John Markoff's story about internet fraud (NYT, 12/5/08: "Thieves winning online war"), is important, but he does not identify the basis of the fraud. There is a "market failure" because there is so little demand for secure software. Thus, Microsoft's Windows machines control over 90 percent of the operating systems, most of which are on the Web. Much more secure operating systems exist - Ubuntu, which is freeware, has as yet to be captured by hackers, and Sun and other systems offer very secure systems. But financial institutions readily pay the cost of fraud. Internet financial transactions are growing at a faster rate than internet fraud, so credit card companies and banks are willing to pay the costs rather than demand that customers switch to safer systems, which might lead to losing them. Last year, Visa Europe had credit card fraud costs that were only 0.05 percent of its volume, a trivial amount compared to its huge profits, according to a report to the European Committee on Economic Security and Cooperation.
The basic problem is the architecture of Windows (and web-based programs that Markoff identifies); it is integrated rather than modular. Integration means that if a fault or opening is found in the software the intruder can bore into the core (kernel) and capture the machine. With a modular structure, the intruder is not able to get to the kernel, which is protected by a tight interface. Macintosh architect is more modular, open source software such as Ubuntu is very modular, and has to be because anyone can program it. If fraud expands faster than financial transactions on the internet, we might find there is a market for safe software. Microsoft would have to completely rewrite its programs in a modular form to reach this market.
Charles Perrow, Emeritus Professor of Sociology, Yale University, and author of Normal Accidents: Living with High Risk Techologies, Princeton, 1999, and The Next Catastrophe: Reducing Our Vulnerabilities to Natural, Industrial, and Terrorist Disasters, Princeton, 2006.
Citation: van Eeten, Michel J.G., and Johannes M. Bauer. 2008 "Economics of malware: security decisions, incentives and externalities". Organization for Economic Co-operation and Development, Paris. May 29.
Charles.perrow@yale.edu