Slashdot Mirror


Schneier on Economic Insights to IT Security

Scyld_Scefing writes "In his June 29, 2006 Wired News article, 'It's the Economy, Stupid,' Bruce Schneier covers the content of the 2006 Workshop on the Economics of Information Security. Schneier says that economic analysis of IT security issues is relatively new, and links to one of the significant earlier papers from 1991, 'Why Information Security Is Hard -- An Economic Perspective' (.pdf). This article states: 'According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.'"

1 of 58 comments

  1. Put the liability in the right place by Dadoo · Score: 5, Insightful

    I've been telling my co-workers for a long time - while hackers who break into companies' networks should be punished, the companies themselves should be punished more. The very first paragraph of this essay (the one comparing the European banks to the American banks) would seem to agree with me.

    Let's face it: if your corporate network can't stand up to some high-school kid in his basement, it certainly isn't going to stand up to a well-funded foreign power trying to attack us.

    --
    Sit, Ubuntu, sit. Good dog.