BlackHat & DEFCON ‘09 Beckstrom’s Law & the Economics of Networks ICANN
August 2009 by
Can we adopt this Law and build an acceptable methodology that matches the real application needs of both enterprises and governments? What are the exceptions to the law, and how do we realistically value “t”, the transaction value? A real challenge will be around soft costs and value versus hard costs and value: what level of detail needs to be included? A new approach is worth pursuing. Today’s metrics (% of IT budget, run rates, last year’s budgets, etc.) do not provide the real tools to value a network using a more rigorous cost accounting methodology and ROI, and they leave a lot of questions open. Further information is available at ’Beckstrom’s Law & The Economics Of Networks - ICANN’ and ’Ncsc Value Of Networks Rod Beckstrom 090312 Final’. It is worthwhile spending 30 minutes reviewing this presentation and white paper.
One of the greatest challenges CIOs, CSOs and CISOs face is determining the amount of investment that needs to be allocated to cyber security. A factory is a hard asset with clear production value, R&D is a clear cost that produces value over time, and call centers take orders and supply services, providing value to customers. The network, on the other hand, does not provide the same black-and-white economic value. Early valuations used Metcalfe’s Law, which is intrinsically flawed because its valuation keeps increasing without end as the number of endpoints grows (Rod Beckstrom 2009). Rod Beckstrom, the CEO and President of ICANN, has proposed a new model for network valuation, affectionately called Beckstrom’s Law, based primarily on the value of transactions on the network.
So what is this law, and what type of debate can be had regarding this economic law? How can this law move from a theory to a practical application? How does this help us in allocating budgets for protecting networks and assessing risk?
Beckstrom’s law is based on a simple economic premise. The Value of the network is determined by the sum of all the transactional Benefits less the sum of all the transactional Costs. These Benefits and Costs are based on the transactions that enter and leave the network, plus transactions that remain in the network. The value to one user is:
$V_{i,j} = \sum B_{i,k} - \sum C_{i,l}$ (Beckstrom 2009)
$i$ = one user of the network
$j$ = identifies one network or network system
$B_{i,k}$ = the benefit value of transaction $k$ to individual $i$
$C_{i,l}$ = the cost of transaction $l$ to individual $i$
$V_{i,j}$ = the value to one user $i$ on one network $j$
Thus the value of the whole network is:
$\sum V_{i,j} = \sum B_{i,k} - \sum C_{i,l}$ (Beckstrom 2009)
With this information we now have the value of the network we are protecting. This is not limited to Internet networks; it also applies to trains, roads, subways, etc. Depending on our cost accounting model we can use both hard and soft costs, and we can also factor in the time value of money.
Additionally we now have a potential Security derivation:
$V_{i,j} = \sum B_{i,k} - \sum C'_{i,l} - \sum SI_{i,o} - \sum L_{i,p}$ (Beckstrom 2009)
Where $C'_{i,l}$ = the cost of all transactions except security related investments and losses
$SI_{i,o}$ = the cost of security investment transaction $o$ to the individual $i$
$L_{i,p}$ = the cost of security loss $p$ to the individual $i$
This allows one of the main factors to be determined: what is the investment target of security? Our real challenge will be to get the real Benefits and Costs of the transactions for the network. Additionally, we will need to test whether this is sufficient and reliable to answer the question: will this help quantify our security budgets better and add rigor to our Risk Management process?
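The security derivation above, worked through on a small transaction ledger with the time value of money applied. This is an added example, not code from Beckstrom's paper or the original post; the `Tx` record, the function names, the users, the amounts and the 25% discount rate are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

KINDS = ("B", "C", "SI", "L")  # benefit, non-security cost C', security investment, security loss

@dataclass(frozen=True)
class Tx:                      # hypothetical record type, not from the paper
    user: str                  # i, the individual
    kind: str                  # one of KINDS
    amount: float              # positive magnitude, constructed currency units
    year: int = 0              # years from now, used for time value of money

def user_values(ledger, rate=0.0):
    """Per-user totals of B, C', SI, L (present value) and V = B - C' - SI - L."""
    totals = defaultdict(lambda: dict.fromkeys(KINDS, 0.0))
    for tx in ledger:
        if tx.kind not in KINDS or tx.amount < 0:
            raise ValueError(f"bad transaction: {tx}")
        totals[tx.user][tx.kind] += tx.amount / (1 + rate) ** tx.year
    for t in totals.values():
        t["V"] = t["B"] - t["C"] - t["SI"] - t["L"]
    return dict(totals)

def network_value(ledger, rate=0.0):
    """Value of the whole network j: the sum of V over all users."""
    return sum(t["V"] for t in user_values(ledger, rate).values())

# Constructed ledger for one network j with two users.
LEDGER = [
    Tx("alice", "B", 1000), Tx("alice", "B", 500, year=1),
    Tx("alice", "C", 300), Tx("alice", "SI", 100), Tx("alice", "L", 50, year=1),
    Tx("bob", "B", 400), Tx("bob", "C", 150), Tx("bob", "L", 200),
]

if __name__ == "__main__":
    for rate in (0.0, 0.25):
        per_user = user_values(LEDGER, rate)
        for user, t in sorted(per_user.items()):
            print(f"rate={rate:.2f} {user}: B={t['B']:.0f} C'={t['C']:.0f} "
                  f"SI={t['SI']:.0f} L={t['L']:.0f} V={t['V']:.0f}")
        print(f"rate={rate:.2f} network value = {network_value(LEDGER, rate):.0f}")
```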