Economics Crucial to Computer Security

By Tim Gray

(Back to article)

Computer security isn't a technological problem -- it's an economic one.

That is the message Bruce Schneier, CTO of Counterpane Internet Security and the author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World," repeated throughout his keynote address Thursday at the infoSecurity Conference in New York's Jacob K. Javits Center.

Schneier, a security technologist, said the future of security is getting harder to predict and warned the several hundred tech professionals on hand that they must start paying attention to the economics of security if they hoped for technology to keep pace.

"To understand the difference it's necessary to understand the basic economic incentives of companies and how businesses are affected by liabilities," he said.

The key is to think of security not in absolutes, but rather in terms of sensible trade-offs, said Schneier.

Schneier argued that profit-making ventures refuse to make decisions based on both short- and long-term profitability. Organizations, he says, find it cheaper to weather the occasional bad press and fix public problems after the fact, rather design security properly from the beginning.

However, until the cost paradigms shift, there will continue to be shoddy software and insecure security practices, he said. "The problem is that most of the costs of insecure software fall on the users," he said.

In economics, this is known as an externality: an effect of a decision not borne by the decision maker, according to Schneier.

"When ChoicePoint leaked data they weren't the victim -- you were," he told the audience. "The loss was to us."

"Depending on where you put liability, security improves or it doesn't," he added, noting that ChoicePoint had calculated its risks of losing data, and had weighed the financial burdens of protecting it no matter the cost. Ultimately the data service chose a certain level of protection before it would allow the information to be compromised.

"Put the liability on the responsible party than we can do something," he said. That liability usually comes through legislation or lawsuits, according to Schneier.

This article was first published on InternetNews.com. To read the full article, click here.