— Ch. 1 · The 2000 Awakening —
Economics of security.
Ross Anderson wrote a paper titled Why Information Security is Hard in the year 2000. He argued that security technology fails when incentives do not align with technical design. Designers often rely on altruism for adoption and diffusion of their tools. This approach ignores the rational economic behavior of the party at risk. Anderson insisted that economic insights must be integrated into technical design to enable rational investment. Many scholars consider this publication the birth of economics of security as a distinct field. The intellectual status of information security rose to prominence around that same time. Innovations arose simultaneously in multiple venues rather than following a single linear path.
Vulnerabilities As Trade Goods
Jean Camp and Wolfram published arguments at Harvard School of Government in 2000 stating security is not a public good. They defined vulnerabilities as tradable goods with an associated negative externality value. Six years later markets emerged for these vulnerabilities involving iDEFENSE, ZDI, and Mozilla. The Computer Emergency Response Team at Carnegie Mellon University proposed the Hierarchical Holographic Model in 2000. This mechanism provided the first multi-faceted evaluation tool to guide security investments using risk science. CERT developed a suite of systematic mechanisms called OCTAVE for organizations to use in risk evaluations. These frameworks depend on the size and expertise of the organization receiving the assessment. The study of computer security as an investment in risk avoidance has become standard practice today.
Competitors And Game Theory
Lawrence A. Gordon and Martin P. Loeb published Using Information Security as a Response to Competitor Analysis System in 2001. Their working paper was written during the year 2000 before publication occurred. These professors from Maryland's Smith School of Business presented a game-theoretic framework. They demonstrated how information security can prevent rival firms from gaining sensitive information. The article considers the economic cost-benefit aspects of information security decisions. Hal Varian presented three models of security using the metaphor of wall height around a town. He showed security acts as a normal good, public good, or good with externalities. Free riding remains the end result regardless of which model applies to a specific scenario.