Dourado does a great job in taking on this kind of argument in his Mercatus working paper, which is on the syllabus in my Economics of Current Policy Issues course.

First, the externality is, in most cases, inframarginal: most individuals have sufficient personal interest in ensuring security that the external benefit accrues inframarginally rather than at the margin. In other words, while it's true that people benefit others when they install proper security software, they're doing enough to benefit themselves at the same time that they're likely getting things right.

Second, there are plenty of other parties that have an encompassing interest in ensuring that the Internet works well. Google has a harder time selling ads if a lot of clicked links install malware and the like; consequently, Google works hard to make sure that, if you're using their Chrome browser, you get lots of warnings if you try to visit a dodgy site.

We'd think that Microsoft would have a similarly encompassing interest. Why isn't a decent security system built into Windows? I recently built a computer and put Windows 7 on it. After a bit of searching around, I found that Microsoft produces a very decent, and free, Internet security package. So I downloaded it, for free, and installed it. And I wondered why it wasn't built into the OS. Surely it would be in Microsoft's interest that people using their machines be protected against virus attacks, and it's precisely the kinds of people who don't know they need to go searching for an antivirus package who'd be the kinds of people who'd impose costs on others by letting their machines turn into zombies.

Then I remembered... Microsoft gets slapped around by the Department of Justice and the European antitrust guys whenever they try to make Windows better by adding features. Bundling antivirus into Windows, where it should be, could be deemed a measure that the Europeans would figure would hurt competitors; hurting competitors seems to matter more than helping consumers in European law. And Eli pointed me to this article from 2008 offering antitrust as the reason why antivirus hadn't been built into Windows.

Fortunately, it looks like Microsoft's found a workaround for Windows 8. Antivirus will be built in, but will be automatically switched off if any other vendor's product is installed; it only turns back on if the user fails to renew the subscription to the alternative product. Note that Windows 8 is already under antitrust investigation in Europe, but for browser default issues rather than antivirus (so far).


  1. Note that having multiple antivirus programs can be problematic for technical reasons, so there may be better reasons to be skeptical of bundling than there are for other programs.

    The idea of a built-in system that turns itself off when an alternative product is installed sounds like it could work. I do wonder, though, how it will decide when to turn itself off. I don't think it can just turn itself off when it sees something that looks like another scanner; as I understand it, the reason antivirus programs don't play nice with each other is that a real-time antivirus scan looks a lot like a virus to another antivirus program. If it operates via a whitelist, is Microsoft going to set itself up as the arbiter of legitimate antivirus programs? I can see people not being thrilled about that.

  2. I imagine they'll white-list the main commercial anti-virus software for a licensing fee: 'Win 8 Certified'. Geeky, niche software would be a manual job.

  3. Sure, but can't any of these installs then give you a prompt to uninstall the prior package?

  4. Wouldn't surprise me; the OEM folks getting paid per main commercial subscription would like it too.

  5. According to Wikipedia, the Fount of All Wisdom, MS was indeed threatened with antitrust actions if MS Security Essentials was bundled into Windows 7.