Skip to Content
MIT Technology Review
  • Featured
  • Topics
  • Newsletters
  • Events
  • Podcasts
    • Sign in
    Uncategorized

    Taking on Security with Beckstrom’s Law

    The former cyber chief explains his equation for valuing networks, and what it means for computer security.
    August 3, 2009

    For many years, computer scientists and venture capitalists have posited that value of any Internet-based technology or service increases by approximately the square of the number of users.

    Yet, that model, known as Metcalfe’s Law, departs significantly from current experiences on the Internet. For example, the relationship does not account for service degradation due to an overabundance of users or bad actors who steal value from the network, according to Rod Beckstrom, an entrepreneur and the former head of the National Cybersecurity Center. Just last week, Microsoft founder Bill Gates cut himself off from Facebook, canceling his account because, in the words of one media report, “it was just way too much trouble.”

    Instead of focusing on the number of nodes in the network, we need to focus on the transactions, Beckstrom argues.

    “The key to cybersecurity is the number of transactions that we want versus the number of transactions that we don’t want,” he told attendees at the DEFCON Hacking Conference on Friday. “If we can find what the value of the network is to you–and 1.5 billion people–that’s what is important.”

    Beckstrom started with a simple equation, that the value of a network is equal to the benefit it provides minus the cost to provide it, and tailored it for the security world. The reduced form of the equation expresses value, V, as:

    V = B - C’ - SI - L

    “SI” is the security investment that a company or person spends to avoid losses and “L” is the actual losses due to poor security. “B” is the benefit, and the remaining costs, “C’ ”, are all those outside of the security investments and losses.

    Using this equation, security management can focus on minimizing the costs of computer security, “SI” and “L”. On the other hand, proactive defenders, such as law enforcement, can focus on raising the security costs of the bad guys, Beckstrom said.

    “Hackers have to spend a lot of money on trying not to be found–that’s the security investment,” he said. “Loss is getting caught or being taken to court.”

    The model easily scales and has similarities to profit-and-loss relationships, so corporate financial officers can easily get their heads around the concept. Unfortunately, the model is only as good as the data, and that can be a problem, Beckstrom acknowledged.

    Keep Reading

    Most Popular

    Geoffrey Hinton tells us why he’s now scared of the tech he helped build

    “I have suddenly switched my views on whether these things are going to be more intelligent than us.”

    Deep learning pioneer Geoffrey Hinton has quit Google

    Hinton will be speaking at EmTech Digital on Wednesday.

    Video: Geoffrey Hinton talks about the “existential threat” of AI

    Watch Hinton speak with Will Douglas Heaven, MIT Technology Review’s senior editor for AI, at EmTech Digital.

    Doctors have performed brain surgery on a fetus in one of the first operations of its kind

    A baby girl who developed a life-threatening brain condition was successfully treated before she was born—and is now a healthy seven-week-old.

    Stay connected

    Illustration by Rose Wong

    Get the latest updates from
    MIT Technology Review

    Discover special offers, top stories, upcoming events, and more.

    Thank you for submitting your email!

    Explore more newsletters

    It looks like something went wrong.

    We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.