Decius wrote: How LED signs become a national emergency.
The story here doesn't strike me as particularly novel. The underlying lesson is that security is all about incentives. We've been talking about that here for a long time now. Let's take a walk through the archives: Workshop on Economics and Information Security, from January 2002: Many system security failures occur not so much for technical reasons but because of failures of organisation and motivation. For example, the person or company best placed to protect a system may be insufficiently motivated to do so, because the costs of system failure fall on others. Such perverse incentives raise many issues best discussed using economic concepts such as externalities, asymmetric information, adverse selection and moral hazard. They are becoming increasingly important now that information security mechanisms are not merely used to protect against malicious attacks, but also to protect monopolies, differentiate products and segment markets. There are also interesting security issues raised by industry monopolization and the accompanying reduction in product heterogeneity. For these and other reasons, the confluence between information security and economics is of growing importance.
This workshop continued; in 2004 I cited the Third Annual Workshop on Economics and Information Security, which posed such questions as: Can market forces ensure that firms will act to improve security?
Later that year, we enjoyed Old-school British anti-piracy ads, including one that encourages you to rat out your school teachers for cash. Earlier this year I recommended Anderson's 2001 paper about Why Information Security is Hard. This is always worth reading, and now seems like as good a time as any. I'm still loving the quote from 1849, about first-class and third-class carriage service: Having refused the poor what is necessary, they give the rich what is superfluous.
Bruce's "CYA decisions" are the superfluous trappings of the rich. Fear is the new Comfort. Also, I note another recommendation, from last year, about Costs and Consequences of Transformation and Transparency: The economics of ‘information-rich’ environments inherently inspire perverse incentives that frequently generate unhappy outcomes.
The context is slightly different but the message is quite applicable: Any objective review of private sector experiences with digital transformation offers RMA champions evidence more sobering than inspiring. The potentially enormous benefits of net-centric transformation should be valued only in the context of their potentially enormous costs. These cost-benefit ratios have not been adequately assessed. The fundamentalist dogma of the RMA transformation ideology recalls the aphorism, “Be careful of what you want because you’re sure to get it.”
There is also Nassim Nicholas Taleb and his Black Swans: Many hedge fund managers ... are just picking up pennies in front of a steamroller. And sometimes the steamroller accelerates. In a world of Black Swans, the first step is understanding just how much we will never understand.