Economics of information security

Binary Numbers 24 April 2007

The information security guru Bruce Schneier gave a joint BCS and London School of Economics public lecture as part of this year's 50th anniversary celebrations.

He outlined ten trends that were changing the landscape of information security, and how viewing these trends in economic terms could help unravel some of the paradoxes of practical information security.

Corporations now often find that the information they hold is worth more than any other assets they possess. Information systems (such as email or the web) have become a part of the critical infrastructure required to do business. As information becomes the life-blood of commerce, it also becomes a more serious target.

'Hacking has changed from a hobbyist pursuit to a criminal pursuit. There are lots of ways to make money criminally on the net. A lot of this we're seeing from lone criminals, and also moving up to organised crime.'

In addition, the information belonging to individuals and corporations is not controlled by them. This may be as simple as email stored at an ISP or webmail account, or it may be through business process outsourcing.

Legal agreements may protect against misuse, but the control and oversight of information security becomes one step removed. For example, Paris Hilton had her phone book and text messages posted on the internet after the information was stolen, not from her phone, but from T-Mobile's central systems.

Applying principles of economics can reveal some of the forces at work, and suggest routes for solutions. One of the major problems in information security is that individuals, and many corporations, cannot tell the difference between good and bad security products. This means that in market terms the companies that invest in developing quality products are unable to compete with poor products that are lower priced.

Another problem is to do with externalities, when the effects of an action are not felt by the originator of the action. For example, a company may store personal information on an individual.

If that information is then stolen, it affects the individual, but there may be no consequences to the company, or the consequences may be unclear. In that case, there is no economic incentive for the company to make sure the information is not stolen.

Capability is also important. If a home PC is compromised, it may be used to send spam or as part of a botnet in a denial-of-service attack. In these cases, the breach does not affect the home user as much as it does the target of the attack. Moreover, the home PC user is not necessarily capable of stopping that threat, or even of evaluating the risks.

Part of the solution, according to Bruce, is to re-align interests and capabilities; to internalise the externalities. This could, for example, mean making ISPs responsible for the prevention of infection of home PCs. It could mean legislation to penalise companies that lose personal information or the ability to sue if they do.
