Slashdot Mirror


Schneier on Economic Insights to IT Security

Scyld_Scefing writes "In his June 29, 2006 Wired News article, 'It's the Economy, Stupid,' Bruce Schneier covers the content of the 2006 Workshop on the Economics of Information Security. Schneier says that economic analysis of IT security issues is relatively new, and links to one of the significant earlier papers from 1991, 'Why Information Security Is Hard -- An Economic Perspective' (.pdf). This article states: 'According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.'"

1 of 58 comments

  1. Re:can't prove a negative by Tony-A · Score: 2, Informative

    It's easy to know when you do have a bug

    Since this is about security, a bit of nitpicking is in order.

    There are at least two meanings.

    It's easy to know when you do have a bug. You do. Just no idea what, where, how, etc. You can even use statistics to draw confidence intervals on the number and severity of the bugs.

    It's easy to know when you do have a bug. Assuming that if you have a bug you'd know it. This one is false, very false. It is quite possible for a bug to exist and to not be demonstrable under any circumstances. I've had lots of situations where it was necessary for TWO bugs to get together for anything to show up. I've even had a triple -- and that one was downright spooky.

    To further complicate matters, bugs are not created equal. Counting bugs is about as silly as counting money tokens (equating pennies with $100 bills, except that computer stuff is not nearly that equal).
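The "two bugs have to get together before anything shows up" case in the comment above, as an added example that is not part of the original post or of Slashdot. The handler, helper names and query strings are constructed for illustration: a validator that checks the first occurrence of a repeated key and a consumer that acts on the last one are each harmless alone, pass any test suite that never repeats a key, and only produce a privilege escalation when both are present.

```python
# Added example for this thread (not code from the original post or from
# Slashdot): two defects that are individually invisible and only produce a
# visible, security-relevant failure when they meet. The handler, the helper
# names and the query strings are all constructed for illustration.

from typing import Dict, List, Tuple


def parse_pairs(qs: str) -> List[Tuple[str, str]]:
    """Split 'a=1&b=2' into ordered (key, value) pairs, keeping duplicates."""
    pairs: List[Tuple[str, str]] = []
    for item in qs.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def first_wins(qs: str) -> Dict[str, str]:
    """Collapse pairs so that the FIRST occurrence of a key is kept."""
    table: Dict[str, str] = {}
    for key, value in parse_pairs(qs):
        table.setdefault(key, value)
    return table


def last_wins(qs: str) -> Dict[str, str]:
    """Collapse pairs so that the LAST occurrence of a key is kept (dict() semantics)."""
    return dict(parse_pairs(qs))


# Bug A (latent on its own): the validator inspects the first occurrence.
def validate_first(qs: str) -> bool:
    return first_wins(qs).get("role", "user") != "admin"


# Bug B (latent on its own): the consumer acts on the last occurrence.
def consume_last(qs: str) -> str:
    return last_wins(qs).get("role", "user")


# The "fixed" counterparts: each makes its layer agree with the other one.
def validate_last(qs: str) -> bool:
    return last_wins(qs).get("role", "user") != "admin"


def consume_first(qs: str) -> str:
    return first_wins(qs).get("role", "user")


def outcomes(qs: str) -> Dict[Tuple[str, str], str]:
    """Run one request through every pairing of validator and consumer.

    Returns the role the application would act with, or "rejected" when the
    validator refused the request.
    """
    validators = (("validate_first", validate_first), ("validate_last", validate_last))
    consumers = (("consume_last", consume_last), ("consume_first", consume_first))
    results: Dict[Tuple[str, str], str] = {}
    for v_name, validate in validators:
        for c_name, consume in consumers:
            results[(v_name, c_name)] = consume(qs) if validate(qs) else "rejected"
    return results


def escalations(qs: str) -> List[Tuple[str, str]]:
    """Pairings for which a request the validator accepted ends up as admin."""
    return [pair for pair, role in outcomes(qs).items() if role == "admin"]


if __name__ == "__main__":
    # A test suite that never sends a duplicated key passes for every pairing,
    # so neither bug is demonstrable in isolation...
    for qs in ("role=user", "role=admin", "user=bob&role=user"):
        print(qs, "->", outcomes(qs))
    # ...but one duplicated key lights up exactly the pairings where the two
    # layers disagree about which occurrence counts.
    print(escalations("role=user&role=admin"))   # [('validate_first', 'consume_last')]
    print(escalations("role=admin&role=user"))   # [('validate_last', 'consume_first')]
```

Note that "fixing" only one layer does not make the pair safe in general: `validate_last` with `consume_first` is just as inconsistent, and the second duplicated-key ordering triggers it. What matters is that every layer that inspects the input agrees on which occurrence counts, which is why a test suite built from well-formed inputs cannot reveal either defect on its own.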