Skip to Content
MIT Technology Review
Sign in
Uncategorized

Taking on Security with Beckstrom’s Law

The former cyber chief explains his equation for valuing networks, and what it means for computer security.
August 3, 2009

For many years, computer scientists and venture capitalists have posited that value of any Internet-based technology or service increases by approximately the square of the number of users.

Yet, that model, known as Metcalfe’s Law, departs significantly from current experiences on the Internet. For example, the relationship does not account for service degradation due to an overabundance of users or bad actors who steal value from the network, according to Rod Beckstrom, an entrepreneur and the former head of the National Cybersecurity Center. Just last week, Microsoft founder Bill Gates cut himself off from Facebook, canceling his account because, in the words of one media report, “it was just way too much trouble.”

Instead of focusing on the number of nodes in the network, we need to focus on the transactions, Beckstrom argues.

“The key to cybersecurity is the number of transactions that we want versus the number of transactions that we don’t want,” he told attendees at the DEFCON Hacking Conference on Friday. “If we can find what the value of the network is to you–and 1.5 billion people–that’s what is important.”

Beckstrom started with a simple equation, that the value of a network is equal to the benefit it provides minus the cost to provide it, and tailored it for the security world. The reduced form of the equation expresses value, V, as:

V = B - C’ - SI - L

“SI” is the security investment that a company or person spends to avoid losses and “L” is the actual losses due to poor security. “B” is the benefit, and the remaining costs, “C’ ”, are all those outside of the security investments and losses.

Using this equation, security management can focus on minimizing the costs of computer security, “SI” and “L”. On the other hand, proactive defenders, such as law enforcement, can focus on raising the security costs of the bad guys, Beckstrom said.

“Hackers have to spend a lot of money on trying not to be found–that’s the security investment,” he said. “Loss is getting caught or being taken to court.”

The model easily scales and has similarities to profit-and-loss relationships, so corporate financial officers can easily get their heads around the concept. Unfortunately, the model is only as good as the data, and that can be a problem, Beckstrom acknowledged.

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.