Why Information Security Is Hard - Essay Example

In the papers ‘Why information security is Hard’ by Ross Anderson and ‘The Economics of information security’ by Ross Anderson and Tyler Moore we see how a lot has been said about the lack of information security mechanisms to shield end users from scams and privacy violations. We also see aspects such as monopolistic gain, price discrimination, and risk dumping as key drivers behind security system design. Furthermore, it is brought to our attention how recent developments in the economics of information security have led to the realization that a failure in security is caused as much by bad incentives as by bad design.

Other incentives include consumers’ lack of prioritizing security measures which resulted in their minimum spending on software security. This is referred to by economists as ‘The tragedy of the commons’ with consumers unwilling to spend on measures that did not directly benefit them. Third is the failure in privacy and prolonged regulatory issues due to poor allocation of online risks. Last is the ability of these incentives to affect defense and offense strategies.

By highlighting these key aspects we can move on to examining two mutually exclusive reasons for the decline in credit card number prices and violations of security based on economics being the reason for the existence of economics of security. The first

of these reasons is ‘Network Externality’. In the information sector network externality refers to the software industry. Where the number of software users counts as the operating system developed depends on the choices of these people. So when the software company is in its initial development phase it tends to ignore security to strengthen its market position, later they add security measures once they have locked down on its target market.

In economies this principle is called Metcalfe’s law, stating that the value of a network grows with the number of people using it. This principle when applied to credit cards can be viewed as more merchants take credit cards their usefulness increases in the eyes of the customer. This results in more customers having credit cards increasing the likelihood of more merchants accepting them. So we notice that although the credit card network grows slowly initially positive feedback rolls in exponential growth results. This has a direct impact on the decrease in credit card number prices with a burst of credit card users.

The second reason for this mutually exclusive occurrence has to do with ‘competitive applications and corporate warfare’. About credit cards, we look at the business strategy that requires manipulating switching costs. This can incorporate direct and indirect switching costs in terms of making systems incompatible or controlling marketing channels. Sometimes product differentiation and higher switching costs can both be used as security mechanism goals. For example, look at Microsoft

Passport, which operates with the promise of a single sign-on that facilitates consumer convenience. However, that being said the real goal of Microsoft Passport is to subtly

gather huge sums of data on consumer purchasing patterns with the expansion of a strong network externality. Also, it limits the customer choice since the undertaken transactions are only operational on Microsoft software. This shows how instead of a concentration on security the product concentrates instead on web server control and acquisition of information markets. The product's credit card transactions and details, which are all kept by Microsoft, result in the creation of a target market. This increases the probability of a greater external threat as well as a stranger impersonating you simply by having your cookie file.

These present and unavoidable vulnerabilities in software’ bring us towards the violations of the security aspect of the economic element that leads us to believe that ‘offense is harder than defense’. This can be seen as there are sufficient security vulnerabilities present to do statistics in which case different testers find different bugs. Therefore even a very quite resourced attacker can break into a large and complex base. Read More