Information security guru Bruce Schneier has outlined trends that are changing the landscape of information security and how viewing these trends in economic terms could help unravel some of the paradoxes of practical information security.
Speaking at a joint BCS and London School of Economics public lecture, Schneier said, "Hacking has changed from a hobbyist pursuit to a criminal pursuit. There are lots of ways to make money criminally on the net. A lot of this we are seeing from lone criminals, and also moving up to organised crime.
"In addition, the information belonging to individuals and corporations is not controlled by them. This may be as simple as e-mail stored by an ISP or web mail provider, or it may be through business process outsourcing."
Legal agreements may protect against misuse, but the control and oversight of information security becomes one step removed, said Schneier. For example, Paris Hilton had her text messages posted on the internet after the information was stolen not from her phone, but from T-Mobile's central systems.
Applying principles of economics can reveal some of the forces at work, and suggest routes for solutions, said Schneier. One of the major problems is that individuals, and many corporations, cannot tell the difference between good and bad security products. This means that, in market terms, suppliers that invest in developing quality products are unable to compete with poor products that are cheaper.
Another problem is to do with externalities, when the effects of an action are not felt by the originator of the action, said Schneier. For example, a company may store personal information on an individual. If that information is then stolen, it affects the individual, but there may be limited consequences to the company. In that case, there is no economic incentive for the company to make sure the information is not stolen.
Capability is also important. If a home PC is compromised, it may be used to send spam or as part of a botnet in a denial of service attack. In these cases, that breach does not affect the home user as much as it does the target of the attack. Moreover, the home PC user is not necessarily capable of stopping that threat, or evaluating the risks.
Part of the solution, according to Schneier, is to realign interests and internalise the externalities. This could, for example, mean making ISPs responsible for the prevention of infection of home PCs, and introducing legislation to penalise firms that lose personal information.
David Lacey’s security blog >>
The latest ideas, best practices, and business issues associated with managing security
Comment on this article: firstname.lastname@example.org