Skip to Content
Uncategorized

Taking on Security with Beckstrom’s Law

The former cyber chief explains his equation for valuing networks, and what it means for computer security.
August 3, 2009

For many years, computer scientists and venture capitalists have posited that value of any Internet-based technology or service increases by approximately the square of the number of users.

Yet, that model, known as Metcalfe’s Law, departs significantly from current experiences on the Internet. For example, the relationship does not account for service degradation due to an overabundance of users or bad actors who steal value from the network, according to Rod Beckstrom, an entrepreneur and the former head of the National Cybersecurity Center. Just last week, Microsoft founder Bill Gates cut himself off from Facebook, canceling his account because, in the words of one media report, “it was just way too much trouble.”

Instead of focusing on the number of nodes in the network, we need to focus on the transactions, Beckstrom argues.

“The key to cybersecurity is the number of transactions that we want versus the number of transactions that we don’t want,” he told attendees at the DEFCON Hacking Conference on Friday. “If we can find what the value of the network is to you–and 1.5 billion people–that’s what is important.”

Beckstrom started with a simple equation, that the value of a network is equal to the benefit it provides minus the cost to provide it, and tailored it for the security world. The reduced form of the equation expresses value, V, as:

V = B - C’ - SI - L

“SI” is the security investment that a company or person spends to avoid losses and “L” is the actual losses due to poor security. “B” is the benefit, and the remaining costs, “C’ ”, are all those outside of the security investments and losses.

Using this equation, security management can focus on minimizing the costs of computer security, “SI” and “L”. On the other hand, proactive defenders, such as law enforcement, can focus on raising the security costs of the bad guys, Beckstrom said.

“Hackers have to spend a lot of money on trying not to be found–that’s the security investment,” he said. “Loss is getting caught or being taken to court.”

The model easily scales and has similarities to profit-and-loss relationships, so corporate financial officers can easily get their heads around the concept. Unfortunately, the model is only as good as the data, and that can be a problem, Beckstrom acknowledged.

Keep Reading

Most Popular

Large language models can do jaw-dropping things. But nobody knows exactly why.

And that's a problem. Figuring it out is one of the biggest scientific puzzles of our time and a crucial step towards controlling more powerful future models.

OpenAI teases an amazing new generative video model called Sora

The firm is sharing Sora with a small group of safety testers but the rest of us will have to wait to learn more.

Google’s Gemini is now in everything. Here’s how you can try it out.

Gmail, Docs, and more will now come with Gemini baked in. But Europeans will have to wait before they can download the app.

This baby with a head camera helped teach an AI how kids learn language

A neural network trained on the experiences of a single young child managed to learn one of the core components of language: how to match words to the objects they represent.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.