Slashdot Mirror


Schneier on Economic Insights to IT Security

Scyld_Scefing writes "In his June 29, 2006 Wired News article, 'It's the Economy, Stupid,' Bruce Schneier covers the content of the 2006 Workshop on the Economics of Information Security. Schneier says that economic analysis of IT security issues is relatively new, and links to one of the significant earlier papers from 1991, 'Why Information Security Is Hard -- An Economic Perspective' (.pdf). This article states: 'According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.'"

10 of 58 comments

  1. can't prove a negative by yagu · · Score: 4, Insightful

    One of the hardest things about security is knowing you really have security. It's kind of like knowing your software doesn't have a bug. It's easy to know when you do have a bug, it's virtually impossible to know you don't.

    I think security suffers the same or similar perception, rightly so. So, no matter how much you invest, how strict your policies, you really never know you have security. Couple that with how expensive it is to apply and enforce the more draconian policies... who wants to spend a fortune and find out they've been compromised anyway?

    And, extreme security makes computing far less transparent, often to the exclusion of any reasonable work flow for day to day tasks. If security could be transparent (not sure it can), that would help.... no business likes fielding support issues for an entire corporation just because their network is PKI (ever administrate Sun's version?).

    (I once worked at a place that had a thirteen-rule requirement for setting new passwords... it was so intrusive, I kept a printout of the rules on my monitor to try and avoid a twenty-minute guessing game session for setting new passwords. What was really funny was at one point the "rules" conflicted with one of our systems, so you couldn't define a qualified password that the system could use. Hilarious.)

    On top of all of that, no matter how diligent you've been, one disgruntled (ex-)employee is all it takes with a modicum of social engineering savvy and you find the investment for naught. It's no wonder security is a tough nut to crack.

    (As an aside opinion... I think the press gives too much attention to things like the recently stolen laptop with all of the info on it -- it was a stolen laptop, probably nothing more -- they get stolen all of the time, and people have no idea what they've gotten other than a "free" computer.)

    1. Re:can't prove a negative by ScrewMaster · · Score: 4, Interesting

      I had a similar experience many years ago. I did some consulting for a major hospital, and as it happened one contract I received was to reverse-engineer a multi-drop mainframe terminal protocol. The idea was to use regular PCs as terminals instead of the mainframe vendor's overpriced equipment. In any event, I was working with one of the hospital's programmers on the job, and I asked about getting a logon so I could start analyzing the protocol. He said, "Here, watch this." It turned out that Arthur Andersen (yes, that AA) had performed a security audit on the hospital and discovered that, as you would expect, the hospital's security was woefully inadequate. So they required that a triple-password scheme be implemented (yes, typing in three successive passwords to log in to the mainframe) in order to improve security and pass the audit. Well, as it happens this was back when "smart terminals" were getting popular, and this was a floor full of programmers, so it took about eight seconds after the last auditor left for the coders to agree on "F12" as a common macro key to spit out the required three passwords and log in. Everybody programmed their passwords into their own terminals so anybody could log in any time. Pretty funny, really, but it does go to show that what you're saying is correct: if security interferes too much with productivity there will be problems. Prior to that audit, everybody had a private password and used it. Afterwards ... productivity was unimpaired while security simply disappeared.

      --
      The higher the technology, the sharper that two-edged sword.
    2. Re:can't prove a negative by BVis · · Score: 3, Interesting
      Well, as it happens this was back when "smart terminals" were getting popular, and this was a floor full of programmers, so it took about eight seconds after the last auditor left for the coders to agree on "F12" as a common macro key to spit out the required three passwords and log in.
      Two problems here: Ignorant overpaid "consultants" who think a splint is a good remedy for food poisoning and a floor full of programmers who should be escorted to the door by (physical) security personnel.

      Just because a security policy is retarded is no reason to justify ignoring it. I don't care if the password policy is that you must dance a particular sequence on a DDR pad for access, if that's the security policy, you follow it until a better policy can be put in place.
      --
      Never underestimate the power of stupid people in large groups.
  2. Still too limited by Beryllium Sphere(tm) · · Score: 3, Interesting

    Put the incentives in the right place and there's still the issue of implementation. Nobody benefited from Chernobyl blowing, but it did anyway, and investigators think part of the reason is that there were no reactor engineers on duty. Security, just like industrial safety, depends on having trained and informed people at critical decision-making points.

    Making security usable is another implementation issue. Everyone wanted airplanes to land safely, especially the pilots who were inside them, but there was one crash after another due to "pilot error" until the aerospace world began laying out controls and instruments to meet the needs of the pilots who used them.

    True, incentives do come first. But even then they need to be carefully chosen. Bad publicity and the threat of job loss didn't make the VA careful: instead those incentives fueled a search for scapegoats, a search which ended with the analyst who had written permission issued on three occasions to take the data home with him.

  3. That's why you take the scientific approach. by khasim · · Score: 4, Insightful

    Just to make this clear, "security" is not an end item. You cannot "have" security. My definition is: The process of identifying and evaluating threats and reducing their effectiveness.

    As Bruce says, when there isn't an economic incentive, that process is not maintained.

    But, suppose you are maintaining it. How do you know how good your security is?

    Bruce also wrote about "attack trees".
    http://www.schneier.com/paper-attacktrees-ddj-ft.html

    Identifying and evaluating the different avenues of attack is part of evaluating the threats. Once you've identified one, don't think about how you can "prove" it is "secure". Think about how you would go about showing that it is NOT secure. Make your statements about your security "falsifiable". Just like in the scientific method.

    Then experiment, on an on-going-basis, to see if you can demonstrate that your security can be broken. This takes time and effort on your part as you have to continually read about the latest advances and theories.

    Which gets back to the economic issue. If the organization does not see an economic incentive for you to perform that research/work, then you will be assigned to other tasks and the process will not be followed. If you are not following the process, there is no "security".
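The comment above describes attack trees and the idea of making a security claim falsifiable. As an added illustration (not code from the post, from the article, or from Schneier's paper), here is a small attack-tree evaluator in the style of Schneier's "Attack Trees" (Dr. Dobb's Journal, 1999): OR nodes take the cheapest child, AND nodes sum their children, and a leaf can be marked impossible to model a countermeasure. The tree, the goal and the dollar costs are constructed for the example; `find_attack_under` turns the claim "no attacker with this budget can reach the goal" into something the tree can refute.

```python
# Added example: evaluate an attack tree and use it to falsify a security claim.
# The tree below and its costs are constructed for illustration only.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "LEAF"        # "LEAF", "OR" or "AND"
    cost: float = 0.0         # leaves only: attacker's cost (made-up dollars)
    possible: bool = True     # leaves only: can the attacker do this at all?
    children: List["Node"] = field(default_factory=list)


def evaluate(node: Node) -> Tuple[float, bool, List[str]]:
    """Return (cheapest cost, feasible?, leaf names on the cheapest feasible path).

    OR: the attacker needs any one child, so take the cheapest feasible child.
    AND: the attacker needs every child, so sum them; one impossible child
    makes the whole node impossible (cost INF)."""
    if node.kind == "LEAF":
        return (node.cost, True, [node.name]) if node.possible else (INF, False, [])
    results = [evaluate(c) for c in node.children]
    if node.kind == "OR":
        feasible = [r for r in results if r[1]]
        if not feasible:
            return (INF, False, [])
        return min(feasible, key=lambda r: r[0])
    if node.kind == "AND":
        if not all(r[1] for r in results):
            return (INF, False, [])
        return (sum(r[0] for r in results), True,
                [leaf for r in results for leaf in r[2]])
    raise ValueError(f"unknown node kind {node.kind!r}")


def build_tree() -> Node:
    """Constructed tree: goal is reading a customer's records on a mainframe."""
    return Node("read customer records", "OR", children=[
        Node("log in with someone else's credentials", "OR", children=[
            Node("use macro key on an unattended terminal", cost=10),
            Node("shoulder-surf a password", cost=50),
            Node("bribe an operator", cost=5000),
        ]),
        Node("sniff the terminal protocol", "AND", children=[
            Node("tap the multi-drop line", cost=500),
            Node("reverse-engineer the protocol", cost=20000),
        ]),
        Node("steal the backup tapes", "AND", children=[
            Node("enter the tape vault", cost=2000, possible=False),
            Node("read tapes offline", cost=100),
        ]),
    ])


def find_attack_under(tree: Node, budget: float) -> Optional[Tuple[float, List[str]]]:
    """Try to FALSIFY the claim 'no attacker with at most `budget` can reach
    the goal'. Returns the refuting (cost, path), or None if the claim
    survives this tree (which is not a proof that it is true)."""
    cost, feasible, path = evaluate(tree)
    if feasible and cost <= budget:
        return cost, path
    return None


def disable(tree: Node, leaf_name: str) -> None:
    """Model a countermeasure by marking a leaf impossible, e.g. wiping
    stored login macros from every terminal."""
    if tree.kind == "LEAF" and tree.name == leaf_name:
        tree.possible = False
    for child in tree.children:
        disable(child, leaf_name)


if __name__ == "__main__":
    tree = build_tree()
    print("cheapest attack:", evaluate(tree))
    print("claim 'safe below $100' refuted by:", find_attack_under(tree, 100))
    disable(tree, "use macro key on an unattended terminal")
    print("after removing macros:", evaluate(tree))
```

Re-running `evaluate` after each `disable` is the "on-going experiment" the comment calls for: each countermeasure is checked by asking whether the cheapest remaining path still fits an attacker's budget, rather than by asserting the system is now secure.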

  4. Economics is Everywhere by CodeBuster · · Score: 3, Insightful

    It should not be surprising to people that economics provides the basis for explaining many interesting situations that occur in the real world in relation to computer security. Recall that economics is the study of how humans react to scarcity, or more bluntly how we behave in light of the fact that we cannot simply snap our fingers and have anything we want immediately placed in front of us all of the time (with the possible exception of Bill Gates and a few others, but they are not representative). It is precisely the ability of economics to insightfully solve common conundrums with deliciously counterintuitive explanations that seems to fascinate so many people, as evidenced by the recent success of books such as Naked Economics: Undressing the Dismal Science and Freakonomics, despite the generally boring ways in which the subject is presented by our schools. If it involves human interactions and human nature then, ultimately, it involves economics.

    1. Re:Economics is Everywhere by Alucard454 · · Score: 3, Interesting

      I couldn't agree more. I'm working on my PhD in economics at the moment, but getting here was one hell of a ride through basically every major known to man. At least one of these required me to take basic micro and macro....

      My macro class was pretty dry and boring, which was what I and everyone else there (including the professor) seemed to expect.

      My micro class on the other hand was taught by an incredible man who had an absolutely infectious passion for the material. I was converted from day one, and changed my major two weeks into the semester. He became my advisor and steered me through the rest of my undergraduate career. When I was debating going to grad school, he bought me a copy of Freakonomics and suggested I spent a weekend reading it and thinking before I decided. I won't say that the book seriously influenced my decision, but it certainly helped renew my passion for economics after the beatdown of my final semesters.

      My point? There is no magic bullet. I think economics is a profoundly powerful tool, and an amazingly interesting study. I'm disappointed at the image that it has with most people as the "dismal science." And yes, a big part of that problem is that most students have no sense of perspective, or come into economics with a preconceived notion of how boring the subject is. I also agree that books like Freakonomics help (I bought a copy for my own father after I told him what I was doing for grad school. He went from being disappointed that I was going to be a "banker or money man" to being fascinated with my research work and quizzing me every chance he gets).

      That being said, I think that another (possibly more powerful) way to help students see the beauty of economics is the same answer to so many issues in education: teachers. I've always been a bright kid (this is slashdot for chrissakes... we're all bright, except perhaps for the trolls) and I've always been incredibly curious about most areas of study. This is why it took me 2 years of changing majors to settle down... I wanted to study EVERYTHING. Somehow though, economics slipped completely under my radar until that one teacher changed everything. One teacher really can make a difference, as fruity and captain-planety (redundant?) as that sounds. In fact, it is that realization that pushed me over the edge and made me go to grad school. I knew that if I could share and demonstrate the same passion for economics that my advisor did, I'd have a chance of making some sort of impact.

      [Already, my passion is being divided between sharing with undergrads and working on my own research, and I have never had more fun (in academics anyway). I have the fortune to be at a fairly high-powered research institute, so I am free to work on and be funded for just about anything. This is not the sort of place I would want to be a professor at, as I would prefer to focus on teaching after my dissertation, but as a grad student it's perfect.]

      Anyways, as I recall, the point I was trying to make was this: Books like Freakonomics are great. Teachers like the one I had are greater, but harder to come by. If you find either, count yourself lucky, and spread the word however you can.

      back to work.

      --
      education
      That which discloses to the wise and disguises from the foolish their lack of understanding.
      ~a.bierce
  5. Insurance risk by stox · · Score: 4, Interesting

    We will not see real security until Insurance companies start to really evaluate the risks involved. Once premiums sky-rocket due to poor security, then people will pay attention.

    --
    "To those who are overly cautious, everything is impossible. "
    1. Re:Insurance risk by Ulrich Hobelmann · · Score: 4, Interesting

      I think it's the other way round: because IT is new terrain for them, most insurers make IT insurance too expensive.

      Now if any insurance company were to make IT insurance for certain systems with certain properties cheap, maybe people would try to implement those properties (say, Unix, separation of privileges, managed code or alternatively strongly checked code with powerful type/effect systems) to be able to get the cheap insurance (or to offer that cheap insurance to their clients/users).

  6. Put the liability in the right place by Dadoo · · Score: 5, Insightful

    I've been telling my co-workers for a long time - while hackers who break into companies' networks should be punished, the companies, themselves should be punished more. The very first paragraph of this essay (the one comparing the European banks to the American banks) would seem to agree with me.

    Let's face it: if your corporate network can't stand up to some high-school kid in his basement, it certainly isn't going to stand up to a well-funded foreign power trying to attack us.

    --
    Sit, Ubuntu, sit. Good dog.