Information Security - Where Computer Science, Economics and Psychology Meet
Wednesday 12 March 2008, 1600-1730
Biology Large Lecture Theatre
For years, people thought that the insecurity of the Internet was due to a shortage of features, and so all through the 1990s we worked vigorously on developing better encryption, authentication and filtering mechanisms. But things didn't get any better. We began to realise that failures - of both security and dependability - are intricately tied up with incentives. Systems often fail because the people who guard and maintain them don't bear the full costs of failure. Microsoft doesn't accept liability for vulnerabilities that lead to millions of its customers being hacked; DVD region coding is easy to subvert because equipment vendors don't lose money when it fails; and ATMs suffer more fraud in countries that let banks dump the costs of fraud on customers.
This led to the emergence of a new field of study, information security economics, which Professor Ross Anderson helped to found. It provides valuable insights not just into `security' topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability and policy. This research program has been starting to spill over into more general security questions (such as law-enforcement strategy), and into the interface between security and sociology.
The most recent development is the interaction with psychology. As systems get harder to attack, the bad guys attack the users instead; phishing only got properly going in 2004, but by 2006 cost British banks £35m. We now know that most information security mechanisms are too hard to use, being designed by geeks for geeks. We urgently need to introduce bright ideas and best practice from psychology and human-computer interface design. And in addition to these 'micro' scale concerns, there are many 'macro' scale problems - why do people overreact to terrorism, yet underreact to everything from environmental degradation to road traffic accidents?
The challenge is to build a proper multi-disciplinary framework for analyzing security problems - one that is both principled and effective. Up till now, security economics has started to fuse the engineering and economic aspects, while behavioural economics, which studies the heuristics and biases that affect human judgment, has put psychology and economics together. The next big research task may well be security pscyhology.
Profile - Ross Anderson
Ross Anderson is Professor of Security Engineering at The University of Cambridge's Computer Laboratory.
Professor Anderson takes a multidisciplinary approach to building systems that remain dependable in the face of malice, error or mischance. He was one of the pioneers of peer-to-peer systems, of steganography, of hardware tamper-resistance, and of security usability.
Recently he has been one of the founders of the study of information security economics. He wrote the standard textbook `Security Engineering - A Guide to Building Dependable Distributed Systems'.