The long view of security strategies for your network.
Occasionally one reads a paper or a book that makes one sit up and take notice.
Older readers may remember the excitement in 1991 when the System Security Study Committee of the National Research Council issued Computers at Risk: Safe Computing in the Information Age, which was published by the National Academy Press. The text is still available for sale and can also be purchased as a PDF download or read for free (chapter by chapter and page by page) at the National Academies Press Web site.
Computers at Risk was exciting because it provided a wealth of information in its 320 pages and included stimulating, practicable recommendations for realistic discussions of public policy. It influenced the development of public policy for more than a decade after its publication and is still worth reading today. It can be an excellent primer for non-technical executives we are just now convincing to think about security.
Readers may come to agree with me that we have another exciting policy-related report to read this year.
At the 2008 Workshop on the Economics of Information Security (WEIS 2008) at Dartmouth College last month (see also my overview), Ross Anderson, Rainer Böhme, Richard Clayton and Tyler Moore presented a valuable paper entitled “Security Economics and European Policy.” The paper is a summary of a longer report commissioned by the European Network and Information Security Agency, which, by the way, has a wealth of groundbreaking and highly stimulating papers available in English.
The original report, “Security Economics and the Internal Market,” was covered in part by John Leyden in The Register in March. The 114-page report was a study of “Barriers and Incentives for network and information security (NIS) in the Internal Market for e-Communication.” The Executive Summary begins as follows:
"Network and information security are of significant and growing economic importance. The direct cost to Europe of protective measures and electronic fraud is measured in billions of [Euros]; and growing public concerns about information security hinder the development of both markets and public services, giving rise to even greater indirect costs….
"Information security is now a mainstream political issue, and can no longer be considered the sole purview of technologists. Fortunately, information security economics has recently become a live research topic: as well as collecting data on what fails and how, security economists have discovered that systems often fail not for some technical reason, but because the incentives were wrong. An appropriate regulatory framework is just as important for protecting economic and other activity online as it is offline.
"This report sets out to draw, from both economic principles and empirical data, a set of recommendations about what information security issues should be handled at the Member State level and what issues may require harmonisation – or at least coordination…."
The authors provide 15 recommendations, each of which is discussed in detail. The following is the bare-bones list of their recommendations; I suggest that interested readers consult the original report or the paper delivered at WEIS 2008 for details. These proposals will interest readers around the world, not just those in Europe. I have deliberately generalized the proposals beyond Europe, but most of the following is quoted directly from the authors’ own text:
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.