The Economics of Information Security


Everyone knows that computer security is seriously broken. The daily onslaught of attacks caused by viruses, trojans and bots is testimony to that. But what many are unaware of - at least outside the open source community - is that much of the responsibility for this lies squarely with Microsoft. It is largely thanks to the poor design of Windows and its associated programs, particularly Internet Explorer and Microsoft Word, that viruses are transmitted so easily. It is a result of the poorly-designed approach to security, only now being fixed, that encourages users to click merrily on attachments and install new software without being aware of the consequences. And above all, it is a consequence of the pervasive and wilfully-constructed Microsoft monoculture, which allows malicious programmers to make many correct assumptions about what they will find on a typical Windows user's system.

Many of these problems do not exist when running GNU/Linux. This is not to say that viruses cannot exist in an open source context, just that they have a much harder time taking hold and spreading, because there are checks and obstacles at many levels. Given that the prospect of instantly converting large numbers of ordinary users to GNU/Linux is unrealistic (and would, in any case, only increase the incentive for malware authors to find weaknesses in open source rather than Windows), the question is: what can be done to reduce the damage caused by Windows, given its current problems?

What is needed is a new approach that does not simply call for Microsoft to do a better job (which, to be fair, it is finally doing - although only after indirectly causing billions of pounds' worth of damage to companies and individuals). One promising idea is that of security economics. Rather than trying to address the myriad problems with computer security by mandating particular actions, economic pressure is used to encourage all the parties involved - software houses, ISPs, companies and end-users - to change their behaviour in such a way as to make it harder for malware.

One of the leading exponents of this approach is Ross Anderson, Professor of Security Engineering at Cambridge University. On his web site he has a section devoted to the area of information security economics, with plenty of good introductions to the subject. His most recent work in this area is a report written for ENISA:

ENISA is a body set up by the EU to carry out a very specific technical, scientific or management task within the "Community domain" ("first pillar") of the EU: a "European Community Agency". These agencies are not provided for in the Treaties. Instead, each one is set up by an individual piece of legislation that specifies the task of that particular agency.

The Agency's Mission is essential to achieve a high and effective level of Network and Information Security within the European Union. Together with the EU institutions and the Member States, ENISA seeks to develop a culture of Network and Information Security for the benefit of citizens, consumers, business and public sector organisations in the European Union. Operative networks contribute to the smooth functioning of the Internal Market, and concretely affect the daily lives of citizens and business alike, using broadband, online banking, ecommerce, and mobile phones.

As the Agency’s in-house expertise grows, ENISA is helping the European Commission, the Member States and the business community to address, respond and especially to prevent Network and Information Security problems.

The Agency also assists the European Commission in the technical preparatory work for updating and developing Community legislation in the field of Network and Information Security.

The report is entitled “Security Economics and the Internal Market”. As the report's summary explains:

Network and information security are of significant and growing economic importance. The direct cost to Europe of protective measures and electronic fraud is measured in billions of euros; and growing public concerns about information security hinder the development of both markets and public services, giving rise to even greater indirect costs. For example, while we were writing this report, the UK government confessed to the loss of child-benefit records affecting 25 million citizens. Further revelations about losses of electronic medical information and of data on children have called into question plans for the development of e-health and other systems.

Information security is now a mainstream political issue, and can no longer be considered the sole purview of technologists. Fortunately, information security economics has recently become a live research topic: as well as collecting data on what fails and how, security economists have discovered that systems often fail not for some technical reason, but because the incentives were wrong. An appropriate regulatory framework is just as important for protecting economic and other activity online as it is offline.

This report sets out to draw, from both economic principles and empirical data, a set of recommendations about what information security issues should be handled at the Member State level and what issues may require harmonisation – or at least coordination. In this executive summary, we draw together fifteen key policy proposals.

Some of its more innovative proposals include: the introduction of a statutory scale of damages against ISPs that do not respond promptly to requests for the removal of compromised machines; standards for network-connected equipment to be secure by default; a combination of early responsible vulnerability disclosure and vendor liability for unpatched software; and the suggestion that patches be kept separate from feature updates, and made freely available.

This is an important report, and worth reading carefully, since it not only rigorously analyses the root causes of many of the security problems affecting computing today, but goes on to offer concrete suggestions for reducing them that are not simply rehashes of tired and manifestly ineffective past approaches.
