According to one common view, information security
comes down to technical measures. Given better
access control policy models, formal proofs of cryptographic
protocols, approved firewalls, better ways of detecting
intrusions and malicious code, and better tools
for system evaluation and assurance, the problems can
be solved.
In this note, I put forward a contrary view: information
insecurity is at least as much due to perverse
incentives. Many of the problems can be explained
more clearly and convincingly using the language of
microeconomics: network externalities, asymmetric
information, moral hazard, adverse selection, liability
dumping and the tragedy of the commons.
4 comments
[ 73.4 ms ] story [ 620 ms ] threadRoss Anderson's security engineering book that gets a mention is this paper is available online for free at http://www.cl.cam.ac.uk/~rja14/book.html
According to one common view, information security comes down to technical measures. Given better access control policy models, formal proofs of cryptographic protocols, approved firewalls, better ways of detecting intrusions and malicious code, and better tools for system evaluation and assurance, the problems can be solved. In this note, I put forward a contrary view: information insecurity is at least as much due to perverse incentives. Many of the problems can be explained more clearly and convincingly using the language of microeconomics: network externalities, asymmetric information, moral hazard, adverse selection, liability dumping and the tragedy of the commons.
I took it a few years ago and at that time it was not free, now it is. If somebody is interested here is the link: https://www.edx.org/course/cyber-security-economics-delftx-s...