Information security guru Bruce Schneier has
outlined trends that are changing the landscape of information
security and how viewing these trends in economic terms could help
unravel some of the paradoxes of
practical information security.
Speaking at a joint BCS and London School of Economics public
lecture, Schneier said, "Hacking has changed from a hobbyist pursuit to a criminal
pursuit. There are lots of ways to make money criminally on the
net. A lot of this we are seeing from lone criminals, and also
moving up to organised crime.
"In addition, the information belonging to individuals and
corporations is not controlled by them. This may be as simple as
e-mail stored by an ISP or web mail provider, or it may be through
business process outsourcing."
Legal agreements may protect against misuse, but the control and
oversight of information security becomes one step removed, said
Schneier. For example,
Paris Hilton had her text messages posted on the internet after
the information was stolen not from her phone, but from T-Mobile's
central systems.
Applying principles of economics can reveal some of the forces
at work, and suggest routes to solutions, said Schneier. One of
the major problems is that individuals, and many corporations,
cannot tell the difference between good and bad security products.
In market terms this is the classic "market for lemons": because
buyers cannot distinguish quality, suppliers that invest in
developing good products are undercut by cheaper, poorer ones.
Another problem is to do with externalities, when the effects of
an action are not felt by the originator of the action, said
Schneier. For example, a company may store personal information on
an individual. If that information is then stolen, it affects the
individual, but there may be limited consequences to the company.
In that case, there is no economic incentive for the company to
make sure the information is not stolen.
Capability also matters. If a home PC is compromised, it
may be used to send spam or as part of a botnet in a denial of
service attack. In these cases the breach harms the target of the
attack far more than it harms the home user. Moreover, the home
PC user is not necessarily capable of stopping the threat, or
even of evaluating the risk.
Part of the solution, according to Schneier, is to realign
interests and internalise the externalities. This could, for
example, mean making
ISPs responsible for the prevention of infection of home PCs,
and introducing legislation to penalise firms that lose personal
information.
Bruce Schneier's blog
Who should be liable for security?
London School of Economics
British Computer Society: listen to the lecture
David Lacey's security blog