Managing Online Security Risks
Full Title of Reference
Managing Online Security Risks
Hal Varian, Managing Online Security Risks, N.Y. Times, June 1, 2000. Web
- Issues: Behavioral Economics; Economics of Cybersecurity; Incentives; Risk Management and Investment
In this article, Varian writes about the growing vulnerability of the Internet, a "lab experiment let loose" he describes as being birthed in a secure environment of friendly researchers. The biggest culprit in computer and cyber security, in Varian's mind, is humans, and not technical vulnerability of any kind.
Whereas cryptography offers a vast measure of effective security, it often fails because of the human element. Varian laments computer security's focus on the hard issues of cryptography and system design, and the neglect of those more important fields of user experience, economics and incentives. Varian quotes a study by Ross Anderson that examines fraud in automated telling machines, almost all instances of which occur because of human -- and not machine -- error.
Looking at best practices in British and American banks' customer policies, Varian finds that the US, where liability in a customer dispute automatically falls to the bank, banks have a higher incentive to show that they are right. In Britain, where the bank is right unless the customer proves it wrong, banks have little incentive to take care -- the result is ATM fraud.
Risk management is best thought of not from a technical perspective, but from the standpoint of incentives. Effective risk management is a question of practices, not technology. Furthermore, the job of managing risk should fall to the party that can best do the job. In the case of banks and customers -- this part is the bank. But again, there should be a balance lest customers escape all liability and become too sloppy.
The same goes for computer attacks. Computer security is poor when liability is too diffuse. If a particular user's computer is taken over via a network, it would be pointless to assign liability to the user, given that most users are clueless about preventing zombie attacks or attacks of any sort. Assigning liability to the network operator makes more sense.
A typical security analysis involves identifying weak points in a system and indicating who might be in a position to fix them. But security analysts should go one step further and examine the incentives of those responsible for the system. Such an analysis could be used to assign liability so that those who are best positioned to control the risks have appropriate incentives to do so.
The study of incentives opens the proverbial cybersecurity door to insurance. Here, too, incentives comes into play. Just as there is no such thing as blanket insurance in the real world, neither does it exist in the realm of cybersecurity. Just as an insurer of an office building will give you a reduced rate if you have sprinklers every 12 feet, an insurer against computer crime will give you a reduced rate if you install security patches within two weeks of their posting, provide continuing education for security staff and engage in other good risk management practices. Yet most insurance companies have very little experience with computer security, and being unable to judge the risks, they offer little in the way of protection.
Varian's next steps for a better computer security are as follows: The first step is to assign legal liability to the parties best able to manage the risk. Insurers can then develop expertise in risk management for computer security and provide such services to their clients.
His conclusion is rather bleak: "Unfortunately, this will be a long and slow process. In the meantime, we can expect to see many more disruptions on the Internet."
Additional Notes and Highlights
About the author: Hal Varian is Chief Economist at Google and also teaches at UC Berkeley, at the School of Information as well as at the Haas Business School.