Here’s his outlook on the coming year:

In terms of ’09, the conventional wisdom says it’s going to be a horrible year – but I never believe conventional wisdom. I think Q1 will be a horrible quarter – a really horrible quarter actually. But that could become a low point and therefore, from a very low base, things hopefully have got to improve. So I think there’s a chance the market could improve later this year as opposed to everybody’s perspective that it’s going to be horrible. The thing that I worry about is when things do start to improve, with all the money being put into the system inflation could come back. With inflation, interest rates would likely go up, and now you have the seeds of another downturn.

I admire and share his optimism. Interesting though when you try to match a prediction like that up to some market prediction models. Dow Theory suggests that the market may have discounted the worst, since the Transportation average broke below its November 20 bear market low and the Industrial average has thus stayed above its November 20 low of 7552.29. Dow Theorists call that a non-confirmation of the bear market. If both the Industrial and Transportation averages can now better their January highs, 9034.69 and 3717.26 ,respectively, a new bull market will have been signaled. This much I have learned from Richard Russell’s Dow Theory Letters and his 1958 book Dow Theory Today. So Dow Theory may be on the verge of confirming Ken’s sentiment but the jury’s still out.

Elliot Wave analysis take your current optimism and uses it as proof that the bear market isn’t over, since at the end of a bear market, supposedly no one is optimistic. That and they look at a chart and notice that the current bear market is missing a fifth wave down.

Image courtesy of Elliot Wave International.

Then there’s the January rule- as goes January, so goes the year – which has been right 87% in the last 25 years. We just had the worst January ever.

I’m still trying to decide which model best approximates reality. In any case, Ken’s advice about what we should do is excellent:

Don’t waste the recession. Use the time well to do things that need to be done, and force yourself to do things you might not have done otherwise.

Also interesting to have a window into Fortinet’s current strategy:

Well in our case, in technology, I’ve always learned that it’s all about the products. Always remember that – technology is all about the products. So we’re going to continue to invest heavily in R&D. We’re going to continue to focus on bringing out our new products on a timely basis. Then we’re going to look at how we can price attractively, and how we can aggressively hire good sales people from other companies. I think it is a great time to hire sales people. So we’ll continue to do what we have been doing, which is to invest in people. We will also set some high standards in terms of our quotas for this coming year. We’re setting a high bar for achievement and we’re aggressive. On the conservative side, we’re budgeting to keep our expenses under control. We’re going to make sure we’re running an efficient shop and not spending money in a nonsensical way. On the other hand, we intend to invest in areas that we think will pay dividends when we do have an upturn. We think we can grow through the tough times and gain market share.

You know the idea is good when it scares your competition to death before you even release it. I hope the government lets Apple please its customers the best way it sees fit. Let the competition create something else to please the consumer rather than use government force to keep themselves in business.

At Bejtlich’s recommendation, I read with great interest Cyberinsurance in IT Security Management by Walter S. Baer and Andrew Parkinson. The bulk of the paper describes the success and prospects of the cyberinsurance industry, but comes to a conclusion that we need government regulation to “facilitate private market development”. This conclusion isn’t based on their informative analysis of the cyberinsurance industry, but rather on an ethical judgement revealed in the third paragraph:

My investments in IT security might do me little good if other systems connected to me remain insecure because an adversary can use any unprotected system to launch an attack on others. In economic terms, the private benefits of investment are less than the social benefits, making networked IT security a public good—and susceptible to the free-rider problem. As a consequence, private individuals and organizations won’t invest sufficiently in IT security to provide an optimal (or even adequate) level of societal protection.

The authors believe that current levels of IT security are sub-optimal and believe it will stay at those levels because “the private benefits of investment are less than the social benefits”. They don’t explain or rationalize these statements in the rest of the article. Instead, they explain the benefits and success of cyberinsurance, but make another value-judgement after noting that only 25% of the market uses cyberinsurance. This is too low in their eyes, so we obviously need government regulation to stimulate the industry, since IT security is a public good. But they never give reasons as to why IT security is a public good suffering from the free-rider problem. Not to my satisfaction, at least. They did offer this example as noted above:

My investments in IT security might do me little good if other systems connected to me remain insecure because an adversary can use any unprotected system to launch an attack on others.

If you deem your neighboring systems as a threat because they don’t live up to your standard of protection and there is a risk of their systems being used to launch an attack, why don’t you take that into consideration when buying security? As Sammy Migues (via Alex) points out, it often makes no difference where the attack comes from. I don’t see how how their example illustrates that IT security is a public good, but let’s go along with it anyway.

The assertion that IT security is a public good suffering from the free-rider problem is one that not all economists would agree with. The free-rider problem and public goods theory are used by some economists to justify government regulation of markets. The supposed “market failure” that occurs because of the free-rider problem is merely an opinion of the economist doing the analysis. From whose point of view are we to judge what the optimal level of IT security is; that of the central-planning economist or that of the individual who owns the means to spend on security? From the point of view of the authors and many security practitioners, we need more security. Obviously companies aren’t buying enough, otherwise we wouldn’t be suffering breaches right? They think private interests aren’t buying the optimal amount of security because of “perverse economic incentives”, i.e. the security they buy benefits others more than it benefits themselves. But from the point of view of the individual actors in the economy, they are already buying the ideal amount security that the market can offer them, given the means they have available and the other options they have for using those means.

A rational approach to the problem looks at the situation from the point of view of the private actors in the market devoid of any personal preference. Each actor uses means (time, money, labor, producer goods) to produce ends (consumer goods or producer goods that later become consumer goods). Every action taken in the economy is aimed at improving the condition and enjoyment of some consumer somewhere. An individual (or company) might perceive a threat of invasion or damage to property. He will determine, to the best of his ability, if he has the means to mitigate the threat or reduce the chances that the threat occurs by buying some form of security. He will buy the security inasmuch as he values the security and the comfort and advantage it gives him. When making this decision whether or not to buy the security he also considers the other uses of his means. His final decision reveals how he values the respective ends. Would he rather use the means to buy or produce more widgets or buy security? We can’t know ahead of time what he would rather do with his means, we can only look at his actions to determine what he values.

Those who value security more than that actor can’t understand why he wouldn’t buy more, blame this on the “public goods” assertion and “perverse economic incentives” and call for government to force the actor to buy more security. Any such security regulation can only reduce the amount of wealth and comfort the economy produces because it is foisting one man’s values upon another – “for the public good”.

The paper pointed out that the cybersecurity market is young, small and growing. I’m sure it will do fine on its own. Let’s just keep government out of it.