Why information security is hard - an economic perspective

  • Ross J. Anderson
  • Published 2001
  • Computer Science
  • Seventeenth Annual Computer Security Applications Conference
According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. The author puts forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and…
Why Computer Security Fails – An Economic View
Computer security is addressed from the economic point of view rather than the more traditional technical one. The reasons why security fails, such as the cost of security, incentive failures, …
Who Can We Trust?: The Economic Impact of Insider Threats
Information Systems (IS) security has become a critical issue in the IT world. Among all threats against IS security, the insider threat is the greatest. This paper proposes a game …
Security Audits Revisited
It is found that basic audits are hardly ever useful, and in general, the thoroughness of security audits needs to be carefully tailored to the situation.
The Economics of Information Security
The economics of information security has recently become a thriving and fast-moving discipline and provides valuable insights into more general areas such as the design of peer-to-peer systems, the optimal balance of effort by programmers and testers, why privacy gets eroded, and the politics of digital rights management.
Understanding and Influencing Attackers' Decisions: Implications for Security Investment Strategies
This work models the economic behavior of attackers both when they can obtain complete information about the security characteristics of targets and when such information is unavailable, and finds that systems with better levels of protection have stronger incentives to reveal their security characteristics to attackers than poorly protected systems do.
Cost Tradeoffs for Information Security Assurance
This paper analyzes such tradeoffs in terms of investment costs and opportunity costs (from the perspective of the defender and the attacker, respectively) for the CIA aspects of a computer-based information system.
The economics of information security investment
An economic model is presented that determines the optimal amount to invest to protect a given set of information, taking into account the vulnerability of the information to a security breach and the potential loss should such a breach occur.
The Economics of Information Security : A Survey and Open Questions
The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, we …
Internet Security
An economic perspective has yielded invaluable insights into the analysis and design of information security mechanisms. Systems often fail because the organizations that defend them do not bear the …
Rationally Opting for the Insecure Alternative: Negative Externalities and the Selection of Security Controls
This paper assesses the individual security cost and models the assessment in economic terms, which is vital in determining the cost-benefit of applying costly security controls in systems in general and software in particular.


Why cryptosystems fail
It turns out that the threat model commonly used by cryptosystem designers was wrong: most frauds were not caused by cryptanalysis or other technical attacks, but by implementation errors and management failures, suggesting that a paradigm shift is overdue in computer security.
Compliance Defects in Public Key Cryptography
This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.
Security engineering - a guide to building dependable distributed systems (2. ed.)
In almost 600 pages of riveting detail, Ross Anderson warns us not to be seduced by the latest defensive technologies, never to underestimate human ingenuity, and always to use common sense in defending valuables.
Risks of the Passport single signon protocol
The Passport single sign-on protocol is examined, several risks and attacks are identified, and a flaw is described that was discovered in the interaction of Passport and Netscape browsers, which leaves a user logged in while informing him that he has successfully logged in.
The Market for “Lemons”: Quality Uncertainty and the Market Mechanism
This paper relates quality and uncertainty. The existence of goods of many grades poses interesting and important problems for the theory of markets. On the one hand, the interaction of quality …
Computer Security Technology Planning Study
This document is intended to assist in the management of government procurement operations and will not be used for purposes other than a definitely related government procurement operation.
Information rules
Although written by heavyweights in the field of economics and information management, the authors present a well-written and thoughtful treatment of a subject that non-academics and academics alike should enjoy and refer to often.
'Smart' and 'Stupid' networks: why the Internet is like Microsoft
A more detailed look suggests that the Internet is succeeding largely for the same reasons that led the PC to dominate the mainframe, and that are responsible for the success of Microsoft.
Intermediate Microeconomics: A Modern Approach
The worldwide best-selling intermediate microeconomics textbook is distinguished by its remarkably up-to-date and rigorous yet accessible analytical approach. The seventh edition has been carefully …
Murphy’s law, the fitness of evolving species, and the limits of software reliability
The reliability growth model is inspired by statistical thermodynamics, but also applies to biological evolution, and shows that there are significant differences between the evolution of software and the evolution of species.