Create an Account
username: password:
 
  MemeStreams Logo

Why Information Security is Hard

search

noteworthy
Picture of noteworthy
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

noteworthy's topics
Arts
  Literature
   Fiction
   Non-Fiction
  Movies
   Documentary
   Drama
   Film Noir
   Sci-Fi/Fantasy Films
   War
  Music
  TV
   TV Documentary
Business
  Tech Industry
  Telecom Industry
  Management
Games
Health and Wellness
Home and Garden
Miscellaneous
  Humor
  MemeStreams
   Using MemeStreams
Current Events
  War on Terrorism
  Elections
  Israeli/Palestinian
Recreation
  Cars and Trucks
  Travel
   Asian Travel
Local Information
  Food
  SF Bay Area Events
Science
  History
  Math
  Nano Tech
  Physics
  Space
Society
  Economics
  Education
  Futurism
  International Relations
  History
  Politics and Law
   Civil Liberties
    Surveillance
   Intellectual Property
  Media
   Blogging
  Military
  Philosophy
Sports
Technology
  Biotechnology
  Computers
   Computer Security
    Cryptography
   Human Computer Interaction
   Knowledge Management
  Military Technology
  High Tech Developments

support us

Get MemeStreams Stuff!


 
Why Information Security is Hard
Topic: Computer Security 10:06 am EDT, Mar 26, 2007

This Ross Anderson paper from 2001 is worth (re-)reading. I'd be interested in any pointers to further reading along these lines.

I particularly liked this quote, from the French economist Jules Dupuit in 1849:

It is not because of the few thousand francs which would have to be spent to put a roof over the third-class carriage or to upholster the third-class seats that some company or other has open carriages with wooden benches ... What the company is trying to do is prevent the passengers who can pay the second-class fare from traveling third class; it hits the poor, not because it wants to hurt them, but to frighten the rich ... And it is again for the same reason that the companies, having proved almost cruel to the third-class passengers and mean to the second-class ones, become lavish in dealing with first-class customers. Having refused the poor what is necessary, they give the rich what is superfluous.

Here's the abstract of the paper:

According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved.

In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.

Anderson has been working this theme over the past several years; his latest paper is The Economics of Information Security - A Survey and Open Questions.

Why Information Security is Hard



 
 
Powered By Industrial Memetics
RSS2.0