This week’s Economist includes an interesting feature on the failure of economics. It addresses three main critiques: that macro and financial economists helped cause the credit crisis, that they failed to spot it, and that they have no idea how to fix it. These are damning accusations for such a long established profession.
But one day we might say the same about information security professionals. The promotion of risk management (as an alternative to minimum standards) has allowed many business managers to avoid investment in essential security controls. The lack of comprehensive incident reporting and certification audits has meant that many bad practices go unnoticed. And the lack of emphasis on crisis management means that many security functions are not adequately equipped to respond to a crisis.
For the past three decades information security academics have focused on subjects of marginal value, such as formal methods, cryptography and risk assessment. The latest fashion is “the economics of security”. But we don’t need a better mousetrap. We just need basic management systems that ensure that managers, staff and customers implement a simple set of controls. That’s something that’s been within everyone’s reach since the publication of BS 7799. Unfortunately our best efforts have failed to achieve that simple goal.