Slashdot Mirror


Schneier on Economic Insights to IT Security

Scyld_Scefing writes "In his June 29, 2006 Wired News article, 'It's the Economy, Stupid,' Bruce Schneier covers the content of the 2006 Workshop on the Economics of Information Security. Schneier says that economic analysis of IT security issues is relatively new, and links to one of the significant earlier papers from 1991, 'Why Information Security Is Hard -- An Economic Perspective' (.pdf). This article states: 'According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.'"

7 of 58 comments

  1. Still too limited by Beryllium Sphere(tm) · Score: 3, Interesting

    Put the incentives in the right place and there's still the issue of implementation. Nobody benefited from Chernobyl blowing, but it did anyway, and investigators think part of the reason is that there were no reactor engineers on duty. Security, just like industrial safety, depends on having trained and informed people at critical decision-making points.

    Making security usable is another implementation issue. Everyone wanted airplanes to land safely, especially the pilots who were inside them, but there was one crash after another due to "pilot error" until the aerospace world began laying out controls and instruments to meet the needs of the pilots who used them.

    True, incentives do come first. But even then they need to be carefully chosen. Bad publicity and the threat of job loss didn't make the VA careful: instead those incentives fueled a search for scapegoats, a search which ended with the analyst who had written permission issued on three occasions to take the data home with him.

  2. Re:can't prove a negative by ScrewMaster · Score: 4, Interesting

    I had a similar experience many years ago. I did some consulting for a major hospital, and as it happened one contract I received was to reverse-engineer a multi-drop mainframe terminal protocol. The idea was to use regular PCs as terminals instead of the mainframe vendor's overpriced equipment. In any event, I was working with one of the hospital's programmers on the job, and I asked about getting a logon so I could start analyzing the protocol. He said, "Here, watch this." It turned out that Arthur Andersen (yes, that AA) had performed a security audit on the hospital and discovered that, as you would expect, the hospital's security was woefully inadequate. So they required that a triple-password scheme be implemented (yes, typing in three successive passwords to log in to the mainframe) in order to improve security and pass the audit. Well, as it happens this was back when "smart terminals" were getting popular, and this was a floor full of programmers, so it took about eight seconds after the last auditor left for the coders to agree on "F12" as a common macro key to spit out the required three passwords and log in. Everybody programmed their passwords into their own terminals so anybody could log in any time. Pretty funny, really, but it does go to show that what you're saying is correct: if security interferes too much with productivity there will be problems. Prior to that audit, everybody had a private password and used it. Afterwards ... productivity was unimpaired while security simply disappeared.

    --
    The higher the technology, the sharper that two-edged sword.
  3. Insurance risk by stox · Score: 4, Interesting

    We will not see real security until Insurance companies start to really evaluate the risks involved. Once premiums sky-rocket due to poor security, then people will pay attention.

    --
    "To those who are overly cautious, everything is impossible."
    1. Re:Insurance risk by Ulrich Hobelmann · Score: 4, Interesting

      I think it's the other way round: because IT is new terrain for them, most insurances make IT insurance too expensive.

      Now if any insurance company were to make IT insurance for certain systems with certain properties cheap, maybe people would try to implement those properties (say, Unix, separation of privileges, managed code or alternatively strongly checked code with powerful type/effect systems) to be able to get the cheap insurance (or to offer that cheap insurance to their clients/users).

  4. Re:can't prove a negative by BVis · Score: 3, Interesting

    > Well, as it happens this was back when "smart terminals" were getting popular, and this was a floor full of programmers, so it took about eight seconds after the last auditor left for the coders to agree on "F12" as a common macro key to spit out the required three passwords and log in.

    Two problems here: Ignorant overpaid "consultants" who think a splint is a good remedy for food poisoning and a floor full of programmers who should be escorted to the door by (physical) security personnel.

    Just because a security policy is retarded is no reason to justify ignoring it. I don't care if the password policy is that you must dance a particular sequence on a DDR pad for access, if that's the security policy, you follow it until a better policy can be put in place.
    --
    Never underestimate the power of stupid people in large groups.
  5. Re:Economics is Everywhere by Alucard454 · Score: 3, Interesting

    I couldn't agree more. I'm working on my PhD in economics at the moment, but getting here was one hell of a ride through basically every major known to man. At least one of these required me to take basic micro and macro....

    My macro class was pretty dry and boring, which was what I and everyone else there (including the professor) seemed to expect.

    My micro class on the other hand was taught by an incredible man who had an absolutely infectious passion for the material. I was converted from day one, and changed my major two weeks into the semester. He became my advisor and steered me through the rest of my undergraduate career. When I was debating going to grad school, he bought me a copy of Freakonomics and suggested I spend a weekend reading it and thinking before I decided. I won't say that the book seriously influenced my decision, but it certainly helped renew my passion for economics after the beatdown of my final semesters.

    My point? There is no magic bullet. I think economics is a profoundly powerful tool, and an amazingly interesting study. I'm disappointed at the image that it has with most people as the "dismal science." And yes, a big part of that problem is that most students have no sense of perspective, or come into economics with a preconceived notion of how boring the subject is. I also agree that books like Freakonomics help (I bought a copy for my own father after I told him what I was doing for grad school. He went from being disappointed that I was going to be a "banker or money man" to being fascinated with my research work and quizzing me every chance he gets).

    That being said, I think that another (possibly more powerful) way to help students see the beauty of economics is the same answer to so many issues in education: teachers. I've always been a bright kid (this is slashdot for chrissakes... we're all bright, except perhaps for the trolls) and I've always been incredibly curious about most areas of study. This is why it took me 2 years of changing majors to settle down... I wanted to study EVERYTHING. Somehow though, economics slipped completely under my radar until that one teacher changed everything. One teacher really can make a difference, as fruity and captain-planety (redundant?) as that sounds. In fact, it is that realization that pushed me over the edge and made me go to grad school. I knew that if I could share and demonstrate the same passion for economics that my advisor did, I'd have a chance of making some sort of impact.

    [Already, my passion is being divided between sharing with undergrads and working on my own research, and I have never had more fun (in academics anyway). I have the fortune to be at a fairly high-powered research institute, so I am free to work on and be funded for just about anything. This is not the sort of place I would want to be a professor at, as I would prefer to focus on teaching after my dissertation, but as a grad student it's perfect.]

    Anyways, as I recall, the point I was trying to make was this: Books like Freakonomics are great. Teachers like the one I had are greater, but harder to come by. If you find either, count yourself lucky, and spread the word however you can.

    Back to work.

    --
    education
    That which discloses to the wise and disguises from the foolish their lack of understanding.
    ~a.bierce
  6. Economics is fascinating by Colin Smith · Score: 2, Interesting

    It has a profound effect on our society.

    Take for example the debt based money system we have now. The government has the ability to print money (well, borrow) as it likes. Well when you have that power, it's pretty damned difficult not to use it. After all, raising taxes is about as popular as a fart in a lift and all politicians want to be re-elected. So borrow some money from the central bank to pay for your pet oil liberation project. This has a number of implications:

    1: We've increased the amount of money available in circulation. This causes the value of the existing money to decrease; Inflation. Though it's perceived to be a general increase in prices it's essentially a tax on the currency holding population.

    2: That debt you have to pay back, well it has an interest rate on it, the bankers want a little bit more back than they loaned, so you and everyone who works for you have to work that little bit harder to pay it back, you have to expand and grow to service the debt. The more you expand, the smaller the debt is in proportion, so you must expand. Which basically means there must be a continual increase in the exploitation of resources. For some reason the ecologists haven't picked up on this.

    3: The government has free money to give away. Well, easy money anyway. The military, Halliburton and all the direct contractors to the government benefit directly, in fact they get the cash before the inflation hits the economy generally so they benefit and grow hugely. Well we could call the military, its direct suppliers like Halliburton etc the military industrial complex.

    4: Money is power, the free money the government is acquiring increases the power it has to intervene in, well anything it wants to.

    So... Debt based money gives us... Inflation, mandatory economic expansion, increase in the size and power of the military industrial complex, increasing size and power of the state.

    --
    Deleted