The Economics of Security
In his latest Wired column, Bruce S. is writing about a subject particularly dear to my heart: the economics of security. He was lucky enough to go up to the fifth Workshop on the Economics of Information Security at Cambridge: I had hoped to go, but a sudden influx of work prevented me.
My own interest in this area was sparked by a talk that Ross Anderson, now a professor at Cambridge, gave down in London. I vaguely knew Ross at university, when both of us had rather more hair than we do now. Since this was 30 years ago, it's not surprising that he didn't remember me when I introduced myself at the London talk, pointing out that the last time I had seen him was in Whewell's Court: he stared at me as if I was completely bonkers. Ah well.
Schneier gives a good summary of what this whole area is about, and why it is so important:
We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: The people who could protect a system are not the ones who suffer the costs of failure.
When you start looking, economic considerations are everywhere in computer security. Hospitals' medical-records systems provide comprehensive billing-management features for the administrators who specify them, but are not so good at protecting patients' privacy. Automated teller machines suffered from fraud in countries like the United Kingdom and the Netherlands, where poor regulation left banks without sufficient incentive to secure their systems, and allowed them to pass the cost of fraud along to their customers. And one reason the internet is insecure is that liability for attacks is so diffuse.
Read the whole column, and then, if you are feeling strong, try Ross's seminal essay on the subject: "Why Information Security Is Hard -- An Economic Perspective".