Monday, January 28, 2008

Security as Economics: Making security worth it

A co-worker dropped a link to Kevin Soo Hoo's slide deck for "Economic Incentives & Metrics of Cybersecurity" my way a while ago, and it is worth pointing out to the community.

If you're an information security person who struggles to make security relevant, this is worth a read. Similarly, if you're an information security officer and you're working on a security program, you should definitely take a look. Why? Because it will remind you of why people will act to handle security, and why security can be an unpopular budget item. It also points to what may come next, noting that policy efforts have so far avoided product liability and strict security regulation.

Kevin notes that the free market isn't enough, as a pure public good suffers from a number of issues, and externalities affect non-participants in the market. In short, security takes a back seat because the public good isn't enough to make the market work, and security affects people who aren't actively in the game.

In addition, he points out that the Internet creates incentives that encourage behavior that doesn't help information security. We've all seen this - anonymity, or at least the perception of anonymity, as well as the ease of access and openness of the Internet, creates security risks. The incentives include the usefulness of interconnectedness, the fact that each person's individual security can affect the security of others, and the fallacies of behaviors such as operating system elitism - the traditional Linux and MacOS superiority complex, for example.

Take a look - putting security into an economics framework is a great way to step back from the exigencies of day-to-day security efforts to look at the big picture.