Slashdot Mirror
Schneier on Economic Insights to IT Security
Scyld_Scefing writes "In his June 29, 2006 Wired News article, 'It's the Economy, Stupid,' Bruce Schneier covers the content of the 2006 Workshop on the Economics of Information Security. Schneier says that economic analysis of IT security issues is relatively new, and links to one of the significant earlier papers from 1991, 'Why Information Security Is Hard -- An Economic Perspective' (.pdf). This article states: 'According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.'"
I had a similar experience many years ago. I did some consulting for a major hospital, and as it happened one contract I received was to reverse-engineer a multi-drop mainframe terminal protocol. The idea was to use regular PCs as terminals instead of the mainframe vendor's overpriced equipment. In any event, I was working with one of the hospital's programmers on the job, and I asked about getting a logon so I could start analyzing the protocol. He said, "Here, watch this." It turned out that Arthur-Anderson (yes, that AA) had performed a security audit on the hospital and discovered that, as you would expect, the hospital's security was woefully inadequate. So they required that a triple-password scheme be implemented (yes, typing in three successive passwords to log in to the mainframe) in order to improve security and pass the audit. Well, as it happens this was back when "smart terminals" were getting popular, and this was a floor full of programmers, so it took about eight seconds after the last auditor left for the coders to agree on "F12" as a common macro key to spit out the required three passwords and log in. Everybody programmed their passwords into their own terminals so anybody could log in any time. Pretty funny, really, but it does go to show that what you're saying is correct: if security interferes too much with productivity there will be problems. Prior to that audit, everybody had a private password and used it. Afterwards ... productivity was unimpaired while security simply disappeared.
The higher the technology, the sharper that two-edged sword.
We will not see real security until Insurance companies start to really evaluate the risks involved. Once premiums sky-rocket due to poor security, then people will pay attention.
"To those who are overly cautious, everything is impossible. "