Make firms bear the cost to improve information security, says Schneier


Justin Richards

Information security guru Bruce Schneier has outlined trends that are changing the landscape of information security and how viewing these trends in economic terms could help unravel some of the paradoxes of practical information security.

Speaking at a joint BCS and London School of Economics public lecture, Schneier said, "Hacking has changed from a hobbyist pursuit to a criminal pursuit. There are lots of ways to make money criminally on the net. A lot of this we are seeing from lone criminals, and also moving up to organised crime.

"In addition, the information belonging to individuals and corporations is not controlled by them. This may be as simple as e-mail stored by an ISP or web mail provider, or it may be through business process outsourcing."

Legal agreements may protect against misuse, but the control and oversight of information security becomes one step removed, said Schneier. For example, Paris Hilton had her text messages posted on the internet after the information was stolen not from her phone, but from T-Mobile's central systems.

Applying principles of economics can reveal some of the forces at work, and suggest routes for solutions, said Schneier. One of the major problems is that individuals, and many corporations, cannot tell the difference between good and bad security products. This means that, in market terms, suppliers that invest in developing quality products are unable to compete with poor products that are cheaper.

Another problem is to do with externalities, when the effects of an action are not felt by the originator of the action, said Schneier. For example, a company may store personal information on an individual. If that information is then stolen, it affects the individual, but there may be limited consequences to the company. In that case, there is no economic incentive for the company to make sure the information is not stolen.

Capability is also important. If a home PC is compromised, it may be used to send spam or as part of a botnet in a denial of service attack. In these cases, that breach does not affect the home user as much as it does the target of the attack. Moreover, the home PC user is not necessarily capable of stopping that threat, or evaluating the risks.

Part of the solution, according to Schneier, is to realign interests and internalise the externalities. This could, for example, mean making ISPs responsible for the prevention of infection of home PCs, and introducing legislation to penalise firms that lose personal information.
