Why Information Security is Hard: Difference between revisions
| Line 23: | Line 23: | ||
This paper examines the winner-take-all IT market structure and the strategic practices towards market power that enable poor management decisions and large-spread security failures. The focus is on the constant competitive struggles to entrench or undermine monopolies and to segment and control markets that de facto determines many of the environmental conditions that | This paper examines the winner-take-all IT market structure and the strategic practices towards market power that enable poor management decisions and large-spread security failures. The focus is on the constant competitive struggles to entrench or undermine monopolies and to segment and control markets that de facto determines many of the environmental conditions that | ||
make the security engineer’s work harder. The paper also | make the security engineer’s work harder. The paper also suggests that it is likely that over time, government interference in information security standards will be motivated by broader competition issues, as well as by narrow issues of the effectiveness of information security product markets. | ||
==Additional Notes and Highlights== | ==Additional Notes and Highlights== | ||
'' * Outline key points of interest | '' * Outline key points of interest | ||
Revision as of 11:16, 21 June 2010
Why Information Security is Hard -- An Economic Perspective
Full Citation
Ross Anderson, Why Information Security is Hard -- An Economic Perspective, 17th Annual Computer Security Applications Conference (ACSAC'01), IEEE Computer Society, December, 2001. Web AltWeb
Categorization
Issues: Economics of Cybersecurity, Risk Management and Investment, Incentives
Approaches: Regulation/Liability
Key Words
Botnet, DDoS Attack, Tragedy of Commons
Synopsis
According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.
This paper examines the winner-take-all IT market structure and the strategic practices towards market power that enable poor management decisions and large-spread security failures. The focus is on the constant competitive struggles to entrench or undermine monopolies and to segment and control markets that de facto determines many of the environmental conditions that make the security engineer’s work harder. The paper also suggests that it is likely that over time, government interference in information security standards will be motivated by broader competition issues, as well as by narrow issues of the effectiveness of information security product markets.
Additional Notes and Highlights
* Outline key points of interest