[ISN] It's the Economy, Stupid

InfoSec News isn at c4i.org
Fri Jun 30 12:37:12 EDT 2006


By Bruce Schneier
June 29, 2006

I'm sitting in a conference room at Cambridge University, trying to
simultaneously finish this article for Wired News and pay attention to
the presenter onstage.

I'm in this awkward situation because 1) this article is due tomorrow,
and 2) I'm attending the fifth Workshop on the Economics of
Information Security, or WEIS: to my mind, the most interesting
computer security conference of the year.

The idea that economics has anything to do with computer security is
relatively new. Ross Anderson and I seem to have stumbled upon the
idea independently. He, in his brilliant article from 2001, "Why
Information Security Is Hard -- An Economic Perspective," and
me in various essays and presentations from that same period.

WEIS began a year later at the University of California at Berkeley
and has grown ever since. It's the only workshop where technologists
get together with economists and lawyers and try to understand the
problems of computer security.

And economics has a lot to teach computer security. We generally think
of computer security as a problem of technology, but often systems
fail because of misplaced economic incentives: The people who could
protect a system are not the ones who suffer the costs of failure.

When you start looking, economic considerations are everywhere in
computer security. Hospitals' medical-records systems provide
comprehensive billing-management features for the administrators who
specify them, but are not so good at protecting patients' privacy.
Automated teller machines suffered from fraud in countries like the
United Kingdom and the Netherlands, where poor regulation left banks
without sufficient incentive to secure their systems, and allowed them
to pass the cost of fraud along to their customers. And one reason the
internet is insecure is that liability for attacks is so diffuse.

In all of these examples, the economic considerations of security are
more important than the technical considerations.

More generally, many of the most basic security questions are at least
as much economic as technical. Do we spend enough on keeping hackers
out of our computer systems? Or do we spend too much? For that matter,
do we spend appropriate amounts on police and Army services? And are
we spending our security budgets on the right things? In the shadow of
9/11, questions like these have a heightened importance.

Economics can actually explain many of the puzzling realities of
internet security. Firewalls are common, e-mail encryption is rare:
not because of the relative effectiveness of the technologies, but
because of the economic pressures that drive companies to install
them. Corporations rarely publicize information about intrusions;
that's because of economic incentives against doing so. And an
insecure operating system is the international standard, in part,
because its economic effects are largely borne not by the company that
builds the operating system, but by the customers that buy it.

Some of the most controversial cyberpolicy issues also sit squarely
between information security and economics. For example, the issue of
digital rights management: Is copyright law too restrictive -- or not
restrictive enough -- to maximize society's creative output? And if it
needs to be more restrictive, will DRM technologies benefit the music
industry or the technology vendors? Is Microsoft's Trusted Computing
initiative a good idea, or just another way for the company to lock
its customers into Windows, Media Player and Office? Any attempt to
answer these questions becomes rapidly entangled with both information
security and economic arguments.

WEIS encourages papers on these and other issues in economics and
computer security. We heard papers presented on the economics of
digital forensics of cell phones -- if you have an uncommon
phone, the police probably don't have the tools to perform forensic
analysis -- and the effect of stock spam on stock prices: It actually
works in the short term. We learned that more-educated wireless
network users are not more likely to secure their access points,
and that the best predictor of wireless security is the
default configuration of the router.

Other researchers presented economic models to explain patch
management, peer-to-peer worms, investment in
information security technologies and opt-in versus opt-out
privacy policies. There was a field study that tried to
estimate the cost to the U.S. economy for information infrastructure
failures: less than you might think. And one of the most
interesting papers looked at economic barriers to adopting new
security protocols, specifically DNS Security Extensions.

This is all heady stuff. In the early years, there was a bit of a
struggle as the economists and the computer security technologists
tried to learn each other's languages. But now it seems that there's a
lot more synergy, and more collaborations between the two camps.

I've long said that the fundamental problems in computer security are
no longer about technology; they're about applying technology.
Workshops like WEIS are helping us understand why good security
technologies fail and bad ones succeed, and that kind of insight is
critical if we're going to improve security in the information age.


Bruce Schneier is the CTO of Counterpane Internet Security and the
author of Beyond Fear: Thinking Sensibly About Security in an
Uncertain World. You can contact him through his website.
