Slashdot Mirror


Schneier on Economic Insights to IT Security

Scyld_Scefing writes "In his June 29, 2006 Wired News article, 'It's the Economy, Stupid,' Bruce Schneier covers the content of the 2006 Workshop on the Economics of Information Security. Schneier says that economic analysis of IT security issues is relatively new, and links to one of the significant earlier papers from 1991, 'Why Information Security Is Hard -- An Economic Perspective' (.pdf). This article states: 'According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.'"

6 of 58 comments

  1. can't prove a negative by yagu · · Score: 4, Insightful

    One of the hardest things about security is knowing you really have security. It's kind of like knowing your software doesn't have a bug. It's easy to know when you do have a bug, it's virtually impossible to know you don't.

    I think security suffers the same or similar perception, rightly so. So, no matter how much you invest, how strict your policies, you really never know you have security. Couple that with how expensive it is to apply and enforce the more draconian policies... who wants to spend a fortune and find out they've been compromised anyway?

    And, extreme security makes computing far less transparent, often to the exclusion of any reasonable work flow for day to day tasks. If security could be transparent (not sure it can), that would help.... no business likes fielding support issues for an entire corporation just because their network is PKI (ever administrate Sun's version?).

    (I once worked at a place that had a thirteen-rule requirement for setting new passwords... it was so intrusive, I kept a printout of the rules on my monitor to try and avoid a twenty-minute guessing game session for setting new passwords. What was really funny was at one point the "rules" conflicted with one of our systems, so you couldn't define a qualified password that the system could use. Hilarious.)

    On top of all of that, no matter how diligent you've been, one disgruntled (ex-)employee is all it takes with a modicum of social engineering savvy and you find the investment for naught. It's no wonder security is a tough nut to crack.

    (As an aside opinion... I think the press gives too much attention to things like the recently stolen laptop with all of the info on it -- it was a stolen laptop, probably nothing more -- they get stolen all of the time, and people have no idea what they've gotten other than a "free" computer.)

    1. Re:can't prove a negative by ScrewMaster · · Score: 4, Interesting

      I had a similar experience many years ago. I did some consulting for a major hospital, and as it happened one contract I received was to reverse-engineer a multi-drop mainframe terminal protocol. The idea was to use regular PCs as terminals instead of the mainframe vendor's overpriced equipment. In any event, I was working with one of the hospital's programmers on the job, and I asked about getting a logon so I could start analyzing the protocol. He said, "Here, watch this." It turned out that Arthur Andersen (yes, that AA) had performed a security audit on the hospital and discovered that, as you would expect, the hospital's security was woefully inadequate. So they required that a triple-password scheme be implemented (yes, typing in three successive passwords to log in to the mainframe) in order to improve security and pass the audit. Well, as it happens this was back when "smart terminals" were getting popular, and this was a floor full of programmers, so it took about eight seconds after the last auditor left for the coders to agree on "F12" as a common macro key to spit out the required three passwords and log in. Everybody programmed their passwords into their own terminals so anybody could log in any time. Pretty funny, really, but it does go to show that what you're saying is correct: if security interferes too much with productivity there will be problems. Prior to that audit, everybody had a private password and used it. Afterwards ... productivity was unimpaired while security simply disappeared.

      --
      The higher the technology, the sharper that two-edged sword.

  2. That's why you take the scientific approach. by khasim · · Score: 4, Insightful

    Just to make this clear, "security" is not an end item. You cannot "have" security. My definition is: The process of identifying and evaluating threats and reducing their effectiveness.

    As Bruce says, when there isn't an economic incentive, that process is not maintained.

    But, suppose you are maintaining it. How do you know how good your security is?

    Bruce also wrote about "attack trees".
    http://www.schneier.com/paper-attacktrees-ddj-ft.html

    Identifying and evaluating the different avenues of attack is part of evaluating the threats. Once you've identified one, don't think about how you can "prove" it is "secure". Think about how you would go about showing that it is NOT secure. Make your statements about your security "falsifiable". Just like in the scientific method.

    Then experiment, on an ongoing basis, to see if you can demonstrate that your security can be broken. This takes time and effort on your part as you have to continually read about the latest advances and theories.

    Which gets back to the economic issue. If the organization does not see an economic incentive for you to perform that research/work, then you will be assigned to other tasks and the process will not be followed. If you are not following the process, there is no "security".
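    The comment above describes attack trees and the idea of stating security as a falsifiable claim that gets re-tested as new attack techniques appear. The following Python is an added example, not code from the thread or from Schneier's attack-tree paper: it models a tree of AND/OR nodes with costed leaves, computes the cheapest path to the root goal, and turns "we are secure" into the claim "no attack within budget X reaches the goal", which can be re-checked whenever a leaf's estimated cost changes. The tree, its leaf names and all cost figures are constructed for illustration.

```python
"""Attack-tree evaluation (added example; tree and costs are constructed)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "and" or "or"
    cost: int = 0               # leaf only: estimated attacker cost (constructed units)
    children: List["Node"] = field(default_factory=list)


def cheapest_attack(node: Node) -> Tuple[int, List[str]]:
    """Return (cost, leaf path) of the cheapest way to achieve `node`.

    AND nodes require every child, so their costs add up; OR nodes need
    only one child, so the cheapest child wins.
    """
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest_attack(child) for child in node.children]
    if node.kind == "and":
        total = sum(cost for cost, _ in results)
        path = [leaf for _, leaves in results for leaf in leaves]
        return total, path
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind: {node.kind}")


def claim_holds(root: Node, budget: int) -> Tuple[bool, int, List[str]]:
    """Falsifiable claim: 'no attacker with budget <= `budget` reaches the goal'.

    Returns (claim_holds, cheapest_cost, path). When the claim is false, the
    path is the counterexample a defender should look at first.
    """
    cost, path = cheapest_attack(root)
    return cost > budget, cost, path


def set_leaf_cost(node: Node, name: str, new_cost: int) -> bool:
    """Re-price one leaf (a new technique made it cheaper, or a control made it
    dearer). Returns True if the leaf was found."""
    if node.kind == "leaf":
        if node.name == name:
            node.cost = new_cost
            return True
        return False
    return any(set_leaf_cost(child, name, new_cost) for child in node.children)


def build_sample_tree() -> Node:
    """Constructed sample tree; leaves mirror the threats discussed in the thread."""
    return Node("Read confidential records", "or", children=[
        Node("Use a legitimate login", "and", children=[
            Node("Obtain a password by social engineering", cost=2000),
            Node("Defeat the second factor", cost=30000),
        ]),
        Node("Steal an unencrypted laptop", cost=5000),
        Node("Exploit an unpatched server", cost=15000),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print(claim_holds(tree, 10000))      # (False, 5000, ['Steal an unencrypted laptop'])
    # A control (full-disk encryption) raises the laptop leaf's cost; re-test the claim.
    set_leaf_cost(tree, "Steal an unencrypted laptop", 100000)
    print(claim_holds(tree, 10000))      # (True, 15000, ['Exploit an unpatched server'])
    # A newly published technique makes the server leaf cheap; the claim is falsified again.
    set_leaf_cost(tree, "Exploit an unpatched server", 1000)
    print(claim_holds(tree, 10000))      # (False, 1000, ['Exploit an unpatched server'])
```

The budget and cost numbers are placeholders; the point is the workflow: the claim is phrased so a single cheap path refutes it, and every re-pricing (a control added, an attack published) is a fresh experiment against the same claim.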

  3. Insurance risk by stox · · Score: 4, Interesting

    We will not see real security until Insurance companies start to really evaluate the risks involved. Once premiums sky-rocket due to poor security, then people will pay attention.

    --
    "To those who are overly cautious, everything is impossible."

    1. Re:Insurance risk by Ulrich+Hobelmann · · Score: 4, Interesting

      I think it's the other way round: because IT is new terrain for them, most insurers make IT insurance too expensive.

      Now if any insurance company were to make IT insurance for certain systems with certain properties cheap, maybe people would try to implement those properties (say, Unix, separation of privileges, managed code or alternatively strongly checked code with powerful type/effect systems) to be able to get the cheap insurance (or to offer that cheap insurance to their clients/users).

  4. Put the liability in the right place by Dadoo · · Score: 5, Insightful

    I've been telling my co-workers for a long time: while hackers who break into companies' networks should be punished, the companies themselves should be punished more. The very first paragraph of this essay (the one comparing the European banks to the American banks) would seem to agree with me.

    Let's face it: if your corporate network can't stand up to some high-school kid in his basement, it certainly isn't going to stand up to a well-funded foreign power trying to attack us.

    --
    Sit, Ubuntu, sit. Good dog.