Economics and IT Security » Kryptoblog

Economics and IT Security

September 24th, 2007 by Joachim Strömbergson

Ross Anderson, author of the excellent book Security Engineering (which is available for download; read it!), is a researcher at the Cambridge Computer Laboratory, in my opinion the research group in Europe that produces the most interesting research results in IT security. Their blog Light Blue Touchpaper constantly features new and exciting findings.
(Ross Anderson)

Together with Tyler Moore, Ross Anderson has written a longer article that tries to set out the direction and opportunities for future research treating IT security in terms of economics and incentives. Information Security Economics – and Beyond was released at the end of August and has generated a great deal of discussion among IT security researchers. (Ross has also given a presentation on the subject, and the presentation material is available for download.)

The article's abstract explains further:

The economics of information security has recently become a thriving and fast-moving discipline. As distributed systems are assembled from machines belonging to principals with divergent interests, incentives are becoming as important to dependability as technical design.

The new field provides valuable insights not just into ‘security’ topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability (the design of peer-to-peer systems and the optimal balance of effort by programmers and testers), and policy (particularly digital rights management).

This research program has been starting to spill over into more general security questions (such as law-enforcement strategy), and into the interface between security and sociology. Most recently it has started to interact with psychology, both through the psychology-and-economics tradition and in response to phishing. The promise of this research program is a novel framework for analyzing information security problems – one that is both principled and effective.

One example of an IT security problem the article takes up is bank fraud and the banks' costs for IT security:

In the USA, banks are generally liable for the costs of card fraud; when a customer disputes a transaction, the bank must either show she is trying to cheat it, or refund her money. In the UK, the banks had a much easier ride: they generally got away with claiming that their systems were ‘secure’, and telling customers who complained that they must be mistaken or lying. “Lucky bankers,” one might think; yet UK banks spent more on security and suffered more fraud. This may have been what economists call a moral-hazard effect: UK bank staff knew that customer complaints would not be taken seriously, so they became lazy and careless, leading to an epidemic of fraud.

Another problem is how to get better and more secure protocols deployed on the Internet:

Network effects can also influence the initial deployment of security technology, whose benefit may depend on the number of users who adopt it. The cost may exceed the benefit until a minimum number adopt; so everyone might wait for others to go first, and the technology never gets deployed. Recently, Ozment and Schechter have analyzed different approaches for overcoming such bootstrapping problems [17].

This challenge is particularly topical. A number of core Internet protocols, such as DNS and routing, are considered insecure. Better protocols exist (e.g., DNSSEC, S-BGP); the challenge is to get them adopted. Two widely-deployed security protocols, SSH and IPsec, both overcame the bootstrapping problem by providing significant internal benefits to adopting firms, with the result that they could be adopted one firm at a time, rather than needing everyone to move at once. The deployment of fax machines was similar: many companies initially bought fax machines to connect their own offices.

I think Ross and Tyler's article is well worth reading and will hopefully lead to new research in which economic, social and psychological aspects are linked to IT security. After reading the article, it seems clear to me that there are good opportunities to find new explanatory models, and thereby solutions to existing problems.



1 comment

  1. Blaufish says:

    If you haven't seen it before, I recommend the Google Tech Talk with Ross Anderson. A good speaker combined with an interesting subject.

